| Name | CVE-2020-9366 |
| Description | A buffer overflow was found in the way GNU Screen before 4.8.0 treated the special escape OSC 49. Specially crafted output, or a special program, could corrupt memory and crash Screen or possibly have unspecified other impact. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 950896 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| screen (PTS) | jessie, jessie (lts) | 4.2.1-3+deb8u2 | fixed |
| stretch (security), stretch (lts), stretch | 4.5.0-6+deb9u1 | fixed |
| buster (security), buster, buster (lts) | 4.6.2-3+deb10u1 | fixed |
| bullseye | 4.8.0-6 | fixed |
| bookworm | 4.9.0-4 | fixed |
| sid, trixie | 4.9.1-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| screen | source | wheezy | (unfixed) | end-of-life | | |
| screen | source | jessie | (not affected) | | | |
| screen | source | stretch | (not affected) | | | |
| screen | source | buster | (not affected) | | | |
| screen | source | (unstable) | 4.8.0-1 | | | 950896 |
Notes
[buster] - screen <not-affected> (Vulnerable code introduced in v4.7.0)
[stretch] - screen <not-affected> (Vulnerable code introduced in v4.7.0)
[jessie] - screen <not-affected> (Vulnerable code introduced in v4.7.0)
https://lists.gnu.org/archive/html/screen-devel/2020-02/msg00007.html
https://www.openwall.com/lists/oss-security/2020/02/06/3
Fixed by: https://git.savannah.gnu.org/cgit/screen.git/commit/?id=68386dfb1fa33471372a8cd2e74686758a2f527b (v4.8.0)
Follow-up: https://git.savannah.gnu.org/cgit/screen.git/commit/?id=0dd53533e20d2948351a99ec5336fbc9b82b226a (v4.8.0)
Introduced due to: https://git.savannah.gnu.org/cgit/screen.git/commit/?id=c5db181b6e017cfccb8d7842ce140e59294d9f62 (v4.7.0)