Bug 28390 - screen new security issue CVE-2021-26937
Summary: screen new security issue CVE-2021-26937
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7TOO MGA7-64-OK MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-02-20 18:51 CET by David Walser
Modified: 2021-03-04 17:55 CET (History)
3 users (show)

See Also:
Source RPM: screen-4.8.0-2.mga8.src.rpm
CVE: CVE-2021-26937
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2021-02-20 18:51:28 CET 
CVE-2021-26937 has been assigned for a security issue discussed in this thread:
https://www.openwall.com/lists/oss-security/2021/02/09/8

Mageia 7 and Mageia 8 are also affected.
David Walser 2021-02-20 18:52:52 CET

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=28391

David Walser 2021-02-20 18:53:01 CET

Whiteboard: (none) => MGA8TOO, MGA7TOO

Comment 1 Lewis Smith 2021-02-20 20:11:53 CET 
Assigning this to you, DavidG, as you did the last two new versions. Bounce it back if necessary.

Assignee: bugsquad => geiger.david68210

Comment 2 David Walser 2021-02-26 16:48:16 CET 
Debian has issued an advisory for this on February 21:
https://www.debian.org/security/2021/dsa-4861

Status comment: (none) => Patch available from Debian

Comment 3 David Walser 2021-02-26 19:35:10 CET 
Ubuntu has issued an advisory for this on February 24:
https://ubuntu.com/security/notices/USN-4747-1

Severity: normal => major

Comment 4 David GEIGER 2021-02-27 09:17:21 CET 
Done for cauldron, mga8 and mga7!
Comment 5 David Walser 2021-02-27 17:17:29 CET 
RPMS/SRPMS:
screen-4.6.2-2.2.mga7
screen-4.8.0-2.1.mga8

Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Version: Cauldron => 8
Status comment: Patch available from Debian => (none)
CC: (none) => geiger.david68210
Assignee: geiger.david68210 => qa-bugs

Comment 6 David Walser 2021-03-03 01:24:34 CET 
Advisory:
========================

Updated screen package fixes security vulnerability:

Felix Weinmann reported a flaw in the handling of combining characters in
screen, which can result in denial of service, or potentially the execution of
arbitrary code via a specially crafted UTF-8 character sequence
(CVE-2021-26937).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26937
https://www.debian.org/security/2021/dsa-4861
Comment 7 Aurelien Oudelet 2021-03-04 16:08:16 CET 
MGA7 and MGA 8 (x86_64)
Reading PoC on https://lists.gnu.org/archive/html/screen-devel/2021-02/msg00000.html

Copy/Paste characters sequence in Kate, deleting escape sequence to make it on 1 line.

screen-4.8.1-2.mga8:
Crashes.

screen-4.6.2-2.1.mga7:
Crashes.

Applying updates.
Rerun above tests.
No crash: screen says "Too long name file".


MGA7-64-OK
MGA8-64-OK

Validating.
Advisory pushed to SVN.

Keywords: (none) => advisory, validated_update
CVE: (none) => CVE-2021-26937
Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK MGA8-64-OK
CC: (none) => ouaurelien, sysadmin-bugs

Comment 8 Mageia Robot 2021-03-04 17:55:22 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0109.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
Note You need to log in before you can comment on or make changes to this bug.