oss-sec mailing list archives

Re: GNU screen "out of bounds access when setting w_xtermosc after OSC 49"

From: Amadeusz Sławiński <amade () asmblr net>
Date: Thu, 6 Feb 2020 17:24:57 +0100

Hi,


The fix commit is:

---
commit 68386dfb1fa33471372a8cd2e74686758a2f527b
Author: Amadeusz Slawinski <amade () asmblr net>
Date:   Thu Jan 30 17:56:27 2020 +0100

    Fix out of bounds access when setting w_xtermosc after OSC 49
    
    echo -e "\e]49\e;                                    \n\ec"
    crashes screen.
    
    This happens because 49 is divided by 10 and used as table index
    resulting in access to w_xtermosc[4], which is out of bounds with table
    itself being size 4. Increase size of table by 1 to 5, which is enough
    for all current uses.
    
    As this overwrites memory based on user input it is potential security
    issue.
    
    Reported-by: pippin () gimp org
    Signed-off-by: Amadeusz Slawinski <amade () asmblr net>
---

This is followed by another related commit:

---
commit 0dd53533e20d2948351a99ec5336fbc9b82b226a
Author: Amadeusz Slawinski <amade () asmblr net>
Date:   Wed Feb 5 21:05:28 2020 +0100

    Increase permitted length of OSC
    
    hyperlink feature used by some terminals requires lots of characters
    https://gist.github.com/egmontkob/eb114294efbcd5adb1944c9f3cb5feda#length-limits
    mentions around 2083 characters, set it to a bit more.
    
    Bug: 57718
    
    Signed-off-by: Amadeusz Slawinski <amade () asmblr net>
---

Combined, these two commits change:

  char   w_xtermosc[4][MAXSTR]; /* special xterm/rxvt escapes */

(where MAXSTR is 768) to:

  char   w_xtermosc[5][2560];   /* special xterm/rxvt escapes */


The report which resulted in second commit just happened to be reported
at similar time and is not related to the issue at hand apart from same
location in source code.

These are as seen on the screen-v4 branch.  On that branch, and thus in
all screen releases so far, the bug appears to be exposed only when
building with the "--enable-rxvt_osc" option.  Builds and packages made
without that option appear to be safe.  Amadeusz, can you confirm this?


Yes builds without this option should be safe, however do note that
as far as I know most distributions do enable it (I checked Debian,
Arch Linux, Fedora and Gentoo).


On master branch, the functionality is always enabled (and the option is
dropped), thus (not too ancient) builds from that branch are vulnerable
(until the above fixes, which were also made to that branch).


Yes, however do note that all v4 releases are done from screen-v4 branch.

Amadeusz

Current thread:

GNU screen "out of bounds access when setting w_xtermosc after OSC 49" Solar Designer (Feb 06)
- Re: GNU screen "out of bounds access when setting w_xtermosc after OSC 49" Amadeusz Sławiński (Feb 06)
  - Re: Re: GNU screen "out of bounds access when setting w_xtermosc after OSC 49" Cedric Buissart (Feb 24)
    - Re: Re: GNU screen "out of bounds access when setting w_xtermosc after OSC 49" Cedric Buissart (Feb 24)
- Re: GNU screen "out of bounds access when setting w_xtermosc after OSC 49" Salvatore Bonaccorso (Feb 25)
  - Re: GNU screen "out of bounds access when setting w_xtermosc after OSC 49" Amadeusz Sławiński (Feb 25)