Sebastian Jaenicke <tsa@jaenicke.org>:

Fix a buffer overflow in screen that allows local privilege escalation.


git-svn-id: http://www.rocklinux.org/svn/rock-linux/trunk@1875 c5f82cb5-29bc-0310-9cd0-bff59a50e3bc

Documentation/Developers/CHANGELOG-RENE

@@ -8,6 +8,7 @@
                    updated autoconf, automake, ccache, curl, file, gsl,
                    ifhp, jfsutils, lsof, lvm, nfs-utils, prelink, procps,
                    uudeview, whois and zlib
+ - Sebastian Jaenicke: fixed screen security issue
 
 *) 2003-11-27 (2.0.0-rc3 - 2.0.0-rc4)
 

package/base/screen/windowheight.patch

@@ -0,0 +1,33 @@
+diff -Nur screen-3.9.15.orig/ansi.c screen-3.9.15/ansi.c
+--- screen-3.9.15.orig/ansi.c	2003-03-13 12:14:53.000000000 +0100
++++ screen-3.9.15/ansi.c	2003-11-28 18:42:24.000000000 +0100
+@@ -581,7 +581,7 @@
+ 	    {
+ 	    case '0': case '1': case '2': case '3': case '4':
+ 	    case '5': case '6': case '7': case '8': case '9':
+-	      if (curr->w_NumArgs < MAXARGS)
++	      if (curr->w_NumArgs >= 0 && curr->w_NumArgs < MAXARGS)
+ 		{
+ 		  if (curr->w_args[curr->w_NumArgs] < 100000000)
+ 		    curr->w_args[curr->w_NumArgs] =
+diff -Nur screen-3.9.15.orig/resize.c screen-3.9.15/resize.c
+--- screen-3.9.15.orig/resize.c	2002-11-08 17:31:51.000000000 +0100
++++ screen-3.9.15/resize.c	2003-11-28 18:42:45.000000000 +0100
+@@ -680,6 +680,17 @@
+   if (wi == 0)
+     he = hi = 0;
+ 
++  if (wi > 1000)
++    {
++      Msg(0, "Window width too large, truncated");
++      wi = 1000;
++    }
++  if (he > 1000)
++    {
++      Msg(0, "Window height too large, truncated");
++      he = 1000;
++    }
++
+   if (p->w_width == wi && p->w_height == he && p->w_histheight == hi)
+     {
+       debug("ChangeWindowSize: No change.\n");