screen: CVE-2020-9366: out of bounds access when setting w_xtermosc after OSC 49

Related Vulnerabilities: CVE-2020-9366  

Debian Bug report logs - #950896


Package: src:screen; Maintainer for src:screen is Axel Beckert <abe@debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 7 Feb 2020 21:33:02 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in version screen/4.7.0-1

Fixed in version screen/4.8.0-1

Done: Debian FTP Masters <ftpmaster@ftp-master.debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Axel Beckert <abe@debian.org>:
Bug#950896; Package src:screen. (Fri, 07 Feb 2020 21:33:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Axel Beckert <abe@debian.org>. (Fri, 07 Feb 2020 21:33:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: screen: out of bounds access when setting w_xtermosc after OSC 49
Date: Fri, 07 Feb 2020 22:28:55 +0100
Source: screen
Version: 4.7.0-1
Severity: important
Tags: security upstream fixed-upstream

Hi

There is a new upstream release, 4.8.0, which also fixes an out-of-bounds
access issue:

https://www.openwall.com/lists/oss-security/2020/02/06/3

Regards,
Salvatore



Added tag(s) pending. Request was from Axel Beckert <abe@debian.org> to control@bugs.debian.org. (Sat, 08 Feb 2020 01:00:03 GMT)


Reply sent to Axel Beckert <abe@debian.org>:
You have taken responsibility. (Sat, 08 Feb 2020 02:42:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 08 Feb 2020 02:42:03 GMT)


Message #12 received at 950896-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 950896-close@bugs.debian.org
Subject: Bug#950896: fixed in screen 4.8.0-1
Date: Sat, 08 Feb 2020 02:38:01 +0000
Source: screen
Source-Version: 4.8.0-1

We believe that the bug you reported is fixed in the latest version of
screen, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 950896@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Axel Beckert <abe@debian.org> (supplier of updated screen package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 08 Feb 2020 02:16:54 +0100
Source: screen
Architecture: source
Version: 4.8.0-1
Distribution: unstable
Urgency: medium
Maintainer: Axel Beckert <abe@debian.org>
Changed-By: Axel Beckert <abe@debian.org>
Closes: 950896
Changes:
 screen (4.8.0-1) unstable; urgency=medium
 .
   * Import new upstream release 4.8.0.
     + Fixes out of bounds access when setting w_xtermosc after OSC 49.
       (Closes: #950896)
     + Refresh patches where needed.
   * Declare compliance with Debian Policy 4.5.0. (No changes needed.)
Checksums-Sha1:
 fd393bb3cda6b12349794d5aa1cb6486c9af38a4 2317 screen_4.8.0-1.dsc
 2328927e10e68d357bdfec7bd740726011e834e9 854854 screen_4.8.0.orig.tar.gz
 9e76ca2d2717bc4b56ab67a382597323890cd45f 833 screen_4.8.0.orig.tar.gz.asc
 bfeaa53a753849a4466b24ee216b3ba0832f71a8 46936 screen_4.8.0-1.debian.tar.xz
 16972c6bfc7eb0ad452a5173ef6ebddd2f9102af 6599 screen_4.8.0-1_source.buildinfo
Checksums-Sha256:
 15a0d6c25079c409eaa591a9c7fb7790abd81f1895fd384cb2fe1673aece4e6d 2317 screen_4.8.0-1.dsc
 6e11b13d8489925fde25dfb0935bf6ed71f9eb47eff233a181e078fde5655aa1 854854 screen_4.8.0.orig.tar.gz
 fa98276a340936a1d182663ab99b2f411ae9222d35c46e82a20a1ea84a4a17a0 833 screen_4.8.0.orig.tar.gz.asc
 79cbd86fed11286b162ab84776a71b19250e1d3525c3304286da2e0145f33c02 46936 screen_4.8.0-1.debian.tar.xz
 deadeae75b74a8994774a22be2a21be96ca7520c2d488647db6eaf637026f642 6599 screen_4.8.0-1_source.buildinfo
Files:
 9db0d9643d375a7972067a0b634b0fc6 2317 misc standard screen_4.8.0-1.dsc
 d276213d3acd10339cd37848b8c4ab1e 854854 misc standard screen_4.8.0.orig.tar.gz
 98ab25ac1648eb454e983467b46e95e0 833 misc standard screen_4.8.0.orig.tar.gz.asc
 6187c540f4dff4f95c58dab72b1b7002 46936 misc standard screen_4.8.0-1.debian.tar.xz
 51219da9eb19697d9b2e2c1f6908d68f 6599 misc standard screen_4.8.0-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Information forwarded to debian-bugs-dist@lists.debian.org, Axel Beckert <abe@debian.org>:
Bug#950896; Package src:screen. (Mon, 24 Feb 2020 19:21:02 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Axel Beckert <abe@debian.org>. (Mon, 24 Feb 2020 19:21:02 GMT)


Message #17 received at 950896@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 950896@bugs.debian.org
Subject: Re: Bug#950896: screen: out of bounds access when setting w_xtermosc after OSC 49
Date: Mon, 24 Feb 2020 20:18:40 +0100
Control: retitle -1 screen: CVE-2020-9366: out of bounds access when setting w_xtermosc after OSC 49

Hi

On Fri, Feb 07, 2020 at 10:28:55PM +0100, Salvatore Bonaccorso wrote:
> Source: screen
> Version: 4.7.0-1
> Severity: important
> Tags: security upstream fixed-upstream
> 
> Hi
> 
> There is a new upstream release, 4.8.0, which also fixes an out-of-bounds
> access issue:
> 
> https://www.openwall.com/lists/oss-security/2020/02/06/3

This has in the meantime been assigned CVE-2020-9366.

Regards,
Salvatore



Changed Bug title to 'screen: CVE-2020-9366: out of bounds access when setting w_xtermosc after OSC 49' from 'screen: out of bounds access when setting w_xtermosc after OSC 49'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 950896-submit@bugs.debian.org. (Mon, 24 Feb 2020 19:21:02 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Feb 25 09:27:52 2020; Machine Name: beach
