[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#982435: screen: CVE-2021-26937

Control: tag -1 + confirmed
Control: found -1 4.6.2-3
Control: found -1 4.5.0-6
Control: found -1 4.2.1-3+deb8u1

Hi Salvatore,

Salvatore Bonaccorso wrote:
> The following vulnerability was published for screen,

Thanks for the heads up! Hadn't notice that upstream bug report
yesterday, but I do have it in my inbox.

https://savannah.gnu.org/bugs/?60030 got locked down in the meanwhile
as it seems.

Can you keep me in the loop wrt. to patches, e.g. by GPG-encrypted

> CVE-2021-26937[0]:
> | encoding.c in GNU Screen through 4.8.0 allows remote attackers to
> | cause a denial of service (invalid write access and application crash)
> | or possibly have unspecified other impact via a crafted UTF-8
> | character sequence.
> To reproduce the issue and crash screen:

Can confirm.

> https://security-tracker.debian.org/tracker/CVE-2021-26937

Can also confirm that it affects screen in Debian 10 Buster
(4.6.2-3), Debian 9 Stretch (4.5.0-6) as well.

Additionally it also affects Debian 8 Jessie ELTS (4.2.1-3+deb8u1).
Cc'ing debian-lts@lists.debian.org for that.

I though want to note that at least reading
in my mail reader (mutt) which runs inside screen, did _not_ crash my
screen session. So it seems as if mutt has unarmed it in some way.

		Regards, Axel
 ,''`.  |  Axel Beckert <abe@debian.org>, https://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE

Attachment: signature.asc
Description: PGP signature

Reply to: