Your message dated Wed, 10 Feb 2021 22:04:03 +0000
with message-id <e1l9xad-0002ye...@fasolo.debian.org>
and subject line Bug#982435: fixed in screen 4.8.0-4
has caused the Debian Bug report #982435,
regarding screen: CVE-2021-26937
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
982435: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982435
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: screen
Version: 4.8.0-3
Severity: grave
Tags: security upstream
Forwarded: https://lists.gnu.org/archive/html/screen-devel/2021-02/msg00000.html
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for screen, filing it for
now as RC severity, feel free to downgrade if you disagree.

CVE-2021-26937[0]:
| encoding.c in GNU Screen through 4.8.0 allows remote attackers to
| cause a denial of service (invalid write access and application crash)
| or possibly have unspecified other impact via a crafted UTF-8
| character sequence.

To reproduce the issue and crash screen:

$ cat poc.base64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$ base64 -d poc.base64 | gzip -d -

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-26937
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26937
[1] https://lists.gnu.org/archive/html/screen-devel/2021-02/msg00000.html
[2] https://www.openwall.com/lists/oss-security/2021/02/09/3
[3] https://savannah.gnu.org/bugs/?60030

Regards,
Salvatore

--- End Message ---
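The report above carries only MITRE's one-paragraph summary (crafted UTF-8 sequence, invalid write, crash) and the later changelog entry says the fix patched an out-of-bounds array access; neither this thread nor the PoC (elided above) shows the affected code. The program below is an added, constructed illustration of that bug class, not screen's encoding.c and not Debian's or upstream's patch: a naive UTF-8 decoder hands whatever value it assembles to a fixed-size per-code-point table, while the checked decoder rejects short, malformed, overlong, surrogate and above-U+10FFFF sequences before the value can become an index, and the table write itself is bounds-checked. The table size, function names and the sample byte strings are assumptions chosen for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TABLE_SIZE  0x10000u   /* assumed: a per-code-point table covering only the BMP */
#define UNICODE_MAX 0x10FFFFu
#define DECODE_ERR  0xFFFFFFFFu

/* Naive decoder (constructed, not screen's code): trusts the lead byte, still
 * accepts the obsolete 5- and 6-byte forms, never verifies continuation bytes
 * and never range-checks the assembled value. Returns bytes consumed, 0 if short. */
size_t naive_decode(const unsigned char *s, size_t n, uint32_t *cp)
{
    size_t len = 0;
    unsigned char c;
    if (n == 0) return 0;
    c = s[0];
    if (c < 0x80)                { *cp = c; return 1; }
    else if ((c & 0xE0) == 0xC0) { len = 2; *cp = c & 0x1F; }
    else if ((c & 0xF0) == 0xE0) { len = 3; *cp = c & 0x0F; }
    else if ((c & 0xF8) == 0xF0) { len = 4; *cp = c & 0x07; }
    else if ((c & 0xFC) == 0xF8) { len = 5; *cp = c & 0x03; }
    else if ((c & 0xFE) == 0xFC) { len = 6; *cp = c & 0x01; }
    else                         { *cp = c; return 1; }
    if (n < len) return 0;
    for (size_t i = 1; i < len; i++)
        *cp = (*cp << 6) | (s[i] & 0x3F);
    return len;
}

/* Checked decoder: 1..4 byte forms only, continuation bytes verified, and the
 * value rejected if overlong, a UTF-16 surrogate, or above U+10FFFF. On any
 * problem *cp is DECODE_ERR and 0 bytes are consumed. */
size_t checked_decode(const unsigned char *s, size_t n, uint32_t *cp)
{
    static const uint32_t min_for_len[5] = { 0, 0, 0x80, 0x800, 0x10000 };
    size_t len = 0;
    uint32_t v = 0;
    unsigned char c;
    *cp = DECODE_ERR;
    if (n == 0) return 0;
    c = s[0];
    if (c < 0x80)                { *cp = c; return 1; }
    else if ((c & 0xE0) == 0xC0) { len = 2; v = c & 0x1F; }
    else if ((c & 0xF0) == 0xE0) { len = 3; v = c & 0x0F; }
    else if ((c & 0xF8) == 0xF0) { len = 4; v = c & 0x07; }
    else return 0;                              /* stray continuation or 5/6-byte lead */
    if (n < len) return 0;                      /* truncated sequence */
    for (size_t i = 1; i < len; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;    /* not a continuation byte */
        v = (v << 6) | (s[i] & 0x3F);
    }
    if (v < min_for_len[len]) return 0;         /* overlong encoding */
    if (v >= 0xD800 && v <= 0xDFFF) return 0;   /* UTF-16 surrogate */
    if (v > UNICODE_MAX) return 0;              /* beyond Unicode */
    *cp = v;
    return len;
}

static uint8_t seen[TABLE_SIZE];

/* The write that must be guarded: a decoded value may only index the table
 * after a range check. Returns 1 if recorded, 0 if the index was rejected. */
int record_codepoint(uint32_t cp)
{
    if (cp >= TABLE_SIZE) return 0;
    seen[cp] = 1;
    return 1;
}

/* Decode the first sequence of a NUL-free string with each decoder. */
uint32_t naive_one(const char *s)
{
    uint32_t cp;
    return naive_decode((const unsigned char *)s, strlen(s), &cp) ? cp : DECODE_ERR;
}

uint32_t checked_one(const char *s)
{
    uint32_t cp;
    checked_decode((const unsigned char *)s, strlen(s), &cp);
    return cp;
}

int main(void)
{
    /* Constructed inputs: U+20AC (valid), U+110000 (beyond Unicode, 4-byte
     * form), an obsolete 6-byte form, a surrogate, and an overlong '/'. */
    const char *inputs[] = { "\xE2\x82\xAC", "\xF4\x90\x80\x80",
                             "\xFC\x83\xBF\xBF\xBF\xBF", "\xED\xA0\x80", "\xC0\xAF" };
    for (size_t k = 0; k < 5; k++) {
        uint32_t raw = naive_one(inputs[k]);
        printf("naive=0x%X (index %s) checked=0x%X\n", (unsigned)raw,
               record_codepoint(raw) ? "in range" : "rejected",
               (unsigned)checked_one(inputs[k]));
    }
    return 0;
}
```

The naive path turns the 4-byte sequence F4 90 80 80 into 0x110000 and the 6-byte form into 0x3FFFFFF, both far past a 64K-entry table, which is exactly the shape of failure the summary describes; the surrogate and overlong inputs stay inside the table yet are still wrong values, so the decoder's range check and the table's bounds check are both needed, and neither replaces the other.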
--- Begin Message ---
Source: screen
Source-Version: 4.8.0-4
Done: Axel Beckert <a...@debian.org>

We believe that the bug you reported is fixed in the latest version of
screen, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 982...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Axel Beckert <a...@debian.org> (supplier of updated screen package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 10 Feb 2021 22:25:44 +0100
Source: screen
Architecture: source
Version: 4.8.0-4
Distribution: unstable
Urgency: low
Maintainer: Axel Beckert <a...@debian.org>
Changed-By: Axel Beckert <a...@debian.org>
Closes: 982435
Changes:
 screen (4.8.0-4) unstable; urgency=low
 .
   * Update URL in 52fix_screen_utf8_nfd.patch by following the redirect.
   * [CVE-2021-26937] Patch out of bounds array access to fix crash.
     (Closes: #982435; urgency=low to get more exposure for that patch.)
Checksums-Sha1:
 0e1e8096e9d6d5a0870ce1844ef63171288bcb15 2317 screen_4.8.0-4.dsc
 8490f41bfac9c05d53f4a73a2fc200e9d25da28c 48436 screen_4.8.0-4.debian.tar.xz
 965ecd2aba60c8ff77ae6fff7dc9e56a6e1a5824 6716 screen_4.8.0-4_source.buildinfo
Checksums-Sha256:
 57729a52362813e43971c217c43d5d6a87348c2b137a4f676f6a37e7e307a15f 2317 screen_4.8.0-4.dsc
 6b3092d2bbb5e16c2f10b72da96af6b28b55f3150ec3721ec34dbba8e3c83bb8 48436 screen_4.8.0-4.debian.tar.xz
 b68d71ff262fe91761fb72c6d477327b67fe485c49bd2fd24ec150096f6c930c 6716 screen_4.8.0-4_source.buildinfo
Files:
 f18251fe1a94d065b5798cf08a4948b9 2317 misc standard screen_4.8.0-4.dsc
 286810a062755b639eff7f7b59c0d0c8 48436 misc standard screen_4.8.0-4.debian.tar.xz
 c1a0a89e0c1ba09192ffb36e6cf1300d 6716 misc standard screen_4.8.0-4_source.buildinfo

-----BEGIN PGP SIGNATURE-----
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=GWha
-----END PGP SIGNATURE-----

--- End Message ---