[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
UNIRAS Brief - 713/06 - Gentoo Linux Security Advisory: GLSA 200611-01 - Screen: UTF-8 character handling vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
UNIRAS (UK Government CERT) Briefing - 713/06 dated 06.11.06 time 14:55
UNIRAS is part of NISCC (the UK National Infrastructure Security
Co-ordination Centre)
______________________________________________________________________________
UNIRAS material is available from the NISCC website at www.niscc.gov.uk
______________________________________________________________________________
Title
=====
Gentoo Linux Security Advisory: GLSA 200611-01 - Screen: UTF-8 character handling
vulnerability
Detail
======
cstone and Richard Felker discovered a flaw in Screen's UTF-8 combining
character handling.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200611-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: Screen: UTF-8 character handling vulnerability
Date: November 03, 2006
Bugs: #152770
ID: 200611-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Screen contains an error in its UTF-8 character handling code that
would allow a remote Denial of Service or possibly the remote execution
of arbitrary code.
Background
==========
Screen is a full-screen window manager that multiplexes a physical
terminal between several processes, typically interactive shells.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-misc/screen < 4.0.3 >= 4.0.3
Description
===========
cstone and Richard Felker discovered a flaw in Screen's UTF-8 combining
character handling.
Impact
======
The vulnerability can be exploited by writing a special string of
characters to a Screen window. A remote attacker could cause a Denial
of Service or possibly execute arbitrary code with the privileges of
the user running Screen through a program being run inside a Screen
session, such as an IRC client or a mail client.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Screen users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-misc/screen-4.0.3"
References
==========
[ 1 ] CVE-2006-4573
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4573
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200611-01.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@xxxxxxxxxx or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
______________________________________________________________________________
NISCC values your feedback.
1. Which of the following most reflects the value of the briefing to you?
(Place an 'X' next to your choice)
Very useful:__ Useful:__ Not useful:__
2. If you did not find it useful, why not?
3. Any other comments? How could we improve our briefings?
Thank you for your contribution.
______________________________________________________________________________
For additional information or assistance, please contact our help desk
by telephone. You may send Not Protectively Marked information via
e-mail to uniras@xxxxxxxxxxxxx
Office hours:
Mon - Fri: 08:30 - 17:00 hours
Tel: +44 (0) 870 487 0748 and follow the voice prompts
Fax: +44 (0) 870 487 0749
On-call duty officer outside office hours:
Tel: +44 (0) 870 487 0748 and follow the voice prompts
______________________________________________________________________________
UNIRAS wishes to acknowledge the contributions of Gentoo for the
information contained in this briefing.
______________________________________________________________________________
This notice contains information released by the original author.
Some of the information may have changed since it was released. If the
vulnerability affects you, it may be prudent to retrieve the advisory
from the site of the original source to ensure that you receive the most
current information concerning that problem.
Reference to any specific commercial product, process, or service by
trade name, trademark manufacturer, or otherwise, does not constitute or
imply its endorsement, recommendation, or favouring by UNIRAS or NISCC.
The views and opinions of authors expressed within this notice shall not
be used for advertising or product endorsement purposes.
Neither UNIRAS or NISCC shall also accept responsibility for any errors
or omissions contained within this briefing notice. In particular, they
shall not be liable for any loss or damage whatsoever, arising from or
in connection with the usage of information contained within this
notice.
UNIRAS is a member of the Forum of Incident Response and Security Teams
(FIRST) and has contacts with other international Incident Response
Teams (IRTs) in order to foster cooperation and coordination in incident
prevention, to prompt rapid reaction to incidents, and to promote
information sharing amongst its members and the community at large.
______________________________________________________________________________
<End of UNIRAS Briefing>
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1
iQA/AwUBRU9LnGl7oeQsXfKvEQJ+egCfYpF7Klr4YeS7V7uT7wMlrNtdumUAoMCn
MWeIAPhkkkAoJBY0jLCTQsn0
=aKt9
-----END PGP SIGNATURE-----
______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email
______________________________________________________________________
______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email
______________________________________________________________________