pkgsrc-Bugs archive
Re: pkg/59417: Multiple Security Issues in Screen
The following reply was made to PR pkg/59417; it has been noted by GNATS.
From: Taylor R Campbell <riastradh%NetBSD.org@localhost>
To: Ricardo Branco <rbranco%suse.de@localhost>
Cc: gnats-bugs%NetBSD.org@localhost, pkgsrc-bugs%NetBSD.org@localhost
Subject: Re: pkg/59417: Multiple Security Issues in Screen
Date: Fri, 16 May 2025 15:05:00 +0000
screen5 seems to be a total disaster and I don't think it should be
inflicted on users at all under the package name `screen' or the path
`misc/screen'.
I suggest we delete misc/screen altogether (add misc/screen5 if anyone
really wants it, which I doubt), and have misc/screen4 install a
package named screen4 with
SUPERSEDES+= screen-[0-9]*
so that users who had gotten screen-5.* under the misapprehension it
is a normal update over screen-4.* will have a chance to restore
sanity (except for the part where pkgin SUPERSEDES processing is
broken, sigh, but once it is fixed...).
That said, it is not clear from my skim of the report which issues
apply to screen4 and whether -- aside from an abundance of caution --
dropping the set-user-id bit is necessary: it breaks useful
functionality that, e.g., we use internally at TNF to mitigate the
need for sudo all the time.
And it's difficult to track the issues from 4 to 5 because upstream
just reformatted all the code between screen4 and screen5, which
diverged a decade ago.
Next, I suggest screen require mandatory public review on tech-pkg for
updates, because it is so ubiquitous and important and upstream is
astonishingly sloppy at best, with, e.g., build artefacts in the
distfiles which were later updated in place
(https://www.openwall.com/lists/oss-security/2025/05/16/1).
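A small check that is not part of the PR or of pkgsrc, added here as an example: it takes an installed package name of the kind pkg_info(1) prints (the pattern `screen-[0-9]*` is the one used above) and the path of the screen binary, and reports whether the machine was pulled onto screen-5.x and whether the binary still carries the set-user-id bit. The helper names, the sample package names and the temporary file in the usage comment are assumptions made for this example; on a real system the package name would come from `pkg_info -e 'screen-[0-9]*'`.

```shell
#!/bin/sh
# Added example, not code from the PR or from pkgsrc.
# Classifies an installed screen package by major version and tells
# whether the installed binary is set-user-id.

# screen_major PKGNAME
#   Prints the major version of a pkgsrc package name such as
#   "screen-5.0.0nb1" or "screen4-4.9.1" (both constructed samples).
screen_major() {
    ver=${1##*-}                       # drop the package base, keep "5.0.0nb1"
    printf '%s\n' "${ver%%.*}" | sed 's/[^0-9].*//'   # keep leading digits only
}

# is_setuid PATH
#   Succeeds when PATH has the set-user-id bit (POSIX test -u).
is_setuid() {
    [ -u "$1" ]
}

# screen_status PKGNAME BINARY
#   One-line classification suitable for a quick audit script.
screen_status() {
    major=$(screen_major "$1")
    if is_setuid "$2"; then suid=setuid; else suid=not-setuid; fi
    case $major in
        5) printf 'screen-5.x installed (%s): consider reverting to screen4\n' "$suid" ;;
        4) printf 'screen-4.x installed (%s)\n' "$suid" ;;
        *) printf 'unrecognised screen package %s (%s)\n' "$1" "$suid" ;;
    esac
}

# Real usage on a pkgsrc system (assumed paths):
#   screen_status "$(pkg_info -e 'screen-[0-9]*')" /usr/pkg/bin/screen
```

The setuid test is the only part that touches the filesystem; everything else works on the package name string, so the classification can be run against a saved `pkg_info` listing from another host.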