Bug#1081907: vte: CVE-2024-37535
Moritz Mühlenhoff
2024-09-15 21:30:01 UTC
Source: vte
X-Debbugs-CC: ***@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for vte. This is already addressed
in vte2.91, but also filing this for completeness for the deprecated source
package:

CVE-2024-37535[0]:
| GNOME VTE before 0.76.3 allows an attacker to cause a denial of
| service (memory consumption) via a window resize escape sequence, a
| related issue to CVE-2000-0476.

https://gitlab.gnome.org/GNOME/vte/-/issues/2786
https://www.openwall.com/lists/oss-security/2024/06/09/1
https://gitlab.gnome.org/GNOME/vte/-/commit/fd5511f24b7269195a7083f409244e9787c705dc (master)
https://gitlab.gnome.org/GNOME/vte/-/commit/1803ba866053a3d7840892b9d31fe2944a183eda (master)
https://gitlab.gnome.org/GNOME/vte/-/commit/036bc3ddcbb56f05c6ca76712a53b89dee1369e2 (0.76.3)
https://gitlab.gnome.org/GNOME/vte/-/commit/c313849c2e5133802e21b13fa0b141b360171d39 (0.76.3)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-37535
https://www.cve.org/CVERecord?id=CVE-2024-37535

Please adjust the affected versions in the BTS as needed.

Simon McVittie
2024-09-15 22:10:01 UTC
Post by Moritz Mühlenhoff
The following vulnerability was published for vte. This is already addressed
in vte2.91, but also filing this for completeness for the deprecated source
| GNOME VTE before 0.76.3 allows an attacker to cause a denial of
| service (memory consumption) via a window resize escape sequence, a
| related issue to CVE-2000-0476.
I think this is wontfix. The only reason why the GTK2-based vte is still
in Debian at all is for the benefit of debian-installer, which hasn't
caught up with GTK3 yet.

In principle we could remove the .deb and leave only the .udeb, but I think
that would make it harder to test vte, so is probably not a great idea.

It would probably make sense to add vte to the list of packages that don't
have security support.

smcv

Moritz Mühlenhoff
2024-09-27 13:50:01 UTC
Post by Simon McVittie
Post by Moritz Mühlenhoff
The following vulnerability was published for vte. This is already addressed
in vte2.91, but also filing this for completeness for the deprecated source
| GNOME VTE before 0.76.3 allows an attacker to cause a denial of
| service (memory consumption) via a window resize escape sequence, a
| related issue to CVE-2000-0476.
I think this is wontfix. The only reason why the GTK2-based vte is still
in Debian at all is for the benefit of debian-installer, which hasn't
caught up with GTK3 yet.
In principle we could remove the .deb and leave only the .udeb, but I think
that would make it harder to test vte, so is probably not a great idea.
It would probably make sense to add vte to the list of packages that don't
have security support.
Thanks for the notice, I missed that the only reverse dependency is
d-i, which has no real attack surface for this bug. As such, I'll mark
it as unimportant in the security tracker.

Feel free to mark the bug as wontfix or even close it, both seem fine
(there's a public reference in the Security Tracker anyway).

Cheers,
Moritz

Simon McVittie
2024-09-27 14:10:01 UTC
Control: tags -1 + wontfix
Post by Moritz Mühlenhoff
Post by Simon McVittie
I think this is wontfix. The only reason why the GTK2-based vte is still
in Debian at all is for the benefit of debian-installer, which hasn't
caught up with GTK3 yet.
Feel free to mark the bug as wontfix or even close it, both seem fine
(there's a public reference in the Security Tracker anyway).
Doing so now.

Thanks,
smcv