
List:       oss-security
Subject:    Re: [oss-security] GNU screen "out of bounds access when setting w_xtermosc after OSC 49"
From:       Amadeusz Sławiński <amade () asmblr ! net>
Date:       2020-02-25 18:15:38
Message-ID: 20200225191538.54fc0d2e () milkyway ! galaxy

On Tue, 25 Feb 2020 14:05:33 +0100
Salvatore Bonaccorso <carnil@debian.org> wrote:

> Hi
> 
> On Thu, Feb 06, 2020 at 03:04:18PM +0100, Solar Designer wrote:
> > Hi,
> > 
> > GNU screen 4.8.0 was released yesterday with a documented security fix
> > in it:
> > 
> > https://lists.gnu.org/archive/html/screen-devel/2020-02/msg00007.html
> > 
> > ---
> > From: 	Amadeusz Slawinski
> > Subject: 	[screen-devel] GNU Screen v.4.8.0
> > Date: 	Wed, 5 Feb 2020 21:45:35 +0100
> > 
> > Hello everyone,
> >  
> > I'm announcing availability of GNU Screen v.4.8.0
> > 
> > Screen is a full-screen window manager that multiplexes a physical
> > terminal between several processes, typically interactive shells. 
> > 
> > This release
> >   * Improves startup time by only polling for already open files to
> >     close
> >   * Fixes:
> >        - Fix for segfault if termcap doesn't have Km entry
> >        - Make screen exit code be 0 when checking --version
> >        - Fix potential memory corruption when using OSC 49
> > 
> > As last fix, fixes potential memory overwrite of quite big size (~768
> > bytes), and even though I'm not sure about potential exploitability of
> > that issue, I highly recommend everyone to upgrade as soon as possible.
> > This issue is present at least since v.4.2.0 (haven't checked earlier).
> > Thanks to pippin who brought this to my attention.  
> 
> Regarding the affected versions,
> https://bugzilla.redhat.com/show_bug.cgi?id=1801405#c6 points out that
> the issue is caused by the upstream commit
> https://git.savannah.gnu.org/cgit/screen.git/commit/?h=screen-v4&id=c5db181b6e017cfccb8d7842ce140e59294d9f62
> which would be only in v4.7.0.
> 
> Is this correct?
> 

Right, that seems correct.
There is also another fix that should've been made:
https://git.savannah.gnu.org/cgit/screen.git/commit/?id=b14e76eb5d6be889d58e37e420384e59a74eddd6
Will try to release 4.8.1 with it soon.

Amadeusz