| Name | CVE-2020-9366 |
| Description | A buffer overflow was found in the way GNU Screen before 4.8.0 treated the special escape OSC 49. Specially crafted output, or a special program, could corrupt memory and crash Screen or possibly have unspecified other impact. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 950896 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| screen (PTS) | buster, buster (security) | 4.6.2-3+deb10u1 | fixed |
| bullseye | 4.8.0-6 | fixed | |
| bookworm | 4.9.0-4 | fixed | |
| sid, trixie | 4.9.1-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| screen | source | jessie | (not affected) | |||
| screen | source | stretch | (not affected) | |||
| screen | source | buster | (not affected) | |||
| screen | source | (unstable) | 4.8.0-1 | 950896 |
[buster] - screen <not-affected> (Vulnerable code introduced in v4.7.0)
[stretch] - screen <not-affected> (Vulnerable code introduced in v4.7.0)
[jessie] - screen <not-affected> (Vulnerable code introduced in v4.7.0)
https://lists.gnu.org/archive/html/screen-devel/2020-02/msg00007.html
https://www.openwall.com/lists/oss-security/2020/02/06/3
Fixed by: https://git.savannah.gnu.org/cgit/screen.git/commit/?id=68386dfb1fa33471372a8cd2e74686758a2f527b (v4.8.0)
Follow-up: https://git.savannah.gnu.org/cgit/screen.git/commit/?id=0dd53533e20d2948351a99ec5336fbc9b82b226a (v4.8.0)
Introduced due to: https://git.savannah.gnu.org/cgit/screen.git/commit/?id=c5db181b6e017cfccb8d7842ce140e59294d9f62 (v4.7.0)