CVE-2020-9366

NameCVE-2020-9366
DescriptionA buffer overflow was found in the way GNU Screen before 4.8.0 treated the special escape OSC 49. Specially crafted output, or a special program, could corrupt memory and crash Screen or possibly have unspecified other impact.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severityhigh
Debian Bugs950896

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
screen (PTS)stretch4.5.0-6fixed
stretch (security)4.5.0-6+deb9u1fixed
buster, buster (security)4.6.2-3+deb10u1fixed
bullseye4.8.0-6fixed
bookworm, sid4.8.0-7fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
screensourcejessie(not affected)
screensourcestretch(not affected)
screensourcebuster(not affected)
screensource(unstable)4.8.0-1950896

Notes

[buster] - screen <not-affected> (Vulnerable code introduced in v4.7.0)
[stretch] - screen <not-affected> (Vulnerable code introduced in v4.7.0)
[jessie] - screen <not-affected> (Vulnerable code introduced in v4.7.0)
https://lists.gnu.org/archive/html/screen-devel/2020-02/msg00007.html
https://www.openwall.com/lists/oss-security/2020/02/06/3
Fixed by: https://git.savannah.gnu.org/cgit/screen.git/commit/?id=68386dfb1fa33471372a8cd2e74686758a2f527b (v4.8.0)
Follow-up: https://git.savannah.gnu.org/cgit/screen.git/commit/?id=0dd53533e20d2948351a99ec5336fbc9b82b226a (v4.8.0)
Introduced due to: https://git.savannah.gnu.org/cgit/screen.git/commit/?id=c5db181b6e017cfccb8d7842ce140e59294d9f62 (v4.7.0)

Search for package or bug name: Reporting problems