Bug 753206 (CVE-2020-27347) - <app-misc/tmux-3.1c: Buffer overflow in escape sequence parser (CVE-2020-27347)
Summary: <app-misc/tmux-3.1c: Buffer overflow in escape sequence parser (CVE-2020-27347)
Status: RESOLVED FIXED
Alias: CVE-2020-27347
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://www.openwall.com/lists/oss-se...
Whiteboard: B2 [glsa+ cve]
Keywords: CC-ARCHES
Depends on:
Blocks:
 
Reported: 2020-11-05 14:06 UTC by Sam James
Modified: 2020-11-14 09:16 UTC
CC: 2 users

See Also:
Package list:
app-misc/tmux-3.1c
Runtime testing required: ---
nattka: sanity-check+
Description Sam James archtester gentoo-dev Security 2020-11-05 14:06:39 UTC
Description:
"I recently discovered a bug in tmux (terminal multiplexer) which could
lead to a crash or code execution. The bug was in the
`input_csi_dispatch_sgr_colon` function which is used by the tmux server
process.

The problem is that the bounds check for the stack-allocated array `p` is
bypassed if the 8th chunk of the input buffer is empty:

       while ((out = strsep(&ptr, ":")) != NULL) {
               if (*out != '\0') {
                       p[n++] = strtonum(out, 0, INT_MAX, &errstr);
                       if (errstr != NULL || n == nitems(p)) {
                               return;
                       }
               } else
                       n++;
       }

Thus by using an escape sequence like "\033[::::::7::1:2:3::5:6:7:m" we
can overwrite arbitrary 4-byte locations on the stack. Moreover, empty
arguments ("::") may be used to skip chosen offsets, and thereby
keep stack canaries untouched.

Code execution is proved practical only if the tmux address space isn't
fully randomized. So ASLR with PIE will mitigate this issue, but more
complex exploits may theoretically be created."
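As an added example (not tmux's code and not part of the quoted report), the C below shows the quoted loop with the bounds check placed in front of every use of `n` as an index, so an empty chunk can no longer advance the index past the array, alongside a write-free model of the original loop that only reports how many slots it would have stored into. The slot count `SGR_NPARAMS = 8`, the function names, and the `strtol`-based stand-in for OpenBSD `strtonum()` are assumptions made for this example; chunks are split on ':' with `strchr` so the behaviour matches `strsep()` without modifying the input.

```c
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical slot count; the page does not give the real size of tmux's `p`. */
#define SGR_NPARAMS 8

/* Parse the chunk [s, end) as a base-10 integer in [lo, hi], mirroring the
 * report's strtonum(out, 0, INT_MAX, &errstr) call. Returns 0 and stores the
 * value, or -1 if the chunk is empty, non-numeric or out of range. */
static int parse_chunk(const char *s, const char *end, long lo, long hi, long *val)
{
    char *stop;
    long v;

    if (s == end)
        return -1;
    errno = 0;
    v = strtol(s, &stop, 10);
    if (stop != end || errno == ERANGE || v < lo || v > hi)
        return -1;
    *val = v;
    return 0;
}

/* Hardened loop: every chunk, empty or not, passes the bounds check before `n`
 * is used as an index, and both branches share one increment. Empty chunks
 * leave p[n] as the caller initialised it ("skip this slot"). Returns the
 * number of chunks consumed, or -1 on a bad number or more than `slots` chunks. */
int sgr_colon_parse_safe(const char *params, int *p, size_t slots)
{
    const char *cur = params, *end;
    size_t n = 0;
    long v;

    for (;;) {
        end = strchr(cur, ':');
        if (end == NULL)
            end = cur + strlen(cur);
        if (n >= slots)         /* too many chunks: refuse before touching p[n] */
            return -1;
        if (cur != end) {
            if (parse_chunk(cur, end, 0, INT_MAX, &v) != 0)
                return -1;
            p[n] = (int)v;
        }
        n++;
        if (*end == '\0')
            return (int)n;
        cur = end + 1;
    }
}

/* Model of the loop quoted in the report, used to measure rather than reproduce
 * the defect: it writes nothing and only records the highest slot index plus one
 * that a non-empty chunk would have stored into. A result larger than `slots`
 * means the original loop would have written past `p`. */
size_t sgr_colon_slots_touched(const char *params, size_t slots)
{
    const char *cur = params, *end;
    size_t n = 0, high = 0;
    long v;

    for (;;) {
        end = strchr(cur, ':');
        if (end == NULL)
            end = cur + strlen(cur);
        if (cur != end) {
            int bad = parse_chunk(cur, end, 0, INT_MAX, &v);
            if (n + 1 > high)
                high = n + 1;   /* the original does p[n++] = ... here */
            n++;
            if (bad || n == slots)
                break;
        } else
            n++;                /* empty chunk: the original skips the check */
        if (*end == '\0')
            break;
        cur = end + 1;
    }
    return high;
}

/* Wrappers over a local SGR_NPARAMS-slot array: sgr_colon_count() returns the
 * chunk count or -1; sgr_colon_param() returns the value in slot `idx`, -1 if
 * that slot was skipped or never reached, INT_MIN if the sequence was rejected. */
int sgr_colon_count(const char *params)
{
    int p[SGR_NPARAMS];
    return sgr_colon_parse_safe(params, p, SGR_NPARAMS);
}

int sgr_colon_param(const char *params, size_t idx)
{
    int p[SGR_NPARAMS], i;
    for (i = 0; i < SGR_NPARAMS; i++)
        p[i] = -1;
    if (idx >= SGR_NPARAMS || sgr_colon_parse_safe(params, p, SGR_NPARAMS) < 0)
        return INT_MIN;
    return p[idx];
}
```

With the parameter string from the report ("::::::7::1:2:3::5:6:7"), `sgr_colon_slots_touched()` reports 15 slots for an 8-slot array, while `sgr_colon_parse_safe()` rejects the same string at the ninth chunk; a normal extended-colour sequence such as "38:2::255:0:0" still parses, with the skipped slot left at its initial value. The fix is the single check placed before the index is used, not the rejection of empty chunks, which the SGR colon syntax legitimately allows.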
Comment 1 Sam James archtester gentoo-dev Security 2020-11-06 17:34:14 UTC
amd64 done
Comment 2 Sam James archtester gentoo-dev Security 2020-11-06 17:34:42 UTC
ppc done
Comment 3 Sam James archtester gentoo-dev Security 2020-11-06 18:13:12 UTC
arm64 done
Comment 4 Sam James archtester gentoo-dev Security 2020-11-06 18:13:46 UTC
arm done
Comment 5 Sam James archtester gentoo-dev Security 2020-11-06 22:35:28 UTC
x86 done
Comment 6 Sam James archtester gentoo-dev Security 2020-11-07 01:25:24 UTC
ppc64 stable
Comment 7 Sam James archtester gentoo-dev Security 2020-11-07 20:25:58 UTC
sparc done
Comment 8 Sergei Trofimovich gentoo-dev 2020-11-07 20:52:06 UTC
hppa stable
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2020-11-11 03:50:02 UTC
This issue was resolved and addressed in
 GLSA 202011-10 at https://security.gentoo.org/glsa/202011-10
by GLSA coordinator Sam James (sam_c).
Comment 10 Sam James archtester gentoo-dev Security 2020-11-11 03:51:47 UTC Comment hidden (obsolete)
Comment 11 Sam James archtester gentoo-dev Security 2020-11-11 03:51:58 UTC
Reopening for stable/cleanup.
Comment 12 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2020-11-14 09:16:19 UTC
s390 stable