Input validation error in Opensuse and Oracle Solaris - CVE-2011-2198
Published: May 21, 2014 / Updated: August 10, 2020
Vulnerability identifier: #VU41641
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2011-2198
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: SUSE
Oracle
Oracle
Affected software:
Opensuse
Oracle Solaris
Opensuse
Oracle Solaris
Detailed vulnerability description
The vulnerability allows a remote #AU# to perform service disruption.
The "insert-blank-characters" capability in caps.c in gnome-terminal (vte) before 0.28.1 allows remote authenticated users to cause a denial of service (CPU and memory consumption and crash) via a crafted file, as demonstrated by a file containing the string "�33[100000000000000000@".
How to mitigate CVE-2011-2198
Install update from vendor's website.
Sources
- http://lists.opensuse.org/opensuse-updates/2012-08/msg00001.html
- http://www.openwall.com/lists/oss-security/2011/06/09/3
- http://www.openwall.com/lists/oss-security/2011/06/13/10
- http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=629688
- https://bugzilla.gnome.org/show_bug.cgi?id=652124
- https://bugzilla.redhat.com/show_bug.cgi?id=712148
- https://git.gnome.org/browse/vte/commit/?h=vte-0-28&id=ac71d26f067be3a21bff315c3cabf24c94360dd6