Message-ID: <35a41210-9cd1-4845-bc6d-fdbff2d0c407@gentoo.org>
Date: Fri, 16 May 2025 14:07:16 -0400
From: Eli Schwartz <eschwartz@...too.org>
To: oss-security@...ts.openwall.com
Subject: Re: screen: Multiple Security Issues in Screen (mostly
 affecting release 5.0.0 and setuid-root installations)

On 5/16/25 12:31 PM, Taylor R Campbell wrote:
> It is not nonsensical, and it is not the inconsequential pedantry you
> are suggesting.  Please consider avoiding sarcastic disparagement when
> publicly discussing the factual matters of security reports.
> 
> The report says that `NetBSD 10.1' is affected.  This is not quite
> right, _and it matters_ even if you set aside the fact that NetBSD
> 10.1 itself (which does ship tmux!) does not ship screen, because:


NetBSD 10.1 (and earlier) is affected (if you use its package manager to
install screen).


Arch Linux is affected (if you use its package manager to install screen).

Debian 12.10 (but this is not quite right!!!1!11!!!oneoneeleven. The
same packages are available on e.g. Debian 13, 11, etc) is affected (if
you use its package manager to install screen).

Ubuntu 24.04.10 (but this is not quite right!!!1!11!!!oneoneeleven. The
same packages are available on e.g. Ubuntu 22.04, 24.10, 25.04, 25.10)
is affected (if you use its package manager to install screen).

Gentoo (but this is not quite right!!!1!11!!!oneoneeleven. The same
packages are available on e.g. macOS Prefix) is affected (if you use its
package manager to install screen).


> (a) the same pkgsrc packages are available on, e.g., NetBSD 9.x (which
>     is not EOL); and
> 
> (b) pkgsrc is used on platforms other than NetBSD, including macOS,
>     SmartOS, and various Linux distributions (e.g., for unprivileged
>     use on HPC clusters where it is more flexible and up-to-date than
>     the Linux distribution's package manager).
> 
> That is why it would be more accurate for the report to say
> `pkgsrc-2025Q1', not `NetBSD 10.1'.


I strongly dispute this. It should instead list both, as both are
affected. (Again, b is the same distinction as "Gentoo, but also
portage-20250508, are both affected".)


But the list of affected distributions wasn't complete, and likely
wasn't intended to be. Nor was its list of distribution *versions*. It
didn't list affected versions for Adelie, Alpine, CRUX, Exherbo, Guix,
Homebrew, Mageia, Mandriva, Solus, Void Linux...


I'll reiterate that claiming NetBSD is "not affected" because "the base
installation doesn't preinstall it" is nonsensical, and highly
reminiscent of, erm, a different BSD that uses similar logic to conclude
that "the base installation" does not need useless bloat such as TrustedBSD.


I encourage you to relax and stop feeling like the honor of NetBSD is at
stake if you fail to prove that "NetBSD 10.1" was exempt from the same
issue all other distributors had.

It's no embarrassment for an operating system to have the built-in
capability to install software; you can just *not* treat it like an
unwanted and uninvited guest tracking mud all over the kitchen that
needs to be disavowed.


-- 
Eli Schwartz

