Bug 1182092 - (CVE-2021-26937) VUL-0: CVE-2021-26937: screen: crash when processing combining chars
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Importance: P3 - Medium : Normal
Assigned To: Michael Schröder
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/277539/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-26937:7.5:(AV:...
Reported: 2021-02-11 06:59 UTC by Marcus Meissner
Modified: 2022-02-26 11:16 UTC
Found By: Security Response Team
Comment 1 Marcus Meissner 2021-02-12 13:28:26 UTC
QA REPRODUCER:

open a screen 
run

curl https://lists.gnu.org/archive/html/screen-devel/2021-02/msg00000.html

BAD:
screen will segfault with signal 11.

GOOD: 
screen will proceed to work
Comment 2 Michael Schröder 2021-02-12 15:15:23 UTC
(SLE-11 is not affected)
Comment 3 Michael Schröder 2021-02-12 15:40:47 UTC
Fixed packages submitted.
Comment 5 OBSbugzilla Bot 2021-02-12 16:00:07 UTC
This is an autogenerated message for OBS integration:
This bug (1182092) was mentioned in
https://build.opensuse.org/request/show/871482 Factory / screen
Comment 6 Swamp Workflow Management 2021-02-17 11:16:47 UTC
SUSE-SU-2021:0491-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1182092
CVE References: CVE-2021-26937
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    screen-4.0.4-23.6.1
SUSE OpenStack Cloud Crowbar 8 (src):    screen-4.0.4-23.6.1
SUSE OpenStack Cloud 9 (src):    screen-4.0.4-23.6.1
SUSE OpenStack Cloud 8 (src):    screen-4.0.4-23.6.1
SUSE OpenStack Cloud 7 (src):    screen-4.0.4-23.6.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    screen-4.0.4-23.6.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    screen-4.0.4-23.6.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    screen-4.0.4-23.6.1
SUSE Linux Enterprise Server 12-SP5 (src):    screen-4.0.4-23.6.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    screen-4.0.4-23.6.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    screen-4.0.4-23.6.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    screen-4.0.4-23.6.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    screen-4.0.4-23.6.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    screen-4.0.4-23.6.1
HPE Helion Openstack 8 (src):    screen-4.0.4-23.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2021-02-17 14:17:49 UTC
SUSE-SU-2021:0492-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1182092
CVE References: CVE-2021-26937
JIRA References: 
Sources used:
SUSE Manager Server 4.0 (src):    screen-4.6.2-5.3.1
SUSE Manager Retail Branch Server 4.0 (src):    screen-4.6.2-5.3.1
SUSE Manager Proxy 4.0 (src):    screen-4.6.2-5.3.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    screen-4.6.2-5.3.1
SUSE Linux Enterprise Server for SAP 15 (src):    screen-4.6.2-5.3.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    screen-4.6.2-5.3.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    screen-4.6.2-5.3.1
SUSE Linux Enterprise Server 15-LTSS (src):    screen-4.6.2-5.3.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    screen-4.6.2-5.3.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    screen-4.6.2-5.3.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    screen-4.6.2-5.3.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    screen-4.6.2-5.3.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    screen-4.6.2-5.3.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    screen-4.6.2-5.3.1
SUSE Enterprise Storage 6 (src):    screen-4.6.2-5.3.1
SUSE CaaS Platform 4.0 (src):    screen-4.6.2-5.3.1

Comment 8 Swamp Workflow Management 2021-02-18 11:18:17 UTC
openSUSE-SU-2021:0304-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1182092
CVE References: CVE-2021-26937
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    screen-4.6.2-lp152.6.3.1
Comment 9 Roger Whittaker 2021-03-25 11:45:53 UTC
comment#2 above states that "(SLE-11 is not affected)", but https://www.suse.com/security/cve/CVE-2021-26937/ shows SLES 11 SP4 LTSS as "Affected".  Which is correct? (Asking because my customer is asking for PTF).
Comment 10 Michael Schröder 2021-03-25 14:30:05 UTC
I don't think it can be affected, as the code that caused the bug was not in screen at that time. But you could certainly try it out and double check if it is affected or not.
Comment 11 Roger Whittaker 2021-03-25 14:48:23 UTC
I've tried testing on SLES 11 SP4 using the curl command in comment#1 to download the text that triggers the issue.

But so far I've failed with ssl / tls errors:

sles11sp4:~ # curl https://lists.gnu.org/archive/html/screen-devel/2021-02/msg00000.html
curl: (35) error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version

sles11sp4:~ # curl -1 https://lists.gnu.org/archive/html/screen-devel/2021-02/msg00000.html
curl: (35) error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version

sles11sp4:~ # curl -2 https://lists.gnu.org/archive/html/screen-devel/2021-02/msg00000.html
curl: (59) failed setting cipher list: DEFAULT_SUSE, setting cipher list HIGH also failed

sles11sp4:~ # curl -3 https://lists.gnu.org/archive/html/screen-devel/2021-02/msg00000.html
curl: (35) error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
Comment 12 Roger Whittaker 2021-03-25 14:57:07 UTC
OK:

curl.openssl1 https://lists.gnu.org/archive/html/screen-devel/2021-02/msg00000.html

works and I don't see a segfault.

Can I tell my customer that the vulnerability definitely does not exist in their version of screen?

And can the SUSE CVE page at https://www.suse.com/security/cve/CVE-2021-26937/ be changed to reflect that?
Comment 13 Marcus Meissner 2021-03-25 14:59:41 UTC
I made the change to the CVE data; the page will be refreshed in a bit.
Comment 14 Roger Whittaker 2021-03-25 15:04:15 UTC
Thanks.  I'll tell my customer they are not affected.
Comment 15 Marcus Meissner 2021-03-25 15:25:29 UTC
is fixed
Comment 16 Andreas Stieger 2022-02-26 11:16:05 UTC
The upstream fix is contained in 4.9
https://savannah.gnu.org/forum/forum.php?forum_id=10107

> CVE-2021-26937: possible denial of service via a crafted UTF-8 character sequence (bug #60030)