Bug 1801405 (CVE-2020-9366)
| Field | Value |
|---|---|
| Summary | CVE-2020-9366 screen: Out of bounds access when setting w_xtermosc after OSC 49 |
| Product | [Other] Security Response |
| Component | vulnerability |
| Reporter | Pedro Sampaio <psampaio> |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED NOTABUG |
| Severity | medium |
| Priority | medium |
| Version | unspecified |
| CC | cbuissar, jridky, lnykryn, phracek, vdolezal |
| Keywords | Security |
| Hardware | All |
| OS | Linux |
| Fixed In Version | screen 4.8.1 |
| Last Closed | 2020-02-24 15:50:01 UTC |
| Bug Depends On | 1801406, 1801408 |
| Bug Blocks | 1801409 |

Description
Pedro Sampaio
2020-02-10 19:57:15 UTC
Created screen tracking bugs for this issue:

Affects: epel-8 [bug 1801408]
Affects: fedora-all [bug 1801406]

Now I noticed I can't reproduce this issue on el7. Looking for culprits, I found commit https://git.savannah.gnu.org/cgit/screen.git/commit/?h=screen-v4&id=c5db181b6e017cfccb8d7842ce140e59294d9f62 (note the deletion of "--typ2"). This commit comes after screen v2.6.2 so only screen version 2.7.0 is affected. I can't reproduce this issue on f31 either.

re comment #2:
I meant versions v4.6.2 and v4.7.0, of course.

@psampaio
Since I didn't find any of the active package versions vulnerable, I cancelled the updates.
Unless you have some objections, I'll mark these bugs as CLOSED NOTABUG.

In reply to comment #3:
> re comment #2:
> I meant versions v4.6.2 and v4.7.0, of course.
>
> @psampaio
> Since I didn't find any of the active package versions vulnerable, I
> cancelled the updates.
> Unless you have some objections, I'll mark these bugs as CLOSED NOTABUG.

If you mean bugs 1801406 and 1801406, yeah sure, I have no objections.

Hi Vaclav, per upstream, "This issue is present at least since v.4.2.0", so the commit you point to may not be the culprit.

Hi Cedric, yes, I saw that comment, but
- I was able to reproduce this issue in v.4.7.0 only
- the commit I pointed to (c5db181) expands required size of w_xtermosc by 1, which is what the fixing commit (68386df) does

I have sent a mail to the upstream list, but I haven't received any reply yet.

Huh, now, reviewing c5db181, I noticed that d_xtermosc also needs to be expanded. (Luckily this doesn't seem serious.)

Yes, after looking at it, I think I would agree with you: at least as shipped in RHEL7, I don't see it impacted. c5db181 seems to be the first vulnerable commit. Thx!

Statement:
It is believed that the vulnerability was caused by upstream commit c5db181. GNU screen versions prior to 4.7.0 do not seem to be impacted.

Upstream fixes:
- https://git.savannah.gnu.org/cgit/screen.git/commit/?h=v.4.8.0&id=0dd53533e20d2948351a99ec5336fbc9b82b226a
- https://git.savannah.gnu.org/cgit/screen.git/commit/?h=v.4.8.0&id=68386dfb1fa33471372a8cd2e74686758a2f527b
- https://git.savannah.gnu.org/cgit/screen.git/commit/?id=b14e76eb5d6be889d58e37e420384e59a74eddd6

Fixed version & list of upstream fixes corrected per https://www.openwall.com/lists/oss-security/2020/02/25/7
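
The off-by-one discussed in the comments above, as an added C model that is not code from GNU screen or from any participant in this bug. It assumes, which this page does not state, that the slot index is the OSC number divided by 10 and that the table originally had four slots; `osc_slot`, `slot_in_bounds`, `set_xtermosc`, `demo_tbl` and the buffer length are hypothetical.

```c
/* Added illustration: a simplified model, not GNU screen source. */
#include <stdio.h>
#include <string.h>

#define OSC_STRLEN 64        /* assumed per-slot buffer length */
#define SLOTS_BEFORE_FIX 4   /* assumed original slot count */
#define SLOTS_AFTER_FIX 5    /* "expanded by 1", as the comments describe */

/* Constructed table, sized as after the fix, used by the demo below. */
static char demo_tbl[SLOTS_AFTER_FIX][OSC_STRLEN];

/* Assumed index derivation once the "--typ2" decrement noted in the
 * comments is gone: OSC 49 maps to slot 4. */
static int osc_slot(int typ)
{
    return typ / 10;
}

/* Returns 1 when the slot for this OSC number lies inside a table of
 * nslots entries, 0 when a write would land past its end. */
static int slot_in_bounds(int typ, int nslots)
{
    int slot = osc_slot(typ);
    return slot >= 0 && slot < nslots;
}

/* Bounds-checked setter: rejects an out-of-range slot, otherwise copies
 * with truncation and guaranteed NUL termination.
 * Returns 0 on success, -1 if the slot was rejected. */
static int set_xtermosc(char (*tbl)[OSC_STRLEN], int nslots, int typ, const char *val)
{
    int slot = osc_slot(typ);
    if (!slot_in_bounds(typ, nslots))
        return -1;
    strncpy(tbl[slot], val, OSC_STRLEN - 1);
    tbl[slot][OSC_STRLEN - 1] = '\0';
    return 0;
}

int main(void)
{
    /* Treating the table as four slots: OSC 49 is refused, not written. */
    printf("OSC 49, 4 slots: %d\n", set_xtermosc(demo_tbl, SLOTS_BEFORE_FIX, 49, "rgb:00/00/00"));
    /* With five slots the same sequence has a valid destination. */
    printf("OSC 49, 5 slots: %d\n", set_xtermosc(demo_tbl, SLOTS_AFTER_FIX, 49, "rgb:00/00/00"));
    return 0;
}
```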