"Hello, I noticed someone posted this to the screen-devel list. I can reproduce it here, just catting the testcase does crash my screen session. https://lists.gnu.org/archive/html/screen-devel/2021-02/msg00000.html (I think it wasn't supposed to be public, but it is, so better it's visible to security teams) It looks like it might be exploitable at first glance, I see a crash here in encoding.c, because i is out of range. 1411 else if (!combchars[i]) 1412 { 1413 combchars[i] = (struct combchar *)malloc(sizeof(struct combchar)); 1414 if (!combchars[i]) 1415 return; 1416 combchars[i]->prev = i; 1417 combchars[i]->next = i; 1418 } Exploitable or not, it would be annoying if someone stuffed this into logfiles being tailed, or whatever. Tavis."
Possible patch: https://lists.gnu.org/archive/html/screen-devel/2021-02/msg00010.html
(In reply to Hanno Böck from comment #1)
> Possible patch:
> https://lists.gnu.org/archive/html/screen-devel/2021-02/msg00010.html

dalias from musl wasn't happy with this, keeping an eye on it:

[20:24:19] <dalias> ok https://lists.gnu.org/archive/html/screen-devel/2021-02/msg00010.html is the right patch to apply
[20:24:34] <dalias> please update fix with that, since the current patch in alpine just *breaks* multilingual use of screen
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3673b1b7cfa56d2e8f5ebc4de3d028774f331c52

commit 3673b1b7cfa56d2e8f5ebc4de3d028774f331c52
Author:     Sven Wegener <swegener@gentoo.org>
AuthorDate: 2021-02-24 19:21:31 +0000
Commit:     Sven Wegener <swegener@gentoo.org>
CommitDate: 2021-02-24 19:25:15 +0000

    app-misc/screen: Revision bump, security bug #769770

    Bug: https://bugs.gentoo.org/769770
    Package-Manager: Portage-3.0.13, Repoman-3.0.2
    Signed-off-by: Sven Wegener <swegener@gentoo.org>

 app-misc/screen/files/screen-CVE-2021-26937.patch |  61 +++++++++
 app-misc/screen/screen-4.8.0-r2.ebuild            | 159 ++++++++++++++++++++++
 2 files changed, 220 insertions(+)
thanks, tell us when ready to stable
(In reply to Sam James from comment #4)
> thanks, tell us when ready to stable

shall we?
Yep, it is ready for stabilization.
(In reply to Sven Wegener from comment #6)
> Yep, it is ready for stabilization.

Thanks, let's roll!
amd64 stable
x86 stable
hppa/sparc stable
arm done
ppc done
ppc64 done
arm64 done
s390 stable. Maintainer(s), please cleanup. Security, please vote.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8c6196d6e44e6fce001b39bd2db418a44678c63b

commit 8c6196d6e44e6fce001b39bd2db418a44678c63b
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2021-05-25 21:04:24 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2021-05-25 21:04:30 +0000

    app-misc/screen: security cleanup

    Bug: https://bugs.gentoo.org/769770
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 app-misc/screen/screen-4.8.0-r1.ebuild | 158 ---------------------------------
 1 file changed, 158 deletions(-)
New GLSA request filed.
This issue was resolved and addressed in GLSA 202105-11 at https://security.gentoo.org/glsa/202105-11 by GLSA coordinator Thomas Deutschmann (whissi).