Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <aCR-A6lIgS2h8efj@kasco.suse.de>
Date: Wed, 14 May 2025 13:26:59 +0200
From: Matthias Gerstner <mgerstner@...e.de>
To: oss-security@...ts.openwall.com
Subject: Re: screen: Multiple Security Issues in Screen
 (mostly affecting release 5.0.0 and setuid-root installations)

Hi,

On Tue, May 13, 2025 at 03:48:31PM -0700, Mark Esler wrote:
> Cheers for the report Matthias and SUSE Security!

thanks!

> Could you please comment on the affectedness of upstream screen 5.0.1?
> 
> https://git.savannah.gnu.org/cgit/screen.git/commit/?h=screen-v5&id=464c8d8f945f53f8cbb854517279349e09d74756
> 
> This version was released ~an hour before your initial oss post. It appears
> that upstream landed the patches, which may be worth mentioning in your
> timeline.

Indeed, this is the bugfix release announced by upstream here:

https://lists.gnu.org/archive/html/screen-users/2025-05/msg00005.html

We just updated our blog post to reflect what we could find out about
the upstream bugfixes:

https://security.opensuse.org/2025/05/12/screen-security-issues.html#8-upstream-bugfixes

For screen 4.9.1 bugfixes landed on the upstream screen-v4 branch, but
it seems no release is planned here. We reviewed the following bugfixes:

- commit 049b26b22e1 [1]: fixes the PTY mode issue (item 3.b, CVE-2025-46802).
- commit e0eef5aac45 [2]: fixes the file existence test issue (item 3.d, CVE-2025-46804).
- commit 161f85b98b7 [3]: fixes the signal sending issue (item 3.e, CVE-2025-46805).

For screen 5.0.0 the 5.0.1 bugfix release has been announced. Patches
landed on the upstream screen-v5 branch. We reviewed the following
bugfixes:

- commit e894caeff [4] fixes the logfile reopen issue (item 3.a, CVE-2025-23395)
- commit d10eb5b2f [5] fixes the PTY mode issue (item 3.b, CVE-2025-46802).
- commit d5d7bf43f [6] fixes the default PTY mode issue (item 3.c, CVE-2025-46803)
- commit 710cda5c7 [7] fixes the file existence test issue (item 3.d, CVE-2025-46804).
- commit a17b0da26 [8] fixes the signal sending issue (item 3.e, CVE-2025-46805).
- commit 2bdebfc98 [9] fixes the strncpy related crashes (item 3.f).

The last time we checked no screen 5.0.1 release tarballs could be found
in the GNU Screen download area yet.

[1]: https://git.savannah.gnu.org/cgit/screen.git/commit/?h=screen-v4&id=049b26b22e197ba3be9c46e5c193032e01a4724a
[2]: https://git.savannah.gnu.org/cgit/screen.git/commit/?h=screen-v4&id=e0eef5aac453fa98a2664416a56c50ad1d00cb30
[3]: https://git.savannah.gnu.org/cgit/screen.git/commit/?h=screen-v4&id=161f85b98b7e1d5e4893aeed20f4cdb5e3dfaaa4

[4]: https://git.savannah.gnu.org/cgit/screen.git/commit/?h=screen-v5&id=e894caeffccdb62f9c644989a936dc7ec83cc747
[5]: https://git.savannah.gnu.org/cgit/screen.git/commit/?h=screen-v5&id=d10eb5b2f7eebaa347f09c010bd391373fdd1695
[6]: https://git.savannah.gnu.org/cgit/screen.git/commit/?h=screen-v5&id=d5d7bf43f3842e8b62d5f34eb4b031de7c8098c1
[7]: https://git.savannah.gnu.org/cgit/screen.git/commit/?h=screen-v5&id=710cda5c71cacfed201b5659e04a83815313d8e6
[8]: https://git.savannah.gnu.org/cgit/screen.git/commit/?h=screen-v5&id=a17b0da26494856640bd9d52a03fc1b575400170
[9]: https://git.savannah.gnu.org/cgit/screen.git/commit/?h=screen-v5&id=2bdebfc9837cfd3cea0645030e626b08bb6bc2d0

Best Regards

Matthias

-- 
Matthias Gerstner <matthias.gerstner@...e.de>
Security Engineer
https://www.suse.com/security
GPG Key ID: 0x14C405C971923553
 
SUSE Software Solutions Germany GmbH
HRB 36809, AG Nürnberg
Geschäftsführer: Ivo Totev, Andrew McDonald, Werner Knoblich

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.