Summary: | sysutils/screen: CVE-2021-26937 | ||||||
---|---|---|---|---|---|---|---|
Product: | Ports & Packages | Reporter: | Daniel Engberg <diizzy> | ||||
Component: | Individual Port(s) | Assignee: | Cy Schubert <cy> | ||||
Status: | Closed FIXED | ||||||
Severity: | Affects Many People | CC: | chris | ||||
Priority: | --- | Flags: | bugzilla:
maintainer-feedback?
(cy) |
||||
Version: | Latest | ||||||
Hardware: | Any | ||||||
OS: | Any | ||||||
Attachments: |
|
Description
Daniel Engberg
2021-02-14 18:14:26 UTC
No upstream patch exists yet. Will need to cobble something up ourselves. Can you provide the exploit to to me, please. I would like to try to use it to create a patch. Thank you. Created attachment 222444 [details]
Patch
Found a patch. Need to test it against the exploit. If anyone can point to the exploit script.
The exploit at https://lists.gnu.org/archive/html/screen-devel/2021-02/msg00000.html doesn't work on FreeBSD. A commit references this bug: Author: cy Date: Mon Feb 15 01:35:36 UTC 2021 New revision: 565281 URL: https://svnweb.freebsd.org/changeset/ports/565281 Log: Fix CVE-2021-26937: segfaults by displaying some UTF-8 characters CVE-2021-26937 segfaults when displayingsome UTF-8 characters described in https://lists.gnu.org/archive/html/screen-devel/2021-02/msg00000.html. PR: 253515 Reported by: daniel.engberg.lists at pyret.net Obtained from: https://build.opensuse.org/request/show/871482 MFH: 2020Q1 Security: CVE-2021-26937 Changes: head/sysutils/screen/Makefile head/sysutils/screen/files/patch-ansi.c head/sysutils/screen/files/patch-encoding.c A commit references this bug: Author: cy Date: Mon Feb 15 19:17:28 UTC 2021 New revision: 565328 URL: https://svnweb.freebsd.org/changeset/ports/565328 Log: Revert r565281. It breaks UTF-8. Reported by: Trond.Endrestol at ximalas.info Christos Chatzaras <chris at cretaforce.gr> PR: 253515 Changes: head/sysutils/screen/Makefile head/sysutils/screen/files/patch-ansi.c head/sysutils/screen/files/patch-encoding.c The OpenSuSE patch breaks screen. The upstream bug is marked private and no commits have been made to the upstream git repo. A commit references this bug: Author: cy Date: Tue Feb 16 00:45:10 UTC 2021 New revision: 565376 URL: https://svnweb.freebsd.org/changeset/ports/565376 Log: Fix CVE-2021-26937 for real: segfaults by displaying some UTF-8 characters This is a recommit of r565281 fixing a typo in r565281, causing a regression. CVE-2021-26937 segfaults when displayingsome UTF-8 characters described in https://lists.gnu.org/archive/html/screen-devel/2021-02/msg00000.html. PR: 253515 Reported by: daniel.engberg.lists at pyret.net Obtained from: https://build.opensuse.org/request/show/871482 MFH: 2020Q1 Security: CVE-2021-26937 Changes: head/sysutils/screen/Makefile head/sysutils/screen/files/patch-ansi.c head/sysutils/screen/files/patch-encoding.c Fixed. |