Control: tag -1 + confirmed Control: found -1 4.6.2-3 Control: found -1 4.5.0-6 Control: found -1 4.2.1-3+deb8u1 Hi Salvatore, Salvatore Bonaccorso wrote: > The following vulnerability was published for screen, Thanks for the heads up! Hadn't notice that upstream bug report yesterday, but I do have it in my inbox. https://savannah.gnu.org/bugs/?60030 got locked down in the meanwhile as it seems. Can you keep me in the loop wrt. to patches, e.g. by GPG-encrypted mail? > CVE-2021-26937[0]: > | encoding.c in GNU Screen through 4.8.0 allows remote attackers to > | cause a denial of service (invalid write access and application crash) > | or possibly have unspecified other impact via a crafted UTF-8 > | character sequence. > > To reproduce the issue and crash screen: Can confirm. > https://security-tracker.debian.org/tracker/CVE-2021-26937 Can also confirm that it affects screen in Debian 10 Buster (4.6.2-3), Debian 9 Stretch (4.5.0-6) as well. Additionally it also affects Debian 8 Jessie ELTS (4.2.1-3+deb8u1). Cc'ing debian-lts@lists.debian.org for that. I though want to note that at least reading https://lists.gnu.org/archive/html/screen-devel/2021-02/msg00000.html in my mail reader (mutt) which runs inside screen, did _not_ crash my screen session. So it seems as if mutt has unarmed it in some way. Regards, Axel -- ,''`. | Axel Beckert <abe@debian.org>, https://people.debian.org/~abe/ : :' : | Debian Developer, ftp.ch.debian.org Admin `. `' | 4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5 `- | 1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE
Attachment:
signature.asc
Description: PGP signature