
Bug 753206 (CVE-2020-27347)

Summary: <app-misc/tmux-3.1c: Buffer overflow in escape sequence parser (CVE-2020-27347)
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: shell-tools, zlogene
Priority: Normal
Keywords: CC-ARCHES
Version: unspecified
Flags: nattka: sanity-check+
Hardware: All
OS: Linux
URL: https://www.openwall.com/lists/oss-security/2020/11/05/3
Whiteboard: B2 [glsa+ cve]
Package list: app-misc/tmux-3.1c
Runtime testing required: ---

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-05 14:06:39 UTC
Description:
"I recently discovered a bug in tmux (terminal multiplexer) which could
lead to crash or code execution. The bug was in
`input_csi_dispatch_sgr_colon` function which is used by tmux server
process.

The problem is that the bounds check for a stack-allocated array `p` is
bypassed if the 8th chunk of the input buffer is empty:

       while ((out = strsep(&ptr, ":")) != NULL) {
               if (*out != '\0') {
                       p[n++] = strtonum(out, 0, INT_MAX, &errstr);
                       if (errstr != NULL || n == nitems(p)) {
                               return;
                       }
               } else
                       n++;
       }

Thus by using an escape sequence like "\033[::::::7::1:2:3::5:6:7:m" we
can overwrite arbitrary 4-byte locations on the stack. Moreover, empty
arguments ("::") may be used to skip chosen offsets, and thereby
keep stack canaries untouched.

Code execution has been proved practical only if the tmux address space isn't
fully randomized. So ASLR with PIE will mitigate this issue, but more
complex exploits may theoretically be created."
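The following is an added example written for this page; it is not code from the report, from tmux or from Gentoo. It replays the control flow of the quoted loop over the parameter list from the report's escape sequence, once with the 3.1b behaviour (every store past p[8] is counted instead of performed, so the program itself does not corrupt memory) and once with the empty-argument branch bounds-checked, which is my reconstruction of what a fix needs to do, not the upstream patch verbatim. `sep_colon` and `num_in_range` are plain C99 stand-ins for strsep(3) and strtonum(3); the parameter string is constructed from the report and assumes the CSI prefix and final 'm' have already been stripped, as they are before tmux reaches this function.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NPARAMS 8	/* int p[8] in the tmux function quoted above */
#define nitems(a) (sizeof(a) / sizeof((a)[0]))

/* strsep(3) stand-in for a single ':' delimiter, so the block is plain C99. */
static char *sep_colon(char **stringp)
{
	char *start = *stringp, *colon;
	if (start == NULL)
		return NULL;
	if ((colon = strchr(start, ':')) != NULL) {
		*colon = '\0';
		*stringp = colon + 1;
	} else
		*stringp = NULL;
	return start;
}

/* strtonum(3) stand-in: decimal in [lo, hi], *errstr non-NULL on failure. */
static long long num_in_range(const char *s, long long lo, long long hi, const char **errstr)
{
	char *end; long long v;
	errno = 0;
	v = strtoll(s, &end, 10);
	*errstr = (*end != '\0' || errno == ERANGE || v < lo || v > hi) ? "invalid" : NULL;
	return *errstr ? 0 : v;
}

struct sgr_walk {
	size_t		n;		/* value of n when the loop stopped */
	size_t		oob_stores;	/* stores the real code would make past p[] */
	unsigned char	stored[32];	/* stored[i] == 1 if index i received a store */
	int		p[NPARAMS];
};

/*
 * Replay the colon-separated parameter loop.  fixed == 0 follows the quoted
 * (vulnerable) control flow; fixed == 1 also bounds-checks the empty-argument
 * branch (my reconstruction of the fix, not the upstream patch verbatim).
 * Stores that would land past p[] are counted, not performed.
 */
static struct sgr_walk walk_sgr_colon(const char *params, int fixed)
{
	struct sgr_walk r;
	const char *errstr;
	char *copy, *ptr, *out;
	size_t len = strlen(params) + 1, n = 0;

	memset(&r, 0, sizeof r);
	if ((copy = ptr = malloc(len)) == NULL)
		return r;
	memcpy(copy, params, len);
	while ((out = sep_colon(&ptr)) != NULL) {
		if (*out != '\0') {
			long long v = num_in_range(out, 0, INT_MAX, &errstr);
			if (n < nitems(r.p))
				r.p[n] = (int)v;
			else
				r.oob_stores++;	/* p[n++] = ... lands on the stack here */
			if (n < nitems(r.stored))
				r.stored[n] = 1;
			n++;
			if (errstr != NULL || n == nitems(r.p))
				break;
		} else {
			n++;			/* empty argument: unchecked in 3.1b */
			if (fixed && n == nitems(r.p))
				break;		/* hardened: bail out here as well */
		}
	}
	free(copy);
	r.n = n;
	return r;
}

/* Did index idx receive a store while walking params? */
static int stored_at(const char *params, int fixed, size_t idx)
{
	struct sgr_walk r = walk_sgr_colon(params, fixed);
	return idx < nitems(r.stored) && r.stored[idx];
}

int main(void)
{
	/* The report's sequence without the CSI prefix and final 'm' (constructed input). */
	const char *params = "::::::7::1:2:3::5:6:7";
	struct sgr_walk v = walk_sgr_colon(params, 0), f = walk_sgr_colon(params, 1);
	printf("vulnerable: n=%zu, %zu stores past p[%d]\n", v.n, v.oob_stores, NPARAMS);
	printf("hardened:   n=%zu, %zu stores past p[%d]\n", f.n, f.oob_stores, NPARAMS);
	return 0;
}
```

With the report's input the vulnerable walk makes six stores at indices 8, 9, 10, 12, 13 and 14 while index 11 is skipped by the "::" in the middle, which is exactly the "skip chosen offsets" behaviour the report describes; the bounds-checked walk stops as soon as the empty eighth chunk pushes n to 8 and never stores past the array.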
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-06 17:34:14 UTC
amd64 done
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-06 17:34:42 UTC
ppc done
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-06 18:13:12 UTC
arm64 done
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-06 18:13:46 UTC
arm done
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-06 22:35:28 UTC
x86 done
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-07 01:25:24 UTC
ppc64 stable
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-07 20:25:58 UTC
sparc done
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2020-11-07 20:52:06 UTC
hppa stable
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2020-11-11 03:50:02 UTC
This issue was resolved and addressed in
 GLSA 202011-10 at https://security.gentoo.org/glsa/202011-10
by GLSA coordinator Sam James (sam_c).
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-11 03:51:47 UTC Comment hidden (obsolete)
Comment 11 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-11 03:51:58 UTC
Reopening for stable/cleanup.
Comment 12 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2020-11-14 09:16:19 UTC
s390 stable