Debian Bug report logs -
#395225
CVE-2006-4573: GNU Screen UTF-8 Character Handling Vulnerabilities
Reported by: Stefan Fritsch <sf@sfritsch.de>
Date: Wed, 25 Oct 2006 18:18:01 UTC
Severity: grave
Tags: fixed-upstream, patch, security
Merged with 395999
Found in version screen/4.0.2-4.1
Fixed in versions screen/4.0.3-0.1, 4.0.3-0.1
Done: Moritz Muehlenhoff <jmm@inutil.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Adam Lazur <zal@debian.org>: Bug#395225; Package screen.
Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>: New Bug report received and forwarded. Copy sent to Adam Lazur <zal@debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: screen
Severity: grave
Tags: security
From http://secunia.com/advisories/22583/:
"Some vulnerabilities have been reported in GNU Screen, which can be
exploited by malicious people to cause a DoS (Denial of Service) or
potentially compromise a vulnerable system.
The vulnerabilities are caused due to errors within the handling of
certain UTF-8 characters. This can be exploited to crash GNU Screen
or potentially execute arbitrary code by printing a specially crafted
string to the window."
This is fixed in 4.0.3.
Please mention the CVE id in the changelog.
Information forwarded to debian-bugs-dist@lists.debian.org, Adam Lazur <zal@debian.org>: Bug#395225; Package screen.
Acknowledgement sent to Christian Perrier <bubulle@debian.org>: Extra info received and forwarded to list. Copy sent to Adam Lazur <zal@debian.org>.
Message #10 received at 395225@bugs.debian.org:
While working on the l10n NMU campaign, I went on this bug, which seems
really easy to fix by building the new 4.0.3 version.
Unless someone else also wants to work on it, I will upload a 4.0.3
NMU ASAP.
It will also include the pending debconf l10n things which the
maintainer seems not to care about.
Message sent on to Stefan Fritsch <sf@sfritsch.de>: Bug#395225.
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#395225; Package screen.
Acknowledgement sent to Adam Lazur <zal@debian.org>: Extra info received and forwarded to list.
Message #18 received at 395225@bugs.debian.org:
Christian Perrier (bubulle@debian.org) said:
> While working on the l10n NMU campaign, I went on this bug which seems
> really easy to fix by building the new 4.0.3 version.
>
> Unless someone else also wants to work on it, I will upload a 4.0.3
> NMU ASAP.
>
> It will also include the pending debconf l10n things which the
> maintainer seems to not care about.
If you have an NMU ready to go, please go ahead and upload it. I won't
have time to work on the screen package until Sunday evening, and by
then I'll just be duping your efforts.
.adam
Message sent on to Stefan Fritsch <sf@sfritsch.de>: Bug#395225.
Information forwarded to debian-bugs-dist@lists.debian.org, Adam Lazur <zal@debian.org>: Bug#395225; Package screen.
Acknowledgement sent to Christian Perrier <bubulle@debian.org>: Extra info received and forwarded to list. Copy sent to Adam Lazur <zal@debian.org>.
Message #26 received at 395225@bugs.debian.org:
tags 395225 patch pending
thanks
Quoting Adam Lazur (zal@debian.org):
> Christian Perrier (bubulle@debian.org) said:
> > While working on the l10n NMU campaign, I went on this bug which seems
> > really easy to fix by building the new 4.0.3 version.
> >
> > Unless someone else also wants to work on it, I will upload a 4.0.3
> > NMU ASAP.
> >
> > It will also include the pending debconf l10n things which the
> > maintainer seems to not care about.
>
> If you have an NMU ready to go, please go ahead and upload it. I won't
> have time to work on the screen package until Sunday evening, and by
> then I'll just be duping your efforts.
The NMU is ready and will be uploaded.
Attached are two patches:
screen.patch is the patch for the debian/ directory between 4.0.2-4.1
and 4.0.3-0.1 for unstable. Please note that it includes the debconf
translation updates which were pending and were indeed my initial
reason to look at the package. They are *very* safe as they are only
file additions.
upstream.patch is the patch between upstream versions 4.0.2 and
4.0.3. It should be reviewed by the stable security team and probably
applied in sarge (please note that sarge, testing and unstable
versions are the same versions).
[screen.patch (text/plain, attachment)]
[upstream.patch (text/plain, attachment)]
Tags added: patch, pending. Request was from Christian Perrier <bubulle@debian.org> to control@bugs.debian.org.
Message sent on to Stefan Fritsch <sf@sfritsch.de>: Bug#395225.
Reply sent to Christian Perrier <bubulle@debian.org>: You have taken responsibility.
Notification sent to Stefan Fritsch <sf@sfritsch.de>: Bug acknowledged by developer.
Message #36 received at 395225-close@bugs.debian.org:
Source: screen
Source-Version: 4.0.3-0.1
We believe that the bug you reported is fixed in the latest version of
screen, which is due to be installed in the Debian FTP archive:
screen_4.0.3-0.1.diff.gz
to pool/main/s/screen/screen_4.0.3-0.1.diff.gz
screen_4.0.3-0.1.dsc
to pool/main/s/screen/screen_4.0.3-0.1.dsc
screen_4.0.3-0.1_i386.deb
to pool/main/s/screen/screen_4.0.3-0.1_i386.deb
screen_4.0.3.orig.tar.gz
to pool/main/s/screen/screen_4.0.3.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 395225@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Christian Perrier <bubulle@debian.org> (supplier of updated screen package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Sat, 28 Oct 2006 07:35:57 +0200
Source: screen
Binary: screen
Architecture: source i386
Version: 4.0.3-0.1
Distribution: unstable
Urgency: high
Maintainer: Adam Lazur <zal@debian.org>
Changed-By: Christian Perrier <bubulle@debian.org>
Description:
screen - a terminal multiplexor with VT100/ANSI terminal emulation
Closes: 303818 331583 345059 358160 395225
Changes:
screen (4.0.3-0.1) unstable; urgency=high
.
* Non-maintainer upload to fix a security issue
* New upstream version fixing utf8 combining characters handling. The
bugs could be used to crash/hang screen by writing a special string
to a window (CVE-2006-4573). Closes: #395225
* Debconf translation updates:
- Finnish added. Closes: #303818
- Swedish added. Closes: #331583
- Portuguese added. Closes: #345059
- Italian updated. Closes: #358160
Files:
87a09e37b86313dc87c1b568932a090a 624 misc optional screen_4.0.3-0.1.dsc
8506fd205028a96c741e4037de6e3c42 840602 misc optional screen_4.0.3.orig.tar.gz
7cf078e23c8374d562998b5674a42ab6 34349 misc optional screen_4.0.3-0.1.diff.gz
0563abba97b99115f8f3a61767b16229 585370 misc optional screen_4.0.3-0.1_i386.deb
Information forwarded to debian-bugs-dist@lists.debian.org, Adam Lazur <zal@debian.org>: Bug#395225; Package screen.
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Adam Lazur <zal@debian.org>.
Message #41 received at 395225@bugs.debian.org:
Christian Perrier wrote:
> upstream.patch is the patch between upstream versions 4.0.2 and
> 4.0.3. It should be reviewed by the stable security team and probably
> applied in sarge (please note that sarge, testing and unstable
> versions are the same versions).
An update for stable is already ready, but blocked by technical
problems with the security buildd network: the sparc and hppa buildds
can't upload. I haven't heard back from debian-admin, so I don't have
an idea when we'll be able to issue DSAs again.
Cheers,
Moritz
Message sent on to Stefan Fritsch <sf@sfritsch.de>: Bug#395225.
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jun 2007 23:26:16 GMT)
Last modified: Wed Jun 19 18:44:05 2019