Bug 823943 - (CVE-2012-2385) CVE-2012-2385 mosh: DoS (excessive CPU use) by processing short ANSI escape sequence
Status: CLOSED CURRENTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: low, Severity: low
Assigned To: Red Hat Product Security
Whiteboard: impact=low,public=20120515,reported=2...
Keywords: Security
Depends On: 823950 832351
Reported: 2012-05-22 09:44 EDT by Jan Lieskovsky
Modified: 2012-10-29 04:03 EDT
Doc Type: Bug Fix
Last Closed: 2012-10-29 04:03:34 EDT
Comment 1 Jan Lieskovsky 2012-05-22 09:55:06 EDT
CVE Request:
[4] http://www.openwall.com/lists/oss-security/2012/05/22/6
Comment 2 Jan Lieskovsky 2012-05-22 09:55:51 EDT
This issue affects the versions of the mosh package as shipped with Fedora releases 15 and 16. Please schedule an update.
Comment 3 Jan Lieskovsky 2012-05-22 09:57:05 EDT
Created mosh tracking bugs for this issue

Affects: fedora-all [bug 823950]
Comment 4 Kurt Seifried 2012-05-22 13:40:41 EDT
Added CVE as per http://www.openwall.com/lists/oss-security/2012/05/22/9
Comment 5 Keith Winstein 2012-05-23 04:34:54 EDT
This bug relates to inefficient processing of some ANSI escape sequences by the Mosh terminal emulator.

An application or mosh-server can send a large value as the "repeat count" of an ANSI escape sequence, causing the mosh-server or mosh-client to spend a lot of CPU time interpreting a short ANSI escape sequence.

Because these applications are already trusted, this is not a security vulnerability per se. For example, the application is also able to shut off the user's keyboard with an ANSI escape sequence -- also not a security vulnerability. Because ANSI escape sequences can do arbitrary things to the user's terminal, programs that allow untrusted user-to-user communication (including write(1), wall(1), and e-mail and newsgroup readers) need to filter these out.

Mosh 1.2.1 will contain code to avoid spending all this CPU time by ignoring nonsensical repeat counts. But in general, any terminal emulator must trust the application, since the application decides what should be on the screen. If it wants to fill the screen with garbage or send a lot of beeps or turn off the user's keyboard, most terminal emulators will do what the application asks. These are matters of discretion and are not security vulnerabilities. (Similarly, the mosh-client must trust the mosh-server to decide what is on the screen and whether to accept user input.)

We have suggested this text as the issue description:

===
Mosh versions 1.2 and earlier allow an application to cause the mosh-server to consume large amounts of CPU time with a short ANSI escape sequence. In addition, a malicious mosh-server can cause the mosh-client to consume large amounts of CPU time with a short ANSI escape sequence. This arises because there was no limit on the value of the "repeat" parameter in some ANSI escape sequences, so even large and nonsensical values would be interpreted by Mosh's terminal emulator.
===

This gets away from the suggestion that the problem relates to "improper parsing" or the "count of parameters" (it's about wanting a limit on the _value_ of parameters so the terminal emulator doesn't do huge amounts of work to execute a very short sequence), or to data coming from "a remote attacker."

Thank you,
Keith Winstein
Mosh project
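
Added example (not part of the comment above and not Mosh's own code): a minimal sketch of the mitigation described in comment 5, bounding the value of a repeat parameter before the emulator acts on it. The `Screen` type, `PARAM_MAX` and the function names are hypothetical, and Scroll Up (`CSI Ps S`) is used only for illustration, since the bug report does not say which sequences were affected.

```cpp
#include <algorithm>
#include <cstdio>
#include <string>
#include <vector>

// Hypothetical miniature screen: only what is needed to show the bound.
struct Screen {
    int rows;
    std::vector<std::string> lines;
    long work = 0;                         // row operations performed so far
    explicit Screen(int r) : rows(r), lines(r, std::string("x")) {}
    void scroll_up_one() {                 // one unit of emulator work
        lines.erase(lines.begin());
        lines.push_back("");
        ++work;
    }
};

const int PARAM_MAX = 65535;               // assumed cap on any parsed parameter

// Parse the decimal parameter of "ESC [ <digits> S", saturating at PARAM_MAX
// so a long digit string cannot overflow int. Returns -1 for anything else.
int parse_scroll_count(const std::string& seq) {
    if (seq.size() < 3 || seq[0] != '\033' || seq[1] != '[' || seq.back() != 'S')
        return -1;
    int n = 0;
    for (std::string::size_type i = 2; i + 1 < seq.size(); ++i) {
        if (seq[i] < '0' || seq[i] > '9') return -1;
        n = std::min(PARAM_MAX, n * 10 + (seq[i] - '0'));
    }
    return n == 0 ? 1 : n;                 // missing or zero is treated as 1 here
}

// Execute the scroll with the repeat count bounded by the screen height:
// scrolling more than `rows` times leaves the same blank screen anyway.
long apply_scroll(Screen& s, const std::string& seq) {
    int n = parse_scroll_count(seq);
    if (n < 0) return 0;
    n = std::min(n, s.rows);
    for (int i = 0; i < n; ++i) s.scroll_up_one();
    return s.work;
}

int main() {
    Screen s(24);
    // Constructed input: a 14-byte sequence asking for four billion scrolls.
    std::printf("row operations: %ld\n", apply_scroll(s, "\033[4000000000S"));
}
```

The work done is bounded by the screen height rather than by the value the sender chose, which is the property the suggested issue description says was missing.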
Comment 6 Stefan Cornelius 2012-06-15 04:40:21 EDT
Created mosh tracking bugs for this issue

Affects: epel-all [bug 832351]
Comment 7 Fedora Update System 2012-06-25 20:44:42 EDT
mosh-1.2.2-1.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2012-06-25 20:51:09 EDT
mosh-1.2.2-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2012-06-25 20:57:33 EDT
mosh-1.2.2-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2012-07-03 15:34:51 EDT
mosh-1.2.2-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2012-07-07 15:29:02 EDT
mosh-1.2.2-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.