Bug 152654 - screen security patch in rh7x, rh8
Summary: screen security patch in rh7x, rh8
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora Legacy
Classification: Retired
Component: Package request
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Fedora Legacy Bugs
QA Contact:
URL:
Whiteboard: rh72, rh73, rh80
Depends On:
Blocks:
Reported: 2004-01-06 23:15 UTC by David Lawrence
Modified: 2007-04-18 17:22 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description David Lawrence 2005-03-30 23:19:49 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Patched SRPMS for screen buffer overflow

Details at:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0972
http://marc.theaimsgroup.com/?l=bugtraq&m=106995837813873&w=2

RH 7.3 https://mail.codegrinder.com/www/screen-3.9.11-4.legacy.src.rpm
RH 7.2 https://mail.codegrinder.com/www/screen-3.9.9-4.legacy.src.rpm
MD5SUM https://mail.codegrinder.com/www/screen-md5sums.asc

The 7.3 rpms work for me.. I don't have a 7.2 box available to test that one.

The default in 7.3 is to not suid the screen binary, so I think we're safe
from privilege escalation (unless the user does it of their own volition). 
But, I am a bit concerned with the idea that someone could hijack my screen
session.  So, is this a patch we want to push? If so, we should patch the RH8
rpms as well.  RH hasn't yet released a patch for 9, though it has a 
vulnerable version.  

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE/+4b3w2QEY5tkPw0RAmP9AKCqmaOn98UuworKLkSkhep5CKtPPQCeLcko
vfHlFs/qLeYGAKf1HO7uF1s=
=Wt91
-----END PGP SIGNATURE-----



------- Additional Comments From pearcec 2004-01-07 03:47:20 ----

I did a rpm --rebuild screen-3.9.9-4.legacy.src.rpm on my RedHat 7.2 machine. 
It compiled, installed and works fine.  I have no way of testing whether it fixed the
problem.  I never use screen and don't know how to make extensive use of it.



------- Additional Comments From pearcec 2004-01-07 08:29:46 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
I took the fix that Jason did to screen and applied it to Red Hat 8.0.  I had to
update the BuildRequires to look for autoconf213.
 
http://www.commnav.com/~pearcec/screen-3.9.11-11.legacy.md5sum
http://www.commnav.com/~pearcec/screen-3.9.11-11.legacy.src.rpm
http://www.commnav.com/~pearcec/screen-3.9.11-11.legacy.i386.rpm
 
I installed it and it works.  I didn't test the exploit.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
 
iD8DBQE//FAVdlzgVFWktjoRAgeVAJ4x9t/QehEX2Gk8SjYJ3xmLZcDD4QCeJ2Ly
DwJh0cPXJkXeo+cQ4SIJE98=
=vywN
-----END PGP SIGNATURE-----




------- Additional Comments From pearcec 2004-01-08 03:49:30 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
I took the fix that Jason did to screen and applied it to Red Hat 8.0.  I had
to update the BuildRequires to look for autoconf213.
                                                                                
RH80: http://www.commnav.com/~pearcec/screen-3.9.11-11.legacy.src.rpm
MD5SUM: http://www.commnav.com/~pearcec/screen-3.9.11-11.legacy.md5sum
                                                                                
I installed and did simple tests.
                                                                                
This is an update from my previous comment.  I forgot to sign the package.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
 
iD8DBQE//V+3dlzgVFWktjoRAqGnAJ4m9DwoaTHwQCtrxdu4OJLFFX7O1QCeK0ZZ
nvyDTPGjo9+X6nlbRXasveM=
=+Bgi
-----END PGP SIGNATURE-----




------- Additional Comments From pearcec 2004-01-12 12:06:54 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
I took the two patches from the RedHat 9 src rpm.  I added them as patches
to the last src rpm from RedHat 8.0.  It compiles and runs.
  
Details at:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0972
http://marc.theaimsgroup.com/?l=bugtraq&m=106995837813873&w=2
  
RH80: http://www.commnav.com/~pearcec/screen-3.9.11-11.legacy.src.rpm
MD5SUM: http://www.commnav.com/~pearcec/screen-3.9.11-11.legacy.md5sum
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
 
iD8DBQFAAxrxdlzgVFWktjoRAhWNAKCHEBtKidLs69jn8Y5bc0F67ijCDACfQ3yM
4qIO5wP8YzXhP0THLdqptvY=
=Qb6y
-----END PGP SIGNATURE-----




------- Additional Comments From pearcec 2004-01-12 12:08:51 ----

Please ignore the last comment.  I had a cut and paste error.



------- Additional Comments From pearcec 2004-01-15 10:26:23 ----

Jason, please sign the md5sum file.  I can't pass this by my QA radar.



------- Additional Comments From rohwedde 2004-01-15 10:33:06 ----

It's signed now..  I verified that md5sums were identical to that of my build
server at home.



------- Additional Comments From pearcec 2004-01-15 11:21:28 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
56495de603a5f80fd03380eca8522c5f  screen-3.9.11-4.legacy.src.rpm
af36ba4d78614e363b6c24f9e1f3130a  screen-3.9.9-4.legacy.src.rpm
 
19572f92404995e7b2dea8117204dd67  screen-3.9.11.tar.gz
7584be0380e37a4ebe9eee129f0a6c9d  screen-3.9.11-semicolon-overflow.patch
 
9a8b1d6c7438c64b884c4f7d7662afdc  screen-3.9.9.tar.gz
780995aa50bd43c0ed368908f09d9ea9  screen-3.9.9-semicolon-overflow.patch
 
I verified the patch from :
 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0972
http://marc.theaimsgroup.com/?l=bugtraq&m=106995837813873&w=2
 
I cross-referenced it with Mandrake's fix:
 
http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:113
 
Namely :
 
screen-3.9.13-2.1.91mdk.src.rpm
 
* SPEC looks good
* Tested on RedHat 7.2 and 7.3
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
 
iD8DBQFABwTldlzgVFWktjoRAkjDAJ46aR3um+RDWp5omS2obLtPGdam0wCfY3LE
QWGy3PHrJx/aXcLVuG7rrJE=
=7pTE
-----END PGP SIGNATURE-----




------- Additional Comments From warren 2004-01-15 11:53:05 ----

Thanks Christian, that is a good example of the kind of analysis needed for
legacy specific packages.



------- Additional Comments From drees 2004-01-15 14:10:34 ----

I've built and tested
https://mail.codegrinder.com/www/screen-3.9.11-4.legacy.src.rpm on a RH 7.3
system I've got.  The resulting RPM, once installed, passed the basic
functionality tests I ran on it.



------- Additional Comments From jkeating 2004-01-18 16:51:21 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
 
7.2 af36ba4d78614e363b6c24f9e1f3130a  screen-3.9.9-4.legacy.src.rpm
 
Tested on 7.2, builds fine, patch matches the link.  Limited functionality test
passes.
 
7.3 56495de603a5f80fd03380eca8522c5f  screen-3.9.11-4.legacy.src.rpm
 
Tested on 7.3, builds fine, patch matches the link.  Limited functionality test
passes.
 
8.0 f8c77a72fa27e07714870349c93437f6  screen-3.9.11-11.legacy.src.rpm
 
Tested on 8.0.  Patch matches link, spec has minimal changes, builds fine,
Limited functionality test passes.
 
I vote for PUBLISH.
 
Note to the packager, in the future, please name the patch with the CAN or CVE
number.  I'm not going to rebuild this package like that in the interest of
getting the update out.
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
 
iD8DBQFAC0cS4v2HLvE71NURAhPlAJ40jO9mOSIA0Qkkf3CECIjsKQZHJgCgoJVJ
xcY544oYAVEsxGsQqmQs+mE=
=0nae
-----END PGP SIGNATURE-----




------- Additional Comments From drees 2004-01-20 22:35:58 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

RH73

Legacy RPMs QAd:
e22108165eeb8a4f2d6f078600117d2a3b5dc88d  screen-3.9.11-4.legacy.src.rpm
278a76f5b56d32bc983ab5dc388397c98dffe31c  screen-3.9.11-4.legacy.i386.rpm

Reference RedHat RPM:
af5c93e98de038b5a0a4c099776da338c78671f9  screen-3.9.11-3.src.rpm

Verified Legacy src RPM against RedHat RPM.  Changes as noted are the
addition of Patch screen-3.9.11-semicolon-overflow.patch.  Patch
verified against link in original comment.  Src RPM builds OK. ldd of
new binary matches old one.  Passes basic functionality tests.
Checked contents of i386 RPM which match the RPM I built (except for the
.gz files which were different because of the stored modification time
of the files, after unzipping they were verified to be the same).

Vote PUBLISH
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFADjrHNTjPeWOqtfsRAo2TAKCJCFlCNzj9QIzEhfNrv0wgUSBF2QCfcqSj
0+PLw8wHqxluam61rTlJhZA=
=66N8
-----END PGP SIGNATURE-----
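The comparison described in the comment above, where rebuilt `.gz` files differ from the published ones only in their stored modification time, can be automated. This is an added example, not part of the original bug thread or Fedora Legacy tooling; the file paths, contents and timestamps are constructed sample data.

```python
import gzip, io, struct, zlib

GZIP_MAGIC = b"\x1f\x8b"

def gzip_mtime(blob: bytes) -> int:
    """Return the MTIME field (header bytes 4-7, little-endian) of a gzip stream."""
    if blob[:2] != GZIP_MAGIC:
        raise ValueError("not a gzip stream")
    return struct.unpack("<I", blob[4:8])[0]

def classify(old: bytes, new: bytes) -> str:
    """Compare one file from the published package with the rebuilt copy."""
    if old == new:
        return "identical"
    if old[:2] == GZIP_MAGIC and new[:2] == GZIP_MAGIC:
        try:
            # Same payload after decompression: only header metadata changed.
            if gzip.decompress(old) == gzip.decompress(new):
                return "gzip-metadata-only"
        except (OSError, EOFError, zlib.error):
            pass  # corrupt stream: fall through and report a real difference
    return "content-differs"

def compare_trees(published: dict, rebuilt: dict) -> dict:
    """Map every path in either package to a verdict a reviewer can act on."""
    report = {}
    for path in sorted(set(published) | set(rebuilt)):
        if path not in published:
            report[path] = "added"
        elif path not in rebuilt:
            report[path] = "missing"
        else:
            report[path] = classify(published[path], rebuilt[path])
    return report

def _gz(data: bytes, mtime: int) -> bytes:
    """Helper for the sample data: gzip `data` with a chosen header mtime."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=mtime) as fh:
        fh.write(data)
    return buf.getvalue()

# Constructed sample package contents (paths and bytes are illustrative only).
MAN = b".TH SCREEN 1\n"
PUBLISHED = {"bin/screen": b"binary-v1", "man/screen.1.gz": _gz(MAN, 1074600000),
             "info/screen.info.gz": _gz(b"info text", 1074600000)}
REBUILT = {"bin/screen": b"binary-v1", "man/screen.1.gz": _gz(MAN, 1074650000),
           "info/screen.info.gz": _gz(b"info text, altered", 1074650000)}

if __name__ == "__main__":
    for path, verdict in compare_trees(PUBLISHED, REBUILT).items():
        print(f"{verdict:20} {path}")
```

Only a `gzip-metadata-only` verdict matches the benign difference noted in the comment; `content-differs`, `added` or `missing` means the rebuilt package does not reproduce the published one.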




------- Additional Comments From drees 2004-01-20 22:38:29 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Just to be clear, I only QA'd screen for RedHat 7.3 in my previous message.
I don't have access to RedHat 7.2 or RedHat 8.0 machines.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFADjuINTjPeWOqtfsRAgpaAJ9zWv3zzq7MkJvSbTpDnTpbdh7uwACeOXg8
m4v0f9zeRdMVjdUFYyTbANo=
=e/4U
-----END PGP SIGNATURE-----




------- Additional Comments From jonny.strom 2004-01-22 07:08:31 ----

I have downloaded the test version of screen, and from my testing
it does work OK on RH 7.3.




------- Additional Comments From jkeating 2004-01-22 07:30:38 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Packages published to download.fedoralegacy.org updates-testing

http://download.fedoralegacy.org/redhat/

194fbeb6e1871aad733966eb03525ee3fa6b736e  7.2/updates-testing/SRPMS/screen-3.9.9-4.legacy.src.rpm
38752ec03ec07ab125ab495910861d0317dfe095  7.2/updates-testing/i386/screen-3.9.9-4.legacy.i386.rpm

e22108165eeb8a4f2d6f078600117d2a3b5dc88d  7.3/updates-testing/SRPMS/screen-3.9.11-4.legacy.src.rpm
278a76f5b56d32bc983ab5dc388397c98dffe31c  7.3/updates-testing/i386/screen-3.9.11-4.legacy.i386.rpm

578b3166a0f647ac2a798ad81bdea43c9fe55c7b  8.0/updates-testing/SRPMS/screen-3.9.11-11.legacy.src.rpm
c1422da61421e74a5a66e5404f1fcd33134c07e8  8.0/updates-testing/i386/screen-3.9.11-11.legacy.i386.rpm

Please verify in production.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFAEAhQ4v2HLvE71NURAgfsAKCGkNkCjKdTKHsHVzrCC+kkxFWwQgCbBCqc
AJTAJTC7P6rC4EXMh13PCJY=
=JyeU
-----END PGP SIGNATURE-----



------- Additional Comments From drees 2004-01-25 11:13:25 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

RH73 278a76f5b56d32bc983ab5dc388397c98dffe31c  screen-3.9.11-4.legacy.i386.rpm

rpm --checksig is good
ldd of new screen binary matches previous RedHat version.
File list of new binary RPM matches old list
Passes basic functionality tests

VERIFIED
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFAFDIpNTjPeWOqtfsRAgnmAKC8N7nO0WIHHA/9xbkn538Aqe3fJwCeJH7v
p/wvh5h+S7mHF21KatwZe0I=
=+0pw
-----END PGP SIGNATURE-----




------- Additional Comments From jkeating 2004-01-26 18:55:23 ----

FLSA:1187 has been issued for this.



------- Bug moved to this database by dkl 2005-03-30 18:19 -------

This bug previously known as bug 1187 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=1187
Originally filed under the Fedora Legacy product and Package request component.

Unknown version unspecified in product Fedora Legacy. Setting version to "core1".
Unknown priority P1. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
The original reporter of this bug does not have
   an account here. Reassigning to the person who moved
   it here, dkl.
   Previous reporter was rohwedde.
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.



