Bug 823943 (CVE-2012-2385) - CVE-2012-2385 mosh: DoS (excessive CPU use) by processing short ANSI escape sequence
Summary: CVE-2012-2385 mosh: DoS (excessive CPU use) by processing short ANSI escape s...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: CVE-2012-2385
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 823950 832351
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-05-22 13:44 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:53 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-10-29 08:03:34 UTC


Attachments (Terms of Use)

Comment 1 Jan Lieskovsky 2012-05-22 13:55:06 UTC
CVE Request:
[4] http://www.openwall.com/lists/oss-security/2012/05/22/6

Comment 2 Jan Lieskovsky 2012-05-22 13:55:51 UTC
This issue affects the versions of the mosh package, as shipped with Fedora release of 15 and 16. Please schedule an update.

Comment 3 Jan Lieskovsky 2012-05-22 13:57:05 UTC
Created mosh tracking bugs for this issue

Affects: fedora-all [bug 823950]

Comment 4 Kurt Seifried 2012-05-22 17:40:41 UTC
Added CVE as per http://www.openwall.com/lists/oss-security/2012/05/22/9

Comment 5 Keith Winstein 2012-05-23 08:34:54 UTC
This bug relates to inefficient processing of some ANSI escape sequences by the Mosh terminal emulator.

An application or mosh-server can send a large value as the "repeat count" of an ANSI escape sequence, causing the mosh-server or mosh-client to spend a lot of CPU time interpreting a short ANSI escape sequence.

Because these applications are already trusted, this is not a security vulnerability per se. For example, the application is also able to shut off the user's keyboard with an ANSI escape sequence -- also not a security vulnerability. Because ANSI escape sequences can do arbitrary things to the user's terminal, programs that allow untrusted user-to-user communication (including write(1), wall(1), and e-mail and newsgroup readers) need to filter these out.

Mosh 1.2.1 will contain code to avoid spending all this CPU time by ignoring nonsensical repeat counts. But in general, any terminal emulator must trust the application, since the application decides what should be on the screen. If it wants to fill the screen with garbage or send a lot of beeps or turn off the user's keyboard, most terminal emulators will do what the applicaiton asks. These are matters of discretion and are not security vulnerabilities. (Similarly, the mosh-client must trust the mosh-server to decide what is on the screen and whether to accept user input.)

We have suggested this text as the issue description:

===
Mosh versions 1.2 and earlier allow an application to cause the mosh-server to consume large amounts of CPU time with a short ANSI escape sequence. In addition, a malicious mosh-server can cause the mosh-client to consume large amounts of CPU time with a short ANSI escape sequence. This arises because there was no limit on the value of the "repeat" parameter in some ANSI escape sequences, so even large and nonsensical values would be interpreted by Mosh's terminal emulator.
===

This gets away from the suggestion that the problem relates to "improper parsing" or the "count of parameters" (it's about wanting a limit on the _value_ of parameters so the terminal emulator doesn't do huge amounts of work to execute a very short sequence), or to data coming from "a remote attacker."

Thank you,
Keith Winstein
Mosh project

Comment 6 Stefan Cornelius 2012-06-15 08:40:21 UTC
Created mosh tracking bugs for this issue

Affects: epel-all [bug 832351]

Comment 7 Fedora Update System 2012-06-26 00:44:42 UTC
mosh-1.2.2-1.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2012-06-26 00:51:09 UTC
mosh-1.2.2-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2012-06-26 00:57:33 UTC
mosh-1.2.2-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2012-07-03 19:34:51 UTC
mosh-1.2.2-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2012-07-07 19:29:02 UTC
mosh-1.2.2-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.