Patched SRPMS for screen buffer overflow

Details at:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0972
http://marc.theaimsgroup.com/?l=bugtraq&m=106995837813873&w=2

RH 7.3
https://mail.codegrinder.com/www/screen-3.9.11-4.legacy.src.rpm
RH 7.2
https://mail.codegrinder.com/www/screen-3.9.9-4.legacy.src.rpm
MD5SUM
https://mail.codegrinder.com/www/screen-md5sums.asc

The 7.3 rpms work for me.. I don't have a 7.2 box available to test that one.

The default in 7.3 is to not suid the screen binary, so I think we're safe from privilege escalation (unless the user does it of their own volition). But, I am a bit concerned with the idea that someone could hijack my screen session.

So, is this a patch we want to push? If so, we should patch the RH8 rpms as well. RH hasn't yet released a patch for 9, though it has a vulnerable version.

------- Additional Comments From pearcec 2004-01-07 03:47:20 ----

I did a rpm --rebuild screen-3.9.9-4.legacy.src.rpm on my RedHat 7.2 machine. It compiled, installed and works fine. I have no way of testing it fixed the problem. I never use screen and don't know how to make extensive use of it.

------- Additional Comments From pearcec 2004-01-07 08:29:46 ----

I took the fix that Jason did to screen and applied it to Red Hat 8.0. I had to update the BuildRequires to look for autoconf213.

http://www.commnav.com/~pearcec/screen-3.9.11-11.legacy.md5sum
http://www.commnav.com/~pearcec/screen-3.9.11-11.legacy.src.rpm
http://www.commnav.com/~pearcec/screen-3.9.11-11.legacy.i386.rpm

I installed it and it works. I didn't test the exploit.

------- Additional Comments From pearcec 2004-01-08 03:49:30 ----

I took the fix that Jason did to screen and applied it to Red Hat 8.0. I had to update the BuildRequires to look for autoconf213.

RH80:
http://www.commnav.com/~pearcec/screen-3.9.11-11.legacy.src.rpm
MD5SUM:
http://www.commnav.com/~pearcec/screen-3.9.11-11.legacy.md5sum

I installed and did simple tests.

This is an update from my previous comment. I forgot to sign the package.

------- Additional Comments From pearcec 2004-01-12 12:06:54 ----

I took the two patches from the RedHat 9 src rpm. I added them as patches to the last src rpm from RedHat 8.0. It compiles and runs.

Details at:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0972
http://marc.theaimsgroup.com/?l=bugtraq&m=106995837813873&w=2

RH80:
http://www.commnav.com/~pearcec/screen-3.9.11-11.legacy.src.rpm
MD5SUM:
http://www.commnav.com/~pearcec/screen-3.9.11-11.legacy.md5sum

------- Additional Comments From pearcec 2004-01-12 12:08:51 ----

Please ignore the last comment. I had a cut and paste error.

------- Additional Comments From pearcec 2004-01-15 10:26:23 ----

Jason, please sign the md5sum file. I can't pass this by my QA radar.

------- Additional Comments From rohwedde 2004-01-15 10:33:06 ----

It's signed now.. I verified that md5sums were identical to that of my build server at home.

------- Additional Comments From pearcec 2004-01-15 11:21:28 ----

56495de603a5f80fd03380eca8522c5f screen-3.9.11-4.legacy.src.rpm
af36ba4d78614e363b6c24f9e1f3130a screen-3.9.9-4.legacy.src.rpm
19572f92404995e7b2dea8117204dd67 screen-3.9.11.tar.gz
7584be0380e37a4ebe9eee129f0a6c9d screen-3.9.11-semicolon-overflow.patch
9a8b1d6c7438c64b884c4f7d7662afdc screen-3.9.9.tar.gz
780995aa50bd43c0ed368908f09d9ea9 screen-3.9.9-semicolon-overflow.patch

I verified the patch from:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0972
http://marc.theaimsgroup.com/?l=bugtraq&m=106995837813873&w=2

I cross referenced it with Mandrake's fix:
http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:113
Namely: screen-3.9.13-2.1.91mdk.src.rpm

* SPEC looks good
* Tested on RedHat 7.2 and 7.3

------- Additional Comments From warren 2004-01-15 11:53:05 ----

Thanks Christian, that is a good example of the kind of analysis needed for legacy specific packages.

------- Additional Comments From drees 2004-01-15 14:10:34 ----

I've built and tested https://mail.codegrinder.com/www/screen-3.9.11-4.legacy.src.rpm on a RH 7.3 system I've got. The resulting RPM, once installed, passed the basic functionality tests I ran on it.

------- Additional Comments From jkeating 2004-01-18 16:51:21 ----

7.2
af36ba4d78614e363b6c24f9e1f3130a screen-3.9.9-4.legacy.src.rpm
Tested on 7.2, builds fine, patch matches the link. Limited functionality test passes.

7.3
56495de603a5f80fd03380eca8522c5f screen-3.9.11-4.legacy.src.rpm
Tested on 7.3, builds fine, patch matches the link. Limited functionality test passes.

8.0
f8c77a72fa27e07714870349c93437f6 screen-3.9.11-11.legacy.src.rpm
Tested on 8.0. Patch matches link, spec has minimal changes, builds fine, limited functionality test passes.

I vote for PUBLISH.

Note to the packager, in the future, please name the patch with the CAN or CVE number. I'm not going to rebuild this package like that in the interest of getting the update out.

------- Additional Comments From drees 2004-01-20 22:35:58 ----

RH73 Legacy RPMs QAd:
e22108165eeb8a4f2d6f078600117d2a3b5dc88d screen-3.9.11-4.legacy.src.rpm
278a76f5b56d32bc983ab5dc388397c98dffe31c screen-3.9.11-4.legacy.i386.rpm

Reference RedHat RPM:
af5c93e98de038b5a0a4c099776da338c78671f9 screen-3.9.11-3.src.rpm

Verified Legacy src RPM against RedHat RPM. Changes as noted are the addition of Patch screen-3.9.11-semicolon-overflow.patch.
Patch verified against link in original comment.
Src RPM builds OK.
ldd of new binary matches old one.
Passes basic functionality tests.
Checked contents of i386 RPM which match the RPM I built (except for the .gz files which were different because of the stored modification time of the files, after unzipping they were verified to be the same).

Vote PUBLISH

------- Additional Comments From drees 2004-01-20 22:38:29 ----

Just to be clear, I only QA'd screen for RedHat 7.3 in my previous message. I don't have access to RedHat 7.2 or RedHat 8.0 machines.

------- Additional Comments From jonny.strom 2004-01-22 07:08:31 ----

I have downloaded the test version of screen, and from my testing it does work ok on RH 7.3.

------- Additional Comments From jkeating 2004-01-22 07:30:38 ----

Packages published to download.fedoralegacy.org updates-testing

http://download.fedoralegacy.org/redhat/

194fbeb6e1871aad733966eb03525ee3fa6b736e 7.2/updates-testing/SRPMS/screen-3.9.9-4.legacy.src.rpm
38752ec03ec07ab125ab495910861d0317dfe095 7.2/updates-testing/i386/screen-3.9.9-4.legacy.i386.rpm
e22108165eeb8a4f2d6f078600117d2a3b5dc88d 7.3/updates-testing/SRPMS/screen-3.9.11-4.legacy.src.rpm
278a76f5b56d32bc983ab5dc388397c98dffe31c 7.3/updates-testing/i386/screen-3.9.11-4.legacy.i386.rpm
578b3166a0f647ac2a798ad81bdea43c9fe55c7b 8.0/updates-testing/SRPMS/screen-3.9.11-11.legacy.src.rpm
c1422da61421e74a5a66e5404f1fcd33134c07e8 8.0/updates-testing/i386/screen-3.9.11-11.legacy.i386.rpm

Please verify in production.

------- Additional Comments From drees 2004-01-25 11:13:25 ----

RH73
278a76f5b56d32bc983ab5dc388397c98dffe31c screen-3.9.11-4.legacy.i386.rpm

rpm --checksig is good
ldd of new screen binary matches previous RedHat version.
File list of new binary RPM matches old list
Passes basic functionality tests

VERIFIED

------- Additional Comments From jkeating 2004-01-26 18:55:23 ----

FLSA:1187 has been issued for this.

------- Bug moved to this database by dkl 2005-03-30 18:19 -------

This bug previously known as bug 1187 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=1187
Originally filed under the Fedora Legacy product and Package request component.

Unknown version unspecified in product Fedora Legacy. Setting version to "core1".
Unknown priority P1. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
The original reporter of this bug does not have an account here.
Reassigning to the person who moved it here, dkl.
Previous reporter was rohwedde.
Setting qa contact to the default for this product.
This bug either had no qa contact or an invalid one.
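
Added example, not part of the original bug thread or the Fedora Legacy tooling: the QA comment of 2004-01-20 found that a locally rebuilt binary RPM matched the published one except for .gz files whose stored modification time differed. The sketch below automates that comparison over two extracted file sets; the function names, paths and sample bytes are all constructed for illustration.

```python
import gzip
import io
import zlib

def make_gz(payload: bytes, mtime: int) -> bytes:
    """Build a gzip blob with a chosen header timestamp (sample data only)."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=mtime) as fh:
        fh.write(payload)
    return buf.getvalue()

def gzip_mtime(blob: bytes) -> int:
    """Return the MTIME header field: bytes 4-7 of the member, little-endian."""
    if len(blob) < 10 or blob[:2] != b"\x1f\x8b":
        raise ValueError("not a gzip stream")
    return int.from_bytes(blob[4:8], "little")

def compare_file(name: str, a: bytes, b: bytes) -> str:
    if a == b:
        return "identical"
    if name.endswith(".gz"):
        try:
            if gzip.decompress(a) == gzip.decompress(b):
                return "metadata-only"  # same payload, different gzip header
        except (OSError, EOFError, zlib.error):
            pass  # corrupt or truncated stream: report a real difference
    return "content-differs"

def compare_trees(published: dict, rebuilt: dict) -> dict:
    verdicts = {}
    for name in sorted(set(published) | set(rebuilt)):
        if name not in rebuilt:
            verdicts[name] = "missing-in-rebuilt"
        elif name not in published:
            verdicts[name] = "missing-in-published"
        else:
            verdicts[name] = compare_file(name, published[name], rebuilt[name])
    return verdicts

# Constructed sample: path -> bytes, as if extracted from the two binary RPMs.
MAN = b".TH SCREEN 1\n"
PUBLISHED = {"usr/bin/screen": b"\x7fELF-constructed",
             "usr/share/man/man1/screen.1.gz": make_gz(MAN, 1074000000),
             "etc/screenrc": b"startup_message off\n"}
REBUILT = {"usr/bin/screen": b"\x7fELF-constructed",
           "usr/share/man/man1/screen.1.gz": make_gz(MAN, 1074600000),
           "etc/screenrc": b"startup_message on\n"}

if __name__ == "__main__":
    print(compare_trees(PUBLISHED, REBUILT))
```

Only "metadata-only" and "identical" verdicts support a claim that the published package matches an independent rebuild; any other verdict needs a manual look at the file.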