main/screen: fix CVE-2020-9366

2 files changed, 52 insertions, 3 deletions

diff --git a/main/screen/APKBUILD b/main/screen/APKBUILD
index 89718aa3d3..35fe650db2 100644
--- a/main/screen/APKBUILD
+++ b/main/screen/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=screen
 pkgver=4.6.2
-pkgrel=0
+pkgrel=1
 pkgdesc="A window manager that multiplexes a physical terminal"
 url="http://ftp.gnu.org/gnu/screen/"
 arch="all"
@@ -10,9 +10,15 @@ license="GPL-3.0-or-later"
 options="!check"  # No test suite.
 makedepends="ncurses-dev ncurses"
 subpackages="$pkgname-doc"
-source="http://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.gz"
+source="https://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.gz
+	CVE-2020-9366.patch
+	"
 builddir="$srcdir/$pkgname-$pkgver"
 
+# secfixes:
+#   4.6.2-r1:
+#     - CVE-2020-9366
+
 build() {
 	cd "$builddir"
 	./configure \
@@ -38,4 +44,5 @@ package() {
 	install -Dm644 etc/screenrc "$pkgdir"/etc/skel/.screenrc
 }
 
-sha512sums="224bd16ad5ae501d1b8bb7d2ba9cc19e6a0743de5a5b320109c2f6bf3b1ca564cc7094ed9211be13733d9d769cde77d13fe236341d448cad0518038ab1e85c99  screen-4.6.2.tar.gz"
+sha512sums="224bd16ad5ae501d1b8bb7d2ba9cc19e6a0743de5a5b320109c2f6bf3b1ca564cc7094ed9211be13733d9d769cde77d13fe236341d448cad0518038ab1e85c99  screen-4.6.2.tar.gz
+7cf69866a2c6e18a72b8df90550d12294c95245a39b1c16a5de9eb1dbaf732d1474af7e0f9d42941286911e136e437f8029cd134858c456eaabee6ef6cfce111  CVE-2020-9366.patch"
diff --git a/main/screen/CVE-2020-9366.patch b/main/screen/CVE-2020-9366.patch
new file mode 100644
index 0000000000..81b56b4bc5
--- /dev/null
+++ b/main/screen/CVE-2020-9366.patch
@@ -0,0 +1,42 @@
+From 68386dfb1fa33471372a8cd2e74686758a2f527b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Amadeusz=20S=C5=82awi=C5=84ski?= <amade@asmblr.net>
+Date: Thu, 30 Jan 2020 17:56:27 +0100
+Subject: Fix out of bounds access when setting w_xtermosc after OSC 49
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+echo -e "\e]49\e;                                    \n\ec"
+crashes screen.
+
+This happens because 49 is divided by 10 and used as table index
+resulting in access to w_xtermosc[4], which is out of bounds with table
+itself being size 4. Increase size of table by 1 to 5, which is enough
+for all current uses.
+
+As this overwrites memory based on user input it is potential security
+issue.
+
+Reported-by: pippin@gimp.org
+Signed-off-by: Amadeusz Sławiński <amade@asmblr.net>
+---
+ src/window.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/window.h b/src/window.h
+index fbe98dc..11d2a9e 100644
+--- a/window.h
++++ b/window.h
+@@ -237,7 +237,7 @@ struct win
+   char	 w_vbwait;
+   char	 w_norefresh;		/* dont redisplay when switching to that win */
+ #ifdef RXVT_OSC
+-  char	 w_xtermosc[4][MAXSTR];	/* special xterm/rxvt escapes */
++  char	 w_xtermosc[5][MAXSTR];	/* special xterm/rxvt escapes */
+ #endif
+   int    w_mouse;		/* mouse mode 0,9,1000 */
+   int    w_extmouse;		/* extended mouse mode 0,1006 */
+-- 
+cgit v1.2.1
+
+