tags 395225 patch pending
thanks

Quoting Adam Lazur ([EMAIL PROTECTED]):
> Christian Perrier ([EMAIL PROTECTED]) said:
> > While working on the l10n NMU campaign, I went on this bug which seems
> > really easy to fix by building the new 4.0.3 version.
> >
> > Unless someone else also wants to work on it, I will upload a 4.0.3
> > NMU ASAP.
> >
> > It will also include the pending debconf l10n things which the
> > maintainer seems to not care about.
>
> If you have an NMU ready to go, please go ahead and upload it. I won't
> have time to work on the screen package until Sunday evening, and by
> then I'll just be duping your efforts.

The NMU is ready and will be uploaded.

Attached are two patches:

screen.patch is the patch for the debian/ directory between 4.0.2-4.1 and 4.0.3-0.1 for unstable. Please note that it includes the debconf translation updates which were pending and were indeed my initial reason to look at the package. They are *very* safe as they are only file additions.

upstream.patch is the patch between upstream versions 4.0.2 and 4.0.3. It should be reviewed by the stable security team and probably applied in sarge (please note that sarge, testing and unstable versions are the same versions).

diff -Nru screen-4.0.2/debian/changelog screen-4.0.3/debian/changelog --- screen-4.0.2/debian/changelog 2006-10-27 20:44:37.000000000 +0200 +++ screen-4.0.3/debian/changelog 2006-10-28 07:37:20.806413864 +0200 @@ -1,3 +1,17 @@ +screen (4.0.3-0.1) unstable; urgency=high + + * Non-maintainer upload to fix a security issue + * New upstream version fixing utf8 combining characters handling. The + bugs could be used to crash/hang screen by writing a special string + to a window (CVE-2006-4573). Closes: #395225 + * Debconf translation updates: + - Finnish added. Closes: #303818 + - Swedish added. Closes: #331583 + - Portuguese added. Closes: #345059 + - Italian updated. Closes: #358160 + + -- Christian Perrier <[EMAIL PROTECTED]> Sat, 28 Oct 2006 07:35:57 +0200 + screen (4.0.2-4.1) unstable; urgency=low * Non-maintainer upload diff -Nru screen-4.0.2/debian/po/fi.po screen-4.0.3/debian/po/fi.po --- screen-4.0.2/debian/po/fi.po 1970-01-01 01:00:00.000000000 +0100 +++ screen-4.0.3/debian/po/fi.po 2006-10-28 07:34:41.161187206 +0200 
@@ -0,0 +1,46 @@ +# +# Translators, if you are not familiar with the PO format, gettext +# documentation is worth reading, especially sections dedicated to +# this format, e.g. by running: +# info -n '(gettext)PO Files' +# info -n '(gettext)Header Entry' +# +# Some information specific to po-debconf are available at +# /usr/share/doc/po-debconf/README-trans +# or http://www.debian.org/intl/l10n/po-debconf/README-trans +# +# Developers do not need to manually edit POT or PO files. +# +msgid "" +msgstr "" +"Project-Id-Version: screen\n" +"Report-Msgid-Bugs-To: \n" +"POT-Creation-Date: 2003-07-23 07:08+0200\n" +"PO-Revision-Date: 2005-04-09 01:57+0300\n" +"Last-Translator: Matti Pöllä <[EMAIL PROTECTED]>\n" +"Language-Team: Finnish <debian-l10n-finnish@lists.debian.org>\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Description +#: ../templates:4 +msgid "You may lose currently running screen sessions. Continue the install?" +msgstr "Yhteys käynnissä oleviin screen-istuntoihin voi katketa. Jatketaanko asennusta?" + +#. Description +#: ../templates:4 +msgid "" +"This version of screen is incompatible with all versions before 3.9.5-5." +msgstr "" +"Tämä screen:in versio on yhteensopimaton kaikkien versiota 3.9.5-5\n" +"edeltävien versioiden kanssa." + +#. Description +#: ../templates:4 +msgid "" +"If you continue with the installation, you will not be able to access " +"currently running screen sessions." +msgstr "" +"Jos jatkat asennusta, menetät yhteyden käynnissä oleviin\n" +"screen-istuntoihin." diff -Nru screen-4.0.2/debian/po/it.po screen-4.0.3/debian/po/it.po --- screen-4.0.2/debian/po/it.po 2006-10-27 20:44:37.000000000 +0200 +++ screen-4.0.3/debian/po/it.po 2006-10-28 07:35:34.193594510 +0200 
@@ -1,45 +1,40 @@ -# Translators, if you are not familiar with the PO format, gettext -# documentation is worth reading, especially sections dedicated to -# this format, e.g. by running: -# info -n '(gettext)PO Files' -# info -n '(gettext)Header Entry' -# Some information specific to po-debconf are available at -# /usr/share/doc/po-debconf/README-trans -# or http://www.debian.org/intl/l10n/po-debconf/README-trans -# Developers do not need to manually edit POT or PO files. -# +# screen - Italian Debconf messages +# +# This file is distributed under the same license as the screen package. +# Andrea Bolognani <[EMAIL PROTECTED]>, 2006. + msgid "" msgstr "" "Project-Id-Version: screen 4.0.2\n" -"POT-Creation-Date: 2003-07-23 07:08+0200\n" -"PO-Revision-Date: 2003-12-18 10:30+0100\n" -"Last-Translator: Fabio Pani <[EMAIL PROTECTED]>\n" -"Language-Team: Italian <debian-l10n-italian@lists.debian.org>\n" +"Report-Msgid-Bugs-To: \n" +"POT-Creation-Date: 2006-03-10 07:38-0700\n" +"PO-Revision-Date: 2005-03-21 10:46+0100\n" +"Last-Translator: Andrea Bolognani <[EMAIL PROTECTED]>\n" +"Language-Team: LANGUAGE <[EMAIL PROTECTED]>\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=ISO-8859-1\n" "Content-Transfer-Encoding: 8bit\n" +#. Type: boolean #. Description #: ../templates:4 msgid "You may lose currently running screen sessions. Continue the install?" -msgstr "" -"Si possono perdere le sessioni di screen attualmente aperte. Continuare " +msgstr "Potresti perdere le sessioni correnti di screen. Proseguire con " "l'installazione?" +#. Type: boolean #. Description #: ../templates:4 msgid "" "This version of screen is incompatible with all versions before 3.9.5-5." -msgstr "" -"Questa versione di screen � incompatibile con tutte le versioni precedenti " -"alla 3.9.5-5." +msgstr "Questa versione di screen � incompatibile con tutte le versioni " +"precedenti la 3.9.5-5." +#. Type: boolean #. 
Description #: ../templates:4 msgid "" "If you continue with the installation, you will not be able to access " "currently running screen sessions." -msgstr "" -"Se si continua con l'installazione, non sar� possibile accedere alle sessioni " -"di screen attualmente aperte." - +msgstr "Se prosegui con l'installazione, non sarai in grado di accedere alle " +"sessioni correnti di screen." diff -Nru screen-4.0.2/debian/po/pt.po screen-4.0.3/debian/po/pt.po --- screen-4.0.2/debian/po/pt.po 1970-01-01 01:00:00.000000000 +0100 +++ screen-4.0.3/debian/po/pt.po 2006-10-28 07:35:12.157425245 +0200 
@@ -0,0 +1,41 @@ +# Portuguese translation for screen's debconf messages. +# 2005, Miguel Figueiredo <[EMAIL PROTECTED]> +# +# 2005-12-24 - Initial translation +# +msgid "" +msgstr "" +"Project-Id-Version: screen 4.0.2-4.1\n" +"Report-Msgid-Bugs-To: \n" +"POT-Creation-Date: 2005-12-10 10:06-0700\n" +"PO-Revision-Date: 2005-12-28 18:23+0000\n" +"Last-Translator: Miguel Figueiredo <[EMAIL PROTECTED]>\n" +"Language-Team: Portuguese <[EMAIL PROTECTED]>\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: boolean +#. Description +#: ../templates:4 +msgid "You may lose currently running screen sessions. Continue the install?" +msgstr "Pode perder sessões de screen que estão actualmente a correr. " +"Continuar a instalação?" + +#. Type: boolean +#. Description +#: ../templates:4 +msgid "" +"This version of screen is incompatible with all versions before 3.9.5-5." +msgstr "" +"Esta versão de screen é incompatível com todas as versões anteriores a 3.9.5-5." + +#. Type: boolean +#. Description +#: ../templates:4 +msgid "" +"If you continue with the installation, you will not be able to access " +"currently running screen sessions." +msgstr "" +"Se continuar com a instalação, não poderá aceder a sessões de screen " +"actualmente a correr" diff -Nru screen-4.0.2/debian/po/sv.po screen-4.0.3/debian/po/sv.po --- screen-4.0.2/debian/po/sv.po 1970-01-01 01:00:00.000000000 +0100 +++ screen-4.0.3/debian/po/sv.po 2006-10-28 07:34:58.041316831 +0200 
@@ -0,0 +1,44 @@ +# Translators, if you are not familiar with the PO format, gettext +# documentation is worth reading, especially sections dedicated to +# this format, e.g. by running: +# info -n '(gettext)PO Files' +# info -n '(gettext)Header Entry' +# Some information specific to po-debconf are available at +# /usr/share/doc/po-debconf/README-trans +# or http://www.debian.org/intl/l10n/po-debconf/README-trans +# Developers do not need to manually edit POT or PO files. +# , fuzzy +# +# +msgid "" +msgstr "" +"Project-Id-Version: screen 4.0.2-4.1\n" +"Report-Msgid-Bugs-To: \n" +"POT-Creation-Date: 2003-07-23 07:08+0200\n" +"PO-Revision-Date: 2005-10-05 05:36+0200\n" +"Last-Translator: Daniel Nylander <[EMAIL PROTECTED]>\n" +"Language-Team: Swedish <[EMAIL PROTECTED]>\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=iso-8859-1\n" +"Content-Transfer-Encoding: 8bit" + +#. Description +#: ../templates:4 +msgid "You may lose currently running screen sessions. Continue the install?" +msgstr "Du kan f�rlora screen som k�rs f�r n�rvarande. Forts�tta installationen?" + +#. Description +#: ../templates:4 +msgid "" +"This version of screen is incompatible with all versions before 3.9.5-5." +msgstr "" +"Denna version av screen �r inte kompatibel med alla versioner f�re 3.9.5-5." + +#. Description +#: ../templates:4 +msgid "" +"If you continue with the installation, you will not be able to access " +"currently running screen sessions." +msgstr "" +"Om du forts�tter med installationen kommer du inte kunna h�mta upp nuvarande screen-sessioner som k�rs." +
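
Review bot: In the new debian/po/fi.po, the second and third msgstr entries carry a literal \n in the middle of a sentence (after "versiota 3.9.5-5" and after "käynnissä oleviin"), while the matching msgid strings contain no line break. Drop the \n and join the two halves with a space so the translated text wraps the same way as the original.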
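
Review bot: In the debian/po/it.po header, the added Language-Team line reads LANGUAGE <[EMAIL PROTECTED]>, which is the unfilled template value and replaces the previous "Italian <debian-l10n-italian@lists.debian.org>" entry; the Italian team should be restored there. The same header now has a PO-Revision-Date of 2005-03-21 next to a POT-Creation-Date of 2006-03-10, so the revision date predates the template it claims to translate; worth confirming with the translator before upload, since the changelog lists this file as an update.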
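
Review bot: In the new debian/po/sv.po, the last header field, Content-Transfer-Encoding: 8bit, is missing the trailing \n that every other header field in this patch ends with; add it so the header entry is terminated like the ones in fi.po and pt.po. The comment line "# , fuzzy" near the top also looks like a damaged flag line left over from the template and should be removed, since the header is not meant to be fuzzy.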
diff -Nru screen-4.0.2/encoding.c screen-4.0.3/encoding.c --- screen-4.0.2/encoding.c 2003-09-08 16:25:23.000000000 +0200 +++ screen-4.0.3/encoding.c 2006-10-23 14:58:14.000000000 +0200 @@ -995,8 +995,16 @@ { /* full, recycle old entry */ if (c1 >= 0xd800 && c1 < 0xe000) - comb_tofront(root, c1); + comb_tofront(root, c1 - 0xd800); i = combchars[root]->prev; + if (c1 == i + 0xd800) + { + /* completely full, can't recycle */ + debug("utf8_handle_comp: completely full!\n"); + mc->image = '?'; + mc->font = 0; + return; + } /* FIXME: delete old char from all buffers */ } else if (!combchars[i]) diff -Nru screen-4.0.2/patchlevel.h screen-4.0.3/patchlevel.h --- screen-4.0.2/patchlevel.h 2003-12-05 14:48:34.000000000 +0100 +++ screen-4.0.3/patchlevel.h 2006-10-23 15:04:11.000000000 +0200 @@ -519,11 +519,14 @@ * 05.12.2003 4.00.02 fixed a bug in the ansi parser. fixed execs * on ttys. fixed hardstatus line on blanked screen. * -- DISTRIBUTED + * 23.10.2006 4.00.03 fixed two bug in combining characters handling + * (cstone & Rich Felker). + * -- DISTRIBUTED */ #define ORIGIN "FAU" #define REV 4 #define VERS 0 -#define PATCHLEVEL 2 -#define DATE "5-Dec-03" +#define PATCHLEVEL 3 +#define DATE "23-Oct-06" #define STATE ""
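
Review bot: In the encoding.c hunk, the recycle path still ends at the unchanged "FIXME: delete old char from all buffers" comment, so the corrected comb_tofront(root, c1 - 0xd800) call fixes the index but anything still referring to the recycled entry is not cleaned up; that deserves at least a follow-up item, as it sits right next to the code being fixed for CVE-2006-4573. The new guard "if (c1 == i + 0xd800)" would also benefit from a comment saying why the entry at combchars[root]->prev being c1's own entry means the table is completely full, and the fallback to '?' is reported only through debug(), so a user sees the substitution with no indication of the cause.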
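
Review bot: In the patchlevel.h history entry for 4.00.03, "fixed two bug in combining characters handling" should read "two bugs". As this is an upstream file, the typo is best reported upstream rather than changed in the NMU, so that the diff against the upstream 4.0.3 tarball stays empty for this file.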