Report

CVE-2023-24626: GNU Screen OSC 83 escape sequence command injection


CVE-2023-24626: GNU Screen v4.9.0 contains a command-injection flaw in its terminal escape-sequence dispatcher. In StringEnd() in src/ansi.c, when an OSC (Operating System Command) sequence of type 83 ('S') is received (ESC ] 83 ; cmd BEL), the payload after the semicolon is parsed by Parse() and dispatched directly to DoCommand(), which executes arbitrary screen commands ('exec', 'screen', 'source', etc.) in the foreground window's context.

The bytes that drive this path come from whatever the window's child process writes to its PTY, the same channel used for the message-line PM/GM string types handled in the same switch. Any program that can emit bytes to a screen-attached tty (cat'ing a malicious file, reading a log, downloading a page, an ssh banner, etc.) can therefore execute arbitrary screen commands and from there spawn a shell.

The intended ACL gate (FindUserPtr(":window:")) is not sufficient: the :window: pseudo-user is created on demand whenever multiuser support is compiled in, and the default ACL grants the rights needed to call exec/screen/source. The PM/GM cases in the same switch send attacker-controlled bytes through MakeStatus() to the message line, and OSC 83 turns that "draw stuff in the message line" channel into RCE.

Affects screen <= 4.9.0.
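A scanner for the sequence described above, as an added example that is not code from GNU Screen or from this report: it lists every OSC sequence in a captured byte stream (a log, a file, a banner) before it reaches a screen window, flags type 83, and strips it. The names OscHit, find_osc and strip_risky and the sample bytes are constructed for illustration; accepting the ST terminator (ESC \) and zero-padded type numbers in addition to the BEL form shown above is a conservative assumption.

```python
import re
from typing import List, NamedTuple

# ESC ] <digits> <body>, then BEL or ST (ESC \). The report shows the BEL form;
# accepting ST and leading zeros ("083") is a conservative assumption.
OSC_RE = re.compile(rb"\x1b\](\d+)([^\x07\x1b]*)(\x07|\x1b\\)?")
RISKY_TYPES = {83}  # OSC 83 ('S'): the command-dispatch type in CVE-2023-24626


class OscHit(NamedTuple):
    offset: int        # byte offset of the ESC that starts the sequence
    osc_type: int      # numeric OSC type
    payload: bytes     # bytes after the first ';' (empty if none)
    terminated: bool   # False if no BEL/ST followed the string


def find_osc(data: bytes) -> List[OscHit]:
    """Return every OSC sequence found in data, in order of appearance."""
    hits = []
    for m in OSC_RE.finditer(data):
        body = m.group(2)
        payload = body[1:] if body.startswith(b";") else body
        hits.append(OscHit(m.start(), int(m.group(1)), payload,
                           m.group(3) is not None))
    return hits


def strip_risky(data: bytes) -> bytes:
    """Remove OSC sequences whose type is in RISKY_TYPES; keep all other bytes."""
    def repl(m):
        return b"" if int(m.group(1)) in RISKY_TYPES else m.group(0)
    return OSC_RE.sub(repl, data)


# Constructed sample: a window title (OSC 0), then two OSC 83 sequences with
# placeholder payloads, the second one zero-padded and never terminated.
SAMPLE = (b"boot ok\n\x1b]0;build-host\x07"
          b"line 2\x1b]83;PLACEHOLDER\x07\nline 3\x1b]083;UNTERMINATED")

if __name__ == "__main__":
    for hit in find_osc(SAMPLE):
        flag = "RISKY" if hit.osc_type in RISKY_TYPES else "ok"
        print(f"{flag:5} offset={hit.offset} type={hit.osc_type} "
              f"payload={hit.payload!r} terminated={hit.terminated}")
    print(strip_risky(SAMPLE))
```

The unterminated case is stripped as well, since a terminator may arrive in a later chunk of the same stream.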
