Pardus: 2010-111: Vte: Arbitrary Code Execution
Posted by Benjamin D. Thomas   
A vulnerability has been fixed in Vte, which can allow malicious users to execute arbitrary code.
------------------------------------------------------------------------
Pardus Linux Security Advisory 2010-111           security@pardus.org.tr
------------------------------------------------------------------------
      Date: 2010-08-11
  Severity: 4
      Type: Local
------------------------------------------------------------------------

Summary
======
A vulnerability has been fixed in Vte, which can allow malicious users to
execute arbitrary code.


Description
==========
CVE-2010-2713:

The vte_sequence_handler_window_manipulation function in vteseq.c in
libvte (aka libvte9) in VTE 0.25.1 and earlier, as used in
gnome-terminal, does not properly handle escape sequences, which allows
remote attackers to execute arbitrary commands or obtain potentially
sensitive information via a (1) window title or (2) icon title sequence.
NOTE: this issue exists because of a CVE-2003-0070 regression.
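
Added example (not part of the Pardus advisory or the VTE source): a filter that flags and neutralises window/icon title sequences in untrusted text before it is printed to a terminal. The sequence numbers (OSC 0/1/2 to set a title, CSI 20 t / 21 t to request a title report) are the xterm conventions and are assumed here, the function names are hypothetical, and the sample strings are constructed.

```python
import re

# xterm-style sequences (assumed from xterm conventions, not from the advisory):
#   OSC 0|1|2 ; text BEL-or-ST  -> set icon name and/or window title
#   CSI 20 t  /  CSI 21 t       -> ask the terminal to report icon/window title
# Both the 7-bit (ESC ] / ESC [) and 8-bit C1 introducers are matched.
TITLE_SET = re.compile(
    r"(?:\x1b\]|\x9d)([012]);([^\x07\x1b\x9c]*)(?:\x07|\x1b\\|\x9c)")
TITLE_REPORT = re.compile(r"(?:\x1b\[|\x9b)(20|21)t")

SET_TARGET = {"0": "icon+window", "1": "icon", "2": "window"}
REPORT_TARGET = {"20": "icon", "21": "window"}


def find_title_sequences(text):
    """Return (kind, target, payload) for each title set/report sequence."""
    findings = []
    for m in TITLE_SET.finditer(text):
        findings.append(("set-title", SET_TARGET[m.group(1)], m.group(2)))
    for m in TITLE_REPORT.finditer(text):
        findings.append(("report-title", REPORT_TARGET[m.group(1)], ""))
    return findings


def neutralise(text):
    """Make untrusted text safe to print on a terminal.

    Complete title sequences are dropped; every remaining control character
    except newline and tab is shown in visible escaped form, so a truncated
    or unterminated sequence cannot reach the terminal's parser either.
    """
    text = TITLE_SET.sub("", text)
    text = TITLE_REPORT.sub("", text)
    return "".join(
        c if c in "\n\t" or c.isprintable() else repr(c)[1:-1] for c in text)


# Constructed sample inputs with benign text (not captured from a real system).
SAMPLE_SET = "log line \x1b]2;constructed-title\x07 end"
SAMPLE_REPORT = "log line \x1b[21t end"

if __name__ == "__main__":
    for sample in (SAMPLE_SET, SAMPLE_REPORT):
        print(find_title_sequences(sample), "->", repr(neutralise(sample)))
```

Filtering like this is defence in depth for tools that display untrusted data such as log lines or file names; the fix for the issue itself is the vte update listed under Resolution.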



Affected packages:

  Pardus 2009:
    vte, all before 0.20.5-8-4


Resolution
=========
There are update(s) for vte. You can update them via Package Manager or
with a single command from console:

    pisi up vte

References
=========
  * http://bugs.pardus.org.tr/show_bug.cgi?id919

------------------------------------------------------------------------