Bug 823943 (CVE-2012-2385)

CVE Request:
[4] http://www.openwall.com/lists/oss-security/2012/05/22/6

This issue affects the versions of the mosh package, as shipped with Fedora release of 15 and 16. Please schedule an update.

Created mosh tracking bugs for this issue

Affects: fedora-all [bug 823950]

Added CVE as per http://www.openwall.com/lists/oss-security/2012/05/22/9

This bug relates to inefficient processing of some ANSI escape sequences by the Mosh terminal emulator.

An application or mosh-server can send a large value as the "repeat count" of an ANSI escape sequence, causing the mosh-server or mosh-client to spend a lot of CPU time interpreting a short ANSI escape sequence.

Because these applications are already trusted, this is not a security vulnerability per se. For example, the application is also able to shut off the user's keyboard with an ANSI escape sequence -- also not a security vulnerability. Because ANSI escape sequences can do arbitrary things to the user's terminal, programs that allow untrusted user-to-user communication (including write(1), wall(1), and e-mail and newsgroup readers) need to filter these out.

Mosh 1.2.1 will contain code to avoid spending all this CPU time by ignoring nonsensical repeat counts. But in general, any terminal emulator must trust the application, since the application decides what should be on the screen. If it wants to fill the screen with garbage or send a lot of beeps or turn off the user's keyboard, most terminal emulators will do what the applicaiton asks. These are matters of discretion and are not security vulnerabilities. (Similarly, the mosh-client must trust the mosh-server to decide what is on the screen and whether to accept user input.)

We have suggested this text as the issue description:

===
Mosh versions 1.2 and earlier allow an application to cause the mosh-server to consume large amounts of CPU time with a short ANSI escape sequence. In addition, a malicious mosh-server can cause the mosh-client to consume large amounts of CPU time with a short ANSI escape sequence. This arises because there was no limit on the value of the "repeat" parameter in some ANSI escape sequences, so even large and nonsensical values would be interpreted by Mosh's terminal emulator.
===

This gets away from the suggestion that the problem relates to "improper parsing" or the "count of parameters" (it's about wanting a limit on the _value_ of parameters so the terminal emulator doesn't do huge amounts of work to execute a very short sequence), or to data coming from "a remote attacker."

Thank you,
Keith Winstein
Mosh project

Created mosh tracking bugs for this issue

Affects: epel-all [bug 832351]

mosh-1.2.2-1.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

mosh-1.2.2-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

mosh-1.2.2-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Upstream ticket:
[1] https://github.com/keithw/mosh/issues/271

Relevant upstream patch:
[2] https://github.com/keithw/mosh/commit/9791768705528e911bfca6c4d8aa88139035060e

References:
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=673871

mosh-1.2.2-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

mosh-1.2.2-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.