Re: [screen-devel] [bug #60030] [CVE-2021-26937] Screen segfaults by dis


From: Axel Beckert
Subject: Re: [screen-devel] [bug #60030] [CVE-2021-26937] Screen segfaults by displaying some UTF-8 character combination
Date: Wed, 10 Feb 2021 14:31:02 +0100
User-agent: NeoMutt/20170113 (1.7.2)

Hi Felix,

On Tue, Feb 09, 2021 at 08:04:41AM -0500, Felix Weinmann wrote:
> URL:
>   <https://savannah.gnu.org/bugs/?60030>
> 
>                  Summary: Screen segfaults by displaying some UTF-8 character
> combination
>                  Project: GNU Screen
>             Submitted by: lixfel
>             Submitted on: Tue 09 Feb 2021 01:04:39 PM UTC
>                 Category: Crash/Freeze/Infloop
[...]
>                  Privacy: Private
[...]
> So this bug is already exploited, but very likely without knowing
> the origin in screen. I don't know if this bug might enable remote
> code execution, thus marked as private.

Thanks for reporting this issue.

Unfortunately setting it to private didn't really hide that bug report
from the public as all bug reports reported against Screen via
Savannah — as it seems even those marked as private — are forwarded to
a publicly archived mailing list.

So your bug report is already publicly visible at
https://lists.gnu.org/archive/html/screen-devel/2021-02/msg00000.html
even though it is hidden on Savannah. (This is something those with
admin access to the screen project on Savannah might want to review.)

Additionally it also has been assigned a CVE ID (CVE-2021-26937) and
reported in Debian, too: https://bugs.debian.org/982435

                Regards, Axel
-- 
 ,''`.  |  Axel Beckert <abe@debian.org>, https://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE
