pkgsrc-Changes archive
CVS commit: [pkgsrc-2025Q1] pkgsrc/misc/screen4
Module Name: pkgsrc
Committed By: maya
Date: Fri May 16 14:17:48 UTC 2025
Modified Files:
pkgsrc/misc/screen4 [pkgsrc-2025Q1]: Makefile distinfo
pkgsrc/misc/screen4/patches [pkgsrc-2025Q1]: patch-screen.c
patch-socket.c
Added Files:
pkgsrc/misc/screen4/patches [pkgsrc-2025Q1]: patch-attacher.c
Removed Files:
pkgsrc/misc/screen4 [pkgsrc-2025Q1]: MESSAGE
Log Message:
Pullup ticket #6965 - requested by bsiegert
misc/screen4: Security fix (PR pkg/59417)
Revisions pulled up:
- misc/screen4/MESSAGE deleted
- misc/screen4/Makefile 1.3-1.4
- misc/screen4/distinfo 1.2
- misc/screen4/patches/patch-attacher.c 1.1
- misc/screen4/patches/patch-screen.c 1.2
- misc/screen4/patches/patch-socket.c 1.2
---
Module Name: pkgsrc
Committed By: wiz
Date: Mon May 12 15:47:35 UTC 2025
Modified Files:
pkgsrc/misc/screen4: Makefile
Removed Files:
pkgsrc/misc/screen4: MESSAGE
Log Message:
screen4: remove setuid bit because of security problems.
Remove MESSAGE while here.
Bump PKGREVISION.
---
Module Name: pkgsrc
Committed By: wiz
Date: Mon May 12 15:58:01 UTC 2025
Modified Files:
pkgsrc/misc/screen4: Makefile distinfo
pkgsrc/misc/screen4/patches: patch-screen.c patch-socket.c
Added Files:
pkgsrc/misc/screen4/patches: patch-attacher.c
Log Message:
screen4: apply opensuse patches for
https://security.opensuse.org/2025/05/12/screen-security-issues.html
Bump PKGREVISION.
To generate a diff of this commit:
cvs rdiff -u -r1.1 -r0 pkgsrc/misc/screen4/MESSAGE
cvs rdiff -u -r1.1 -r1.1.2.1 pkgsrc/misc/screen4/Makefile \
pkgsrc/misc/screen4/distinfo
cvs rdiff -u -r0 -r1.1.2.2 pkgsrc/misc/screen4/patches/patch-attacher.c
cvs rdiff -u -r1.1 -r1.1.2.1 pkgsrc/misc/screen4/patches/patch-screen.c \
pkgsrc/misc/screen4/patches/patch-socket.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/misc/screen4/Makefile
diff -u pkgsrc/misc/screen4/Makefile:1.1 pkgsrc/misc/screen4/Makefile:1.1.2.1
--- pkgsrc/misc/screen4/Makefile:1.1 Fri Feb 7 03:15:05 2025
+++ pkgsrc/misc/screen4/Makefile Fri May 16 14:17:47 2025
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.1 2025/02/07 03:15:05 ryoon Exp $
+# $NetBSD: Makefile,v 1.1.2.1 2025/05/16 14:17:47 maya Exp $
DISTNAME= screen-4.9.1
+PKGREVISION= 2
CATEGORIES= misc shells
MASTER_SITES= ${MASTER_SITE_GNU:=screen/}
@@ -59,9 +60,11 @@ post-install: screen-terminfo
INSTALLATION_DIRS+= share/examples/screen
-.if ${UNPRIVILEGED:U:tl} != yes
-SPECIAL_PERMS+= bin/${DISTNAME} ${SETUID_ROOT_PERMS}
-.endif
+# possible security problems
+# https://security.opensuse.org/2025/05/12/screen-security-issues.html
+#.if ${UNPRIVILEGED:U:tl} != yes
+#SPECIAL_PERMS+= bin/${DISTNAME} ${SETUID_ROOT_PERMS}
+#.endif
pre-configure:
cd ${WRKSRC} && autoreconf -i
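Review bot: The new comment `# possible security problems` does not say what was switched off or what users lose, and the three old lines are kept as commented-out code instead of being removed. A reader of the Makefile cannot tell that the binary is no longer installed setuid root, or whether that is meant to be temporary. Something like `# Not installed setuid root; see the advisory below. Features that relied on it (multiuser sessions, presumably) may no longer work.` followed by the URL would carry the intent, and the `.if`/`SPECIAL_PERMS`/`.endif` lines can then be deleted, since CVS history keeps them.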
Index: pkgsrc/misc/screen4/distinfo
diff -u pkgsrc/misc/screen4/distinfo:1.1 pkgsrc/misc/screen4/distinfo:1.1.2.1
--- pkgsrc/misc/screen4/distinfo:1.1 Fri Feb 7 03:15:05 2025
+++ pkgsrc/misc/screen4/distinfo Fri May 16 14:17:47 2025
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.1 2025/02/07 03:15:05 ryoon Exp $
+$NetBSD: distinfo,v 1.1.2.1 2025/05/16 14:17:47 maya Exp $
BLAKE2s (screen-4.9.1.tar.gz) = 5632587a76908410b4b1af70c729e01521970c72693fa78ec9b62d907fefbc8c
SHA512 (screen-4.9.1.tar.gz) = 1f278313528815f4246bb162ced611c5d77321d11055e8d853168dc804c75d5f78568056a23e46db0640e1605e5cad4a5ce05e95e50cf02bb322cb6f57e5a126
@@ -13,8 +13,9 @@ SHA1 (patch-am) = a721e311e7dde7938de0e9
SHA1 (patch-an) = bda6c65148410a6c9a13afd8ad34f93e33731552
SHA1 (patch-ao) = a45ae3186cd9bddeb915bad890f1be5abc315dd3
SHA1 (patch-ap) = 4aab542045a0abe55e82d91851b94c3cb569139f
+SHA1 (patch-attacher.c) = ffb6d7b668e25d4b9b37e0081f9e599f74cb6076
SHA1 (patch-doc_screen.texinfo) = 18d959580fd03731c7e7dbc683970f80b4245840
-SHA1 (patch-screen.c) = de5d8468100ab88cbdb842e21b04b00221e798b8
-SHA1 (patch-socket.c) = 290a6a1113a9100bea0748406374ec3d835f5ba7
+SHA1 (patch-screen.c) = 66ea42fd92fb03ee6d6f8bbb461431dcd73ef720
+SHA1 (patch-socket.c) = 32e689cbe1952812d526d99a1e00f59a291b0382
SHA1 (patch-tty.sh) = 6a818b7a4d70e55878ee69605e53300eabcb525f
SHA1 (patch-window.h) = 84dc5a2c24ff77147b416c05f897536c0cfddf31
Index: pkgsrc/misc/screen4/patches/patch-screen.c
diff -u pkgsrc/misc/screen4/patches/patch-screen.c:1.1 pkgsrc/misc/screen4/patches/patch-screen.c:1.1.2.1
--- pkgsrc/misc/screen4/patches/patch-screen.c:1.1 Fri Feb 7 03:15:06 2025
+++ pkgsrc/misc/screen4/patches/patch-screen.c Fri May 16 14:17:47 2025
@@ -1,9 +1,12 @@
-$NetBSD: patch-screen.c,v 1.1 2025/02/07 03:15:06 ryoon Exp $
+$NetBSD: patch-screen.c,v 1.1.2.1 2025/05/16 14:17:47 maya Exp $
Use standard headers.
---- screen.c.orig 2017-07-10 19:26:25.000000000 +0000
-+++ screen.c 2017-07-18 22:40:56.000000000 +0000
+Also:
+https://security.opensuse.org/2025/05/12/screen-security-issues.html
+
+--- screen.c.orig 2023-08-16 00:29:26.000000000 +0000
++++ screen.c
@@ -95,6 +95,8 @@
# include <langinfo.h>
#endif
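Review bot: The added header text `Also:` followed only by the advisory URL does not say what the new part of the patch changes. A later maintainer cannot tell which hunks belong to "Use standard headers." and which to the security fix. A one-line summary would be enough, for example `Also: print a generic "Error accessing" message when running with a different effective uid, and stop restoring tty modes in Panic().` The headers of patch-socket.c and patch-attacher.c in this commit have the same gap; patch-attacher.c has no description at all beyond the URL.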
@@ -13,3 +16,110 @@ Use standard headers.
#include "screen.h"
#ifdef HAVE_BRAILLE
# include "braille.h"
+@@ -230,8 +232,6 @@ char *multi_home;
+ int multi_uid;
+ int own_uid;
+ int multiattach;
+-int tty_mode;
+-int tty_oldmode = -1;
+ #endif
+
+ char HostName[MAXSTR];
+@@ -1009,9 +1009,6 @@ int main(int ac, char** av)
+
+ /* ttyname implies isatty */
+ SetTtyname(true, &st);
+-#ifdef MULTIUSER
+- tty_mode = (int)st.st_mode & 0777;
+-#endif
+
+ fl = fcntl(0, F_GETFL, 0);
+ if (fl != -1 && (fl & (O_RDWR|O_RDONLY|O_WRONLY)) == O_RDWR)
+@@ -1127,15 +1124,28 @@ int main(int ac, char** av)
+ #endif
+ }
+
+- if (stat(SockPath, &st) == -1)
+- Panic(errno, "Cannot access %s", SockPath);
+- else
+- if (!S_ISDIR(st.st_mode))
++ if (stat(SockPath, &st) == -1) {
++ if (eff_uid == real_uid) {
++ Panic(errno, "Cannot access %s", SockPath);
++ } else {
++ Panic(0, "Error accessing %s", SockPath);
++ }
++ } else if (!S_ISDIR(st.st_mode)) {
++ if (eff_uid == real_uid || st.st_uid == real_uid) {
+ Panic(0, "%s is not a directory.", SockPath);
++ } else {
++ Panic(0, "Error accessing %s", SockPath);
++ }
++ }
+ #ifdef MULTIUSER
+ if (multi) {
+- if ((int)st.st_uid != multi_uid)
+- Panic(0, "%s is not the owner of %s.", multi, SockPath);
++ if ((int)st.st_uid != multi_uid) {
++ if (eff_uid == real_uid || st.st_uid == real_uid) {
++ Panic(0, "%s is not the owner of %s.", multi, SockPath);
++ } else {
++ Panic(0, "Error accessing %s", SockPath);
++ }
++ }
+ }
+ else
+ #endif
+@@ -1150,8 +1160,13 @@ int main(int ac, char** av)
+ #endif
+ }
+
+- if ((st.st_mode & 0777) != 0700)
+- Panic(0, "Directory %s must have mode 700.", SockPath);
++ if ((st.st_mode & 0777) != 0700) {
++ if (eff_uid == real_uid || st.st_uid == real_uid) {
++ Panic(0, "Directory %s must have mode 700.", SockPath);
++ } else {
++ Panic(0, "Error accessing %s", SockPath);
++ }
++ }
+ if (SockMatch && index(SockMatch, '/'))
+ Panic(0, "Bad session name '%s'", SockMatch);
+ SockName = SockPath + strlen(SockPath) + 1;
+@@ -1189,8 +1204,13 @@ int main(int ac, char** av)
+ else
+ exit(9 + (fo || oth ? 1 : 0) + fo);
+ }
+- if (fo == 0)
+- Panic(0, "No Sockets found in %s.\n", SockPath);
++ if (fo == 0) {
++ if (eff_uid == real_uid || st.st_uid == real_uid) {
++ Panic(0, "No Sockets found in %s.\n", SockPath);
++ } else {
++ Panic(0, "Error accessing %s", SockPath);
++ }
++ }
+ Msg(0, "%d Socket%s in %s.", fo, fo > 1 ? "s" : "", SockPath);
+ eexit(0);
+ }
+@@ -2170,20 +2190,6 @@ DEFINE_VARARGS_FN(Panic)
+ if (D_userpid)
+ Kill(D_userpid, SIG_BYE);
+ }
+-#ifdef MULTIUSER
+- if (tty_oldmode >= 0) {
+-
+-# ifdef USE_SETEUID
+- if (setuid(own_uid))
+- xseteuid(own_uid); /* may be a loop. sigh. */
+-# else
+- setuid(own_uid);
+-# endif
+-
+- debug1("Panic: changing back modes from %s\n", attach_tty);
+- chmod(attach_tty, tty_oldmode);
+- }
+-#endif
+ eexit(1);
+ }
+
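Review bot: The test `eff_uid == real_uid || st.st_uid == real_uid` with its generic `Error accessing %s` fallback is written out four times in `main()`, plus a shorter `eff_uid == real_uid` variant for the `stat()` failure, so one site can easily drift from the others when the patch is next refreshed. A small helper, for example `static int SockMsgAllowed(struct stat *stp)` returning `eff_uid == real_uid || stp->st_uid == real_uid`, would keep the disclosure policy in one place. The `fo == 0` site also relies on `st` still describing `SockPath`; the lines in between are outside the hunk, so this should be confirmed. `main()` starts and ends outside these hunks.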
Index: pkgsrc/misc/screen4/patches/patch-socket.c
diff -u pkgsrc/misc/screen4/patches/patch-socket.c:1.1 pkgsrc/misc/screen4/patches/patch-socket.c:1.1.2.1
--- pkgsrc/misc/screen4/patches/patch-socket.c:1.1 Fri Feb 7 03:15:06 2025
+++ pkgsrc/misc/screen4/patches/patch-socket.c Fri May 16 14:17:47 2025
@@ -1,9 +1,12 @@
-$NetBSD: patch-socket.c,v 1.1 2025/02/07 03:15:06 ryoon Exp $
+$NetBSD: patch-socket.c,v 1.1.2.1 2025/05/16 14:17:47 maya Exp $
Include <uio.h> for iovec.
---- socket.c.orig 2017-07-10 19:26:25.000000000 +0000
-+++ socket.c 2017-07-18 22:35:40.000000000 +0000
+Also:
+https://security.opensuse.org/2025/05/12/screen-security-issues.html
+
+--- socket.c.orig 2023-08-16 00:29:26.000000000 +0000
++++ socket.c
@@ -34,9 +34,7 @@
#include <sys/stat.h>
#include <fcntl.h>
@@ -15,3 +18,98 @@ Include <uio.h> for iovec.
# include <sys/un.h>
#ifndef SIGINT
+@@ -169,8 +167,13 @@ bool *is_sock;
+ xsetegid(real_gid);
+ #endif
+
+- if ((dirp = opendir(SockPath)) == 0)
+- Panic(errno, "Cannot opendir %s", SockPath);
++ if ((dirp = opendir(SockPath)) == 0) {
++ if (eff_uid == real_uid) {
++ Panic(errno, "Cannot opendir %s", SockPath);
++ } else {
++ Panic(0, "Error accessing %s", SockPath);
++ }
++ }
+
+ slist = 0;
+ slisttail = &slist;
+@@ -826,6 +829,11 @@ int pid;
+ return UserStatus();
+ }
+
++static void KillUnpriv(pid_t pid, int sig) {
++ UserContext();
++ UserReturn(kill(pid, sig));
++}
++
+ #ifdef hpux
+ /*
+ * From: "F. K. Bruner" <napalm%ugcs.caltech.edu@localhost>
+@@ -911,14 +919,14 @@ struct win *wi;
+ {
+ Msg(errno, "Could not perform necessary sanity checks on pts device.");
+ close(i);
+- Kill(pid, SIG_BYE);
++ KillUnpriv(pid, SIG_BYE);
+ return -1;
+ }
+ if (strcmp(ttyname_in_ns, m->m_tty))
+ {
+ Msg(errno, "Attach: passed fd does not match tty: %s - %s!", ttyname_in_ns, m->m_tty[0] != '\0' ? m->m_tty : "(null)");
+ close(i);
+- Kill(pid, SIG_BYE);
++ KillUnpriv(pid, SIG_BYE);
+ return -1;
+ }
+ /* m->m_tty so far contains the actual name of the pts device in the
+@@ -935,19 +943,19 @@ struct win *wi;
+ {
+ Msg(errno, "Attach: passed fd does not match tty: %s - %s!", m->m_tty, myttyname ? myttyname : "NULL");
+ close(i);
+- Kill(pid, SIG_BYE);
++ KillUnpriv(pid, SIG_BYE);
+ return -1;
+ }
+ }
+ else if ((i = secopen(m->m_tty, O_RDWR | O_NONBLOCK, 0)) < 0)
+ {
+ Msg(errno, "Attach: Could not open %s!", m->m_tty);
+- Kill(pid, SIG_BYE);
++ KillUnpriv(pid, SIG_BYE);
+ return -1;
+ }
+ #ifdef MULTIUSER
+ if (attach)
+- Kill(pid, SIGCONT);
++ KillUnpriv(pid, SIGCONT);
+ #endif
+
+ #if defined(ultrix) || defined(pyr) || defined(NeXT)
+@@ -960,7 +968,7 @@ struct win *wi;
+ {
+ write(i, "Attaching from inside of screen?\n", 33);
+ close(i);
+- Kill(pid, SIG_BYE);
++ KillUnpriv(pid, SIG_BYE);
+ Msg(0, "Attach msg ignored: coming from inside.");
+ return -1;
+ }
+@@ -971,7 +979,7 @@ struct win *wi;
+ {
+ write(i, "Access to session denied.\n", 26);
+ close(i);
+- Kill(pid, SIG_BYE);
++ KillUnpriv(pid, SIG_BYE);
+ Msg(0, "Attach: access denied for user %s.", user);
+ return -1;
+ }
+@@ -1289,7 +1297,7 @@ ReceiveMsg()
+ Msg(0, "Query attempt with bad pid(%d)!", m.m.command.apid);
+ }
+ else {
+- Kill(m.m.command.apid,
++ KillUnpriv(m.m.command.apid,
+ (queryflag >= 0)
+ ? SIGCONT
+ : SIG_BYE); /* Send SIG_BYE if an error happened */
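Review bot: `KillUnpriv()` discards both the result of `UserContext()` and the result of `kill()`, so a failed privilege drop or an undelivered signal goes unnoticed at every call site this hunk converts. The attacher code in the same commit tests `(ret = UserContext()) <= 0` and carries the comment `make UserContext fork`, which suggests the call can fail, or return in two processes, on builds without `USE_SETEUID`; that path should be confirmed for this helper. A guarded form such as `if (UserContext() > 0) UserReturn(kill(pid, sig));` followed by `(void)UserStatus();` would match the pattern ending in `return UserStatus();` just above the helper, if that is the contract. A short comment on the helper would also help, stating that the signal is sent with the real user's credentials because the pid appears to come from the received message (`m.m.command.apid`).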
Added files:
Index: pkgsrc/misc/screen4/patches/patch-attacher.c
diff -u /dev/null pkgsrc/misc/screen4/patches/patch-attacher.c:1.1.2.2
--- /dev/null Fri May 16 14:17:48 2025
+++ pkgsrc/misc/screen4/patches/patch-attacher.c Fri May 16 14:17:47 2025
@@ -0,0 +1,75 @@
+$NetBSD: patch-attacher.c,v 1.1.2.2 2025/05/16 14:17:47 maya Exp $
+
+https://security.opensuse.org/2025/05/12/screen-security-issues.html
+
+--- attacher.c.orig 2023-08-16 00:29:26.000000000 +0000
++++ attacher.c
+@@ -73,7 +73,6 @@ extern int MasterPid, attach_fd;
+ #ifdef MULTIUSER
+ extern char *multi;
+ extern int multiattach, multi_uid, own_uid;
+-extern int tty_mode, tty_oldmode;
+ # ifndef USE_SETEUID
+ static int multipipe[2];
+ # endif
+@@ -160,9 +159,6 @@ int how;
+
+ if (pipe(multipipe))
+ Panic(errno, "pipe");
+- if (chmod(attach_tty, 0666))
+- Panic(errno, "chmod %s", attach_tty);
+- tty_oldmode = tty_mode;
+ eff_uid = -1; /* make UserContext fork */
+ real_uid = multi_uid;
+ if ((ret = UserContext()) <= 0)
+@@ -174,11 +170,6 @@ int how;
+ Panic(errno, "UserContext");
+ close(multipipe[1]);
+ read(multipipe[0], &dummy, 1);
+- if (tty_oldmode >= 0)
+- {
+- chmod(attach_tty, tty_oldmode);
+- tty_oldmode = -1;
+- }
+ ret = UserStatus();
+ #ifdef LOCK
+ if (ret == SIG_LOCK)
+@@ -224,9 +215,6 @@ int how;
+ xseteuid(multi_uid);
+ xseteuid(own_uid);
+ #endif
+- if (chmod(attach_tty, 0666))
+- Panic(errno, "chmod %s", attach_tty);
+- tty_oldmode = tty_mode;
+ }
+ # endif /* USE_SETEUID */
+ #endif /* MULTIUSER */
+@@ -423,13 +411,6 @@ int how;
+ ContinuePlease = 0;
+ # ifndef USE_SETEUID
+ close(multipipe[1]);
+-# else
+- xseteuid(own_uid);
+- if (tty_oldmode >= 0)
+- if (chmod(attach_tty, tty_oldmode))
+- Panic(errno, "chmod %s", attach_tty);
+- tty_oldmode = -1;
+- xseteuid(real_uid);
+ # endif
+ }
+ #endif
+@@ -505,14 +486,6 @@ AttacherFinit SIGDEFARG
+ close(s);
+ }
+ }
+-#ifdef MULTIUSER
+- if (tty_oldmode >= 0)
+- {
+- if (setuid(own_uid))
+- Panic(errno, "setuid");
+- chmod(attach_tty, tty_oldmode);
+- }
+-#endif
+ exit(0);
+ SIGRETURN;
+ }