NetBSD Problem Report #59417
From www@netbsd.org Mon May 12 14:57:13 2025
Return-Path: <www@netbsd.org>
Message-Id: <20250512145711.C650A1A9245@mollari.NetBSD.org>
Date: Mon, 12 May 2025 14:57:11 +0000 (UTC)
From: rbranco@suse.de
Reply-To: rbranco@suse.de
To: gnats-bugs@NetBSD.org
Subject: Multiple Security Issues in Screen
X-Send-Pr-Version: www-1.0
>Number: 59417
>Notify-List: riastradh@NetBSD.org
>Category: pkg
>Synopsis: Multiple Security Issues in Screen
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: pkg-manager
>State: needs-pullups
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon May 12 15:00:00 +0000 2025
>Closed-Date:
>Last-Modified: Fri May 16 16:05:01 +0000 2025
>Originator: Ricardo Branco
>Release: NetBSD 10.1
>Organization:
>Environment:
>Description:
https://security.opensuse.org/2025/05/12/screen-security-issues.html
>How-To-Repeat:
>Fix:
Remove setuid?
https://github.com/NetBSD/pkgsrc/blob/trunk/misc/screen/Makefile#L62
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed
State-Changed-By: wiz@NetBSD.org
State-Changed-When: Mon, 12 May 2025 17:24:46 +0000
State-Changed-Why:
Fixed by removing setuid bit and applying the patches
from the advisory. Thanks!
State-Changed-From-To: closed->needs-pullups
State-Changed-By: riastradh@NetBSD.org
State-Changed-When: Mon, 12 May 2025 18:09:50 +0000
State-Changed-Why:
Surely this needs pullups to the quarterly branch?
From: "Maya Rashish" <maya@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/59417 CVS commit: [pkgsrc-2025Q1] pkgsrc/misc/screen
Date: Fri, 16 May 2025 14:14:45 +0000
Module Name: pkgsrc
Committed By: maya
Date: Fri May 16 14:14:45 UTC 2025
Modified Files:
pkgsrc/misc/screen [pkgsrc-2025Q1]: Makefile distinfo
pkgsrc/misc/screen/patches [pkgsrc-2025Q1]: patch-socket.c
Added Files:
pkgsrc/misc/screen/patches [pkgsrc-2025Q1]: patch-attacher.c
patch-configure patch-configure.ac patch-logfile.c patch-logfile.h
patch-process.c patch-screen.c patch-screen.h
Removed Files:
pkgsrc/misc/screen [pkgsrc-2025Q1]: MESSAGE
Log Message:
Pullup ticket #6964 - requested by bsiegert
misc/screen: Security fix (PR pkg/59417)
Revisions pulled up:
- misc/screen/MESSAGE deleted
- misc/screen/Makefile 1.128-1.129
- misc/screen/distinfo 1.67
- misc/screen/patches/patch-attacher.c 1.1
- misc/screen/patches/patch-configure 1.1
- misc/screen/patches/patch-configure.ac 1.1
- misc/screen/patches/patch-logfile.c 1.1
- misc/screen/patches/patch-logfile.h 1.1
- misc/screen/patches/patch-process.c 1.1
- misc/screen/patches/patch-screen.c 1.7
- misc/screen/patches/patch-screen.h 1.1
- misc/screen/patches/patch-socket.c 1.7
---
Module Name: pkgsrc
Committed By: wiz
Date: Mon May 12 15:46:06 UTC 2025
Modified Files:
pkgsrc/misc/screen: Makefile
Removed Files:
pkgsrc/misc/screen: MESSAGE
Log Message:
screen: remove setuid bit because of security problems
Remove MESSAGE while here.
Bump PKGREVISION.
---
Module Name: pkgsrc
Committed By: wiz
Date: Mon May 12 16:03:20 UTC 2025
Modified Files:
pkgsrc/misc/screen: Makefile distinfo
pkgsrc/misc/screen/patches: patch-socket.c
Added Files:
pkgsrc/misc/screen/patches: patch-attacher.c patch-configure
patch-configure.ac patch-logfile.c patch-logfile.h
patch-process.c
patch-screen.c patch-screen.h
Log Message:
screen: add opensuse patches for security problems
For
https://security.opensuse.org/2025/05/12/screen-security-issues.html
Bump PKGREVISION.
To generate a diff of this commit:
cvs rdiff -u -r1.5 -r0 pkgsrc/misc/screen/MESSAGE
cvs rdiff -u -r1.126 -r1.126.2.1 pkgsrc/misc/screen/Makefile
cvs rdiff -u -r1.66 -r1.66.2.1 pkgsrc/misc/screen/distinfo
cvs rdiff -u -r0 -r1.1.2.2 pkgsrc/misc/screen/patches/patch-attacher.c \
pkgsrc/misc/screen/patches/patch-configure \
pkgsrc/misc/screen/patches/patch-configure.ac \
pkgsrc/misc/screen/patches/patch-logfile.c \
pkgsrc/misc/screen/patches/patch-logfile.h \
pkgsrc/misc/screen/patches/patch-process.c \
pkgsrc/misc/screen/patches/patch-screen.h
cvs rdiff -u -r0 -r1.7.2.2 pkgsrc/misc/screen/patches/patch-screen.c
cvs rdiff -u -r1.6 -r1.6.2.1 pkgsrc/misc/screen/patches/patch-socket.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Maya Rashish" <maya@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/59417 CVS commit: [pkgsrc-2025Q1] pkgsrc/misc/screen4
Date: Fri, 16 May 2025 14:17:48 +0000
Module Name: pkgsrc
Committed By: maya
Date: Fri May 16 14:17:48 UTC 2025
Modified Files:
pkgsrc/misc/screen4 [pkgsrc-2025Q1]: Makefile distinfo
pkgsrc/misc/screen4/patches [pkgsrc-2025Q1]: patch-screen.c
patch-socket.c
Added Files:
pkgsrc/misc/screen4/patches [pkgsrc-2025Q1]: patch-attacher.c
Removed Files:
pkgsrc/misc/screen4 [pkgsrc-2025Q1]: MESSAGE
Log Message:
Pullup ticket #6965 - requested by bsiegert
misc/screen4: Security fix (PR pkg/59417)
Revisions pulled up:
- misc/screen4/MESSAGE deleted
- misc/screen4/Makefile 1.3-1.4
- misc/screen4/distinfo 1.2
- misc/screen4/patches/patch-attacher.c 1.1
- misc/screen4/patches/patch-screen.c 1.2
- misc/screen4/patches/patch-socket.c 1.2
---
Module Name: pkgsrc
Committed By: wiz
Date: Mon May 12 15:47:35 UTC 2025
Modified Files:
pkgsrc/misc/screen4: Makefile
Removed Files:
pkgsrc/misc/screen4: MESSAGE
Log Message:
screen4: remove setuid bit because of security problems.
Remove MESSAGE while here.
Bump PKGREVISION.
---
Module Name: pkgsrc
Committed By: wiz
Date: Mon May 12 15:58:01 UTC 2025
Modified Files:
pkgsrc/misc/screen4: Makefile distinfo
pkgsrc/misc/screen4/patches: patch-screen.c patch-socket.c
Added Files:
pkgsrc/misc/screen4/patches: patch-attacher.c
Log Message:
screen4: apply opensuse patches for
https://security.opensuse.org/2025/05/12/screen-security-issues.html
Bump PKGREVISION.
To generate a diff of this commit:
cvs rdiff -u -r1.1 -r0 pkgsrc/misc/screen4/MESSAGE
cvs rdiff -u -r1.1 -r1.1.2.1 pkgsrc/misc/screen4/Makefile \
pkgsrc/misc/screen4/distinfo
cvs rdiff -u -r0 -r1.1.2.2 pkgsrc/misc/screen4/patches/patch-attacher.c
cvs rdiff -u -r1.1 -r1.1.2.1 pkgsrc/misc/screen4/patches/patch-screen.c \
pkgsrc/misc/screen4/patches/patch-socket.c
From: Taylor R Campbell <riastradh@NetBSD.org>
To: Ricardo Branco <rbranco@suse.de>
Cc: gnats-bugs@NetBSD.org, pkgsrc-bugs@NetBSD.org
Subject: Re: pkg/59417: Multiple Security Issues in Screen
Date: Fri, 16 May 2025 15:05:00 +0000
screen5 seems to be a total disaster and I don't think it should be
inflicted on users at all under the package name `screen' or the path
`misc/screen'.
I suggest we delete misc/screen altogether (add misc/screen5 if anyone
really wants it, which I doubt), and have misc/screen4 install a
package named screen4 with
SUPERSEDES+= screen-[0-9]*
so that users who had gotten screen-5.* under the misapprehension it
is a normal update over screen-4.* will have a chance to restore
sanity (except for the part where pkgin SUPERSEDES processing is
broken, sigh, but once it is fixed...).
That said, it is not clear from my skim of the report which issues
apply to screen4 and whether -- aside from an abundance of caution --
dropping the set-user-id bit is necessary: it breaks useful
functionality that, e.g., we use internally at TNF to mitigate the
need for sudo all the time.
And it's difficult to track the issues from 4 to 5 because upstream
just reformatted all the code between screen4 and screen5, which
diverged a decade ago.
Next, I suggest screen require mandatory public review on tech-pkg for
updates, because it is so ubiquitous and important and upstream is
astonishingly sloppy at best, with, e.g., build artefacts in the
distfiles which were later updated in place
(https://www.openwall.com/lists/oss-security/2025/05/16/1).
From: Jonathan Perkin <jperkin@pkgsrc.org>
To: Taylor R Campbell <riastradh@NetBSD.org>
Cc: Ricardo Branco <rbranco@suse.de>, gnats-bugs@NetBSD.org,
pkgsrc-bugs@NetBSD.org
Subject: Re: pkg/59417: Multiple Security Issues in Screen
Date: Fri, 16 May 2025 16:24:18 +0100
* On 2025-05-16 at 16:05 BST, Taylor R Campbell wrote:
>screen5 seems to be a total disaster and I don't think it should be
>inflicted on users at all under the package name `screen' or the path
>`misc/screen'.
FWIW I fully agree, it drops support for illumos, causes regressions,
and has no discernible improvements over screen 4. I don't understand
why it was "upgraded".
>I suggest we delete misc/screen altogether (add misc/screen5 if anyone
>really wants it, which I doubt), and have misc/screen4 install a
>package named screen4 with
>
>SUPERSEDES+= screen-[0-9]*
>
>so that users who had gotten screen-5.* under the misapprehension it
>is a normal update over screen-4.* will have a chance to restore
>sanity (except for the part where pkgin SUPERSEDES processing is
>broken, sigh, but once it is fixed...).
I'd rather misc/screen was restored to 4.x, 5.x moved to misc/screen5,
and then perhaps in the future when 5.x is actually an improvement over
4.x it can just be updated normally. All this PKGPATH messing around
just breaks binary package upgrades.
That said, I have some incoming fixes for pkgin SUPERSEDES support that
are able to handle the php renames, and would likely handle this too.
--
Jonathan Perkin pkgsrc.smartos.org
Open Source Complete Cloud www.tritondatacenter.com
From: Taylor R Campbell <riastradh@NetBSD.org>
To: Jonathan Perkin <jperkin@pkgsrc.org>
Cc: Ricardo Branco <rbranco@suse.de>, gnats-bugs@NetBSD.org, pkgsrc-bugs@NetBSD.org
Subject: Re: pkg/59417: Multiple Security Issues in Screen
Date: Fri, 16 May 2025 15:31:14 +0000
> Date: Fri, 16 May 2025 16:24:18 +0100
> From: Jonathan Perkin <jperkin@pkgsrc.org>
>
> * On 2025-05-16 at 16:05 BST, Taylor R Campbell wrote:
>
> >I suggest we delete misc/screen altogether (add misc/screen5 if anyone
> >really wants it, which I doubt), and have misc/screen4 install a
> >package named screen4 with
> >
> >SUPERSEDES+= screen-[0-9]*
> >
> >so that users who had gotten screen-5.* under the misapprehension it
> >is a normal update over screen-4.* will have a chance to restore
> >sanity (except for the part where pkgin SUPERSEDES processing is
> >broken, sigh, but once it is fixed...).
>
> I'd rather misc/screen was restored to 4.x, 5.x moved to misc/screen5,
> and then perhaps in the future when 5.x is actually an improvement over
> 4.x it can just be updated normally. All this PKGPATH messing around
> just breaks binary package upgrades.
OK, how about:
misc/screen has PKGNAME screen4-..., SUPERSEDES+= screen-[0-9]*
misc/screen5 (if anyone wants it) has PKGNAME screen5-...
This way:
1. Anyone who installs path `misc/screen' (e.g., with pkg_chk or
whatever) gets screen 4.x.
2. Anyone who had `screen' installed as a binary package in 2024Q4 or
earlier gets it updated to screen 4.x on transition to 2025Q1.
3. Anyone who had `screen' installed as a binary package in 2024Q4 or
earlier _and already updated to 2025Q1_, so they inadvertently had
screen 5.x inflicted on them, will _also_ get `updated' back to
screen 4.x.
4. Those who want screen 5 can install PKGPATH misc/screen5 or PKGNAME
screen5-*.
> That said, I have some incoming fixes for pkgin SUPERSEDES support that
> are able to handle the php renames, and would likely handle this too.
Great!
From: Jonathan Perkin <jperkin@pkgsrc.org>
To: Taylor R Campbell <riastradh@NetBSD.org>
Cc: Ricardo Branco <rbranco@suse.de>, gnats-bugs@NetBSD.org,
pkgsrc-bugs@NetBSD.org
Subject: Re: pkg/59417: Multiple Security Issues in Screen
Date: Fri, 16 May 2025 16:42:25 +0100
* On 2025-05-16 at 16:31 BST, Taylor R Campbell wrote:
>> Date: Fri, 16 May 2025 16:24:18 +0100
>> From: Jonathan Perkin <jperkin@pkgsrc.org>
>>
>> * On 2025-05-16 at 16:05 BST, Taylor R Campbell wrote:
>>
>> >I suggest we delete misc/screen altogether (add misc/screen5 if anyone
>> >really wants it, which I doubt), and have misc/screen4 install a
>> >package named screen4 with
>> >
>> >SUPERSEDES+= screen-[0-9]*
>> >
>> >so that users who had gotten screen-5.* under the misapprehension it
>> >is a normal update over screen-4.* will have a chance to restore
>> >sanity (except for the part where pkgin SUPERSEDES processing is
>> >broken, sigh, but once it is fixed...).
>>
>> I'd rather misc/screen was restored to 4.x, 5.x moved to misc/screen5,
>> and then perhaps in the future when 5.x is actually an improvement over
>> 4.x it can just be updated normally. All this PKGPATH messing around
>> just breaks binary package upgrades.
>
>OK, how about:
>
>misc/screen has PKGNAME screen4-..., SUPERSEDES+= screen-[0-9]*
To achieve 1-4 below there's no need to do this, just revert misc/screen
back to 4.x. Saves confusion and avoids the wart of it being called
screenN-* forever.
>misc/screen5 (if anyone wants it) has PKGNAME screen5-...
>
>This way:
>
>1. Anyone who installs path `misc/screen' (e.g., with pkg_chk or
> whatever) gets screen 4.x.
>
>2. Anyone who had `screen' installed as a binary package in 2024Q4 or
> earlier gets it updated to screen 4.x on transition to 2025Q1.
>
>3. Anyone who had `screen' installed as a binary package in 2024Q4 or
> earlier _and already updated to 2025Q1_, so they inadvertently had
> screen 5.x inflicted on them, will _also_ get `updated' back to
> screen 4.x.
>
>4. Those who want screen 5 can install PKGPATH misc/screen5 or PKGNAME
> screen5-*.
>
>> That said, I have some incoming fixes for pkgin SUPERSEDES support that
>> are able to handle the php renames, and would likely handle this too.
>
>Great!
If you want to test this at all I've just pushed it to GitHub, though
will not cut a release for it until it has been thoroughly verified.
--
Jonathan Perkin pkgsrc.smartos.org
Open Source Complete Cloud www.tritondatacenter.com
From: Thomas Klausner <wiz@NetBSD.org>
To: NetBSD bugtracking <gnats-bugs@NetBSD.org>
Cc:
Subject: Re: pkg/59417: Multiple Security Issues in Screen
Date: Fri, 16 May 2025 18:03:09 +0200
On Fri, May 16, 2025 at 03:45:02PM +0000, Jonathan Perkin via gnats wrote:
> To achieve 1-4 below there's no need to do this, just revert misc/screen
> back to 4.x. Saves confusion and avoids the wart of it being called
> screenN-* forever.
Perhaps it will work for pkgin, but for pkg_add, a binary package of
screen-5.x will be preferred to one for screen-4.x.
Or am I missing something?
Thomas
>Unformatted: