Red Hat Bugzilla – Full Text Bug Listing
|Summary:||CVE-2012-2385 mosh: DoS (excessive CPU use) by processing short ANSI escape sequence|
|Product:||[Other] Security Response||Reporter:||Jan Lieskovsky <jlieskov>|
|Component:||vulnerability||Assignee:||Red Hat Product Security <security-response-team>|
|Status:||CLOSED CURRENTRELEASE||QA Contact:|
|Fixed In Version:||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2012-10-29 04:03:34 EDT||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Bug Depends On:||823950, 832351|
Comment 1 Jan Lieskovsky 2012-05-22 09:55:06 EDT
CVE Request:  http://www.openwall.com/lists/oss-security/2012/05/22/6
Comment 2 Jan Lieskovsky 2012-05-22 09:55:51 EDT
This issue affects the versions of the mosh package, as shipped with Fedora release of 15 and 16. Please schedule an update.
Comment 3 Jan Lieskovsky 2012-05-22 09:57:05 EDT
Created mosh tracking bugs for this issue Affects: fedora-all [bug 823950]
Comment 4 Kurt Seifried 2012-05-22 13:40:41 EDT
Added CVE as per http://www.openwall.com/lists/oss-security/2012/05/22/9
Comment 5 Keith Winstein 2012-05-23 04:34:54 EDT
This bug relates to inefficient processing of some ANSI escape sequences by the Mosh terminal emulator. An application or mosh-server can send a large value as the "repeat count" of an ANSI escape sequence, causing the mosh-server or mosh-client to spend a lot of CPU time interpreting a short ANSI escape sequence. Because these applications are already trusted, this is not a security vulnerability per se. For example, the application is also able to shut off the user's keyboard with an ANSI escape sequence -- also not a security vulnerability. Because ANSI escape sequences can do arbitrary things to the user's terminal, programs that allow untrusted user-to-user communication (including write(1), wall(1), and e-mail and newsgroup readers) need to filter these out. Mosh 1.2.1 will contain code to avoid spending all this CPU time by ignoring nonsensical repeat counts. But in general, any terminal emulator must trust the application, since the application decides what should be on the screen. If it wants to fill the screen with garbage or send a lot of beeps or turn off the user's keyboard, most terminal emulators will do what the applicaiton asks. These are matters of discretion and are not security vulnerabilities. (Similarly, the mosh-client must trust the mosh-server to decide what is on the screen and whether to accept user input.) We have suggested this text as the issue description: === Mosh versions 1.2 and earlier allow an application to cause the mosh-server to consume large amounts of CPU time with a short ANSI escape sequence. In addition, a malicious mosh-server can cause the mosh-client to consume large amounts of CPU time with a short ANSI escape sequence. This arises because there was no limit on the value of the "repeat" parameter in some ANSI escape sequences, so even large and nonsensical values would be interpreted by Mosh's terminal emulator. === This gets away from the suggestion that the problem relates to "improper parsing" or the "count of parameters" (it's about wanting a limit on the _value_ of parameters so the terminal emulator doesn't do huge amounts of work to execute a very short sequence), or to data coming from "a remote attacker." Thank you, Keith Winstein Mosh project
Comment 6 Stefan Cornelius 2012-06-15 04:40:21 EDT
Created mosh tracking bugs for this issue Affects: epel-all [bug 832351]
Comment 7 Fedora Update System 2012-06-25 20:44:42 EDT
mosh-1.2.2-1.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2012-06-25 20:51:09 EDT
mosh-1.2.2-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2012-06-25 20:57:33 EDT
mosh-1.2.2-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
Comment 10 Jan Lieskovsky 2012-06-29 10:08:03 EDT
Upstream ticket:  https://github.com/keithw/mosh/issues/271 Relevant upstream patch:  https://github.com/keithw/mosh/commit/9791768705528e911bfca6c4d8aa88139035060e References:  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=673871
Comment 11 Fedora Update System 2012-07-03 15:34:51 EDT
mosh-1.2.2-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2012-07-07 15:29:02 EDT
mosh-1.2.2-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.