Red Hat Bugzilla – Bug 613110
CVE-2010-2713 vte: responds to get window title escape sequence request
Last modified: 2015-10-15 17:13:16 EDT
It was reported to Ubuntu that vte regressed the fix for CVE-2003-0070 in the following upstream commit:
This would allow for an information disclosure of the window title of the gnome-terminal.
This issue does not affect Red Hat Enterprise Linux 5 or earlier, which still replace the contents of the window title with "LTerminal", rather than "l[contents of terminal window]"; as demonstrated with:
$ echo -e "\e[21t"
Created attachment 430733 [details]
proposed patch to fix the issue
This has been assigned the name CVE-2010-2713.
This is now public:
Created vte tracking bugs for this issue
Affects: fedora-all [bug 615046]
This was fixed upstream in 0.19.4; currently Fedora has 0.24.1-1.fc13, 0.26.1-1.fc14, and 0.28.0-1.fc15. This has been fixed.