Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bugzilla DB migration completed. Please report issues to Infra team via email via infra@gentoo.org or IRC
Bug 708460 (CVE-2020-9366) - <app-misc/screen-4.8.0: out of bounds access when setting w_xtermosc after OSC 49 (CVE-2020-9366)
Summary: <app-misc/screen-4.8.0: out of bounds access when setting w_xtermosc after OS...
Status: RESOLVED FIXED
Alias: CVE-2020-9366
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-02-06 10:16 UTC by Jeroen Roovers
Modified: 2020-03-30 14:45 UTC (History)
5 users (show)

See Also:
Package list:
app-misc/screen-4.8.0
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Jeroen Roovers gentoo-dev 2020-02-06 10:16:18 UTC
"
This release
  * Improves startup time by only polling for already open files to
    close
  * Fixes:
       - Fix for segfault if termcap doesn't have Km entry
       - Make screen exit code be 0 when checking --version
       - Fix potential memory corruption when using OSC 49

As last fix, fixes potential memory overwrite of quite big size (~768
bytes), and even though I'm not sure about potential exploitability of
that issue, I highly recommend everyone to upgrade as soon as possible.
This issue is present at least since v.4.2.0 (haven't checked earlier).
Thanks to pippin who brought this to my attention.

For full list of changes see
https://git.savannah.gnu.org/cgit/screen.git/log/?h=v.4.8.0
"
Comment 1 Jeroen Roovers gentoo-dev 2020-02-06 14:42:06 UTC
(In reply to Jeroen Roovers from comment #0)
> As last fix, fixes potential memory overwrite of quite big size (~768
> bytes), and even though I'm not sure about potential exploitability of
> that issue, I highly recommend everyone to upgrade as soon as possible.

As seen on oss-security@ this is regarded as a security bug fix release.
Comment 2 Hank Leininger 2020-02-25 13:56:28 UTC
CVE-2020-9366 has been assigned to this vulnerability.
Comment 3 Larry the Git Cow gentoo-dev 2020-02-27 08:59:42 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c7652c1f375a096d86e4d13b17ae97327e7d3af6

commit c7652c1f375a096d86e4d13b17ae97327e7d3af6
Author:     Hank Leininger <hlein@korelogic.com>
AuthorDate: 2020-02-08 03:43:38 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-02-27 08:59:35 +0000

    app-misc/screen: version bump (security fix); GLEP 81
    
    Upstream released a fix for a memory overwrite; no CVE,
    but see referenced bug and
    https://lists.gnu.org/archive/html/screen-devel/2020-02/msg00007.html
    Also updated for GLEP 81.
    Changed ${EROOT%/} to ${EROOT}, because CI complained.
    
    Signed-off-by: Hank Leininger <hlein@korelogic.com>
    Bug: https://bugs.gentoo.org/708460
    Package-Manager: Portage-2.3.84, Repoman-2.3.20
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 app-misc/screen/Manifest            |   1 +
 app-misc/screen/screen-4.8.0.ebuild | 156 ++++++++++++++++++++++++++++++++++++
 2 files changed, 157 insertions(+)
Comment 4 Sam James gentoo-dev Security 2020-03-01 01:41:09 UTC
CVE: CVE-2020-9366
Comment 5 Sam James gentoo-dev Security 2020-03-01 01:41:31 UTC
(In reply to sam_c - Security Padawan from comment #4)
> CVE: CVE-2020-9366

Oops, didn't see it was already posted. Sorry.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2020-03-01 17:39:46 UTC
CVE-2020-9366 (https://nvd.nist.gov/vuln/detail/CVE-2020-9366):
  A buffer overflow was found in the way GNU Screen before 4.8.0 treated the
  special escape OSC 49. Specially crafted output, or a special program, could
  corrupt memory and crash Screen or possibly have unspecified other impact.
Comment 7 Agostino Sarubbo gentoo-dev 2020-03-01 21:45:19 UTC
amd64 stable
Comment 8 Hank Leininger 2020-03-01 23:29:12 UTC
Note that in the weeks since the 4.8 bump, the screen developers have made another related fix:

https://git.savannah.gnu.org/cgit/screen.git/commit/?id=b14e76eb5d6be889d58e37e420384e59a74eddd6

They have not yet made a 4.8.1 release that includes that fix.
Comment 9 Agostino Sarubbo gentoo-dev 2020-03-02 12:30:10 UTC
sparc stable
Comment 10 Agostino Sarubbo gentoo-dev 2020-03-02 12:32:50 UTC
x86 stable
Comment 11 Agostino Sarubbo gentoo-dev 2020-03-02 12:34:11 UTC
s390 stable
Comment 12 Agostino Sarubbo gentoo-dev 2020-03-02 12:40:24 UTC
ppc64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2020-03-02 15:23:58 UTC
ppc stable
Comment 14 Agostino Sarubbo gentoo-dev 2020-03-03 07:54:54 UTC
ia64 stable
Comment 15 Agostino Sarubbo gentoo-dev 2020-03-05 15:06:28 UTC
arm stable
Comment 16 Mart Raudsepp gentoo-dev 2020-03-14 21:09:27 UTC
arm64 stable
Comment 17 Rolf Eike Beer 2020-03-19 21:45:20 UTC
hppa stable
Comment 18 Yury German Gentoo Infrastructure gentoo-dev Security 2020-03-20 05:01:50 UTC
GLSA Vote: No

Please finish up your stabilization so we can cleanup
Comment 19 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2020-03-26 14:08:12 UTC
SuperH port disbanded.
Comment 20 Yury German Gentoo Infrastructure gentoo-dev Security 2020-03-30 05:49:43 UTC
Removing m64k from stabilization (~m68k in Keywords)
GLSA Vote: Yes

Maintainer(s), please drop the vulnerable version(s).
Comment 21 Larry the Git Cow gentoo-dev 2020-03-30 08:35:29 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=592e938b9fc207bb0e4cc44a9ef4e1c451dc316d

commit 592e938b9fc207bb0e4cc44a9ef4e1c451dc316d
Author:     Patrice Clement <monsieurp@gentoo.org>
AuthorDate: 2020-03-30 08:34:54 +0000
Commit:     Patrice Clement <monsieurp@gentoo.org>
CommitDate: 2020-03-30 08:35:23 +0000

    app-misc/screen: remove vulnerable versions.
    
    Bug: https://bugs.gentoo.org/708460
    Package-Manager: Portage-2.3.89, Repoman-2.3.20
    Signed-off-by: Patrice Clement <monsieurp@gentoo.org>

 app-misc/screen/Manifest               |   3 -
 app-misc/screen/screen-4.6.1.ebuild    | 161 ---------------------------------
 app-misc/screen/screen-4.6.2-r1.ebuild | 160 --------------------------------
 app-misc/screen/screen-4.7.0.ebuild    | 160 --------------------------------
 4 files changed, 484 deletions(-)
Comment 22 Sam James gentoo-dev Security 2020-03-30 11:17:28 UTC
Thanks all.
Comment 23 GLSAMaker/CVETool Bot gentoo-dev 2020-03-30 14:45:05 UTC
This issue was resolved and addressed in
 GLSA 202003-62 at https://security.gentoo.org/glsa/202003-62
by GLSA coordinator Thomas Deutschmann (whissi).