Debian Bug report logs - #395225
CVE-2006-4573: GNU Screen UTF-8 Character Handling Vulnerabilities

version graph

Package: screen; Maintainer for screen is Axel Beckert <abe@debian.org>; Source for screen is src:screen.

Reported by: Stefan Fritsch <sf@sfritsch.de>

Date: Wed, 25 Oct 2006 18:18:01 UTC

Severity: grave

Tags: fixed-upstream, patch, security

Merged with 395999

Found in version screen/4.0.2-4.1

Fixed in versions screen/4.0.3-0.1, 4.0.3-0.1

Done: Moritz Muehlenhoff <jmm@inutil.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Adam Lazur <zal@debian.org>:
Bug#395225; Package screen. Full text and rfc822 format available.

Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
New Bug report received and forwarded. Copy sent to Adam Lazur <zal@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Stefan Fritsch <sf@sfritsch.de>
To: submit@bugs.debian.org
Subject: CVE-2006-4573: GNU Screen UTF-8 Character Handling Vulnerabilities
Date: Wed, 25 Oct 2006 20:06:13 +0200
Package: screen
Severity: grave
Tags: security

From http://secunia.com/advisories/22583/:
"Some vulnerabilities have been reported in GNU Screen, which can be 
exploited by malicious people to cause a DoS (Denial of Service) or 
potentially compromise a vulnerable system.
 
 The vulnerabilities are caused due to errors within the handling of 
certain UTF-8 characters. This can be exploited to crash GNU Screen 
or potentially execute arbitrary code by printing a specially crafted 
string to the window."

This is fixed in 4.0.3

Please mention the CVE id in the changelog.



Information forwarded to debian-bugs-dist@lists.debian.org, Adam Lazur <zal@debian.org>:
Bug#395225; Package screen. Full text and rfc822 format available.

Acknowledgement sent to Christian Perrier <bubulle@debian.org>:
Extra info received and forwarded to list. Copy sent to Adam Lazur <zal@debian.org>. Full text and rfc822 format available.

Message #10 received at 395225@bugs.debian.org (full text, mbox):

From: Christian Perrier <bubulle@debian.org>
To: 395225@bugs.debian.org, 395225-submitter@bugs.debian.org
Subject: Intent to NMU screen to fix this (and fix debconf l10n issues)
Date: Fri, 27 Oct 2006 22:56:42 +0200
[Message part 1 (text/plain, inline)]
While working on the l10n NMU campaign, I went on this bug which seems
really easy to fix by building the new 4.0.3 version.

Unless someone else also wants to work on it, I will upload a 4.0.3
NMU ASAP.

It will also include the pending debconf l10n things which the
maintainer seems to not care about.

-- 


[signature.asc (application/pgp-signature, inline)]

Message sent on to Stefan Fritsch <sf@sfritsch.de>:
Bug#395225. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#395225; Package screen. Full text and rfc822 format available.

Acknowledgement sent to Adam Lazur <zal@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #18 received at 395225@bugs.debian.org (full text, mbox):

From: Adam Lazur <zal@debian.org>
To: Christian Perrier <bubulle@debian.org>, 395225@bugs.debian.org
Cc: 395225-submitter@bugs.debian.org
Subject: Re: Bug#395225: Intent to NMU screen to fix this (and fix debconf l10n issues)
Date: Fri, 27 Oct 2006 14:47:20 -0700
Christian Perrier (bubulle@debian.org) said:
> While working on the l10n NMU campaign, I went on this bug which seems
> really easy to fix by building the new 4.0.3 version.
> 
> Unless someone else also wants to work on it, I will upload a 4.0.3
> NMU ASAP.
> 
> It will also include the pending debconf l10n things which the
> maintainer seems to not care about.

If you have an NMU ready to go, please go ahead and upload it. I won't
have time to work on the screen package until Sunday evening, and by
then I'll just be duping your efforts.

.adam



Message sent on to Stefan Fritsch <sf@sfritsch.de>:
Bug#395225. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Adam Lazur <zal@debian.org>:
Bug#395225; Package screen. Full text and rfc822 format available.

Acknowledgement sent to Christian Perrier <bubulle@debian.org>:
Extra info received and forwarded to list. Copy sent to Adam Lazur <zal@debian.org>. Full text and rfc822 format available.

Message #26 received at 395225@bugs.debian.org (full text, mbox):

From: Christian Perrier <bubulle@debian.org>
To: 395225@bugs.debian.org, 395225-submitter@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#395225: Intent to NMU screen to fix this (and fix debconf l10n issues)
Date: Sat, 28 Oct 2006 07:44:16 +0200
[Message part 1 (text/plain, inline)]
tags 395225 patch pending
thanks

Quoting Adam Lazur (zal@debian.org):
> Christian Perrier (bubulle@debian.org) said:
> > While working on the l10n NMU campaign, I went on this bug which seems
> > really easy to fix by building the new 4.0.3 version.
> > 
> > Unless someone else also wants to work on it, I will upload a 4.0.3
> > NMU ASAP.
> > 
> > It will also include the pending debconf l10n things which the
> > maintainer seems to not care about.
> 
> If you have an NMU ready to go, please go ahead and upload it. I won't
> have time to work on the screen package until Sunday evening, and by
> then I'll just be duping your efforts.


The NMU is ready and will be uploaded.

Attached are two patches:

screen.patch is the patch for the debian/ directory between 4.0.2-4.1
and 4.0.3-0.1 for unstable. Please note that it includes the debconf
translation updates which were pending and were indeed my initial
reason to look at the package. They are *very* safe as they are only
file additions.

upstream.patch is the patch between upstream versions 4.0.2 and
4.0.3. It should be reviewed by the stable security team and probably
applied in sarge (please note that sarge, testing and unstable
versions are the same versions).



[screen.patch (text/plain, attachment)]
[upstream.patch (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Tags added: patch, pending Request was from Christian Perrier <bubulle@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Message sent on to Stefan Fritsch <sf@sfritsch.de>:
Bug#395225. Full text and rfc822 format available.

Reply sent to Christian Perrier <bubulle@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Stefan Fritsch <sf@sfritsch.de>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #36 received at 395225-close@bugs.debian.org (full text, mbox):

From: Christian Perrier <bubulle@debian.org>
To: 395225-close@bugs.debian.org
Subject: Bug#395225: fixed in screen 4.0.3-0.1
Date: Fri, 27 Oct 2006 23:17:11 -0700
Source: screen
Source-Version: 4.0.3-0.1

We believe that the bug you reported is fixed in the latest version of
screen, which is due to be installed in the Debian FTP archive:

screen_4.0.3-0.1.diff.gz
  to pool/main/s/screen/screen_4.0.3-0.1.diff.gz
screen_4.0.3-0.1.dsc
  to pool/main/s/screen/screen_4.0.3-0.1.dsc
screen_4.0.3-0.1_i386.deb
  to pool/main/s/screen/screen_4.0.3-0.1_i386.deb
screen_4.0.3.orig.tar.gz
  to pool/main/s/screen/screen_4.0.3.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 395225@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Perrier <bubulle@debian.org> (supplier of updated screen package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 28 Oct 2006 07:35:57 +0200
Source: screen
Binary: screen
Architecture: source i386
Version: 4.0.3-0.1
Distribution: unstable
Urgency: high
Maintainer: Adam Lazur <zal@debian.org>
Changed-By: Christian Perrier <bubulle@debian.org>
Description: 
 screen     - a terminal multiplexor with VT100/ANSI terminal emulation
Closes: 303818 331583 345059 358160 395225
Changes: 
 screen (4.0.3-0.1) unstable; urgency=high
 .
   * Non-maintainer upload to fix a security issue
   * New upstream version fixing utf8 combining characters handling. The
     bugs could be used to crash/hang screen by writing a special string
     to a window (CVE-2006-4573). Closes: #395225
   * Debconf translation updates:
     - Finnish added. Closes: #303818
     - Swedish added. Closes: #331583
     - Portuguese added. Closes: #345059
     - Italian updated. Closes: #358160
Files: 
 87a09e37b86313dc87c1b568932a090a 624 misc optional screen_4.0.3-0.1.dsc
 8506fd205028a96c741e4037de6e3c42 840602 misc optional screen_4.0.3.orig.tar.gz
 7cf078e23c8374d562998b5674a42ab6 34349 misc optional screen_4.0.3-0.1.diff.gz
 0563abba97b99115f8f3a61767b16229 585370 misc optional screen_4.0.3-0.1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFQvCQ1OXtrMAUPS0RAm8FAJ9bVicwZi9cxJKDNqlBN6MVdY+pYQCghgd7
LqMpGIBDD0CSkKcWLH8Ua28=
=6o6f
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Adam Lazur <zal@debian.org>:
Bug#395225; Package screen. Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Adam Lazur <zal@debian.org>. Full text and rfc822 format available.

Message #41 received at 395225@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Christian Perrier <bubulle@debian.org>
Cc: 395225@bugs.debian.org, 395225-submitter@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#395225: Intent to NMU screen to fix this (and fix debconf l10n issues)
Date: Sun, 29 Oct 2006 00:58:02 +0200
Christian Perrier wrote:
> upstream.patch is the patch between upstream versions 4.0.2 and
> 4.0.3. It should be reviewed by the stable security team and probably
> applied in sarge (please note that sarge, testing and unstable
> versions are the same versions).

An update for stable is already ready, but blocked by technical
problems with the security buildd network: The sparc and hppa buildds
can't upload. I haven't heard back from debian-admin, so I don't have
an idea, when we'll be able to issue DSAs again.

Cheers,
        Moritz



Message sent on to Stefan Fritsch <sf@sfritsch.de>:
Bug#395225. Full text and rfc822 format available.

Forcibly Merged 395225 395999. Request was from Andreas Henriksson <andreas@fatal.se> to control@bugs.debian.org. Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jun 2007 23:26:16 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 11:15:36 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.