Date: Fri, 23 May 2025 13:04:26 +0200
Subject: Re: [PATCH] screen: Update to version 5.0.1
To: Michael Tremer
Cc: development@lists.ipfire.org
References: <20250515162525.3301332-1-adolf.belka@ipfire.org> <98828B86-5323-4EFA-9278-6BB578AB77E2@ipfire.org> <7d7601f4-e864-47db-8bc8-ae95be1861cd@ipfire.org>
From: Adolf Belka

Hi Michael,

On 23/05/2025 12:30, Michael Tremer wrote:
> Hello Adolf,
>
>> On 22 May 2025, at 18:53, Adolf Belka wrote:
>>
>> Hi Michael,
>>
>> On 22/05/2025 17:37, Michael Tremer wrote:
>>> Hello Adolf,
>>> Thank you for this patch. I had merged this into next, but I will revert this again.
>>> screen seems to ship binary objects in the source tarball:
>>
>> Oh wow!!!
>>
>>> root@arm64-01:/build/ipfire-2.x# tar tvfa cache/screen-5.0.1.tar.gz | grep \.o$
>>> -rw-rw-r-- alex/alex 16712 2025-05-12 11:59 screen-5.0.1/sched.o
>>> -rw-rw-r-- alex/alex 43808 2025-05-12 11:59 screen-5.0.1/backtick.o
>>> -rw-rw-r-- alex/alex 9080 2025-05-12 11:59 screen-5.0.1/winmsgcond.o
>>> -rw-rw-r-- alex/alex 81728 2025-05-12 11:59 screen-5.0.1/canvas.o
>>> -rw-rw-r-- alex/alex 50680 2025-05-12 11:59 screen-5.0.1/search.o
>>> -rw-rw-r-- alex/alex 32752 2025-05-12 11:59 screen-5.0.1/winmsgbuf.o
>>> -rw-rw-r-- alex/alex 11888 2025-05-12 11:59 screen-5.0.1/term.o
>>> -rw-rw-r-- alex/alex 2800 2025-05-12 11:59 screen-5.0.1/telnet.o
>>> -rw-rw-r-- alex/alex 54224 2025-05-12 11:59 screen-5.0.1/layout.o
>>> -rw-rw-r-- alex/alex 107776 2025-05-12 11:59 screen-5.0.1/mark.o
>>> -rw-rw-r-- alex/alex 58640 2025-05-12 11:59 screen-5.0.1/list_generic.o
>>> -rw-rw-r-- alex/alex 55912 2025-05-12 11:59 screen-5.0.1/input.o
>>> -rw-rw-r-- alex/alex 97520 2025-05-12 11:59 screen-5.0.1/winmsg.o
>>> -rw-rw-r-- alex/alex 108256 2025-05-12 11:59 screen-5.0.1/layer.o
>>> -rw-rw-r-- alex/alex 50344 2025-05-12 11:59 screen-5.0.1/misc.o
>>> -rw-rw-r-- alex/alex 166432 2025-05-12 11:59 screen-5.0.1/window.o
>>> -rw-rw-r-- alex/alex 72440 2025-05-12 11:59 screen-5.0.1/help.o
>>> -rw-rw-r-- alex/alex 154704 2025-05-12 11:59 screen-5.0.1/termcap.o
>>> -rw-rw-r-- alex/alex 300672 2025-05-12 11:59 screen-5.0.1/display.o
>>> -rw-rw-r-- alex/alex 73432 2025-05-12 11:59 screen-5.0.1/list_window.o
>>> -rw-rw-r-- alex/alex 85392 2025-05-12 11:59 screen-5.0.1/resize.o
>>> -rw-rw-r-- alex/alex 650104 2025-05-12 11:59 screen-5.0.1/process.o
>>> -rw-rw-r-- alex/alex 218400 2025-05-12 11:59 screen-5.0.1/ansi.o
>>> -rw-rw-r-- alex/alex 6704 2025-05-12 11:59 screen-5.0.1/kmapdef.o
>>> -rw-rw-r-- alex/alex 27016 2025-05-12 11:59 screen-5.0.1/logfile.o
>>> -rw-rw-r-- alex/alex 6760 2025-05-12 11:59 screen-5.0.1/pty.o
>>> -rw-rw-r-- alex/alex 42704 2025-05-12 11:59 screen-5.0.1/list_display.o
>>> -rw-rw-r-- alex/alex 14160 2025-05-12 11:59 screen-5.0.1/comm.o
>>> -rw-rw-r-- alex/alex 231600 2025-05-12 12:08 screen-5.0.1/doc/screen.texinfo
>>> -rw-rw-r-- alex/alex 42936 2025-05-12 11:59 screen-5.0.1/list_license.o
>>> -rw-rw-r-- alex/alex 146368 2025-05-12 11:59 screen-5.0.1/socket.o
>>> -rw-rw-r-- alex/alex 4176 2025-05-12 11:59 screen-5.0.1/utmp.o
>>> -rw-rw-r-- alex/alex 78792 2025-05-12 11:59 screen-5.0.1/acls.o
>>> -rw-rw-r-- alex/alex 53560 2025-05-12 11:59 screen-5.0.1/attacher.o
>>> -rw-rw-r-- alex/alex 237472 2025-05-12 11:59 screen-5.0.1/screen.o
>>> -rw-rw-r-- alex/alex 101016 2025-05-12 11:59 screen-5.0.1/fileio.o
>>> -rw-rw-r-- alex/alex 98056 2025-05-12 11:59 screen-5.0.1/encoding.o
>>> -rw-rw-r-- alex/alex 29592 2025-05-12 11:59 screen-5.0.1/viewport.o
>>> -rw-rw-r-- alex/alex 77104 2025-05-12 11:59 screen-5.0.1/tty.o
>>> They seem to be x86_64, and so the build fails on ARM. This is however either a mistake or I would consider this a way to ship any backdoored software. I have no time to investigate so I am going to assume the latter for now and will be *very* careful.
>>
>> Due to the CVEs open with screen-5.0.0 should I now go back and look at the patches from that person and make a new patch submission using those?
>
> I did not have time yesterday to look into this…
>
> Where did you get this tarball from? The one that I can download from https://ftp.gnu.org/gnu/screen/screen-5.0.1.tar.gz does not have any binaries in it. Either it has been replaced or you have been given a malicious source tarball.

I downloaded it from the same URL you gave - https://ftp.gnu.org/gnu/screen/ which I accessed from the screen-5.0.1 announcement.
https://lists.gnu.org/archive/html/screen-users/2025-05/msg00005.html

I checked the same file from that download site yesterday and it still had the .o file in it.

However, I did write to Alex Naumov today at 11:50, mentioning that we had found the binary object files.

Now I also find that the file at that location has no .o files in it and is much smaller (obviously). However the date and time of the files is still the original one of 2025-05-15 11:48 although I can't think how the file could be changed and still have the same date/time in the download site.

>
> I cannot find any signatures that would verify the former tarball or the one that I just downloaded.

I still have the signature I used to confirm the original downloaded file and that is now different to the new one. That old one confirms a good signature from Alexander Naumov from that older previous file.

gpg: assuming signed data in 'screen-5.0.1.tar.gz'
gpg: Signature made Thu 15 May 2025 13:36:11 CEST
gpg: using RSA key 7832918905C6D316DFB54313898D726C87C5AFE3
gpg: Good signature from "Alexander Naumov " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 7832 9189 05C6 D316 DFB5 4313 898D 726C 87C5 AFE3

So I don't understand what is happening here. Could the file and its sig file on the download site be changed without changing the download date time?

Regards,
Adolf.

>
> -Michael
>
>> Regards,
>> Adolf.
>> >>> -Michael >>>> On 15 May 2025, at 17:25, Adolf Belka wrote: >>>> >>>> - Update from version 5.0.0 to 5.0.1 >>>> - Update of rootfile >>>> - 5 CVE fixes included in this version >>>> - Changelog >>>> 5.0.1 >>>> Security fix >>>> CVE-2025-46805: do NOT send signals with root privileges >>>> CVE-2025-46804: avoid file existence test information leaks >>>> CVE-2025-46803: apply safe PTY default mode of 0620 >>>> CVE-2025-46802: prevent temporary 0666 mode on PTYs in attacher >>>> CVE-2025-23395: reintroduce lf_secreopen() for logfile >>>> buffer overflow due bad strncpy() >>>> uninitialized variables warnings >>>> typos >>>> combining char handling that could lead to a segfault >>>> >>>> Signed-off-by: Adolf Belka >>>> --- >>>> config/rootfiles/common/screen | 3 +-- >>>> lfs/screen | 6 +++--- >>>> 2 files changed, 4 insertions(+), 5 deletions(-) >>>> >>>> diff --git a/config/rootfiles/common/screen b/config/rootfiles/common/screen >>>> index 3442bff2b..e8b72aaa2 100644 >>>> --- a/config/rootfiles/common/screen >>>> +++ b/config/rootfiles/common/screen >>>> @@ -1,7 +1,6 @@ >>>> etc/screenrc >>>> usr/bin/screen >>>> -usr/bin/screen-5.0.0 >>>> -#usr/share/info/screen.info >>>> +usr/bin/screen-5.0.1 >>>> #usr/share/man/man1/screen.1 >>>> #usr/share/screen >>>> #usr/share/screen/utf8encodings >>>> diff --git a/lfs/screen b/lfs/screen >>>> index 6388002cf..d1c0380fb 100644 >>>> --- a/lfs/screen >>>> +++ b/lfs/screen >>>> @@ -1,7 +1,7 @@ >>>> ############################################################################### >>>> # # >>>> # IPFire.org - A linux based firewall # >>>> -# Copyright (C) 2007-2024 IPFire Team # >>>> +# Copyright (C) 2007-2025 IPFire Team # >>>> # # >>>> # This program is free software: you can redistribute it and/or modify # >>>> # it under the terms of the GNU General Public License as published by # 
>>>> @@ -24,7 +24,7 @@ >>>> >>>> include Config >>>> >>>> -VER = 5.0.0 >>>> +VER = 5.0.1 >>>> >>>> THISAPP = screen-$(VER) >>>> DL_FILE = $(THISAPP).tar.gz >>>> @@ -40,7 +40,7 @@ objects = $(DL_FILE) >>>> >>>> $(DL_FILE) = $(DL_FROM)/$(DL_FILE) >>>> >>>> -$(DL_FILE)_BLAKE2 = 5ff218afc1692ae201776f759ff2217a51dcf02202e4ba5d12de50a768df83e0e2a7a3511a5f85a3b21362892f31a4fd90d6444918915165ae12a8c0c2b3af39 >>>> +$(DL_FILE)_BLAKE2 = f33f985bb9855a5335b72f93b3e8cf8fccddc7c18d3db3fd7493da2825b17002d798e6cf95d35fc39194eb6933018be96efa0b4f6aa4894657ab258f86002220 >>>> >>>> install : $(TARGET) >>>> >>>> -- >>>> 2.49.0 >>>> >>>> >> >> >
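Review bot: In the config/rootfiles/common/screen hunk, the commented `#usr/share/info/screen.info` entry is removed together with the version bump, while the commit message only says "Update of rootfile". Please state why the 5.0.1 build no longer produces the info page, or restore the line, so that the change in the installed file set is explained before merging.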
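Review bot: In the lfs/screen hunk at `@@ -40,7 +40,7 @@`, the new `$(DL_FILE)_BLAKE2` value is the only thing tying the build to one specific tarball, and the commit message does not record how the download was verified before it was hashed. Please add the upstream signature check, including the signing key fingerprint, to the commit message so the pinned hash can be traced back to a verified file.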
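The check done in this thread with `tar tvfa ... | grep \.o$`, performed on file content instead of file names, as an added example that is not part of the original mails or of IPFire's build system. A name pattern can also match non-objects (the listing above includes `doc/screen.texinfo`), so this version flags members that start with the ELF magic and reports their type and target architecture. The sample tarball and its `demo-1.0/` paths are constructed, and treating the `_BLAKE2` pin as BLAKE2b-512 is an assumption based on its 128 hex digits.

```python
import hashlib
import io
import struct
import tarfile

ELF_MAGIC = b"\x7fELF"
# e_machine and e_type values from the ELF specification (subset).
MACHINES = {3: "x86", 40: "arm", 62: "x86_64", 183: "aarch64", 243: "riscv"}
ET_TYPES = {1: "relocatable (.o)", 2: "executable", 3: "shared object"}

def elf_members(tar_bytes):
    """Return [(name, type, machine)] for every ELF file inside a tarball."""
    found = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            head = tar.extractfile(member).read(20)
            if len(head) < 20 or head[:4] != ELF_MAGIC:
                continue
            # EI_DATA (byte 5 of e_ident): 1 = little endian, 2 = big endian.
            endian = "<" if head[5] == 1 else ">"
            e_type, e_machine = struct.unpack(endian + "HH", head[16:20])
            found.append((member.name, ET_TYPES.get(e_type, f"type {e_type}"),
                          MACHINES.get(e_machine, f"machine {e_machine}")))
    return found

def blake2_hex(data):
    """BLAKE2b-512 hex digest (assumed to be the form of the *_BLAKE2 pin)."""
    return hashlib.blake2b(data).hexdigest()

def sample_tarball():
    """Constructed sample: a C file, a fake x86_64 object and a texinfo file."""
    # 16-byte e_ident (64-bit, little endian), then e_type=1, e_machine=62.
    elf = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8) + struct.pack("<HH", 1, 62)
    files = {"demo-1.0/sched.c": b"int main(void){return 0;}\n",
             "demo-1.0/sched.o": elf + bytes(44),
             "demo-1.0/doc/demo.texinfo": b"@node Top\n"}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

if __name__ == "__main__":
    print(elf_members(sample_tarball()))
```

On a real download, pass the tarball's bytes to `elf_members()` and treat any result as a reason to stop before the hash is pinned.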