PR#1: Add patch7 to fix out of bounds access when setting w_xtermosc - rpms/screen

rpms / screen

#1 Add patch7 to fix out of bounds access when setting w_xtermosc

Merged 3 years ago by vdolezal. Opened 3 years ago by carlwgeorge.

rpms/ carlwgeorge/screen rhbz1801408 into epel8

Add patch7 to fix out of bounds access when setting w_xtermosc

Carl George • 3 years ago

9ec0053

screen-4.8.0-fix-out-of-bounds-access-when-setting-w_xtermosc.patch

file added

+41

		`@@ -0,0 +1,41 @@`
		`+ From 6fe3671984fbe073edc38edc0a0e820841bfefa4 Mon Sep 17 00:00:00 2001`
		`+ From: =?UTF-8?q?Amadeusz=20S=C5=82awi=C5=84ski?= <amade@asmblr.net>`
		`+ Date: Thu, 30 Jan 2020 17:56:27 +0100`
		`+ Subject: [PATCH] Fix out of bounds access when setting w_xtermosc after OSC 49`
		`+ MIME-Version: 1.0`
		`+ Content-Type: text/plain; charset=UTF-8`
		`+ Content-Transfer-Encoding: 8bit`
		`+`
		`+ echo -e "\e]49\e; \n\ec"`
		`+ crashes screen.`
		`+`
		`+ This happens because 49 is divided by 10 and used as table index`
		`+ resulting in access to w_xtermosc[4], which is out of bounds with table`
		`+ itself being size 4. Increase size of table by 1 to 5, which is enough`
		`+ for all current uses.`
		`+`
		`+ As this overwrites memory based on user input it is potential security`
		`+ issue.`
		`+`
		`+ Reported-by: pippin@gimp.org`
		`+ Signed-off-by: Amadeusz Sławiński <amade@asmblr.net>`
		`+ ---`
		`+ window.h \| 2 +-`
		`+ 1 file changed, 1 insertion(+), 1 deletion(-)`
		`+`
		`+ diff --git a/window.h b/window.h`
		`+ index bd10dcd..a8afa19 100644`
		`+ --- a/window.h`
		`+ +++ b/window.h`
		`+ @@ -237,7 +237,7 @@ struct win`
		`+ char w_vbwait;`
		`+ char w_norefresh; /* dont redisplay when switching to that win */`
		`+ #ifdef RXVT_OSC`
		`+ - char w_xtermosc[4][MAXSTR]; /* special xterm/rxvt escapes */`
		`+ + char w_xtermosc[5][MAXSTR]; /* special xterm/rxvt escapes */`
		`+ #endif`
		`+ int w_mouse; /* mouse mode 0,9,1000 */`
		`+ #ifdef HAVE_BRAILLE`
		`+ --`
		`+ 2.24.1`
		`+`

screen.spec

file modified

+6 -1

		`@@ -4,7 +4,7 @@`
		`Summary: A screen manager that supports multiple logins on one terminal`
		`Name: screen`
		`Version: 4.6.2`
		`- Release: 9%{?dist}`
		`+ Release: 10%{?dist}`
		`License: GPLv3+`
		`URL: http://www.gnu.org/software/screen`
		`Requires(pre): /usr/sbin/groupadd`
		`@@ -24,6 +24,8 @@`
		`Patch4: screen-4.3.1-suppress_remap.patch`
		`Patch5: screen-4.3.1-crypt.patch`
		`Patch6: screen-4.5.1-texinfo.patch`
		`+ # https://git.savannah.gnu.org/cgit/screen.git/commit/?h=screen-v4&id=68386dfb1fa33471372a8cd2e74686758a2f527b`
		`+ Patch7: screen-4.8.0-fix-out-of-bounds-access-when-setting-w_xtermosc.patch`

		`%description`
		`The screen utility allows you to have multiple logins on just one`
		`@@ -117,6 +119,9 @@`
		`%endif`

		`%changelog`
		`+ * Mon Feb 10 2020 Carl George <carl@george.computer> - 4.6.2-10`
		`+ - Add patch7 to fix out of bounds access when setting w_xtermosc rhbz#1801408`
		`+`
		`* Sat Jul 20 2019 Stephen Smoogen <smooge@fedora00.int.smoogespace.com> - 4.6.2-9`
		`- Use this as test of EPEL build system for compiles`

carlwgeorge commented 3 years ago

https://bugzilla.redhat.com/show_bug.cgi?id=1801408

vdolezal commented 3 years ago

LGTM

Pull-Request has been merged by vdolezal

3 years ago

carlwgeorge commented 3 years ago

Thanks for the quick merge!

vdolezal commented 3 years ago

Meh, now I noticed I can't reproduce it on f31. It looks that the issue first appeared in screen v.4.7.0 (in commit c5db181), so screen in EPEL8 is not affected.

carlwgeorge commented 3 years ago

Upstream believed that the issue was present in 4.2.0 until 4.8.0, but wasn't sure how exploitable it was.

https://seclists.org/oss-sec/2020/q1/65

I only know what the upstream has said about this, and don't know how to reproduce it to test. Can you tell me more about your reproducer?