Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 769770 (CVE-2021-26937) - <app-misc/screen-4.8.0-r2: Crash when processing certain characters (CVE-2021-26937)
Summary: <app-misc/screen-4.8.0-r2: Crash when processing certain characters (CVE-2021...
Status: IN_PROGRESS
Alias: CVE-2021-26937
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://www.openwall.com/lists/oss-se...
Whiteboard: B3 [glsa? cleanup]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-02-09 16:13 UTC by Sam James
Modified: 2021-03-26 12:01 UTC (History)
3 users (show)

See Also:
Package list:
app-misc/screen-4.8.0-r2
Runtime testing required: ---
nattka: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester gentoo-dev Security 2021-02-09 16:13:30 UTC
"Hello, I noticed someone posted this to the screen-devel list. I can
reproduce it here, just catting the testcase does crash my screen
session.

https://lists.gnu.org/archive/html/screen-devel/2021-02/msg00000.html

(I think it wasn't supposed to be public, but it is, so better it's
visible to security teams)

It looks like it might be exploitable at first glance, I see a crash
here in encoding.c, because i is out of range.

1411   else if (!combchars[i])
1412     {
1413       combchars[i] = (struct combchar *)malloc(sizeof(struct combchar));
1414       if (!combchars[i])
1415            return;
1416       combchars[i]->prev = i;
1417       combchars[i]->next = i;
1418     }

Exploitable or not, it would be annoying if someone stuffed this into logfiles
being tailed, or whatever.

Tavis."
Comment 1 Hanno Böck gentoo-dev 2021-02-13 20:41:38 UTC
Possible patch:
https://lists.gnu.org/archive/html/screen-devel/2021-02/msg00010.html
Comment 2 Sam James archtester gentoo-dev Security 2021-02-13 21:09:39 UTC
(In reply to Hanno Böck from comment #1)
> Possible patch:
> https://lists.gnu.org/archive/html/screen-devel/2021-02/msg00010.html

dalias from musl wasn't happy with this, keeping an eye on it:
[20:24:19]  <dalias> ok https://lists.gnu.org/archive/html/screen-devel/2021-02/msg00010.html is the right patch to apply
[20:24:34]  <dalias> please update fix with that, since the current patch in alpine just *breaks* multilingual use of screen
Comment 3 Larry the Git Cow gentoo-dev 2021-02-24 19:25:31 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3673b1b7cfa56d2e8f5ebc4de3d028774f331c52

commit 3673b1b7cfa56d2e8f5ebc4de3d028774f331c52
Author:     Sven Wegener <swegener@gentoo.org>
AuthorDate: 2021-02-24 19:21:31 +0000
Commit:     Sven Wegener <swegener@gentoo.org>
CommitDate: 2021-02-24 19:25:15 +0000

    app-misc/screen: Revision bump, security bug #769770
    
    Bug: https://bugs.gentoo.org/769770
    Package-Manager: Portage-3.0.13, Repoman-3.0.2
    Signed-off-by: Sven Wegener <swegener@gentoo.org>

 app-misc/screen/files/screen-CVE-2021-26937.patch |  61 +++++++++
 app-misc/screen/screen-4.8.0-r2.ebuild            | 159 ++++++++++++++++++++++
 2 files changed, 220 insertions(+)
Comment 4 Sam James archtester gentoo-dev Security 2021-02-24 19:33:59 UTC
thanks, tell us when ready to stable
Comment 5 Sam James archtester gentoo-dev Security 2021-03-01 20:52:44 UTC
(In reply to Sam James from comment #4)
> thanks, tell us when ready to stable

shall we?
Comment 6 Sven Wegener gentoo-dev 2021-03-04 08:43:31 UTC
Yep, it is ready for stabilization.
Comment 7 Sam James archtester gentoo-dev Security 2021-03-04 08:54:01 UTC
(In reply to Sven Wegener from comment #6)
> Yep, it is ready for stabilization.

Thanks, let's roll!
Comment 8 Agostino Sarubbo gentoo-dev 2021-03-05 07:27:27 UTC
amd64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2021-03-05 07:32:59 UTC
x86 stable
Comment 10 Rolf Eike Beer 2021-03-05 07:37:11 UTC
hppa/sparc stable
Comment 11 Sam James archtester gentoo-dev Security 2021-03-05 18:52:45 UTC
arm done
Comment 12 Sam James archtester gentoo-dev Security 2021-03-05 20:32:30 UTC
ppc done
Comment 13 Sam James archtester gentoo-dev Security 2021-03-05 20:33:34 UTC
ppc64 done
Comment 14 Sam James archtester gentoo-dev Security 2021-03-05 21:43:05 UTC
arm64 done
Comment 15 Agostino Sarubbo gentoo-dev 2021-03-26 12:01:45 UTC
s390 stable.

Maintainer(s), please cleanup.
Security, please vote.