Bug 212056 (CVE-2006-4573) - CVE-2006-4573 screen buffer overflow
Summary: CVE-2006-4573 screen buffer overflow
Keywords:
Status: CLOSED NEXTRELEASE
Alias: CVE-2006-4573
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Marcela Mašláňová
QA Contact: Brock Organ
URL: http://lists.gnu.org/archive/html/scr...
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2006-10-24 19:41 UTC by Josh Bressers
Modified: 2021-02-25 18:36 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-08-09 15:12:00 UTC
Embargoed:

Attachments (Terms of Use)

Description Josh Bressers 2006-10-24 19:41:34 UTC 
From the screen-users mailing list:

    I've just released screen-4.0.3. This is not the promised next version
    with vertical split and other cool things, but just a security release
    that fixes two bugs in the utf8 combining characters handling. The
    bugs could be used to crash/hang screen by writing a special string
    to a window.

    The fixed version is (as usual) available via:

    ftp://ftp.uni-erlangen.de/pub/utilities/screen/screen-4.0.3.tar.gz

    Credits go to cstone & Rich Felker for finding the bugs.

Kees Cook of Ubuntu analysed this issue and determined that it's likely an
exploitable issue, but it's non trivial to exploit.  This will require a fair
amount of user interaction to exploit, thus the low severity.

This issue also likely affects RHEL2.1 and RHEL3
Comment 2 Marcela Mašláňová 2006-12-11 12:38:30 UTC 
Solved in rawhide.
Comment 3 Marcela Mašláňová 2007-03-28 11:07:25 UTC 
New version, fix bugs from comment#1
Comment 4 Marcela Mašláňová 2007-08-09 15:12:00 UTC 
Please update on screen-4.0.3 and higher.
Comment 5 Josh Bressers 2011-08-02 18:32:12 UTC 
Statement:

Red Hat no longer plans to fix this issue in Red Hat Enterprise Linux 4.
Note You need to log in before you can comment on or make changes to this bug.