public inbox for development@lists.ipfire.org
* [PATCH] screen: Update to version 5.0.1
@ 2025-05-15 16:25 Adolf Belka
  2025-05-22 15:37 ` Michael Tremer
  0 siblings, 1 reply; 7+ messages in thread
From: Adolf Belka @ 2025-05-15 16:25 UTC (permalink / raw)
  To: development; +Cc: Adolf Belka

- Update from version 5.0.0 to 5.0.1
- Update of rootfile
- 5 CVE fixes included in this version
- Changelog
    5.0.1
        Security fix
            CVE-2025-46805: do NOT send signals with root privileges
            CVE-2025-46804: avoid file existence test information leaks
            CVE-2025-46803: apply safe PTY default mode of 0620
            CVE-2025-46802: prevent temporary 0666 mode on PTYs in attacher
            CVE-2025-23395: reintroduce lf_secreopen() for logfile
            buffer overflow due bad strncpy()
            uninitialized variables warnings
            typos
            combining char handling that could lead to a segfault

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 config/rootfiles/common/screen | 3 +--
 lfs/screen                     | 6 +++---
 2 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/config/rootfiles/common/screen b/config/rootfiles/common/screen
index 3442bff2b..e8b72aaa2 100644
--- a/config/rootfiles/common/screen
+++ b/config/rootfiles/common/screen
@@ -1,7 +1,6 @@
 etc/screenrc
 usr/bin/screen
-usr/bin/screen-5.0.0
-#usr/share/info/screen.info
+usr/bin/screen-5.0.1
 #usr/share/man/man1/screen.1
 #usr/share/screen
 #usr/share/screen/utf8encodings
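Review bot: the removal of `#usr/share/info/screen.info` from the rootfile is not explained by the commit message, which only says "Update of rootfile"; please state why the info page is no longer listed for 5.0.1 (no longer installed by the new release, or dropped on purpose), since a rootfile entry that silently disappears is hard to audit later.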
diff --git a/lfs/screen b/lfs/screen
index 6388002cf..d1c0380fb 100644
--- a/lfs/screen
+++ b/lfs/screen
@@ -1,7 +1,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2024  IPFire Team  <info@ipfire.org>                     #
+# Copyright (C) 2007-2025  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 5.0.0
+VER        = 5.0.1
 
 THISAPP    = screen-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = 5ff218afc1692ae201776f759ff2217a51dcf02202e4ba5d12de50a768df83e0e2a7a3511a5f85a3b21362892f31a4fd90d6444918915165ae12a8c0c2b3af39
+$(DL_FILE)_BLAKE2 = f33f985bb9855a5335b72f93b3e8cf8fccddc7c18d3db3fd7493da2825b17002d798e6cf95d35fc39194eb6933018be96efa0b4f6aa4894657ab258f86002220
 
 install : $(TARGET)
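Review bot: the new `$(DL_FILE)_BLAKE2` value pins whichever copy of screen-5.0.1.tar.gz was on the submitter's machine, and nothing in this hunk records how that copy was authenticated; please note in the commit message that the tarball was checked against the upstream detached signature before the checksum was taken, so the pin can be traced to a release rather than to one download, and a later fetch that yields a different file fails the build instead of being re-pinned.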
 
-- 
2.49.0




* Re: [PATCH] screen: Update to version 5.0.1
  2025-05-15 16:25 [PATCH] screen: Update to version 5.0.1 Adolf Belka
@ 2025-05-22 15:37 ` Michael Tremer
  2025-05-22 17:53   ` Adolf Belka
  0 siblings, 1 reply; 7+ messages in thread
From: Michael Tremer @ 2025-05-22 15:37 UTC (permalink / raw)
  To: Adolf Belka; +Cc: development

Hello Adolf,

Thank you for this patch. I had merged this into next, but I will revert this again.

screen seems to ship binary objects in the source tarball:

root@arm64-01:/build/ipfire-2.x# tar tvfa cache/screen-5.0.1.tar.gz  | grep \.o$
-rw-rw-r-- alex/alex     16712 2025-05-12 11:59 screen-5.0.1/sched.o
-rw-rw-r-- alex/alex     43808 2025-05-12 11:59 screen-5.0.1/backtick.o
-rw-rw-r-- alex/alex      9080 2025-05-12 11:59 screen-5.0.1/winmsgcond.o
-rw-rw-r-- alex/alex     81728 2025-05-12 11:59 screen-5.0.1/canvas.o
-rw-rw-r-- alex/alex     50680 2025-05-12 11:59 screen-5.0.1/search.o
-rw-rw-r-- alex/alex     32752 2025-05-12 11:59 screen-5.0.1/winmsgbuf.o
-rw-rw-r-- alex/alex     11888 2025-05-12 11:59 screen-5.0.1/term.o
-rw-rw-r-- alex/alex      2800 2025-05-12 11:59 screen-5.0.1/telnet.o
-rw-rw-r-- alex/alex     54224 2025-05-12 11:59 screen-5.0.1/layout.o
-rw-rw-r-- alex/alex    107776 2025-05-12 11:59 screen-5.0.1/mark.o
-rw-rw-r-- alex/alex     58640 2025-05-12 11:59 screen-5.0.1/list_generic.o
-rw-rw-r-- alex/alex     55912 2025-05-12 11:59 screen-5.0.1/input.o
-rw-rw-r-- alex/alex     97520 2025-05-12 11:59 screen-5.0.1/winmsg.o
-rw-rw-r-- alex/alex    108256 2025-05-12 11:59 screen-5.0.1/layer.o
-rw-rw-r-- alex/alex     50344 2025-05-12 11:59 screen-5.0.1/misc.o
-rw-rw-r-- alex/alex    166432 2025-05-12 11:59 screen-5.0.1/window.o
-rw-rw-r-- alex/alex     72440 2025-05-12 11:59 screen-5.0.1/help.o
-rw-rw-r-- alex/alex    154704 2025-05-12 11:59 screen-5.0.1/termcap.o
-rw-rw-r-- alex/alex    300672 2025-05-12 11:59 screen-5.0.1/display.o
-rw-rw-r-- alex/alex     73432 2025-05-12 11:59 screen-5.0.1/list_window.o
-rw-rw-r-- alex/alex     85392 2025-05-12 11:59 screen-5.0.1/resize.o
-rw-rw-r-- alex/alex    650104 2025-05-12 11:59 screen-5.0.1/process.o
-rw-rw-r-- alex/alex    218400 2025-05-12 11:59 screen-5.0.1/ansi.o
-rw-rw-r-- alex/alex      6704 2025-05-12 11:59 screen-5.0.1/kmapdef.o
-rw-rw-r-- alex/alex     27016 2025-05-12 11:59 screen-5.0.1/logfile.o
-rw-rw-r-- alex/alex      6760 2025-05-12 11:59 screen-5.0.1/pty.o
-rw-rw-r-- alex/alex     42704 2025-05-12 11:59 screen-5.0.1/list_display.o
-rw-rw-r-- alex/alex     14160 2025-05-12 11:59 screen-5.0.1/comm.o
-rw-rw-r-- alex/alex    231600 2025-05-12 12:08 screen-5.0.1/doc/screen.texinfo
-rw-rw-r-- alex/alex     42936 2025-05-12 11:59 screen-5.0.1/list_license.o
-rw-rw-r-- alex/alex    146368 2025-05-12 11:59 screen-5.0.1/socket.o
-rw-rw-r-- alex/alex      4176 2025-05-12 11:59 screen-5.0.1/utmp.o
-rw-rw-r-- alex/alex     78792 2025-05-12 11:59 screen-5.0.1/acls.o
-rw-rw-r-- alex/alex     53560 2025-05-12 11:59 screen-5.0.1/attacher.o
-rw-rw-r-- alex/alex    237472 2025-05-12 11:59 screen-5.0.1/screen.o
-rw-rw-r-- alex/alex    101016 2025-05-12 11:59 screen-5.0.1/fileio.o
-rw-rw-r-- alex/alex     98056 2025-05-12 11:59 screen-5.0.1/encoding.o
-rw-rw-r-- alex/alex     29592 2025-05-12 11:59 screen-5.0.1/viewport.o
-rw-rw-r-- alex/alex     77104 2025-05-12 11:59 screen-5.0.1/tty.o

They seem to be x86_64, and so the build fails on ARM. This is however either a mistake or I would consider this a way to ship any backdoored software. I have no time to investigate so I am going to assume the latter for now and will be *very* careful.

-Michael

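An added check, not from this thread or the IPFire build tree, that generalises the `tar tvfa ... | grep \.o$` listing above: it opens a tarball and recognises ELF objects by their header rather than by file name, reporting each object's target machine, so a tarball of x86_64 objects is flagged before an ARM build fails (and a text file that merely ends in `.o` is not). The tarball below is constructed in memory with fake ELF headers; its member names are stand-ins.

```python
import io
import struct
import tarfile

ELF_MAGIC = b"\x7fELF"
ET_REL = 1  # e_type of a relocatable object, i.e. what a .o file is
# e_machine values from the ELF specification, limited to what matters here.
E_MACHINE = {0x03: "i386", 0x28: "arm", 0x3E: "x86_64", 0xB7: "aarch64", 0xF3: "riscv"}


def elf_info(head: bytes):
    """Parse the start of a file; return (e_type, machine) for ELF, else None."""
    if len(head) < 20 or head[:4] != ELF_MAGIC:
        return None
    endian = "<" if head[5] == 1 else ">"          # EI_DATA: 1 = LSB, 2 = MSB
    e_type, e_machine = struct.unpack(endian + "HH", head[16:20])
    return e_type, E_MACHINE.get(e_machine, "unknown(0x%x)" % e_machine)


def scan_tarball(data: bytes) -> list:
    """Return [(member name, e_type, machine)] for every ELF file in a tarball.

    Only the first 64 bytes of each member are read, so a large tarball is
    cheap to scan and nothing is written to disk.
    """
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            head = tar.extractfile(member).read(64)
            info = elf_info(head)
            if info is not None:
                findings.append((member.name, info[0], info[1]))
    return findings


def foreign_objects(findings: list, host_machine: str) -> list:
    """Relocatable objects that cannot have been built for host_machine."""
    return [name for name, e_type, machine in findings
            if e_type == ET_REL and machine != host_machine]


# --- constructed sample input (not the real screen-5.0.1 tarball) ---------

def fake_elf(e_machine: int, e_type: int = ET_REL) -> bytes:
    """A 64-byte ELF64 little-endian header with the given e_type/e_machine."""
    e_ident = ELF_MAGIC + bytes([2, 1, 1]) + b"\0" * 9   # class 64, LSB, version 1
    return e_ident + struct.pack("<HH", e_type, e_machine) + b"\0" * 44


def build_sample_tarball() -> bytes:
    """A small 'source' tarball that, like the one in the thread, carries .o files."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        def add(name, payload):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
        add("screen-5.0.1/sched.c", b"int sched(void) { return 0; }\n")
        add("screen-5.0.1/doc/screen.texinfo", b"@node Top\n")
        add("screen-5.0.1/sched.o", fake_elf(0x3E))          # prebuilt for x86_64
        add("screen-5.0.1/tty.o", fake_elf(0xB7))            # prebuilt for aarch64
        add("screen-5.0.1/notes.o", b"just a text file\n")  # .o by name only
    return buf.getvalue()


if __name__ == "__main__":
    found = scan_tarball(build_sample_tarball())
    for name, e_type, machine in found:
        kind = "relocatable object" if e_type == ET_REL else "other ELF"
        print("%-32s %s for %s" % (name, kind, machine))
    print("objects that cannot link on aarch64:", foreign_objects(found, "aarch64"))
```

Run against a real download by replacing `build_sample_tarball()` with the file's bytes; any non-empty result from `scan_tarball` on a tarball that claims to be pure source is reason to stop the build.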




* Re: [PATCH] screen: Update to version 5.0.1
  2025-05-22 15:37 ` Michael Tremer
@ 2025-05-22 17:53   ` Adolf Belka
  2025-05-23 10:30     ` Michael Tremer
  0 siblings, 1 reply; 7+ messages in thread
From: Adolf Belka @ 2025-05-22 17:53 UTC (permalink / raw)
  To: Michael Tremer; +Cc: development

Hi Michael,

On 22/05/2025 17:37, Michael Tremer wrote:
> Hello Adolf,
> 
> Thank you for this patch. I had merged this into next, but I will revert this again.
> 
> screen seems to ship binary objects in the source tarball:

Oh wow!!!

> 
> root@arm64-01:/build/ipfire-2.x# tar tvfa cache/screen-5.0.1.tar.gz  | grep \.o$
> 
> They seem to be x86_64, and so the build fails on ARM. This is however either a mistake or I would consider this a way to ship any backdoored software. I have no time to investigate so I am going to assume the latter for now and will be *very* careful.

Due to the CVEs open with screen-5.0.0, should I now go back and look at the patches from that person and make a new patch submission using those?

Regards,
Adolf.





* Re: [PATCH] screen: Update to version 5.0.1
  2025-05-22 17:53   ` Adolf Belka
@ 2025-05-23 10:30     ` Michael Tremer
  2025-05-23 11:04       ` Adolf Belka
  0 siblings, 1 reply; 7+ messages in thread
From: Michael Tremer @ 2025-05-23 10:30 UTC (permalink / raw)
  To: Adolf Belka; +Cc: development

Hello Adolf,

> On 22 May 2025, at 18:53, Adolf Belka <adolf.belka@ipfire.org> wrote:
> 
> Hi Michael,
> 
> On 22/05/2025 17:37, Michael Tremer wrote:
>> Hello Adolf,
>> Thank you for this patch. I had merged this into next, but I will revert this again.
>> screen seems to ship binary objects in the source tarball:
> 
> Oh wow!!!
> 
>> root@arm64-01:/build/ipfire-2.x# tar tvfa cache/screen-5.0.1.tar.gz  | grep \.o$
>> They seem to be x86_64, and so the build fails on ARM. This is however either a mistake or I would consider this a way to ship any backdoored software. I have no time to investigate so I am going to assume the latter for now and will be *very* careful.
> 
> Due to the CVEs open with screen-5.0.0, should I now go back and look at the patches from that person and make a new patch submission using those?

I did not have time yesterday to look into this…

Where did you get this tarball from? The one that I can download from https://ftp.gnu.org/gnu/screen/screen-5.0.1.tar.gz does not have any binaries in it. Either it has been replaced or you have been given a malicious source tarball.

I cannot find any signatures that would verify the former tarball or the one that I just downloaded.

-Michael





* Re: [PATCH] screen: Update to version 5.0.1
  2025-05-23 10:30     ` Michael Tremer
@ 2025-05-23 11:04       ` Adolf Belka
  2025-05-23 12:17         ` Adolf Belka
  0 siblings, 1 reply; 7+ messages in thread
From: Adolf Belka @ 2025-05-23 11:04 UTC (permalink / raw)
  To: Michael Tremer; +Cc: development

Hi Michael,

On 23/05/2025 12:30, Michael Tremer wrote:
> Hello Adolf,
> 
>> On 22 May 2025, at 18:53, Adolf Belka <adolf.belka@ipfire.org> wrote:
>>
>> Hi Michael,
>>
>> On 22/05/2025 17:37, Michael Tremer wrote:
>>> Hello Adolf,
>>> Thank you for this patch. I had merged this into next, but I will revert this again.
>>> screen seems to ship binary objects in the source tarball:
>>
>> Oh wow!!!
>>
>>> root@arm64-01:/build/ipfire-2.x# tar tvfa cache/screen-5.0.1.tar.gz  | grep \.o$
>>> They seem to be x86_64, and so the build fails on ARM. This is however either a mistake or I would consider this a way to ship any backdoored software. I have no time to investigate so I am going to assume the latter for now and will be *very* careful.
>>
>> Due to the CVEs open with screen-5.0.0, should I now go back and look at the patches from that person and make a new patch submission using those?
> 
> I did not have time yesterday to look into this…
> 
> Where did you get this tarball from? The one that I can download from https://ftp.gnu.org/gnu/screen/screen-5.0.1.tar.gz does not have any binaries in it. Either it has been replaced or you have been given a malicious source tarball.

I downloaded it from the same URL you gave, https://ftp.gnu.org/gnu/screen/, which I accessed from the screen-5.0.1 announcement:
https://lists.gnu.org/archive/html/screen-users/2025-05/msg00005.html

I checked the same file from that download site yesterday and it still had the .o files in it.

However, I did write to Alex Naumov today at 11:50, mentioning that we had found the binary object files. Now I also find that the file at that location has no .o files in it and is much smaller (obviously). However, the date and time of the file is still the original one of 2025-05-15 11:48, although I can't think how the file could be changed and still have the same date/time on the download site.

> 
> I cannot find any signatures that would verify the former tarball or the one that I just downloaded.

I still have the signature I used to confirm the original downloaded file and that is now different to the new one. That old one confirms a good signature from Alexander Naumov from that older previous file.

gpg: assuming signed data in 'screen-5.0.1.tar.gz'
gpg: Signature made Thu 15 May 2025 13:36:11 CEST
gpg:                using RSA key 7832918905C6D316DFB54313898D726C87C5AFE3
gpg: Good signature from "Alexander Naumov <alexander_naumov@opensuse.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 7832 9189 05C6 D316 DFB5  4313 898D 726C 87C5 AFE3

So I don't understand what is happening here.

Could the file and its sig file on the download site be changed without changing the download date time?

Regards,
Adolf.


> 
> -Michael
> 
>> Regards,
>> Adolf.
>>
>>> -Michael
>>>> On 15 May 2025, at 17:25, Adolf Belka <adolf.belka@ipfire.org> wrote:
>>>>
>>>> - Update from version 5.0.0 to 5.0.1
>>>> - Update of rootfile
>>>> - 5 CVE fixes included in this version
>>>> - Changelog
>>>>     5.0.1
>>>> Security fix
>>>>     CVE-2025-46805: do NOT send signals with root privileges
>>>>     CVE-2025-46804: avoid file existence test information leaks
>>>>     CVE-2025-46803: apply safe PTY default mode of 0620
>>>>     CVE-2025-46802: prevent temporary 0666 mode on PTYs in attacher
>>>>     CVE-2025-23395: reintroduce lf_secreopen() for logfile
>>>>     buffer overflow due bad strncpy()
>>>>     uninitialized variables warnings
>>>>     typos
>>>>     combining char handling that could lead to a segfault
>>>>
>>>> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
>>>> ---
>>>> config/rootfiles/common/screen | 3 +--
>>>> lfs/screen                     | 6 +++---
>>>> 2 files changed, 4 insertions(+), 5 deletions(-)
>>>>
>>>> diff --git a/config/rootfiles/common/screen b/config/rootfiles/common/screen
>>>> index 3442bff2b..e8b72aaa2 100644
>>>> --- a/config/rootfiles/common/screen
>>>> +++ b/config/rootfiles/common/screen
>>>> @@ -1,7 +1,6 @@
>>>> etc/screenrc
>>>> usr/bin/screen
>>>> -usr/bin/screen-5.0.0
>>>> -#usr/share/info/screen.info
>>>> +usr/bin/screen-5.0.1
>>>> #usr/share/man/man1/screen.1
>>>> #usr/share/screen
>>>> #usr/share/screen/utf8encodings
>>>> diff --git a/lfs/screen b/lfs/screen
>>>> index 6388002cf..d1c0380fb 100644
>>>> --- a/lfs/screen
>>>> +++ b/lfs/screen
>>>> @@ -1,7 +1,7 @@
>>>> ###############################################################################
>>>> #                                                                             #
>>>> # IPFire.org - A linux based firewall                                         #
>>>> -# Copyright (C) 2007-2024  IPFire Team  <info@ipfire.org>                     #
>>>> +# Copyright (C) 2007-2025  IPFire Team  <info@ipfire.org>                     #
>>>> #                                                                             #
>>>> # This program is free software: you can redistribute it and/or modify        #
>>>> # it under the terms of the GNU General Public License as published by        #
>>>> @@ -24,7 +24,7 @@
>>>>
>>>> include Config
>>>>
>>>> -VER        = 5.0.0
>>>> +VER        = 5.0.1
>>>>
>>>> THISAPP    = screen-$(VER)
>>>> DL_FILE    = $(THISAPP).tar.gz
>>>> @@ -40,7 +40,7 @@ objects = $(DL_FILE)
>>>>
>>>> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>>>>
>>>> -$(DL_FILE)_BLAKE2 = 5ff218afc1692ae201776f759ff2217a51dcf02202e4ba5d12de50a768df83e0e2a7a3511a5f85a3b21362892f31a4fd90d6444918915165ae12a8c0c2b3af39
>>>> +$(DL_FILE)_BLAKE2 = f33f985bb9855a5335b72f93b3e8cf8fccddc7c18d3db3fd7493da2825b17002d798e6cf95d35fc39194eb6933018be96efa0b4f6aa4894657ab258f86002220
>>>>
>>>> install : $(TARGET)
>>>>
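Review bot: the new `$(DL_FILE)_BLAKE2` value was computed on the tarball that, further down this thread, turned out to contain prebuilt x86_64 `.o` files and was subsequently replaced on ftp.gnu.org; the v2 has to carry the digest of the replaced tarball, and recording in the commit message that the tarball's GPG signature was checked against the release key would make the next reviewer's job easier.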
>>>> -- 
>>>> 2.49.0
>>>>
>>>>
>>
>>
> 




* Re: [PATCH] screen: Update to version 5.0.1
  2025-05-23 11:04       ` Adolf Belka
@ 2025-05-23 12:17         ` Adolf Belka
  2025-05-23 14:28           ` Michael Tremer
  0 siblings, 1 reply; 7+ messages in thread
From: Adolf Belka @ 2025-05-23 12:17 UTC (permalink / raw)
  To: Michael Tremer; +Cc: development

Hi Michael,

On 23/05/2025 13:04, Adolf Belka wrote:
> Hi Michael,
> 
> On 23/05/2025 12:30, Michael Tremer wrote:
>> Hello Adolf,
>>
>>> On 22 May 2025, at 18:53, Adolf Belka <adolf.belka@ipfire.org> wrote:
>>>
>>> Hi Michael,
>>>
>>> On 22/05/2025 17:37, Michael Tremer wrote:
>>>> Hello Adolf,
>>>> Thank you for this patch. I had merged this into next, but I will revert this again.
>>>> screen seems to ship binary objects in the source tarball:
>>>
>>> Oh wow!!!
>>>
>>>> root@arm64-01:/build/ipfire-2.x# tar tvfa cache/screen-5.0.1.tar.gz  | grep \.o$
>>>> -rw-rw-r-- alex/alex     16712 2025-05-12 11:59 screen-5.0.1/sched.o
>>>> -rw-rw-r-- alex/alex     43808 2025-05-12 11:59 screen-5.0.1/backtick.o
>>>> -rw-rw-r-- alex/alex      9080 2025-05-12 11:59 screen-5.0.1/winmsgcond.o
>>>> -rw-rw-r-- alex/alex     81728 2025-05-12 11:59 screen-5.0.1/canvas.o
>>>> -rw-rw-r-- alex/alex     50680 2025-05-12 11:59 screen-5.0.1/search.o
>>>> -rw-rw-r-- alex/alex     32752 2025-05-12 11:59 screen-5.0.1/winmsgbuf.o
>>>> -rw-rw-r-- alex/alex     11888 2025-05-12 11:59 screen-5.0.1/term.o
>>>> -rw-rw-r-- alex/alex      2800 2025-05-12 11:59 screen-5.0.1/telnet.o
>>>> -rw-rw-r-- alex/alex     54224 2025-05-12 11:59 screen-5.0.1/layout.o
>>>> -rw-rw-r-- alex/alex    107776 2025-05-12 11:59 screen-5.0.1/mark.o
>>>> -rw-rw-r-- alex/alex     58640 2025-05-12 11:59 screen-5.0.1/list_generic.o
>>>> -rw-rw-r-- alex/alex     55912 2025-05-12 11:59 screen-5.0.1/input.o
>>>> -rw-rw-r-- alex/alex     97520 2025-05-12 11:59 screen-5.0.1/winmsg.o
>>>> -rw-rw-r-- alex/alex    108256 2025-05-12 11:59 screen-5.0.1/layer.o
>>>> -rw-rw-r-- alex/alex     50344 2025-05-12 11:59 screen-5.0.1/misc.o
>>>> -rw-rw-r-- alex/alex    166432 2025-05-12 11:59 screen-5.0.1/window.o
>>>> -rw-rw-r-- alex/alex     72440 2025-05-12 11:59 screen-5.0.1/help.o
>>>> -rw-rw-r-- alex/alex    154704 2025-05-12 11:59 screen-5.0.1/termcap.o
>>>> -rw-rw-r-- alex/alex    300672 2025-05-12 11:59 screen-5.0.1/display.o
>>>> -rw-rw-r-- alex/alex     73432 2025-05-12 11:59 screen-5.0.1/list_window.o
>>>> -rw-rw-r-- alex/alex     85392 2025-05-12 11:59 screen-5.0.1/resize.o
>>>> -rw-rw-r-- alex/alex    650104 2025-05-12 11:59 screen-5.0.1/process.o
>>>> -rw-rw-r-- alex/alex    218400 2025-05-12 11:59 screen-5.0.1/ansi.o
>>>> -rw-rw-r-- alex/alex      6704 2025-05-12 11:59 screen-5.0.1/kmapdef.o
>>>> -rw-rw-r-- alex/alex     27016 2025-05-12 11:59 screen-5.0.1/logfile.o
>>>> -rw-rw-r-- alex/alex      6760 2025-05-12 11:59 screen-5.0.1/pty.o
>>>> -rw-rw-r-- alex/alex     42704 2025-05-12 11:59 screen-5.0.1/list_display.o
>>>> -rw-rw-r-- alex/alex     14160 2025-05-12 11:59 screen-5.0.1/comm.o
>>>> -rw-rw-r-- alex/alex    231600 2025-05-12 12:08 screen-5.0.1/doc/screen.texinfo
>>>> -rw-rw-r-- alex/alex     42936 2025-05-12 11:59 screen-5.0.1/list_license.o
>>>> -rw-rw-r-- alex/alex    146368 2025-05-12 11:59 screen-5.0.1/socket.o
>>>> -rw-rw-r-- alex/alex      4176 2025-05-12 11:59 screen-5.0.1/utmp.o
>>>> -rw-rw-r-- alex/alex     78792 2025-05-12 11:59 screen-5.0.1/acls.o
>>>> -rw-rw-r-- alex/alex     53560 2025-05-12 11:59 screen-5.0.1/attacher.o
>>>> -rw-rw-r-- alex/alex    237472 2025-05-12 11:59 screen-5.0.1/screen.o
>>>> -rw-rw-r-- alex/alex    101016 2025-05-12 11:59 screen-5.0.1/fileio.o
>>>> -rw-rw-r-- alex/alex     98056 2025-05-12 11:59 screen-5.0.1/encoding.o
>>>> -rw-rw-r-- alex/alex     29592 2025-05-12 11:59 screen-5.0.1/viewport.o
>>>> -rw-rw-r-- alex/alex     77104 2025-05-12 11:59 screen-5.0.1/tty.o
>>>> They seem to be x86_64, and so the build fails on ARM. This is however either a mistake or I would consider this a way to ship any backdoored software. I have no time to investigate so I am going to assume the latter for now and will be *very* careful.
>>>
>>> Due to the CVEs open with screen-5.0.0, should I now go back and look at the patches from that person and make a new patch submission using those?
>>
>> I did not have time yesterday to look into this…
>>
>> Where did you get this tarball from? The one that I can download from https://ftp.gnu.org/gnu/screen/screen-5.0.1.tar.gz does not have any binaries in it. Either it has been replaced or you have been given a malicious source tarball.
> 
> I downloaded it from the same url you gave - https://ftp.gnu.org/gnu/screen/ which I accessed from the screen-5.0.1 announcement.
> https://lists.gnu.org/archive/html/screen-users/2025-05/msg00005.html
> 
> I checked the same file from that download site yesterday and it still had the .o file in it.
> 
> However, I did write to Alex Naumov today at 11:50, mentioning that we had found the binary object files. Now I also find that the file at that location has no .o files in it and is much smaller (obviously). However the date and time of the files is still the original one of 2025-05-15 11:48 although I can't think how the file could be changed and still have the same date/time in the download site.

I just got a reply from Alex Naumov and he is just asking for the sha256sum of the file I have. He hasn't mentioned changing the file. Maybe I am not remembering right about testing the downloaded file from yesterday. Using the sig file that I have gives a date/time of 15 May 2025 13:36:11 CEST, and the one that is now available has a date/time of Thu 15 May 2025 17:48:09 CEST, and I downloaded the file and sig file at 2025-05-15 14:02:47 at my local time.

It looks to me like an incorrect file was uploaded and then identified and replaced relatively quickly, but as I had been keeping an eye out for the new release I caught it with the old version, because the current sig file has a time after when I downloaded the file and I am also at CEST.

I have had another reply from Alex Naumov saying that the sha256sum is different to the one he just downloaded from the download site.

I suspect there was some hiccup in what was uploaded and it was relatively quickly fixed but I caught it before the fix.

I am not sure there will be any further clarification with Alex Naumov.

I will remove the old file from the source directory and use the new file and sig file that I downloaded today and submit a v2 patch submission for screen-5.0.1.

Sorry for all the hassle.

Regards,
Adolf.

> 
>>
>> I cannot find any signatures that would verify the former tarball or the one that I just downloaded.
> 
> I still have the signature I used to confirm the original downloaded file and that is now different to the new one. That old one confirms a good signature from Alexander Naumov from that older previous file.
> 
> gpg: assuming signed data in 'screen-5.0.1.tar.gz'
> gpg: Signature made Thu 15 May 2025 13:36:11 CEST
> gpg:                using RSA key 7832918905C6D316DFB54313898D726C87C5AFE3
> gpg: Good signature from "Alexander Naumov <alexander_naumov@opensuse.org>" [unknown]
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 7832 9189 05C6 D316 DFB5  4313 898D 726C 87C5 AFE3
> 
> So I don't understand what is happening here.
> 
> Could the file and its sig file on the download site be changed without changing the download date time?
> 
> Regards,
> Adolf.
> 
> 
>>
>> -Michael
>>
>>> Regards,
>>> Adolf.
>>>
>>>> -Michael
>>>>> On 15 May 2025, at 17:25, Adolf Belka <adolf.belka@ipfire.org> wrote:
>>>>>
>>>>> - Update from version 5.0.0 to 5.0.1
>>>>> - Update of rootfile
>>>>> - 5 CVE fixes included in this version
>>>>> - Changelog
>>>>>     5.0.1
>>>>> Security fix
>>>>>     CVE-2025-46805: do NOT send signals with root privileges
>>>>>     CVE-2025-46804: avoid file existence test information leaks
>>>>>     CVE-2025-46803: apply safe PTY default mode of 0620
>>>>>     CVE-2025-46802: prevent temporary 0666 mode on PTYs in attacher
>>>>>     CVE-2025-23395: reintroduce lf_secreopen() for logfile
>>>>>     buffer overflow due bad strncpy()
>>>>>     uninitialized variables warnings
>>>>>     typos
>>>>>     combining char handling that could lead to a segfault
>>>>>
>>>>> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
>>>>> ---
>>>>> config/rootfiles/common/screen | 3 +--
>>>>> lfs/screen                     | 6 +++---
>>>>> 2 files changed, 4 insertions(+), 5 deletions(-)
>>>>>
>>>>> diff --git a/config/rootfiles/common/screen b/config/rootfiles/common/screen
>>>>> index 3442bff2b..e8b72aaa2 100644
>>>>> --- a/config/rootfiles/common/screen
>>>>> +++ b/config/rootfiles/common/screen
>>>>> @@ -1,7 +1,6 @@
>>>>> etc/screenrc
>>>>> usr/bin/screen
>>>>> -usr/bin/screen-5.0.0
>>>>> -#usr/share/info/screen.info
>>>>> +usr/bin/screen-5.0.1
>>>>> #usr/share/man/man1/screen.1
>>>>> #usr/share/screen
>>>>> #usr/share/screen/utf8encodings
>>>>> diff --git a/lfs/screen b/lfs/screen
>>>>> index 6388002cf..d1c0380fb 100644
>>>>> --- a/lfs/screen
>>>>> +++ b/lfs/screen
>>>>> @@ -1,7 +1,7 @@
>>>>> ###############################################################################
>>>>> #                                                                             #
>>>>> # IPFire.org - A linux based firewall                                         #
>>>>> -# Copyright (C) 2007-2024  IPFire Team  <info@ipfire.org>                     #
>>>>> +# Copyright (C) 2007-2025  IPFire Team  <info@ipfire.org>                     #
>>>>> #                                                                             #
>>>>> # This program is free software: you can redistribute it and/or modify        #
>>>>> # it under the terms of the GNU General Public License as published by        #
>>>>> @@ -24,7 +24,7 @@
>>>>>
>>>>> include Config
>>>>>
>>>>> -VER        = 5.0.0
>>>>> +VER        = 5.0.1
>>>>>
>>>>> THISAPP    = screen-$(VER)
>>>>> DL_FILE    = $(THISAPP).tar.gz
>>>>> @@ -40,7 +40,7 @@ objects = $(DL_FILE)
>>>>>
>>>>> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>>>>>
>>>>> -$(DL_FILE)_BLAKE2 = 5ff218afc1692ae201776f759ff2217a51dcf02202e4ba5d12de50a768df83e0e2a7a3511a5f85a3b21362892f31a4fd90d6444918915165ae12a8c0c2b3af39
>>>>> +$(DL_FILE)_BLAKE2 = f33f985bb9855a5335b72f93b3e8cf8fccddc7c18d3db3fd7493da2825b17002d798e6cf95d35fc39194eb6933018be96efa0b4f6aa4894657ab258f86002220
>>>>>
>>>>> install : $(TARGET)
>>>>>
>>>>> -- 
>>>>> 2.49.0
>>>>>
>>>>>
>>>
>>>
>>
> 



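The checks this thread did by hand (listing the tarball for stray objects, comparing digests against the lfs file) as one automated pre-build gate. This is an added example, not code from the IPFire project or from GNU screen; the sample tarball is constructed in memory, and the ELF_MACHINES table is an assumed subset of the e_machine values.

```python
"""Pre-build check for a release tarball: flag prebuilt ELF objects inside
what should be pure source, and report the BLAKE2b digest that IPFire's
lfs files record as $(DL_FILE)_BLAKE2.

Added example, not code from the IPFire project or from GNU screen.
The sample tarball is constructed in memory; ELF_MACHINES is a subset."""
import hashlib
import io
import struct
import tarfile

ELF_MAGIC = b"\x7fELF"
# Subset of e_machine values from the ELF specification (assumption: enough
# to tell x86_64 objects from the ARM builders this thread mentions).
ELF_MACHINES = {0x03: "x86", 0x28: "arm", 0x3E: "x86_64", 0xB7: "aarch64"}


def elf_machine(header: bytes):
    """Return the architecture of an ELF header, or None if it is not ELF."""
    if len(header) < 20 or header[:4] != ELF_MAGIC:
        return None
    little = header[5] == 1  # EI_DATA: 1 = little endian, 2 = big endian
    (e_machine,) = struct.unpack("<H" if little else ">H", header[18:20])
    return ELF_MACHINES.get(e_machine, f"unknown(0x{e_machine:x})")


def scan_tarball(data: bytes):
    """Return (blake2_hex, findings) for the tarball bytes.

    findings lists (member name, arch) for every regular file that starts
    with the ELF magic, so a renamed object is caught as well as *.o."""
    digest = hashlib.blake2b(data).hexdigest()  # same value b2sum prints
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            arch = elf_machine(tar.extractfile(member).read(64))
            if arch is not None:
                findings.append((member.name, arch))
    return digest, findings


def check_release(data: bytes, expected_blake2: str):
    """Gate a download: digest must match the lfs file, no ELF inside."""
    digest, findings = scan_tarball(data)
    problems = []
    if digest != expected_blake2.lower():
        problems.append(f"BLAKE2 mismatch: got {digest}")
    problems += [f"prebuilt ELF object {name} ({arch})" for name, arch in findings]
    return problems


def build_sample_tarball() -> bytes:
    """Constructed sample mirroring the thread: one source file, one stray
    x86_64 relocatable object and a doc file."""
    # 64-byte ELF64 header: magic, class 2 (64-bit), data 1 (LE), version 1,
    # 9 bytes of ABI/padding, then e_type 1 (ET_REL) and e_machine 0x3E.
    elf = ELF_MAGIC + bytes([2, 1, 1]) + b"\0" * 9
    elf += struct.pack("<HH", 1, 0x3E) + b"\0" * 44
    files = {
        "screen-5.0.1/sched.c": b"int sched(void) { return 0; }\n",
        "screen-5.0.1/sched.o": elf,
        "screen-5.0.1/doc/screen.texinfo": b"@node Top\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_tarball()
    digest, hits = scan_tarball(sample)
    print("BLAKE2:", digest)
    for name, arch in hits:
        print("prebuilt object:", name, arch)
```

Pointing check_release at a real download and the digest from the lfs file turns the hand comparison in this thread into a failing build step; signature verification with gpg stays a separate step, since it needs the release key.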

* Re: [PATCH] screen: Update to version 5.0.1
  2025-05-23 12:17         ` Adolf Belka
@ 2025-05-23 14:28           ` Michael Tremer
  0 siblings, 0 replies; 7+ messages in thread
From: Michael Tremer @ 2025-05-23 14:28 UTC (permalink / raw)
  To: Adolf Belka; +Cc: development

Hello Adolf,

> On 23 May 2025, at 13:17, Adolf Belka <adolf.belka@ipfire.org> wrote:
> 
> Hi Michael,
> 
> On 23/05/2025 13:04, Adolf Belka wrote:
>> Hi Michael,
>> On 23/05/2025 12:30, Michael Tremer wrote:
>>> Hello Adolf,
>>> 
>>>> On 22 May 2025, at 18:53, Adolf Belka <adolf.belka@ipfire.org> wrote:
>>>> 
>>>> Hi Michael,
>>>> 
>>>> On 22/05/2025 17:37, Michael Tremer wrote:
>>>>> Hello Adolf,
>>>>> Thank you for this patch. I had merged this into next, but I will revert this again.
>>>>> screen seems to ship binary objects in the source tarball:
>>>> 
>>>> Oh wow!!!
>>>> 
>>>>> root@arm64-01:/build/ipfire-2.x# tar tvfa cache/screen-5.0.1.tar.gz  | grep \.o$
>>>>> -rw-rw-r-- alex/alex     16712 2025-05-12 11:59 screen-5.0.1/sched.o
>>>>> -rw-rw-r-- alex/alex     43808 2025-05-12 11:59 screen-5.0.1/backtick.o
>>>>> -rw-rw-r-- alex/alex      9080 2025-05-12 11:59 screen-5.0.1/winmsgcond.o
>>>>> -rw-rw-r-- alex/alex     81728 2025-05-12 11:59 screen-5.0.1/canvas.o
>>>>> -rw-rw-r-- alex/alex     50680 2025-05-12 11:59 screen-5.0.1/search.o
>>>>> -rw-rw-r-- alex/alex     32752 2025-05-12 11:59 screen-5.0.1/winmsgbuf.o
>>>>> -rw-rw-r-- alex/alex     11888 2025-05-12 11:59 screen-5.0.1/term.o
>>>>> -rw-rw-r-- alex/alex      2800 2025-05-12 11:59 screen-5.0.1/telnet.o
>>>>> -rw-rw-r-- alex/alex     54224 2025-05-12 11:59 screen-5.0.1/layout.o
>>>>> -rw-rw-r-- alex/alex    107776 2025-05-12 11:59 screen-5.0.1/mark.o
>>>>> -rw-rw-r-- alex/alex     58640 2025-05-12 11:59 screen-5.0.1/list_generic.o
>>>>> -rw-rw-r-- alex/alex     55912 2025-05-12 11:59 screen-5.0.1/input.o
>>>>> -rw-rw-r-- alex/alex     97520 2025-05-12 11:59 screen-5.0.1/winmsg.o
>>>>> -rw-rw-r-- alex/alex    108256 2025-05-12 11:59 screen-5.0.1/layer.o
>>>>> -rw-rw-r-- alex/alex     50344 2025-05-12 11:59 screen-5.0.1/misc.o
>>>>> -rw-rw-r-- alex/alex    166432 2025-05-12 11:59 screen-5.0.1/window.o
>>>>> -rw-rw-r-- alex/alex     72440 2025-05-12 11:59 screen-5.0.1/help.o
>>>>> -rw-rw-r-- alex/alex    154704 2025-05-12 11:59 screen-5.0.1/termcap.o
>>>>> -rw-rw-r-- alex/alex    300672 2025-05-12 11:59 screen-5.0.1/display.o
>>>>> -rw-rw-r-- alex/alex     73432 2025-05-12 11:59 screen-5.0.1/list_window.o
>>>>> -rw-rw-r-- alex/alex     85392 2025-05-12 11:59 screen-5.0.1/resize.o
>>>>> -rw-rw-r-- alex/alex    650104 2025-05-12 11:59 screen-5.0.1/process.o
>>>>> -rw-rw-r-- alex/alex    218400 2025-05-12 11:59 screen-5.0.1/ansi.o
>>>>> -rw-rw-r-- alex/alex      6704 2025-05-12 11:59 screen-5.0.1/kmapdef.o
>>>>> -rw-rw-r-- alex/alex     27016 2025-05-12 11:59 screen-5.0.1/logfile.o
>>>>> -rw-rw-r-- alex/alex      6760 2025-05-12 11:59 screen-5.0.1/pty.o
>>>>> -rw-rw-r-- alex/alex     42704 2025-05-12 11:59 screen-5.0.1/list_display.o
>>>>> -rw-rw-r-- alex/alex     14160 2025-05-12 11:59 screen-5.0.1/comm.o
>>>>> -rw-rw-r-- alex/alex    231600 2025-05-12 12:08 screen-5.0.1/doc/screen.texinfo
>>>>> -rw-rw-r-- alex/alex     42936 2025-05-12 11:59 screen-5.0.1/list_license.o
>>>>> -rw-rw-r-- alex/alex    146368 2025-05-12 11:59 screen-5.0.1/socket.o
>>>>> -rw-rw-r-- alex/alex      4176 2025-05-12 11:59 screen-5.0.1/utmp.o
>>>>> -rw-rw-r-- alex/alex     78792 2025-05-12 11:59 screen-5.0.1/acls.o
>>>>> -rw-rw-r-- alex/alex     53560 2025-05-12 11:59 screen-5.0.1/attacher.o
>>>>> -rw-rw-r-- alex/alex    237472 2025-05-12 11:59 screen-5.0.1/screen.o
>>>>> -rw-rw-r-- alex/alex    101016 2025-05-12 11:59 screen-5.0.1/fileio.o
>>>>> -rw-rw-r-- alex/alex     98056 2025-05-12 11:59 screen-5.0.1/encoding.o
>>>>> -rw-rw-r-- alex/alex     29592 2025-05-12 11:59 screen-5.0.1/viewport.o
>>>>> -rw-rw-r-- alex/alex     77104 2025-05-12 11:59 screen-5.0.1/tty.o
>>>>> They seem to be x86_64, and so the build fails on ARM. This is however either a mistake or I would consider this a way to ship any backdoored software. I have no time to investigate so I am going to assume the latter for now and will be *very* careful.
>>>> 
>>>> Due to the CVEs open with screen-5.0.0, should I now go back and look at the patches from that person and make a new patch submission using those?
>>> 
>>> I did not have time yesterday to look into this…
>>> 
>>> Where did you get this tarball from? The one that I can download from https://ftp.gnu.org/gnu/screen/screen-5.0.1.tar.gz does not have any binaries in it. Either it has been replaced or you have been given a malicious source tarball.
>> I downloaded it from the same url you gave - https://ftp.gnu.org/gnu/screen/ which I accessed from the screen-5.0.1 announcement.
>> https://lists.gnu.org/archive/html/screen-users/2025-05/msg00005.html
>> I checked the same file from that download site yesterday and it still had the .o file in it.
>> However, I did write to Alex Naumov today at 11:50, mentioning that we had found the binary object files. Now I also find that the file at that location has no .o files in it and is much smaller (obviously). However the date and time of the files is still the original one of 2025-05-15 11:48 although I can't think how the file could be changed and still have the same date/time in the download site.
> 
> I just got a reply from Alex Naumov and he is just asking for the sha256sum of the file I have. He hasn't mentioned changing the file. Maybe I am not remembering right about testing the downloaded file from yesterday. Using the sig file that I have gives a date/time of 15 May 2025 13:36:11 CEST, and the one that is now available has a date/time of Thu 15 May 2025 17:48:09 CEST, and I downloaded the file and sig file at 2025-05-15 14:02:47 at my local time.
> 
> It looks to me like an incorrect file was uploaded and then identified and replaced relatively quickly, but as I had been keeping an eye out for the new release I caught it with the old version, because the current sig file has a time after when I downloaded the file and I am also at CEST.
> 
> I have had another reply from Alex Naumov saying that the sha256sum is different to the one he just downloaded from the download site.
> 
> I suspect there was some hiccup in what was uploaded and it was relatively quickly fixed but I caught it before the fix.
> 
> I am not sure there will be any further clarification with Alex Naumov.
> 
> I will remove the old file from the source directory and use the new file and sig file that I downloaded today and submit a v2 patch submission for screen-5.0.1.
> 
> Sorry for all the hassle.

No need to be sorry.

Thank you for reaching out to Alex. At least they now know, and we can rule out at least a third party trying to compromise us here.

Yes, please send another patch. I will remove the file from the builders and then we can run another build.

-Michael

> Regards,
> Adolf.
> 
>>> 
>>> I cannot find any signatures that would verify the former tarball or the one that I just downloaded.
>> I still have the signature I used to confirm the original downloaded file and that is now different to the new one. That old one confirms a good signature from Alexander Naumov from that older previous file.
>> gpg: assuming signed data in 'screen-5.0.1.tar.gz'
>> gpg: Signature made Thu 15 May 2025 13:36:11 CEST
>> gpg:                using RSA key 7832918905C6D316DFB54313898D726C87C5AFE3
>> gpg: Good signature from "Alexander Naumov <alexander_naumov@opensuse.org>" [unknown]
>> gpg: WARNING: This key is not certified with a trusted signature!
>> gpg:          There is no indication that the signature belongs to the owner.
>> Primary key fingerprint: 7832 9189 05C6 D316 DFB5  4313 898D 726C 87C5 AFE3
>> So I don't understand what is happening here.
>> Could the file and its sig file on the download site be changed without changing the download date time?
>> Regards,
>> Adolf.
>>> 
>>> -Michael
>>> 
>>>> Regards,
>>>> Adolf.
>>>> 
>>>>> -Michael
>>>>>> On 15 May 2025, at 17:25, Adolf Belka <adolf.belka@ipfire.org> wrote:
>>>>>> 
>>>>>> - Update from version 5.0.0 to 5.0.1
>>>>>> - Update of rootfile
>>>>>> - 5 CVE fixes included in this version
>>>>>> - Changelog
>>>>>>     5.0.1
>>>>>> Security fix
>>>>>>     CVE-2025-46805: do NOT send signals with root privileges
>>>>>>     CVE-2025-46804: avoid file existence test information leaks
>>>>>>     CVE-2025-46803: apply safe PTY default mode of 0620
>>>>>>     CVE-2025-46802: prevent temporary 0666 mode on PTYs in attacher
>>>>>>     CVE-2025-23395: reintroduce lf_secreopen() for logfile
>>>>>>     buffer overflow due bad strncpy()
>>>>>>     uninitialized variables warnings
>>>>>>     typos
>>>>>>     combining char handling that could lead to a segfault
>>>>>> 
>>>>>> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
>>>>>> ---
>>>>>> config/rootfiles/common/screen | 3 +--
>>>>>> lfs/screen                     | 6 +++---
>>>>>> 2 files changed, 4 insertions(+), 5 deletions(-)
>>>>>> 
>>>>>> diff --git a/config/rootfiles/common/screen b/config/rootfiles/common/screen
>>>>>> index 3442bff2b..e8b72aaa2 100644
>>>>>> --- a/config/rootfiles/common/screen
>>>>>> +++ b/config/rootfiles/common/screen
>>>>>> @@ -1,7 +1,6 @@
>>>>>> etc/screenrc
>>>>>> usr/bin/screen
>>>>>> -usr/bin/screen-5.0.0
>>>>>> -#usr/share/info/screen.info
>>>>>> +usr/bin/screen-5.0.1
>>>>>> #usr/share/man/man1/screen.1
>>>>>> #usr/share/screen
>>>>>> #usr/share/screen/utf8encodings
>>>>>> diff --git a/lfs/screen b/lfs/screen
>>>>>> index 6388002cf..d1c0380fb 100644
>>>>>> --- a/lfs/screen
>>>>>> +++ b/lfs/screen
>>>>>> @@ -1,7 +1,7 @@
>>>>>> ###############################################################################
>>>>>> #                                                                             #
>>>>>> # IPFire.org - A linux based firewall                                         #
>>>>>> -# Copyright (C) 2007-2024  IPFire Team  <info@ipfire.org>                     #
>>>>>> +# Copyright (C) 2007-2025  IPFire Team  <info@ipfire.org>                     #
>>>>>> #                                                                             #
>>>>>> # This program is free software: you can redistribute it and/or modify        #
>>>>>> # it under the terms of the GNU General Public License as published by        #
>>>>>> @@ -24,7 +24,7 @@
>>>>>> 
>>>>>> include Config
>>>>>> 
>>>>>> -VER        = 5.0.0
>>>>>> +VER        = 5.0.1
>>>>>> 
>>>>>> THISAPP    = screen-$(VER)
>>>>>> DL_FILE    = $(THISAPP).tar.gz
>>>>>> @@ -40,7 +40,7 @@ objects = $(DL_FILE)
>>>>>> 
>>>>>> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>>>>>> 
>>>>>> -$(DL_FILE)_BLAKE2 = 5ff218afc1692ae201776f759ff2217a51dcf02202e4ba5d12de50a768df83e0e2a7a3511a5f85a3b21362892f31a4fd90d6444918915165ae12a8c0c2b3af39
>>>>>> +$(DL_FILE)_BLAKE2 = f33f985bb9855a5335b72f93b3e8cf8fccddc7c18d3db3fd7493da2825b17002d798e6cf95d35fc39194eb6933018be96efa0b4f6aa4894657ab258f86002220
>>>>>> 
>>>>>> install : $(TARGET)
>>>>>> 
>>>>>> -- 
>>>>>> 2.49.0





end of thread, other threads:[~2025-05-23 14:28 UTC | newest]

Thread overview: 7+ messages
2025-05-15 16:25 [PATCH] screen: Update to version 5.0.1 Adolf Belka
2025-05-22 15:37 ` Michael Tremer
2025-05-22 17:53   ` Adolf Belka
2025-05-23 10:30     ` Michael Tremer
2025-05-23 11:04       ` Adolf Belka
2025-05-23 12:17         ` Adolf Belka
2025-05-23 14:28           ` Michael Tremer
