Bug#982435: screen: CVE-2021-26937
On Wed, Feb 10, 2021 at 05:51:50PM +0100, Axel Beckert wrote:
> > It though doesn't crash an unpatched screen.

Hey Axel, I tried to reply to your screen-devel post, but it's taking a while to subscribe! Here is the message I sent:

On 2021-02-10, Axel Beckert wrote:
> + else if (i < sizeof combchars / sizeof *combchars) {

This doesn't seem right, I think it should be compared against the calloc param at the top of utf8_handle_comb(), but I don't really understand enough about unicode to know where that 0x802 comes from!

I think for sure this code doesn't handle c > 0x801, so maybe that's an acceptable fix? i.e.

--- encoding.c	2020-02-05 12:09:38.0 -0800
+++ encoding.c	2021-02-10 15:00:05.0 -0800
@@ -1357,6 +1357,9 @@
   int root, i, c1;
   int isdouble;
 
+  if (c > 0x801)
+    return;
+
   c1 = mc->image | (mc->font << 8) | mc->fontx << 16;
   isdouble = c1 >= 0x1100 && utf8_isdouble(c1);
   if (!combchars)

Tavis.
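Review bot: the early `if (c > 0x801) return;` hardcodes the table bound separately from the calloc that sizes combchars (0x802 entries, per the discussion above), so the two can drift apart on a later change; define the size once as a named constant and use it both in the calloc and in this check. The quoted `else if (i < sizeof combchars / sizeof *combchars)` line does not bound the table either: combchars is a heap pointer, so that expression is sizeof a pointer divided by the element size, not the element count. The silent return also drops the combining character without any diagnostic; if that is the intended behaviour, a comment at the return saying so would help the next reader.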
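An added illustration (not screen's code, nor Tavis's or Axel's patch) of the two bounds-check shapes discussed above: the quoted `sizeof combchars / sizeof *combchars` applied to a heap pointer, and a check tied to the size passed to calloc. The 0x802 table size is the figure from the thread; the struct layout and function names are assumed.

```c
/* Illustration only: a calloc'd table like screen's combchars, with the
 * bound kept in one named constant shared by allocation and checks.
 * COMBCHARS_SIZE (0x802) is the figure from the thread; the struct layout
 * and function names are hypothetical. */
#include <stdlib.h>
#include <stddef.h>
#include <stdbool.h>

#define COMBCHARS_SIZE 0x802u   /* single source of truth for the bound */

struct combchar { unsigned int c1, c2, next, prev; }; /* hypothetical layout */

static struct combchar *combchars;   /* heap table, allocated with calloc */

/* Allocate exactly COMBCHARS_SIZE entries. Returns false on allocation failure. */
bool combchars_init(void) {
    free(combchars);
    combchars = calloc(COMBCHARS_SIZE, sizeof *combchars);
    return combchars != NULL;
}

/* The expression from the quoted patch line, applied to a pointer: this is
 * sizeof(pointer) / sizeof(element), not the number of entries in the table. */
size_t sizeof_trick_on_pointer(void) {
    return sizeof combchars / sizeof *combchars;
}

/* Bounds check tied to the allocation constant: valid indices are 0..0x801. */
bool comb_slot_in_bounds(unsigned long i) {
    return combchars != NULL && i < COMBCHARS_SIZE;
}

/* Write through the check; returns false and writes nothing when out of range. */
bool comb_slot_set(unsigned long i, unsigned int c1, unsigned int c2) {
    if (!comb_slot_in_bounds(i))
        return false;
    combchars[i].c1 = c1;
    combchars[i].c2 = c2;
    return true;
}
```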
Bug#982435: screen: CVE-2021-26937
Hi,

Utkarsh Gupta wrote:
> On Wed, Feb 10, 2021 at 6:56 PM Utkarsh Gupta wrote:
> > I'll take care of fixing stretch and jessie and I am aware of all this
> > since I was the one who got this CVE assigned! :D
>
> Somewhat related, I also got CVE-2021-27135 assigned for xterm.
> I'll take care of the updates when the patch is available.
>
> But interestingly, while reproducing the issue in screen, you can also
> easily reproduce this issue in xterm. See [1].
>
> [1]: https://www.openwall.com/lists/oss-security/2021/02/09/7

Ick! And indeed, double clicking that line closes xterm. Ouch.

urxvt and kitty seem not affected — but also don't seem to render it correctly either.

I btw. managed to get Taviso's crash with xterm (365-1 from Debian Unstable) even shorter.

$ base64 -d < CVE-2021-26937.poc.minimized | gzip -d - > test
$ lynx -dump test | head -1

And then e.g. double clicking on the resulting line.

Compressed and base64 encoded:

H4sICO4NJGACA3Rlc3Qub25lbGluZQB72tb2EIT2P92//2F7H5gxA0hCRdr2gRlzkES2gxkTESLt
C0CMtl1IIu1gxnwkXbvAjM0IkdbNYMZiJF3rwYx2JJFWMGMmkjl7YGqaYeZsAzM2IemCSM1C0rUa
yOACAGPLp0/r

It though doesn't crash an unpatched screen.

Actually when Tavis mentioned Thomas, I just wanted to test where I have most contact with Thomas: Lynx. But I found no similar issues in Lynx. :-)

Regards, Axel
Bug#982435: screen: CVE-2021-26937
Hello,

On Wed, Feb 10, 2021 at 6:56 PM Utkarsh Gupta wrote:
> I'll take care of fixing stretch and jessie and I am aware of all this
> since I was the one who got this CVE assigned! :D

Somewhat related, I also got CVE-2021-27135 assigned for xterm. I'll take care of the updates when the patch is available.

But interestingly, while reproducing the issue in screen, you can also easily reproduce this issue in xterm. See [1].

[1]: https://www.openwall.com/lists/oss-security/2021/02/09/7

- u
Bug#982435: screen: CVE-2021-26937
On Wed, Feb 10, 2021 at 6:56 PM Utkarsh Gupta wrote:
> I'll take care of fixing stretch and jessie and I am aware of all this
> since I was the one who got this CVE assigned! :D

Oh, I forgot to mention, I say this with my LTS and ELTS hat on! But in case you want to work on the package yourself, that's very welcome too! :)

Either way, thanks for CCing and keeping everybody in the loop this way!

- u
Bug#982435: screen: CVE-2021-26937
Hi Axel,

On Wed, Feb 10, 2021 at 5:17 PM Axel Beckert wrote:
> Thanks for the heads up! Hadn't noticed that upstream bug report
> yesterday, but I do have it in my inbox.
>
> https://savannah.gnu.org/bugs/?60030 got locked down in the meanwhile
> as it seems.
>
> Can you keep me in the loop wrt. to patches, e.g. by GPG-encrypted
> mail?

Me, too, please (though I'll keep an eye on it myself)! :)

I'll take care of fixing stretch and jessie and I am aware of all this since I was the one who got this CVE assigned! :D

- u
Processed: Re: Bug#982435: screen: CVE-2021-26937
Processing control commands:

> tag -1 + confirmed
Bug #982435 [src:screen] screen: CVE-2021-26937
Added tag(s) confirmed.
> found -1 4.6.2-3
Bug #982435 [src:screen] screen: CVE-2021-26937
Marked as found in versions screen/4.6.2-3.
> found -1 4.5.0-6
Bug #982435 [src:screen] screen: CVE-2021-26937
Marked as found in versions screen/4.5.0-6.
> found -1 4.2.1-3+deb8u1
Bug #982435 [src:screen] screen: CVE-2021-26937
Marked as found in versions screen/4.2.1-3+deb8u1.

--
982435: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982435
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#982435: screen: CVE-2021-26937
Control: tag -1 + confirmed
Control: found -1 4.6.2-3
Control: found -1 4.5.0-6
Control: found -1 4.2.1-3+deb8u1

Hi Salvatore,

Salvatore Bonaccorso wrote:
> The following vulnerability was published for screen,

Thanks for the heads up! Hadn't noticed that upstream bug report yesterday, but I do have it in my inbox.

https://savannah.gnu.org/bugs/?60030 got locked down in the meanwhile as it seems.

Can you keep me in the loop wrt. to patches, e.g. by GPG-encrypted mail?

> CVE-2021-26937[0]:
> | encoding.c in GNU Screen through 4.8.0 allows remote attackers to
> | cause a denial of service (invalid write access and application crash)
> | or possibly have unspecified other impact via a crafted UTF-8
> | character sequence.
>
> To reproduce the issue and crash screen:

Can confirm.

> https://security-tracker.debian.org/tracker/CVE-2021-26937

Can also confirm that it affects screen in Debian 10 Buster (4.6.2-3) and Debian 9 Stretch (4.5.0-6) as well. Additionally it also affects Debian 8 Jessie ELTS (4.2.1-3+deb8u1). Cc'ing debian-...@lists.debian.org for that.

I though want to note that at least reading https://lists.gnu.org/archive/html/screen-devel/2021-02/msg0.html in my mail reader (mutt), which runs inside screen, did _not_ crash my screen session. So it seems as if mutt has unarmed it in some way.

Regards, Axel
Bug#982435: screen: CVE-2021-26937
Source: screen
Version: 4.8.0-3
Severity: grave
Tags: security upstream
Forwarded: https://lists.gnu.org/archive/html/screen-devel/2021-02/msg0.html
X-Debbugs-Cc: car...@debian.org, Debian Security Team

Hi,

The following vulnerability was published for screen, filing it for now as RC severity, feel free to downgrade if you disagree.

CVE-2021-26937[0]:
| encoding.c in GNU Screen through 4.8.0 allows remote attackers to
| cause a denial of service (invalid write access and application crash)
| or possibly have unspecified other impact via a crafted UTF-8
| character sequence.

To reproduce the issue and crash screen:

$ cat poc.base64
$ base64 -d poc.base64 | gzip -d -

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-26937
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26937
[1] https://lists.gnu.org/archive/html/screen-devel/2021-02/msg0.html
[2] https://www.openwall.com/lists/oss-security/2021/02/09/3
[3] https://savannah.gnu.org/bugs/?60030

Regards,
Salvatore