[FLSA-2004:1187] Updated screen resolves security vulnerability

Jason Edgecombe jedgecombe at carolina.rr.com
Wed Jan 28 02:41:24 UTC 2004 

FYI,

I did get this advisory via bugtraq.

Jason Edgecombe

Jesse Keating wrote:

>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>- -----------------------------------------------------------------------
>               Fedora Legacy Update Advisory
>
>Synopsis:          Updated screen resolves security vulnerability
>Advisory ID:       FLSA:1187
>Issue date:        2004-01-26
>Product:           Red Hat Linux
>Keywords:          Security
>Cross references:  https://bugzilla.fedora.us/show_bug.cgi?id=1187
>CVE Names:         CAN-2003-0972
>- -----------------------------------------------------------------------
>
>1. Topic:
>
>Updated screen packages are now available that fix a security
>vulnerability which may allow privilege escalation for local users, and
>possibly remote attacks or getting control of another user's screen.
>
>2. Relevant releases/architectures:
>
>Red Hat Linux 7.2 - i386
>Red Hat Linux 7.3 - i386
>Red Hat Linux 8.0 - i386
>
>3. Problem description:
>
>The screen utility allows you to have multiple logins on just one
>terminal. Screen is useful for users who telnet into a machine or are
>connected via a dumb terminal, but want to use more than just one
>login.
>
>Timo Sirainen has reported an integer signedness error in ansi.c for GNU
>screen 4.0.1 and earlier, and 3.9.15 and earlier, which allows local
>users to execute arbitrary code via a large number of ";" (semicolon)
>characters in escape sequences, which leads to a buffer overflow. The
>Common Vulnerabilities and Exposures project (cve.mitre.org) has
>assigned the name CAN-2003-0966 to this issue.
>
>Users of screen should update to these update packages, which contain a
>backported security patch that corrects this issue.
>
>Fedora Legacy would like to thank Timo Sirainen for discovering and
>disclosing this issue, and Jason Rohwedder and Christian Pearce for
>providing a backported fix for Red Hat Linux 7.2, 7.3, and 8.0.
>
>All users are advised to upgrade to these update packages, which contain
>a backported security patch that corrects this issue.
>
>4. Solution:
>
>Before applying this update, make sure all previously released errata
>relevant to your system have been applied.
>
>To update all RPMs for your particular architecture, run:
>
>rpm -Fvh [filenames]
>
>where [filenames] is a list of the RPMs you wish to upgrade.  Only those
>RPMs which are currently installed will be updated.  Those RPMs which
>are not installed but included in the list will not be updated.  Note
>that you can also use wildcards (*.rpm) if your current directory
>*only* contains the desired RPMs.
>
>Please note that this update is also available via yum and apt.  Many
>people find this an easier way to apply updates.  To use yum issue:
>
>yum update
>
>or to use apt:
>
>apt-get update; apt-get upgrade
>
>This will start an interactive process that will result in the
>appropriate RPMs being upgraded on your system.  This assumes that you
>have yum or apt-get configured for obtaining Fedora Legacy content.
>Please visit http://www.fedoralegacy.org/download for directions on how
>to configure yum and apt-get.
>
>5. Bug IDs fixed:
>
>http://bugzilla.fedora.us - 1187 - screen security patch in rh7x, rh8
>
>6. RPMs required:
>
>Red Hat Linux 7.2:
>
>SRPMS:
>http://download.fedoralegacy.org/redhat/7.2/updates/SRPMS/screen-3.9.9-4.legacy.src.rpm
>i386:
>http://download.fedoralegacy.org/redhat/7.2/updates/i386/screen-3.9.9-4.legacy.i386.rpm
>
>Red Hat Linux 7.3:
>
>SRPMS:
>http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/screen-3.9.11-4.legacy.src.rpm
>i386:
>http://download.fedoralegacy.org/redhat/7.3/updates/i386/screen-3.9.11-4.legacy.i386.rpm
>
>Red Hat Linux 8.0:
>
>SRPMS:
>http://download.fedoralegacy.org/redhat/8.0/updates/SRPMS/screen-3.9.11-11.legacy.src.rpm
>i386:
>http://download.fedoralegacy.org/redhat/8.0/updates/i386/screen-3.9.11-11.legacy.i386.rpm
>
>7. Verification:
>
>SHA1 sum                                 Package Name
>- ---------------------------------------------------------------------------
>194fbeb6e1871aad733966eb03525ee3fa6b736e
>7.2/updates/SRPMS/screen-3.9.9-4.legacy.src.rpm
>38752ec03ec07ab125ab495910861d0317dfe095
>7.2/updates/i386/screen-3.9.9-4.legacy.i386.rpm
>
>e22108165eeb8a4f2d6f078600117d2a3b5dc88d
>7.3/updates/SRPMS/screen-3.9.11-4.legacy.src.rpm
>278a76f5b56d32bc983ab5dc388397c98dffe31c
>7.3/updates/i386/screen-3.9.11-4.legacy.i386.rpm
>
>578b3166a0f647ac2a798ad81bdea43c9fe55c7b
>8.0/updates/SRPMS/screen-3.9.11-11.legacy.src.rpm
>c1422da61421e74a5a66e5404f1fcd33134c07e8
>8.0/updates/i386/screen-3.9.11-11.legacy.i386.rpm
>
>These packages are GPG signed by Fedora Legacy for security.  Our key is
>available from http://www.fedoralegacy.org/about/security.php
>
>You can verify each package with the following command:
>
>    rpm --checksig -v <filename>
>
>If you only wish to verify that each package has not been corrupted or
>tampered with, examine only the sha1sum with the following command:
>
>    sha1sum <filename>
>
>8. References:
>
>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0972
>http://marc.theaimsgroup.com/?l=bugtraq&m=106995837813873&w=2
>https://bugzilla.fedora.us/show_bug.cgi?id=1187
>
>9. Contact:
>
>The Fedora Legacy security contact is <secnotice at fedoralegacy.org>. More
>project details at https://www.fedoralegacy.org
>
>- -- 
>Jesse Keating RHCE	(geek.j2solutions.net)
>Fedora Legacy Team	(www.fedoralegacy.org)
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.2.2 (GNU/Linux)
>
>iD8DBQFAFfJ24v2HLvE71NURAonTAKCW99PZaO+Pqgw/Wyz79XcvoDwUtQCePW59
>bm7VDH125SXLZ3FwJR0mZvI=
>=zOd3
>-----END PGP SIGNATURE-----
>
>
>--
>fedora-legacy-list mailing list
>fedora-legacy-list at redhat.com
>http://www.redhat.com/mailman/listinfo/fedora-legacy-list
>
>  
>

More information about the fedora-legacy-list mailing list