Description: "I recently discovered a bug in tmux (terminal multiplexer) which could lead to crash or code execution. The bug was in `input_csi_dispatch_sgr_colon` function which is used by tmux server process. The problem is that a bound check for a stack-allocated array `p` is bypassed if 8th chunk of input buffer is empty:

    while ((out = strsep(&ptr, ":")) != NULL) {
        if (*out != '\0') {
            p[n++] = strtonum(out, 0, INT_MAX, &errstr);
            if (errstr != NULL || n == nitems(p)) {
                return;
            }
        } else
            n++;
    }

Thus by using an escape sequence like "\033[::::::7::1:2:3::5:6:7:m" we can overwrite arbitrary 4-byte locations on the stack. Moreover, empty arguments ("::") may be used to skip chosen offsets, and thereby keep stack canaries untouched. Code execution is proved practical only if tmux address space isn't fully randomized. So ASLR with PIE will mitigate this issue but more complex exploits may be theoretically created."
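The following is an added, stand-alone illustration of the loop described in the report; it is not code from the tmux project or from the reporter. It reproduces the faulty counting logic against the reporter's escape-sequence payload (with ESC [ and the trailing m stripped) and puts a hardened loop beside it. To keep the demonstration memory-safe, the "stack array" is backed by an oversized scratch buffer, so the function reports which indices the original code would have written instead of actually corrupting the stack. BSD strtonum() is replaced by a strtol() wrapper with the same 0..INT_MAX range check; NPARAMS, SCRATCH, parse_num and the two function names are assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NPARAMS 8    /* nitems(p): the stack array in the report holds 8 ints */
#define SCRATCH 64   /* oversized backing store so the simulation stays memory-safe */

/* Stand-in for strtonum(out, 0, INT_MAX, &errstr): returns 1 on success. */
static int parse_num(const char *s, int *val)
{
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno != 0 || end == s || *end != '\0' || v < 0 || v > INT_MAX)
        return 0;
    *val = (int)v;
    return 1;
}

/* Faulty loop from the report: n is compared with NPARAMS only in the
 * non-empty branch, after the store, and only for equality. Empty chunks
 * ("::") advance n past the array without any check, so the next number
 * is stored out of bounds. scratch[] stands in for p[]; returns the
 * highest index stored, or -1 if nothing was stored. */
static int sgr_colon_vulnerable(const char *args, int *scratch)
{
    char buf[256];
    char *ptr = buf, *out;
    size_t n = 0;
    int highest = -1, v;

    if (strlen(args) >= sizeof(buf))
        return -1;
    strcpy(buf, args);
    memset(scratch, 0, SCRATCH * sizeof(int));

    while ((out = strsep(&ptr, ":")) != NULL) {
        if (*out != '\0') {
            if (n >= SCRATCH)          /* guard for the simulation only */
                return highest;
            if (!parse_num(out, &v))   /* errstr != NULL: bail out */
                return highest;
            scratch[n] = v;            /* p[n++] = ... in the original */
            highest = (int)n;
            n++;
            if (n == NPARAMS)          /* the original check: after the store */
                return highest;
        } else
            n++;                       /* no check at all on this path */
    }
    return highest;
}

/* Hardened loop: refuse before touching p[n] or advancing n past the
 * array, whether or not the chunk is empty. Returns the number of slots
 * consumed, or -1 if the sequence was rejected. */
static int sgr_colon_fixed(const char *args, int *p)
{
    char buf[256];
    char *ptr = buf, *out;
    size_t n = 0;
    int v;

    if (strlen(args) >= sizeof(buf))
        return -1;
    strcpy(buf, args);
    memset(p, 0, NPARAMS * sizeof(int));

    while ((out = strsep(&ptr, ":")) != NULL) {
        if (n >= NPARAMS)              /* would overflow: reject the sequence */
            return -1;
        if (*out != '\0') {
            if (!parse_num(out, &v))
                return -1;
            p[n] = v;
        }
        n++;
    }
    return (int)n;
}

int main(void)
{
    int scratch[SCRATCH], p[NPARAMS];
    /* Payload from the report with "\033[" and "m" removed. */
    const char *payload = "::::::7::1:2:3::5:6:7:";
    int hi = sgr_colon_vulnerable(payload, scratch);

    printf("vulnerable loop: highest index written = %d (array holds %d)\n",
           hi, NPARAMS);
    for (int i = NPARAMS; i <= hi; i++)
        if (scratch[i] != 0)
            printf("  p[%d] = %d  (out of bounds)\n", i, scratch[i]);
    printf("hardened loop: %d\n", sgr_colon_fixed(payload, p));
    return 0;
}
```

With the reporter's payload the faulty loop stores values at indices 8, 9, 10, 12, 13 and 14 of an 8-element array, and index 11 is left untouched by the empty chunk, which is the "skip chosen offsets" trick the report mentions; the hardened loop rejects the same input as soon as the ninth chunk arrives.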
amd64 done
ppc done
arm64 done
arm done
x86 done
ppc64 stable
sparc done
hppa stable
This issue was resolved and addressed in GLSA 202011-10 at https://security.gentoo.org/glsa/202011-10 by GLSA coordinator Sam James (sam_c).
Reopening for cleanup.
Reopening for stable/cleanup.
s390 stable