CVE-2010-2713

NameCVE-2010-2713
DescriptionThe vte_sequence_handler_window_manipulation function in vteseq.c in libvte (aka libvte9) in VTE 0.25.1 and earlier, as used in gnome-terminal, does not properly handle escape sequences, which allows remote attackers to execute arbitrary commands or obtain potentially sensitive information via a (1) window title or (2) icon title sequence. NOTE: this issue exists because of a CVE-2003-0070 regression.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
vte (PTS)jessie, stretch1:0.28.2-5fixed
buster, bullseye, bookworm1:0.28.2-6fixed
sid, trixie1:0.28.2-6.1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
vtesourcelenny(not affected)
vtesource(unstable)1:0.24.3-1

Notes

[lenny] - vte <not-affected> (Uses a hardcoded string in the terminal icon/window title)
http://git.gnome.org/browse/vte/commit/?id=58bc3a942f198a1a8788553ca72c19d7c1702b74
http://git.gnome.org/browse/vte/commit/?id=8b971a7b2c59902914ecbbc3915c45dd21530a91

Search for package or bug name: Reporting problems