
Bug#1038390: bookworm-pu: package vte2.91/0.70.6-1~deb12u1



Hi Simon,

On Sat, Jun 17, 2023 at 03:22:21PM +0100, Simon McVittie wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> User: release.debian.org@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: vte2.91@packages.debian.org, debian-boot@lists.debian.org, team@security.debian.org
> Control: affects -1 + src:vte2.91
> 
> [ Reason ]
> Fix an infinite-loop bug processing a particular control sequence.
> (#1037919, LP: #2022019)
> 
> [ Impact ]
> If unfixed, the infinite loop could be triggered by a malicious program
> accessed via ssh, telnet or similar protocols and used as a denial of
> service. I asked the security team whether they wanted to do a DSA for
> this and haven't heard back, so I'm assuming the answer is no.

Apologies, we missed replying to your question in #1037919. The
point release approach indeed looks fine.

FWIW, do you know if upstream has requested a CVE for it?

Regards,
Salvatore

