CVE-2006-4573: GNU Screen UTF-8 Character Handling Vulnerabilities

Debian Bug report logs - #395225
CVE-2006-4573: GNU Screen UTF-8 Character Handling Vulnerabilities

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Stefan Fritsch <sf@sfritsch.de>

To: submit@bugs.debian.org

Subject: CVE-2006-4573: GNU Screen UTF-8 Character Handling Vulnerabilities

Date: Wed, 25 Oct 2006 20:06:13 +0200

Package: screen
Severity: grave
Tags: security

From http://secunia.com/advisories/22583/:
"Some vulnerabilities have been reported in GNU Screen, which can be 
exploited by malicious people to cause a DoS (Denial of Service) or 
potentially compromise a vulnerable system.
 
 The vulnerabilities are caused due to errors within the handling of 
certain UTF-8 characters. This can be exploited to crash GNU Screen 
or potentially execute arbitrary code by printing a specially crafted 
string to the window."

This is fixed in 4.0.3

Please mention the CVE id in the changelog.

Message #10 received at 395225@bugs.debian.org (full text, mbox, reply):

From: Christian Perrier <bubulle@debian.org>

To: 395225@bugs.debian.org, 395225-submitter@bugs.debian.org

Subject: Intent to NMU screen to fix this (and fix debconf l10n issues)

Date: Fri, 27 Oct 2006 22:56:42 +0200

[Message part 1 (text/plain, inline)]

While working on the l10n NMU campaign, I went on this bug which seems
really easy to fix by building the new 4.0.3 version.

Unless someone else also wants to work on it, I will upload a 4.0.3
NMU ASAP.

It will also include the pending debconf l10n things which the
maintainer seems to not care about.

-- 

[signature.asc (application/pgp-signature, inline)]

Message #18 received at 395225@bugs.debian.org (full text, mbox, reply):

From: Adam Lazur <zal@debian.org>

To: Christian Perrier <bubulle@debian.org>, 395225@bugs.debian.org

Cc: 395225-submitter@bugs.debian.org

Subject: Re: Bug#395225: Intent to NMU screen to fix this (and fix debconf l10n issues)

Date: Fri, 27 Oct 2006 14:47:20 -0700

Christian Perrier (bubulle@debian.org) said:
> While working on the l10n NMU campaign, I went on this bug which seems
> really easy to fix by building the new 4.0.3 version.
> 
> Unless someone else also wants to work on it, I will upload a 4.0.3
> NMU ASAP.
> 
> It will also include the pending debconf l10n things which the
> maintainer seems to not care about.

If you have an NMU ready to go, please go ahead and upload it. I won't
have time to work on the screen package until Sunday evening, and by
then I'll just be duping your efforts.

.adam

Message #26 received at 395225@bugs.debian.org (full text, mbox, reply):

From: Christian Perrier <bubulle@debian.org>

To: 395225@bugs.debian.org, 395225-submitter@bugs.debian.org, team@security.debian.org

Subject: Re: Bug#395225: Intent to NMU screen to fix this (and fix debconf l10n issues)

Date: Sat, 28 Oct 2006 07:44:16 +0200

[Message part 1 (text/plain, inline)]

tags 395225 patch pending
thanks

Quoting Adam Lazur (zal@debian.org):
> Christian Perrier (bubulle@debian.org) said:
> > While working on the l10n NMU campaign, I went on this bug which seems
> > really easy to fix by building the new 4.0.3 version.
> > 
> > Unless someone else also wants to work on it, I will upload a 4.0.3
> > NMU ASAP.
> > 
> > It will also include the pending debconf l10n things which the
> > maintainer seems to not care about.
> 
> If you have an NMU ready to go, please go ahead and upload it. I won't
> have time to work on the screen package until Sunday evening, and by
> then I'll just be duping your efforts.


The NMU is ready and will be uploaded.

Attached are two patches:

screen.patch is the patch for the debian/ directory between 4.0.2-4.1
and 4.0.3-0.1 for unstable. Please note that it includes the debconf
translation updates which were pending and were indeed my initial
reason to look at the package. They are *very* safe as they are only
file additions.

upstream.patch is the patch between upstream versions 4.0.2 and
4.0.3. It should be reviewed by the stable security team and probably
applied in sarge (please note that sarge, testing and unstable
versions are the same versions).

[screen.patch (text/plain, attachment)]

[upstream.patch (text/plain, attachment)]

[signature.asc (application/pgp-signature, inline)]

Message #36 received at 395225-close@bugs.debian.org (full text, mbox, reply):

From: Christian Perrier <bubulle@debian.org>

To: 395225-close@bugs.debian.org

Subject: Bug#395225: fixed in screen 4.0.3-0.1

Date: Fri, 27 Oct 2006 23:17:11 -0700

Source: screen
Source-Version: 4.0.3-0.1

We believe that the bug you reported is fixed in the latest version of
screen, which is due to be installed in the Debian FTP archive:

screen_4.0.3-0.1.diff.gz
  to pool/main/s/screen/screen_4.0.3-0.1.diff.gz
screen_4.0.3-0.1.dsc
  to pool/main/s/screen/screen_4.0.3-0.1.dsc
screen_4.0.3-0.1_i386.deb
  to pool/main/s/screen/screen_4.0.3-0.1_i386.deb
screen_4.0.3.orig.tar.gz
  to pool/main/s/screen/screen_4.0.3.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 395225@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Perrier <bubulle@debian.org> (supplier of updated screen package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 28 Oct 2006 07:35:57 +0200
Source: screen
Binary: screen
Architecture: source i386
Version: 4.0.3-0.1
Distribution: unstable
Urgency: high
Maintainer: Adam Lazur <zal@debian.org>
Changed-By: Christian Perrier <bubulle@debian.org>
Description: 
 screen     - a terminal multiplexor with VT100/ANSI terminal emulation
Closes: 303818 331583 345059 358160 395225
Changes: 
 screen (4.0.3-0.1) unstable; urgency=high
 .
   * Non-maintainer upload to fix a security issue
   * New upstream version fixing utf8 combining characters handling. The
     bugs could be used to crash/hang screen by writing a special string
     to a window (CVE-2006-4573). Closes: #395225
   * Debconf translation updates:
     - Finnish added. Closes: #303818
     - Swedish added. Closes: #331583
     - Portuguese added. Closes: #345059
     - Italian updated. Closes: #358160
Files: 
 87a09e37b86313dc87c1b568932a090a 624 misc optional screen_4.0.3-0.1.dsc
 8506fd205028a96c741e4037de6e3c42 840602 misc optional screen_4.0.3.orig.tar.gz
 7cf078e23c8374d562998b5674a42ab6 34349 misc optional screen_4.0.3-0.1.diff.gz
 0563abba97b99115f8f3a61767b16229 585370 misc optional screen_4.0.3-0.1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFQvCQ1OXtrMAUPS0RAm8FAJ9bVicwZi9cxJKDNqlBN6MVdY+pYQCghgd7
LqMpGIBDD0CSkKcWLH8Ua28=
=6o6f
-----END PGP SIGNATURE-----

Message #41 received at 395225@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>

To: Christian Perrier <bubulle@debian.org>

Cc: 395225@bugs.debian.org, 395225-submitter@bugs.debian.org, team@security.debian.org

Subject: Re: Bug#395225: Intent to NMU screen to fix this (and fix debconf l10n issues)

Date: Sun, 29 Oct 2006 00:58:02 +0200

Christian Perrier wrote:
> upstream.patch is the patch between upstream versions 4.0.2 and
> 4.0.3. It should be reviewed by the stable security team and probably
> applied in sarge (please note that sarge, testing and unstable
> versions are the same versions).

An update for stable is already ready, but blocked by technical
problems with the security buildd network: The sparc and hppa buildds
can't upload. I haven't heard back from debian-admin, so I don't have
an idea, when we'll be able to issue DSAs again.

Cheers,
        Moritz

Send a report that this bug log contains spam.