Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 559394 (CVE-2015-6806)

Summary: <app-misc/screen-4.3.1-r1: Stack overflow due to deep recursion causing process freeze (CVE-2015-6806)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: jer, shell-tools, swegener
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://savannah.gnu.org/bugs/?45713
See Also: https://bugzilla.redhat.com/show_bug.cgi?id=1258802
http://bugs.debian.org/797624
Whiteboard: B3 [noglsa/cve]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 549938    

Description Agostino Sarubbo gentoo-dev 2015-09-02 10:08:37 UTC
From ${URL} :

A vulnerability was found in screen causing stack overflow which results in crashing the screen 
server process. After running malicious command inside screen, it will recursively call MScrollV to 
depth n/256. This is time consuming and will overflow the stack if 'n' is huge.

CVE request:

http://seclists.org/oss-sec/2015/q3/462

Upstream patch:

http://git.savannah.gnu.org/cgit/screen.git/commit/?id=c336a32a1dcd445e6b83827f83531d4c6414e2cd

Upstream report (contains reproducer):

https://savannah.gnu.org/bugs/?45713


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2015-09-04 05:26:12 UTC
This one affects all of:

=app-misc/screen-4.0.3-r6
=app-misc/screen-4.2.1-r2
=app-misc/screen-4.3.1

and every ebuild in between.

But these were also reported:

http://savannah.gnu.org/bugs/?45714
http://savannah.gnu.org/bugs/?45715
Comment 2 Patrice Clement (RETIRED) gentoo-dev 2015-09-15 23:24:29 UTC
commit 71c7bd0 (HEAD, master)
Author: Patrice Clement <monsieurp@gentoo.org>
Date:   Tue Sep 15 23:14:26 2015 +0000

    app-misc/screen: Patch sources to mitigate a stack overflow. Fixes security bug 559394.
    
    Package-Manager: portage-2.2.18
    Signed-off-by: Patrice Clement <monsieurp@gentoo.org>

 create mode 100644 app-misc/screen/files/screen-4.3.1-ansi.c.patch
 create mode 100644 app-misc/screen/screen-4.3.1-r1.ebuild

Arch teams,

Please stabilise:
app-misc/screen-4.3.1-r1.ebuild

Target arches:
alpha
amd64
arm
arm64
hppa
ia64
m64k
mips
ppc
ppc64
s390
sh
sparc
x86

(phew!)

Thank you.
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2015-09-16 05:39:34 UTC
Stable for HPPA PPC64.
Comment 4 Tobias Klausmann (RETIRED) gentoo-dev 2015-09-16 10:59:13 UTC
Stable on alpha.
Comment 5 Patrice Clement (RETIRED) gentoo-dev 2015-09-17 16:41:54 UTC
Stable for amd64.
Comment 6 Agostino Sarubbo gentoo-dev 2015-09-22 09:00:51 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2015-09-24 08:03:23 UTC
ia64 stable
Comment 8 Markus Meier gentoo-dev 2015-09-25 05:58:18 UTC
arm stable
Comment 9 Agostino Sarubbo gentoo-dev 2015-09-25 14:30:20 UTC
x86 stable
Comment 10 Patrice Clement (RETIRED) gentoo-dev 2015-10-08 08:57:48 UTC
ping @sparc
Comment 11 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-10-10 14:57:34 UTC
sparc stable

GLSA vote: no.
Comment 12 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-10-10 15:06:13 UTC
(In reply to Mikle Kolyada from comment #11)
> sparc stable
> 
> GLSA vote: no.

GLSA vote: No
Comment 13 Patrice Clement (RETIRED) gentoo-dev 2015-10-10 15:37:59 UTC
commit 7eebcd3 (HEAD, master)
Author: Patrice Clement <monsieurp@gentoo.org>
Date:   Sat Oct 10 15:33:53 2015 +0000

    app-misc/screen: Clean up vulnerable versions. Fixes security bug 559394.
    
    Package-Manager: portage-2.2.20.1
    Signed-off-by: Patrice Clement <monsieurp@gentoo.org>

 delete mode 100644 app-misc/screen/files/4.0.2-64bit-time.patch
 delete mode 100644 app-misc/screen/files/4.0.2-no-libelf.patch
 delete mode 100644 app-misc/screen/files/4.0.2-no-pty.patch
 delete mode 100644 app-misc/screen/files/4.0.2-no-utempter.patch
 delete mode 100644 app-misc/screen/files/4.0.2-nonblock.patch
 delete mode 100644 app-misc/screen/files/4.0.2-windowlist-multiuser-fix.patch
 delete mode 100644 app-misc/screen/files/4.0.3-extend-d_termname-ng2.patch
 delete mode 100644 app-misc/screen/files/screen-4.0.1-int-overflow-fix.patch
 delete mode 100644 app-misc/screen/files/screen-4.0.1-vsprintf.patch
 delete mode 100644 app-misc/screen/files/screen-4.0.3-config.h-autoconf-2.62.patch
 delete mode 100644 app-misc/screen/files/screen-4.0.3-cppflags.patch
 delete mode 100644 app-misc/screen/files/screen-4.0.3-crosscompile.patch
 delete mode 100644 app-misc/screen/files/screen-4.0.3-setenv_autoconf.patch
 delete mode 100644 app-misc/screen/screen-4.0.3-r6.ebuild
 delete mode 100644 app-misc/screen/screen-4.0.3-r7.ebuild
 delete mode 100644 app-misc/screen/screen-4.0.3-r8.ebuild
 delete mode 100644 app-misc/screen/screen-4.2.1-r2.ebuild
 delete mode 100644 app-misc/screen/screen-4.3.1.ebuild

Markins as FIXED as per IRC discussion with Kristian and Mikle.