
Cloud Vulnerability DB
A community-led vulnerabilities database
A buffer overflow vulnerability (CVE-2020-9366) was discovered in GNU Screen versions before 4.8.0. It lies in the way GNU Screen handles the special escape sequence OSC 49. The issue had been present since at least version 4.2.0 and was fixed with the release of version 4.8.0 on February 5, 2020 (GNU Release).
The vulnerability occurs because the value 49 is divided by 10 and the result is used as a table index. This leads to an access to w_xtermosc[4], which is out of bounds because the table has only 4 elements. The issue involves a potential memory overwrite of approximately 768 bytes. The vulnerability is exposed when GNU Screen is built with the '--enable-rxvt_osc' option, which is enabled by default in most distributions, including Debian, Arch Linux, Fedora, and Gentoo (OSS Security). The vulnerability has been assigned a CVSS v3.1 base score of 9.8 CRITICAL (NVD).
When exploited, this vulnerability could allow an attacker to corrupt memory and crash Screen, or potentially have other unspecified impacts. The amount of memory that can be corrupted is significant (~768 bytes) (GNU Release, Gentoo Advisory).
The vulnerability was fixed in GNU Screen version 4.8.0. The fix increased the size of the w_xtermosc table from 4 to 5 elements and increased the permitted length of OSC from 768 to 2560 characters. Users should upgrade to version 4.8.0 or later. For systems that cannot be upgraded immediately, building Screen without the '--enable-rxvt_osc' option provides a workaround, though this may impact functionality (OSS Security).
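The index arithmetic and the bounds check that prevents it, as an added example (a simplified model written for this page, not GNU Screen's source). The helper names and the 768-byte slot size are assumptions; only w_xtermosc, the divide-by-10 index and the table sizes 4 and 5 come from the advisory.

```c
#include <stdio.h>
#include <string.h>

#define SLOTS_BEFORE_FIX 4    /* w_xtermosc size before 4.8.0, per the advisory */
#define SLOTS_AFTER_FIX  5    /* w_xtermosc size in 4.8.0 */
#define SLOT_LEN         768  /* assumed per-slot size for this model */

/* Index derivation described in the advisory: OSC number divided by 10. */
static int osc_slot(int osc) { return osc / 10; }

/* 1 if the slot derived from `osc` lies inside a table of `slots` entries. */
static int slot_in_bounds(int osc, int slots)
{
    return osc >= 0 && osc_slot(osc) < slots;
}

/* Hypothetical hardened store: validates index and length before copying.
 * Returns 0 on success, -1 if the write would leave the table or the slot. */
static int osc_store_checked(char table[][SLOT_LEN], int slots,
                             int osc, const char *payload)
{
    size_t len = strlen(payload);
    if (!slot_in_bounds(osc, slots))
        return -1;                      /* e.g. OSC 49 against a 4-slot table */
    if (len >= SLOT_LEN)
        return -1;                      /* payload would overrun the slot */
    memcpy(table[osc_slot(osc)], payload, len + 1);
    return 0;
}

int main(void)
{
    static char table[SLOTS_BEFORE_FIX][SLOT_LEN];
    int oscs[] = { 0, 20, 39, 49 };     /* constructed sample OSC numbers */
    for (size_t k = 0; k < sizeof oscs / sizeof oscs[0]; k++)
        printf("OSC %2d -> slot %d | 4 slots: %-13s | 5 slots: %-13s | store=%d\n",
               oscs[k], osc_slot(oscs[k]),
               slot_in_bounds(oscs[k], SLOTS_BEFORE_FIX) ? "ok" : "OUT OF BOUNDS",
               slot_in_bounds(oscs[k], SLOTS_AFTER_FIX) ? "ok" : "OUT OF BOUNDS",
               osc_store_checked(table, SLOTS_BEFORE_FIX, oscs[k], "constructed"));
    return 0;
}
```

The model never performs the out-of-bounds write itself; it reports which OSC numbers map past the end of the table and shows the checked store rejecting them.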
Source: This report was generated using AI