[PATCH] screen: Update to version 5.0.1

public inbox for development@lists.ipfire.org
 help / color / mirror / Atom feed

* [PATCH] screen: Update to version 5.0.1
@ 2025-05-15 16:25 Adolf Belka
  2025-05-22 15:37 ` Michael Tremer
  0 siblings, 1 reply; 3+ messages in thread
From: Adolf Belka @ 2025-05-15 16:25 UTC (permalink / raw)
  To: development; +Cc: Adolf Belka

- Update from version 5.0.0 to 5.0.1
- Update of rootfile
- 5 CVE fixes included in this version
- Changelog
    5.0.1
	Security fix
	    CVE-2025-46805: do NOT send signals with root privileges
	    CVE-2025-46804: avoid file existence test information leaks
	    CVE-2025-46803: apply safe PTY default mode of 0620
	    CVE-2025-46802: prevent temporary 0666 mode on PTYs in attacher
	    CVE-2025-23395: reintroduce lf_secreopen() for logfile
	    buffer overflow due bad strncpy()
	    uninitialized variables warnings
	    typos
	    combining char handling that could lead to a segfault

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 config/rootfiles/common/screen | 3 +--
 lfs/screen                     | 6 +++---
 2 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/config/rootfiles/common/screen b/config/rootfiles/common/screen
index 3442bff2b..e8b72aaa2 100644
--- a/config/rootfiles/common/screen
+++ b/config/rootfiles/common/screen
@@ -1,7 +1,6 @@
 etc/screenrc
 usr/bin/screen
-usr/bin/screen-5.0.0
-#usr/share/info/screen.info
+usr/bin/screen-5.0.1
 #usr/share/man/man1/screen.1
 #usr/share/screen
 #usr/share/screen/utf8encodings
diff --git a/lfs/screen b/lfs/screen
index 6388002cf..d1c0380fb 100644
--- a/lfs/screen
+++ b/lfs/screen
@@ -1,7 +1,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2024  IPFire Team  <info@ipfire.org>                     #
+# Copyright (C) 2007-2025  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 5.0.0
+VER        = 5.0.1
 
 THISAPP    = screen-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = 5ff218afc1692ae201776f759ff2217a51dcf02202e4ba5d12de50a768df83e0e2a7a3511a5f85a3b21362892f31a4fd90d6444918915165ae12a8c0c2b3af39
+$(DL_FILE)_BLAKE2 = f33f985bb9855a5335b72f93b3e8cf8fccddc7c18d3db3fd7493da2825b17002d798e6cf95d35fc39194eb6933018be96efa0b4f6aa4894657ab258f86002220
 
 install : $(TARGET)
 
-- 
2.49.0



^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] screen: Update to version 5.0.1
  2025-05-15 16:25 [PATCH] screen: Update to version 5.0.1 Adolf Belka
@ 2025-05-22 15:37 ` Michael Tremer
  2025-05-22 17:53   ` Adolf Belka
  0 siblings, 1 reply; 3+ messages in thread
From: Michael Tremer @ 2025-05-22 15:37 UTC (permalink / raw)
  To: Adolf Belka; +Cc: development

Hello Adolf,

Thank you for this patch. I had merged this into next, but I will revert this again.

screen seems to ship binary objects in the source tarball:

root@arm64-01:/build/ipfire-2.x# tar tvfa cache/screen-5.0.1.tar.gz  | grep \.o$
-rw-rw-r-- alex/alex     16712 2025-05-12 11:59 screen-5.0.1/sched.o
-rw-rw-r-- alex/alex     43808 2025-05-12 11:59 screen-5.0.1/backtick.o
-rw-rw-r-- alex/alex      9080 2025-05-12 11:59 screen-5.0.1/winmsgcond.o
-rw-rw-r-- alex/alex     81728 2025-05-12 11:59 screen-5.0.1/canvas.o
-rw-rw-r-- alex/alex     50680 2025-05-12 11:59 screen-5.0.1/search.o
-rw-rw-r-- alex/alex     32752 2025-05-12 11:59 screen-5.0.1/winmsgbuf.o
-rw-rw-r-- alex/alex     11888 2025-05-12 11:59 screen-5.0.1/term.o
-rw-rw-r-- alex/alex      2800 2025-05-12 11:59 screen-5.0.1/telnet.o
-rw-rw-r-- alex/alex     54224 2025-05-12 11:59 screen-5.0.1/layout.o
-rw-rw-r-- alex/alex    107776 2025-05-12 11:59 screen-5.0.1/mark.o
-rw-rw-r-- alex/alex     58640 2025-05-12 11:59 screen-5.0.1/list_generic.o
-rw-rw-r-- alex/alex     55912 2025-05-12 11:59 screen-5.0.1/input.o
-rw-rw-r-- alex/alex     97520 2025-05-12 11:59 screen-5.0.1/winmsg.o
-rw-rw-r-- alex/alex    108256 2025-05-12 11:59 screen-5.0.1/layer.o
-rw-rw-r-- alex/alex     50344 2025-05-12 11:59 screen-5.0.1/misc.o
-rw-rw-r-- alex/alex    166432 2025-05-12 11:59 screen-5.0.1/window.o
-rw-rw-r-- alex/alex     72440 2025-05-12 11:59 screen-5.0.1/help.o
-rw-rw-r-- alex/alex    154704 2025-05-12 11:59 screen-5.0.1/termcap.o
-rw-rw-r-- alex/alex    300672 2025-05-12 11:59 screen-5.0.1/display.o
-rw-rw-r-- alex/alex     73432 2025-05-12 11:59 screen-5.0.1/list_window.o
-rw-rw-r-- alex/alex     85392 2025-05-12 11:59 screen-5.0.1/resize.o
-rw-rw-r-- alex/alex    650104 2025-05-12 11:59 screen-5.0.1/process.o
-rw-rw-r-- alex/alex    218400 2025-05-12 11:59 screen-5.0.1/ansi.o
-rw-rw-r-- alex/alex      6704 2025-05-12 11:59 screen-5.0.1/kmapdef.o
-rw-rw-r-- alex/alex     27016 2025-05-12 11:59 screen-5.0.1/logfile.o
-rw-rw-r-- alex/alex      6760 2025-05-12 11:59 screen-5.0.1/pty.o
-rw-rw-r-- alex/alex     42704 2025-05-12 11:59 screen-5.0.1/list_display.o
-rw-rw-r-- alex/alex     14160 2025-05-12 11:59 screen-5.0.1/comm.o
-rw-rw-r-- alex/alex    231600 2025-05-12 12:08 screen-5.0.1/doc/screen.texinfo
-rw-rw-r-- alex/alex     42936 2025-05-12 11:59 screen-5.0.1/list_license.o
-rw-rw-r-- alex/alex    146368 2025-05-12 11:59 screen-5.0.1/socket.o
-rw-rw-r-- alex/alex      4176 2025-05-12 11:59 screen-5.0.1/utmp.o
-rw-rw-r-- alex/alex     78792 2025-05-12 11:59 screen-5.0.1/acls.o
-rw-rw-r-- alex/alex     53560 2025-05-12 11:59 screen-5.0.1/attacher.o
-rw-rw-r-- alex/alex    237472 2025-05-12 11:59 screen-5.0.1/screen.o
-rw-rw-r-- alex/alex    101016 2025-05-12 11:59 screen-5.0.1/fileio.o
-rw-rw-r-- alex/alex     98056 2025-05-12 11:59 screen-5.0.1/encoding.o
-rw-rw-r-- alex/alex     29592 2025-05-12 11:59 screen-5.0.1/viewport.o
-rw-rw-r-- alex/alex     77104 2025-05-12 11:59 screen-5.0.1/tty.o

They seem to be x86_64, and so the build fails on ARM. This is however either a mistake or I would consider this a way to ship any backdoored software. I have no time to investigate so I am going to assume the latter for now and will be *very* careful.

-Michael

> On 15 May 2025, at 17:25, Adolf Belka <adolf.belka@ipfire.org> wrote:
> 
> - Update from version 5.0.0 to 5.0.1
> - Update of rootfile
> - 5 CVE fixes included in this version
> - Changelog
>    5.0.1
> Security fix
>    CVE-2025-46805: do NOT send signals with root privileges
>    CVE-2025-46804: avoid file existence test information leaks
>    CVE-2025-46803: apply safe PTY default mode of 0620
>    CVE-2025-46802: prevent temporary 0666 mode on PTYs in attacher
>    CVE-2025-23395: reintroduce lf_secreopen() for logfile
>    buffer overflow due bad strncpy()
>    uninitialized variables warnings
>    typos
>    combining char handling that could lead to a segfault
> 
> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
> ---
> config/rootfiles/common/screen | 3 +--
> lfs/screen                     | 6 +++---
> 2 files changed, 4 insertions(+), 5 deletions(-)
> 
> diff --git a/config/rootfiles/common/screen b/config/rootfiles/common/screen
> index 3442bff2b..e8b72aaa2 100644
> --- a/config/rootfiles/common/screen
> +++ b/config/rootfiles/common/screen
> @@ -1,7 +1,6 @@
> etc/screenrc
> usr/bin/screen
> -usr/bin/screen-5.0.0
> -#usr/share/info/screen.info
> +usr/bin/screen-5.0.1
> #usr/share/man/man1/screen.1
> #usr/share/screen
> #usr/share/screen/utf8encodings
> diff --git a/lfs/screen b/lfs/screen
> index 6388002cf..d1c0380fb 100644
> --- a/lfs/screen
> +++ b/lfs/screen
> @@ -1,7 +1,7 @@
> ###############################################################################
> #                                                                             #
> # IPFire.org - A linux based firewall                                         #
> -# Copyright (C) 2007-2024  IPFire Team  <info@ipfire.org>                     #
> +# Copyright (C) 2007-2025  IPFire Team  <info@ipfire.org>                     #
> #                                                                             #
> # This program is free software: you can redistribute it and/or modify        #
> # it under the terms of the GNU General Public License as published by        #
> @@ -24,7 +24,7 @@
> 
> include Config
> 
> -VER        = 5.0.0
> +VER        = 5.0.1
> 
> THISAPP    = screen-$(VER)
> DL_FILE    = $(THISAPP).tar.gz
> @@ -40,7 +40,7 @@ objects = $(DL_FILE)
> 
> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
> 
> -$(DL_FILE)_BLAKE2 = 5ff218afc1692ae201776f759ff2217a51dcf02202e4ba5d12de50a768df83e0e2a7a3511a5f85a3b21362892f31a4fd90d6444918915165ae12a8c0c2b3af39
> +$(DL_FILE)_BLAKE2 = f33f985bb9855a5335b72f93b3e8cf8fccddc7c18d3db3fd7493da2825b17002d798e6cf95d35fc39194eb6933018be96efa0b4f6aa4894657ab258f86002220
> 
> install : $(TARGET)
> 
> -- 
> 2.49.0
> 
> 



^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] screen: Update to version 5.0.1
  2025-05-22 15:37 ` Michael Tremer
@ 2025-05-22 17:53   ` Adolf Belka
  0 siblings, 0 replies; 3+ messages in thread
From: Adolf Belka @ 2025-05-22 17:53 UTC (permalink / raw)
  To: Michael Tremer; +Cc: development

Hi Michael,

On 22/05/2025 17:37, Michael Tremer wrote:
> Hello Adolf,
> 
> Thank you for this patch. I had merged this into next, but I will revert this again.
> 
> screen seems to ship binary objects in the source tarball:

Oh wow!!!

> 
> root@arm64-01:/build/ipfire-2.x# tar tvfa cache/screen-5.0.1.tar.gz  | grep \.o$
> -rw-rw-r-- alex/alex     16712 2025-05-12 11:59 screen-5.0.1/sched.o
> -rw-rw-r-- alex/alex     43808 2025-05-12 11:59 screen-5.0.1/backtick.o
> -rw-rw-r-- alex/alex      9080 2025-05-12 11:59 screen-5.0.1/winmsgcond.o
> -rw-rw-r-- alex/alex     81728 2025-05-12 11:59 screen-5.0.1/canvas.o
> -rw-rw-r-- alex/alex     50680 2025-05-12 11:59 screen-5.0.1/search.o
> -rw-rw-r-- alex/alex     32752 2025-05-12 11:59 screen-5.0.1/winmsgbuf.o
> -rw-rw-r-- alex/alex     11888 2025-05-12 11:59 screen-5.0.1/term.o
> -rw-rw-r-- alex/alex      2800 2025-05-12 11:59 screen-5.0.1/telnet.o
> -rw-rw-r-- alex/alex     54224 2025-05-12 11:59 screen-5.0.1/layout.o
> -rw-rw-r-- alex/alex    107776 2025-05-12 11:59 screen-5.0.1/mark.o
> -rw-rw-r-- alex/alex     58640 2025-05-12 11:59 screen-5.0.1/list_generic.o
> -rw-rw-r-- alex/alex     55912 2025-05-12 11:59 screen-5.0.1/input.o
> -rw-rw-r-- alex/alex     97520 2025-05-12 11:59 screen-5.0.1/winmsg.o
> -rw-rw-r-- alex/alex    108256 2025-05-12 11:59 screen-5.0.1/layer.o
> -rw-rw-r-- alex/alex     50344 2025-05-12 11:59 screen-5.0.1/misc.o
> -rw-rw-r-- alex/alex    166432 2025-05-12 11:59 screen-5.0.1/window.o
> -rw-rw-r-- alex/alex     72440 2025-05-12 11:59 screen-5.0.1/help.o
> -rw-rw-r-- alex/alex    154704 2025-05-12 11:59 screen-5.0.1/termcap.o
> -rw-rw-r-- alex/alex    300672 2025-05-12 11:59 screen-5.0.1/display.o
> -rw-rw-r-- alex/alex     73432 2025-05-12 11:59 screen-5.0.1/list_window.o
> -rw-rw-r-- alex/alex     85392 2025-05-12 11:59 screen-5.0.1/resize.o
> -rw-rw-r-- alex/alex    650104 2025-05-12 11:59 screen-5.0.1/process.o
> -rw-rw-r-- alex/alex    218400 2025-05-12 11:59 screen-5.0.1/ansi.o
> -rw-rw-r-- alex/alex      6704 2025-05-12 11:59 screen-5.0.1/kmapdef.o
> -rw-rw-r-- alex/alex     27016 2025-05-12 11:59 screen-5.0.1/logfile.o
> -rw-rw-r-- alex/alex      6760 2025-05-12 11:59 screen-5.0.1/pty.o
> -rw-rw-r-- alex/alex     42704 2025-05-12 11:59 screen-5.0.1/list_display.o
> -rw-rw-r-- alex/alex     14160 2025-05-12 11:59 screen-5.0.1/comm.o
> -rw-rw-r-- alex/alex    231600 2025-05-12 12:08 screen-5.0.1/doc/screen.texinfo
> -rw-rw-r-- alex/alex     42936 2025-05-12 11:59 screen-5.0.1/list_license.o
> -rw-rw-r-- alex/alex    146368 2025-05-12 11:59 screen-5.0.1/socket.o
> -rw-rw-r-- alex/alex      4176 2025-05-12 11:59 screen-5.0.1/utmp.o
> -rw-rw-r-- alex/alex     78792 2025-05-12 11:59 screen-5.0.1/acls.o
> -rw-rw-r-- alex/alex     53560 2025-05-12 11:59 screen-5.0.1/attacher.o
> -rw-rw-r-- alex/alex    237472 2025-05-12 11:59 screen-5.0.1/screen.o
> -rw-rw-r-- alex/alex    101016 2025-05-12 11:59 screen-5.0.1/fileio.o
> -rw-rw-r-- alex/alex     98056 2025-05-12 11:59 screen-5.0.1/encoding.o
> -rw-rw-r-- alex/alex     29592 2025-05-12 11:59 screen-5.0.1/viewport.o
> -rw-rw-r-- alex/alex     77104 2025-05-12 11:59 screen-5.0.1/tty.o
> 
> They seem to be x86_64, and so the build fails on ARM. This is however either a mistake or I would consider this a way to ship any backdoored software. I have no time to investigate so I am going to assume the latter for now and will be *very* careful.

Due to the CVE's open with screen-5.0.0 should I now go back and look at the patches from that person and make a new patch submission using those?

Regards,
Adolf.

> 
> -Michael
> 
>> On 15 May 2025, at 17:25, Adolf Belka <adolf.belka@ipfire.org> wrote:
>>
>> - Update from version 5.0.0 to 5.0.1
>> - Update of rootfile
>> - 5 CVE fixes included in this version
>> - Changelog
>>     5.0.1
>> Security fix
>>     CVE-2025-46805: do NOT send signals with root privileges
>>     CVE-2025-46804: avoid file existence test information leaks
>>     CVE-2025-46803: apply safe PTY default mode of 0620
>>     CVE-2025-46802: prevent temporary 0666 mode on PTYs in attacher
>>     CVE-2025-23395: reintroduce lf_secreopen() for logfile
>>     buffer overflow due bad strncpy()
>>     uninitialized variables warnings
>>     typos
>>     combining char handling that could lead to a segfault
>>
>> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
>> ---
>> config/rootfiles/common/screen | 3 +--
>> lfs/screen                     | 6 +++---
>> 2 files changed, 4 insertions(+), 5 deletions(-)
>>
>> diff --git a/config/rootfiles/common/screen b/config/rootfiles/common/screen
>> index 3442bff2b..e8b72aaa2 100644
>> --- a/config/rootfiles/common/screen
>> +++ b/config/rootfiles/common/screen
>> @@ -1,7 +1,6 @@
>> etc/screenrc
>> usr/bin/screen
>> -usr/bin/screen-5.0.0
>> -#usr/share/info/screen.info
>> +usr/bin/screen-5.0.1
>> #usr/share/man/man1/screen.1
>> #usr/share/screen
>> #usr/share/screen/utf8encodings
>> diff --git a/lfs/screen b/lfs/screen
>> index 6388002cf..d1c0380fb 100644
>> --- a/lfs/screen
>> +++ b/lfs/screen
>> @@ -1,7 +1,7 @@
>> ###############################################################################
>> #                                                                             #
>> # IPFire.org - A linux based firewall                                         #
>> -# Copyright (C) 2007-2024  IPFire Team  <info@ipfire.org>                     #
>> +# Copyright (C) 2007-2025  IPFire Team  <info@ipfire.org>                     #
>> #                                                                             #
>> # This program is free software: you can redistribute it and/or modify        #
>> # it under the terms of the GNU General Public License as published by        #
>> @@ -24,7 +24,7 @@
>>
>> include Config
>>
>> -VER        = 5.0.0
>> +VER        = 5.0.1
>>
>> THISAPP    = screen-$(VER)
>> DL_FILE    = $(THISAPP).tar.gz
>> @@ -40,7 +40,7 @@ objects = $(DL_FILE)
>>
>> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>>
>> -$(DL_FILE)_BLAKE2 = 5ff218afc1692ae201776f759ff2217a51dcf02202e4ba5d12de50a768df83e0e2a7a3511a5f85a3b21362892f31a4fd90d6444918915165ae12a8c0c2b3af39
>> +$(DL_FILE)_BLAKE2 = f33f985bb9855a5335b72f93b3e8cf8fccddc7c18d3db3fd7493da2825b17002d798e6cf95d35fc39194eb6933018be96efa0b4f6aa4894657ab258f86002220
>>
>> install : $(TARGET)
>>
>> -- 
>> 2.49.0
>>
>>
> 



^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2025-05-22 17:53 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2025-05-15 16:25 [PATCH] screen: Update to version 5.0.1 Adolf Belka
2025-05-22 15:37 ` Michael Tremer
2025-05-22 17:53   ` Adolf Belka

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox