From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4b3hJT2pLVz30Jq for ; Fri, 23 May 2025 10:30:49 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4b3hJP6TpBz30Hh for ; Fri, 23 May 2025 10:30:45 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4b3hJP10cszld; Fri, 23 May 2025 10:30:45 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1747996245; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=n5jErzNveSfweIm8KOHauxDTLP8/m6itBBeIEXy4oGA=; b=QY7gwfTMim+ZQ4r93xpeNu+piA3c7eRlRa4hbNYfSFFpzPhfXfRfzQwNnpSbXRiUw3knDA EzTm9sNxGFg9hODQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1747996245; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=n5jErzNveSfweIm8KOHauxDTLP8/m6itBBeIEXy4oGA=; b=nkggNF6C4BlFSsmTFj16MFIHCjIjPXDjPcOWZOhlLKa7OmOhHuOaJTAfNTCmXlXjhoejdd aiYK3/DNodw/nUz+4nfea/V/UPGHhT9Afnylomj+BP26p88iP+3WrMD6jXbUc1VKRFN6GT tmqGVKDXBcPJ6ZCxtXtKME2PIHfgmbxtbKKztUQQAVk+3/8dodqo4tyHh6Wd/1plWpg+mX 5xqR3JeSnsPD0TAjrvIN8Z5AHFn4dSzIuaqUNIaN2Lmb3TtTOobdLydBf3FOD6dxYeBL/P NlHFl+gWZSRElhTzOJ18k2dFNcYHaf+3ePezZ/VgtaHalfcyujfrSebAM8DGTA== Content-Type: text/plain; charset=utf-8 Precedence: list List-Id: List-Subscribe: , List-Unsubscribe: , List-Post: List-Help: Sender: Mail-Followup-To: Mime-Version: 1.0 Subject: Re: [PATCH] screen: Update to version 5.0.1 From: Michael Tremer In-Reply-To: <7d7601f4-e864-47db-8bc8-ae95be1861cd@ipfire.org> Date: Fri, 23 May 2025 11:30:44 +0100 Cc: development@lists.ipfire.org Content-Transfer-Encoding: quoted-printable Message-Id: References: <20250515162525.3301332-1-adolf.belka@ipfire.org> <98828B86-5323-4EFA-9278-6BB578AB77E2@ipfire.org> <7d7601f4-e864-47db-8bc8-ae95be1861cd@ipfire.org> To: Adolf Belka Hello Adolf, > On 22 May 2025, at 18:53, Adolf Belka wrote: >=20 > Hi Michael, >=20 > On 22/05/2025 17:37, Michael Tremer wrote: >> Hello Adolf, >> Thank you for this patch. I had merged this into next, but I will = revert this again. >> screen seems to ship binary objects in the source tarball: >=20 > Oh wow!!! >=20 >> root@arm64-01:/build/ipfire-2.x# tar tvfa cache/screen-5.0.1.tar.gz = | grep \.o$ >> -rw-rw-r-- alex/alex 16712 2025-05-12 11:59 screen-5.0.1/sched.o >> -rw-rw-r-- alex/alex 43808 2025-05-12 11:59 = screen-5.0.1/backtick.o >> -rw-rw-r-- alex/alex 9080 2025-05-12 11:59 = screen-5.0.1/winmsgcond.o >> -rw-rw-r-- alex/alex 81728 2025-05-12 11:59 screen-5.0.1/canvas.o >> -rw-rw-r-- alex/alex 50680 2025-05-12 11:59 screen-5.0.1/search.o >> -rw-rw-r-- alex/alex 32752 2025-05-12 11:59 = screen-5.0.1/winmsgbuf.o >> -rw-rw-r-- alex/alex 11888 2025-05-12 11:59 screen-5.0.1/term.o >> -rw-rw-r-- alex/alex 2800 2025-05-12 11:59 screen-5.0.1/telnet.o >> -rw-rw-r-- alex/alex 54224 2025-05-12 11:59 screen-5.0.1/layout.o >> -rw-rw-r-- alex/alex 107776 2025-05-12 11:59 screen-5.0.1/mark.o >> -rw-rw-r-- alex/alex 58640 2025-05-12 11:59 = screen-5.0.1/list_generic.o >> -rw-rw-r-- alex/alex 55912 2025-05-12 11:59 screen-5.0.1/input.o >> -rw-rw-r-- alex/alex 97520 2025-05-12 11:59 screen-5.0.1/winmsg.o >> -rw-rw-r-- alex/alex 108256 2025-05-12 11:59 screen-5.0.1/layer.o >> -rw-rw-r-- alex/alex 50344 2025-05-12 11:59 screen-5.0.1/misc.o >> -rw-rw-r-- alex/alex 166432 2025-05-12 11:59 screen-5.0.1/window.o >> -rw-rw-r-- alex/alex 72440 2025-05-12 11:59 screen-5.0.1/help.o >> -rw-rw-r-- alex/alex 154704 2025-05-12 11:59 = screen-5.0.1/termcap.o >> -rw-rw-r-- alex/alex 300672 2025-05-12 11:59 = screen-5.0.1/display.o >> -rw-rw-r-- alex/alex 73432 2025-05-12 11:59 = screen-5.0.1/list_window.o >> -rw-rw-r-- alex/alex 85392 2025-05-12 11:59 screen-5.0.1/resize.o >> -rw-rw-r-- alex/alex 650104 2025-05-12 11:59 = screen-5.0.1/process.o >> -rw-rw-r-- alex/alex 218400 2025-05-12 11:59 screen-5.0.1/ansi.o >> -rw-rw-r-- alex/alex 6704 2025-05-12 11:59 = screen-5.0.1/kmapdef.o >> -rw-rw-r-- alex/alex 27016 2025-05-12 11:59 = screen-5.0.1/logfile.o >> -rw-rw-r-- alex/alex 6760 2025-05-12 11:59 screen-5.0.1/pty.o >> -rw-rw-r-- alex/alex 42704 2025-05-12 11:59 = screen-5.0.1/list_display.o >> -rw-rw-r-- alex/alex 14160 2025-05-12 11:59 screen-5.0.1/comm.o >> -rw-rw-r-- alex/alex 231600 2025-05-12 12:08 = screen-5.0.1/doc/screen.texinfo >> -rw-rw-r-- alex/alex 42936 2025-05-12 11:59 = screen-5.0.1/list_license.o >> -rw-rw-r-- alex/alex 146368 2025-05-12 11:59 screen-5.0.1/socket.o >> -rw-rw-r-- alex/alex 4176 2025-05-12 11:59 screen-5.0.1/utmp.o >> -rw-rw-r-- alex/alex 78792 2025-05-12 11:59 screen-5.0.1/acls.o >> -rw-rw-r-- alex/alex 53560 2025-05-12 11:59 = screen-5.0.1/attacher.o >> -rw-rw-r-- alex/alex 237472 2025-05-12 11:59 screen-5.0.1/screen.o >> -rw-rw-r-- alex/alex 101016 2025-05-12 11:59 screen-5.0.1/fileio.o >> -rw-rw-r-- alex/alex 98056 2025-05-12 11:59 = screen-5.0.1/encoding.o >> -rw-rw-r-- alex/alex 29592 2025-05-12 11:59 = screen-5.0.1/viewport.o >> -rw-rw-r-- alex/alex 77104 2025-05-12 11:59 screen-5.0.1/tty.o >> They seem to be x86_64, and so the build fails on ARM. This is = however either a mistake or I would consider this a way to ship any = backdoored software. I have no time to investigate so I am going to = assume the latter for now and will be *very* careful. >=20 > Due to the CVE's open with screen-5.0.0 should I now go back and look = at the patches from that person and make a new patch submission using = those? I did not have time yesterday to look into this=E2=80=A6 Where did you get this tarball from? The one that I can download from = https://ftp.gnu.org/gnu/screen/screen-5.0.1.tar.gz does not have any = binaries in it. Either it has been replaced or you have been given a = malicious source tarball. I cannot find any signatures that would verify the former tarball or the = one that I just downloaded. -Michael > Regards, > Adolf. >=20 >> -Michael >>> On 15 May 2025, at 17:25, Adolf Belka = wrote: >>>=20 >>> - Update from version 5.0.0 to 5.0.1 >>> - Update of rootfile >>> - 5 CVE fixes included in this version >>> - Changelog >>> 5.0.1 >>> Security fix >>> CVE-2025-46805: do NOT send signals with root privileges >>> CVE-2025-46804: avoid file existence test information leaks >>> CVE-2025-46803: apply safe PTY default mode of 0620 >>> CVE-2025-46802: prevent temporary 0666 mode on PTYs in attacher >>> CVE-2025-23395: reintroduce lf_secreopen() for logfile >>> buffer overflow due bad strncpy() >>> uninitialized variables warnings >>> typos >>> combining char handling that could lead to a segfault >>>=20 >>> Signed-off-by: Adolf Belka >>> --- >>> config/rootfiles/common/screen | 3 +-- >>> lfs/screen | 6 +++--- >>> 2 files changed, 4 insertions(+), 5 deletions(-) >>>=20 >>> diff --git a/config/rootfiles/common/screen = b/config/rootfiles/common/screen >>> index 3442bff2b..e8b72aaa2 100644 >>> --- a/config/rootfiles/common/screen >>> +++ b/config/rootfiles/common/screen >>> @@ -1,7 +1,6 @@ >>> etc/screenrc >>> usr/bin/screen >>> -usr/bin/screen-5.0.0 >>> -#usr/share/info/screen.info >>> +usr/bin/screen-5.0.1 >>> #usr/share/man/man1/screen.1 >>> #usr/share/screen >>> #usr/share/screen/utf8encodings >>> diff --git a/lfs/screen b/lfs/screen >>> index 6388002cf..d1c0380fb 100644 >>> --- a/lfs/screen >>> +++ b/lfs/screen >>> @@ -1,7 +1,7 @@ >>> = ##########################################################################= ##### >>> # = # >>> # IPFire.org - A linux based firewall = # >>> -# Copyright (C) 2007-2024 IPFire Team = # >>> +# Copyright (C) 2007-2025 IPFire Team = # >>> # = # >>> # This program is free software: you can redistribute it and/or = modify # >>> # it under the terms of the GNU General Public License as published = by # >>> @@ -24,7 +24,7 @@ >>>=20 >>> include Config >>>=20 >>> -VER =3D 5.0.0 >>> +VER =3D 5.0.1 >>>=20 >>> THISAPP =3D screen-$(VER) >>> DL_FILE =3D $(THISAPP).tar.gz >>> @@ -40,7 +40,7 @@ objects =3D $(DL_FILE) >>>=20 >>> $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) >>>=20 >>> -$(DL_FILE)_BLAKE2 =3D = 5ff218afc1692ae201776f759ff2217a51dcf02202e4ba5d12de50a768df83e0e2a7a3511a= 5f85a3b21362892f31a4fd90d6444918915165ae12a8c0c2b3af39 >>> +$(DL_FILE)_BLAKE2 =3D = f33f985bb9855a5335b72f93b3e8cf8fccddc7c18d3db3fd7493da2825b17002d798e6cf95= d35fc39194eb6933018be96efa0b4f6aa4894657ab258f86002220 >>>=20 >>> install : $(TARGET) >>>=20 >>> --=20 >>> 2.49.0 >>>=20 >>>=20 >=20 >=20