From: Michael Tremer <michael.tremer@ipfire.org>
To: Adolf Belka <adolf.belka@ipfire.org>
Cc: development@lists.ipfire.org
Subject: Re: [PATCH] screen: Update to version 5.0.1
Date: Fri, 23 May 2025 11:30:44 +0100 [thread overview]
Message-ID: <AE8B20B3-FF6A-4916-B1BB-D07AADBD649E@ipfire.org> (raw)
In-Reply-To: <7d7601f4-e864-47db-8bc8-ae95be1861cd@ipfire.org>
Hello Adolf,
> On 22 May 2025, at 18:53, Adolf Belka <adolf.belka@ipfire.org> wrote:
>
> Hi Michael,
>
> On 22/05/2025 17:37, Michael Tremer wrote:
>> Hello Adolf,
>> Thank you for this patch. I had merged this into next, but I will revert this again.
>> screen seems to ship binary objects in the source tarball:
>
> Oh wow!!!
>
>> root@arm64-01:/build/ipfire-2.x# tar tvfa cache/screen-5.0.1.tar.gz | grep \.o$
>> -rw-rw-r-- alex/alex 16712 2025-05-12 11:59 screen-5.0.1/sched.o
>> -rw-rw-r-- alex/alex 43808 2025-05-12 11:59 screen-5.0.1/backtick.o
>> -rw-rw-r-- alex/alex 9080 2025-05-12 11:59 screen-5.0.1/winmsgcond.o
>> -rw-rw-r-- alex/alex 81728 2025-05-12 11:59 screen-5.0.1/canvas.o
>> -rw-rw-r-- alex/alex 50680 2025-05-12 11:59 screen-5.0.1/search.o
>> -rw-rw-r-- alex/alex 32752 2025-05-12 11:59 screen-5.0.1/winmsgbuf.o
>> -rw-rw-r-- alex/alex 11888 2025-05-12 11:59 screen-5.0.1/term.o
>> -rw-rw-r-- alex/alex 2800 2025-05-12 11:59 screen-5.0.1/telnet.o
>> -rw-rw-r-- alex/alex 54224 2025-05-12 11:59 screen-5.0.1/layout.o
>> -rw-rw-r-- alex/alex 107776 2025-05-12 11:59 screen-5.0.1/mark.o
>> -rw-rw-r-- alex/alex 58640 2025-05-12 11:59 screen-5.0.1/list_generic.o
>> -rw-rw-r-- alex/alex 55912 2025-05-12 11:59 screen-5.0.1/input.o
>> -rw-rw-r-- alex/alex 97520 2025-05-12 11:59 screen-5.0.1/winmsg.o
>> -rw-rw-r-- alex/alex 108256 2025-05-12 11:59 screen-5.0.1/layer.o
>> -rw-rw-r-- alex/alex 50344 2025-05-12 11:59 screen-5.0.1/misc.o
>> -rw-rw-r-- alex/alex 166432 2025-05-12 11:59 screen-5.0.1/window.o
>> -rw-rw-r-- alex/alex 72440 2025-05-12 11:59 screen-5.0.1/help.o
>> -rw-rw-r-- alex/alex 154704 2025-05-12 11:59 screen-5.0.1/termcap.o
>> -rw-rw-r-- alex/alex 300672 2025-05-12 11:59 screen-5.0.1/display.o
>> -rw-rw-r-- alex/alex 73432 2025-05-12 11:59 screen-5.0.1/list_window.o
>> -rw-rw-r-- alex/alex 85392 2025-05-12 11:59 screen-5.0.1/resize.o
>> -rw-rw-r-- alex/alex 650104 2025-05-12 11:59 screen-5.0.1/process.o
>> -rw-rw-r-- alex/alex 218400 2025-05-12 11:59 screen-5.0.1/ansi.o
>> -rw-rw-r-- alex/alex 6704 2025-05-12 11:59 screen-5.0.1/kmapdef.o
>> -rw-rw-r-- alex/alex 27016 2025-05-12 11:59 screen-5.0.1/logfile.o
>> -rw-rw-r-- alex/alex 6760 2025-05-12 11:59 screen-5.0.1/pty.o
>> -rw-rw-r-- alex/alex 42704 2025-05-12 11:59 screen-5.0.1/list_display.o
>> -rw-rw-r-- alex/alex 14160 2025-05-12 11:59 screen-5.0.1/comm.o
>> -rw-rw-r-- alex/alex 231600 2025-05-12 12:08 screen-5.0.1/doc/screen.texinfo
>> -rw-rw-r-- alex/alex 42936 2025-05-12 11:59 screen-5.0.1/list_license.o
>> -rw-rw-r-- alex/alex 146368 2025-05-12 11:59 screen-5.0.1/socket.o
>> -rw-rw-r-- alex/alex 4176 2025-05-12 11:59 screen-5.0.1/utmp.o
>> -rw-rw-r-- alex/alex 78792 2025-05-12 11:59 screen-5.0.1/acls.o
>> -rw-rw-r-- alex/alex 53560 2025-05-12 11:59 screen-5.0.1/attacher.o
>> -rw-rw-r-- alex/alex 237472 2025-05-12 11:59 screen-5.0.1/screen.o
>> -rw-rw-r-- alex/alex 101016 2025-05-12 11:59 screen-5.0.1/fileio.o
>> -rw-rw-r-- alex/alex 98056 2025-05-12 11:59 screen-5.0.1/encoding.o
>> -rw-rw-r-- alex/alex 29592 2025-05-12 11:59 screen-5.0.1/viewport.o
>> -rw-rw-r-- alex/alex 77104 2025-05-12 11:59 screen-5.0.1/tty.o
>> They seem to be x86_64, and so the build fails on ARM. This is however either a mistake or I would consider this a way to ship any backdoored software. I have no time to investigate so I am going to assume the latter for now and will be *very* careful.
>
> Due to the CVE's open with screen-5.0.0 should I now go back and look at the patches from that person and make a new patch submission using those?
I did not have time yesterday to look into this…
Where did you get this tarball from? The one that I can download from https://ftp.gnu.org/gnu/screen/screen-5.0.1.tar.gz does not have any binaries in it. Either it has been replaced or you have been given a malicious source tarball.
I cannot find any signatures that would verify the former tarball or the one that I just downloaded.
-Michael
> Regards,
> Adolf.
>
>> -Michael
>>> On 15 May 2025, at 17:25, Adolf Belka <adolf.belka@ipfire.org> wrote:
>>>
>>> - Update from version 5.0.0 to 5.0.1
>>> - Update of rootfile
>>> - 5 CVE fixes included in this version
>>> - Changelog
>>> 5.0.1
>>> Security fix
>>> CVE-2025-46805: do NOT send signals with root privileges
>>> CVE-2025-46804: avoid file existence test information leaks
>>> CVE-2025-46803: apply safe PTY default mode of 0620
>>> CVE-2025-46802: prevent temporary 0666 mode on PTYs in attacher
>>> CVE-2025-23395: reintroduce lf_secreopen() for logfile
>>> buffer overflow due bad strncpy()
>>> uninitialized variables warnings
>>> typos
>>> combining char handling that could lead to a segfault
>>>
>>> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
>>> ---
>>> config/rootfiles/common/screen | 3 +--
>>> lfs/screen | 6 +++---
>>> 2 files changed, 4 insertions(+), 5 deletions(-)
>>>
>>> diff --git a/config/rootfiles/common/screen b/config/rootfiles/common/screen
>>> index 3442bff2b..e8b72aaa2 100644
>>> --- a/config/rootfiles/common/screen
>>> +++ b/config/rootfiles/common/screen
>>> @@ -1,7 +1,6 @@
>>> etc/screenrc
>>> usr/bin/screen
>>> -usr/bin/screen-5.0.0
>>> -#usr/share/info/screen.info
>>> +usr/bin/screen-5.0.1
>>> #usr/share/man/man1/screen.1
>>> #usr/share/screen
>>> #usr/share/screen/utf8encodings
>>> diff --git a/lfs/screen b/lfs/screen
>>> index 6388002cf..d1c0380fb 100644
>>> --- a/lfs/screen
>>> +++ b/lfs/screen
>>> @@ -1,7 +1,7 @@
>>> ###############################################################################
>>> # #
>>> # IPFire.org - A linux based firewall #
>>> -# Copyright (C) 2007-2024 IPFire Team <info@ipfire.org> #
>>> +# Copyright (C) 2007-2025 IPFire Team <info@ipfire.org> #
>>> # #
>>> # This program is free software: you can redistribute it and/or modify #
>>> # it under the terms of the GNU General Public License as published by #
>>> @@ -24,7 +24,7 @@
>>>
>>> include Config
>>>
>>> -VER = 5.0.0
>>> +VER = 5.0.1
>>>
>>> THISAPP = screen-$(VER)
>>> DL_FILE = $(THISAPP).tar.gz
>>> @@ -40,7 +40,7 @@ objects = $(DL_FILE)
>>>
>>> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>>>
>>> -$(DL_FILE)_BLAKE2 = 5ff218afc1692ae201776f759ff2217a51dcf02202e4ba5d12de50a768df83e0e2a7a3511a5f85a3b21362892f31a4fd90d6444918915165ae12a8c0c2b3af39
>>> +$(DL_FILE)_BLAKE2 = f33f985bb9855a5335b72f93b3e8cf8fccddc7c18d3db3fd7493da2825b17002d798e6cf95d35fc39194eb6933018be96efa0b4f6aa4894657ab258f86002220
>>>
>>> install : $(TARGET)
>>>
>>> --
>>> 2.49.0
>>>
>>>
>
>
next prev parent reply other threads:[~2025-05-23 10:30 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-15 16:25 Adolf Belka
2025-05-22 15:37 ` Michael Tremer
2025-05-22 17:53 ` Adolf Belka
2025-05-23 10:30 ` Michael Tremer [this message]
2025-05-23 11:04 ` Adolf Belka
2025-05-23 12:17 ` Adolf Belka
2025-05-23 14:28 ` Michael Tremer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=AE8B20B3-FF6A-4916-B1BB-D07AADBD649E@ipfire.org \
--to=michael.tremer@ipfire.org \
--cc=adolf.belka@ipfire.org \
--cc=development@lists.ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox