It was reported to Ubuntu that vte regressed the fix for CVE-2003-0070 in the following upstream commit: http://git.gnome.org/browse/vte/commit/?id=58bc3a942f198a1a8788553ca72c19d7c1702b74 This would allow for an information disclosure of the window title of the gnome-terminal. This issue does not affect Red Hat Enterprise Linux 5 or earlier, which still replace the contents of the window title with "LTerminal", rather than "l[contents of terminal window]"; as demonstrated with: $ echo -e "\e[21t"
Created attachment 430733 [details] proposed patch to fix the issue
This has been assigned the name CVE-2010-2713.
This is now public: http://git.gnome.org/browse/vte/commit/?id=8b971a7b2c59902914ecbbc3915c45dd21530a91
Created vte tracking bugs for this issue Affects: fedora-all [bug 615046]
This was fixed upstream in 0.19.4; currently Fedora has 0.24.1-1.fc13, 0.26.1-1.fc14, and 0.28.0-1.fc15. This has been fixed.