Hello Adolf, > On 23 May 2025, at 13:17, Adolf Belka <[email protected]> wrote: > > Hi Michael, > > On 23/05/2025 13:04, Adolf Belka wrote: >> Hi Michael, >> On 23/05/2025 12:30, Michael Tremer wrote: >>> Hello Adolf, >>> >>>> On 22 May 2025, at 18:53, Adolf Belka <[email protected]> wrote: >>>> >>>> Hi Michael, >>>> >>>> On 22/05/2025 17:37, Michael Tremer wrote: >>>>> Hello Adolf, >>>>> Thank you for this patch. I had merged this into next, but I will revert >>>>> this again. >>>>> screen seems to ship binary objects in the source tarball: >>>> >>>> Oh wow!!! >>>> >>>>> root@arm64-01:/build/ipfire-2.x# tar tvfa cache/screen-5.0.1.tar.gz | >>>>> grep \.o$ >>>>> -rw-rw-r-- alex/alex 16712 2025-05-12 11:59 screen-5.0.1/sched.o >>>>> -rw-rw-r-- alex/alex 43808 2025-05-12 11:59 screen-5.0.1/backtick.o >>>>> -rw-rw-r-- alex/alex 9080 2025-05-12 11:59 screen-5.0.1/winmsgcond.o >>>>> -rw-rw-r-- alex/alex 81728 2025-05-12 11:59 screen-5.0.1/canvas.o >>>>> -rw-rw-r-- alex/alex 50680 2025-05-12 11:59 screen-5.0.1/search.o >>>>> -rw-rw-r-- alex/alex 32752 2025-05-12 11:59 screen-5.0.1/winmsgbuf.o >>>>> -rw-rw-r-- alex/alex 11888 2025-05-12 11:59 screen-5.0.1/term.o >>>>> -rw-rw-r-- alex/alex 2800 2025-05-12 11:59 screen-5.0.1/telnet.o >>>>> -rw-rw-r-- alex/alex 54224 2025-05-12 11:59 screen-5.0.1/layout.o >>>>> -rw-rw-r-- alex/alex 107776 2025-05-12 11:59 screen-5.0.1/mark.o >>>>> -rw-rw-r-- alex/alex 58640 2025-05-12 11:59 >>>>> screen-5.0.1/list_generic.o >>>>> -rw-rw-r-- alex/alex 55912 2025-05-12 11:59 screen-5.0.1/input.o >>>>> -rw-rw-r-- alex/alex 97520 2025-05-12 11:59 screen-5.0.1/winmsg.o >>>>> -rw-rw-r-- alex/alex 108256 2025-05-12 11:59 screen-5.0.1/layer.o >>>>> -rw-rw-r-- alex/alex 50344 2025-05-12 11:59 screen-5.0.1/misc.o >>>>> -rw-rw-r-- alex/alex 166432 2025-05-12 11:59 screen-5.0.1/window.o >>>>> -rw-rw-r-- alex/alex 72440 2025-05-12 11:59 screen-5.0.1/help.o >>>>> -rw-rw-r-- alex/alex 154704 2025-05-12 11:59 screen-5.0.1/termcap.o >>>>> -rw-rw-r-- alex/alex 300672 2025-05-12 11:59 screen-5.0.1/display.o >>>>> -rw-rw-r-- alex/alex 73432 2025-05-12 11:59 screen-5.0.1/list_window.o >>>>> -rw-rw-r-- alex/alex 85392 2025-05-12 11:59 screen-5.0.1/resize.o >>>>> -rw-rw-r-- alex/alex 650104 2025-05-12 11:59 screen-5.0.1/process.o >>>>> -rw-rw-r-- alex/alex 218400 2025-05-12 11:59 screen-5.0.1/ansi.o >>>>> -rw-rw-r-- alex/alex 6704 2025-05-12 11:59 screen-5.0.1/kmapdef.o >>>>> -rw-rw-r-- alex/alex 27016 2025-05-12 11:59 screen-5.0.1/logfile.o >>>>> -rw-rw-r-- alex/alex 6760 2025-05-12 11:59 screen-5.0.1/pty.o >>>>> -rw-rw-r-- alex/alex 42704 2025-05-12 11:59 >>>>> screen-5.0.1/list_display.o >>>>> -rw-rw-r-- alex/alex 14160 2025-05-12 11:59 screen-5.0.1/comm.o >>>>> -rw-rw-r-- alex/alex 231600 2025-05-12 12:08 >>>>> screen-5.0.1/doc/screen.texinfo >>>>> -rw-rw-r-- alex/alex 42936 2025-05-12 11:59 >>>>> screen-5.0.1/list_license.o >>>>> -rw-rw-r-- alex/alex 146368 2025-05-12 11:59 screen-5.0.1/socket.o >>>>> -rw-rw-r-- alex/alex 4176 2025-05-12 11:59 screen-5.0.1/utmp.o >>>>> -rw-rw-r-- alex/alex 78792 2025-05-12 11:59 screen-5.0.1/acls.o >>>>> -rw-rw-r-- alex/alex 53560 2025-05-12 11:59 screen-5.0.1/attacher.o >>>>> -rw-rw-r-- alex/alex 237472 2025-05-12 11:59 screen-5.0.1/screen.o >>>>> -rw-rw-r-- alex/alex 101016 2025-05-12 11:59 screen-5.0.1/fileio.o >>>>> -rw-rw-r-- alex/alex 98056 2025-05-12 11:59 screen-5.0.1/encoding.o >>>>> -rw-rw-r-- alex/alex 29592 2025-05-12 11:59 screen-5.0.1/viewport.o >>>>> -rw-rw-r-- alex/alex 77104 2025-05-12 11:59 screen-5.0.1/tty.o >>>>> They seem to be x86_64, and so the build fails on ARM. This is however >>>>> either a mistake or I would consider this a way to ship any backdoored >>>>> software. I have no time to investigate so I am going to assume the >>>>> latter for now and will be *very* careful. >>>> >>>> Due to the CVE's open with screen-5.0.0 should I now go back and look at >>>> the patches from that person and make a new patch submission using those? >>> >>> I did not have time yesterday to look into this… >>> >>> Where did you get this tarball from? The one that I can download from >>> https://ftp.gnu.org/gnu/screen/screen-5.0.1.tar.gz does not have any >>> binaries in it. Either it has been replaced or you have been given a >>> malicious source tarball. >> I downloaded it from the same url you gave - https://ftp.gnu.org/gnu/screen/ >> which I accessed from the screen-5.0.1 announcement. >> https://lists.gnu.org/archive/html/screen-users/2025-05/msg00005.html >> I checked the same file from that download site yesterday and it still had >> the .o file in it. >> However, I did write to Alex Naumov today at 11:50, mentioning that we had >> found the binary object files. Now I also find that the file at that >> location has no .o files in it and is much smaller (obviously). However the >> date and time of the files is still the original one of 2025-05-15 11:48 >> although I can't think how the file could be changed and still have the same >> date/time in the download site. > > I just got a reply from Alex Naumov and he is just asking for the sha256sum > of the file I have. He hasn't mentioned about changing the file. Maybe I am > not remembering right about testing the downloaded file from yesterday. Using > the sig file that I have gives a date/time of 15 May 2025 13:36:11 CEST and > the one that is now available has a date/time of Thu 15 May 2025 17:48:09 > CEST and I downloaded the file and sig file at 2025-05-15 14:02:47 at my > local time. > > It looks to me like an incorrect file was uploaded and then identified and > replaced relatively quickly but as I had been keeping an eye out for the new > release I caught it with the old version because the current sig file has a > time after when I downloaded the file and I am also at CEST. > > I have had another reply from Alex Naumov saying that the sha256sum is > different to the one he just downloaded from the download site. > > I suspect there was some hiccup in what was uploaded and it was relatively > quickly fixed but I caught it before the fix. > > I am not sure there will be any further clarification with Alex Naumov. > > I will remove the old file from the source directory and use the new file and > sig file that I downloaded today and submit a v2 patch submission for > screen-5.0.1 > > Sorry for all the hassle.
No need to be sorry. Thank you for reaching out to Alex. At least they are now know and we can rule out at least a third party trying to compromise us here. Yes, please send another patch. I will remove the file from the builders and then we can run another build. -Michael > Regards, > Adolf. > >>> >>> I cannot find any signatures that would verify the former tarball or the >>> one that I just downloaded. >> I still have the signature I used to confirm the original downloaded file >> and that is now different to the new one. That old one confirms a good >> signature from Alexander Naumov from that older previous file. >> gpg: assuming signed data in 'screen-5.0.1.tar.gz' >> gpg: Signature made Thu 15 May 2025 13:36:11 CEST >> gpg: using RSA key 7832918905C6D316DFB54313898D726C87C5AFE3 >> gpg: Good signature from "Alexander Naumov <[email protected]>" >> [unknown] >> gpg: WARNING: This key is not certified with a trusted signature! >> gpg: There is no indication that the signature belongs to the owner. >> Primary key fingerprint: 7832 9189 05C6 D316 DFB5 4313 898D 726C 87C5 AFE3 >> So I don't understand what is happening here. >> Could the file and its sig file on the download site be changed without >> changing the download date time? >> Regards, >> Adolf. >>> >>> -Michael >>> >>>> Regards, >>>> Adolf. >>>> >>>>> -Michael >>>>>> On 15 May 2025, at 17:25, Adolf Belka <[email protected]> wrote: >>>>>> >>>>>> - Update from version 5.0.0 to 5.0.1 >>>>>> - Update of rootfile >>>>>> - 5 CVE fixes included in this version >>>>>> - Changelog >>>>>> 5.0.1 >>>>>> Security fix >>>>>> CVE-2025-46805: do NOT send signals with root privileges >>>>>> CVE-2025-46804: avoid file existence test information leaks >>>>>> CVE-2025-46803: apply safe PTY default mode of 0620 >>>>>> CVE-2025-46802: prevent temporary 0666 mode on PTYs in attacher >>>>>> CVE-2025-23395: reintroduce lf_secreopen() for logfile >>>>>> buffer overflow due bad strncpy() >>>>>> uninitialized variables warnings >>>>>> typos >>>>>> combining char handling that could lead to a segfault >>>>>> >>>>>> Signed-off-by: Adolf Belka <[email protected]> >>>>>> --- >>>>>> config/rootfiles/common/screen | 3 +-- >>>>>> lfs/screen | 6 +++--- >>>>>> 2 files changed, 4 insertions(+), 5 deletions(-) >>>>>> >>>>>> diff --git a/config/rootfiles/common/screen >>>>>> b/config/rootfiles/common/screen >>>>>> index 3442bff2b..e8b72aaa2 100644 >>>>>> --- a/config/rootfiles/common/screen >>>>>> +++ b/config/rootfiles/common/screen >>>>>> @@ -1,7 +1,6 @@ >>>>>> etc/screenrc >>>>>> usr/bin/screen >>>>>> -usr/bin/screen-5.0.0 >>>>>> -#usr/share/info/screen.info >>>>>> +usr/bin/screen-5.0.1 >>>>>> #usr/share/man/man1/screen.1 >>>>>> #usr/share/screen >>>>>> #usr/share/screen/utf8encodings >>>>>> diff --git a/lfs/screen b/lfs/screen >>>>>> index 6388002cf..d1c0380fb 100644 >>>>>> --- a/lfs/screen >>>>>> +++ b/lfs/screen >>>>>> @@ -1,7 +1,7 @@ >>>>>> ############################################################################### >>>>>> # >>>>>> # >>>>>> # IPFire.org - A linux based firewall >>>>>> # >>>>>> -# Copyright (C) 2007-2024 IPFire Team <[email protected]> >>>>>> # >>>>>> +# Copyright (C) 2007-2025 IPFire Team <[email protected]> >>>>>> # >>>>>> # >>>>>> # >>>>>> # This program is free software: you can redistribute it and/or modify >>>>>> # >>>>>> # it under the terms of the GNU General Public License as published by >>>>>> # >>>>>> @@ -24,7 +24,7 @@ >>>>>> >>>>>> include Config >>>>>> >>>>>> -VER = 5.0.0 >>>>>> +VER = 5.0.1 >>>>>> >>>>>> THISAPP = screen-$(VER) >>>>>> DL_FILE = $(THISAPP).tar.gz >>>>>> @@ -40,7 +40,7 @@ objects = $(DL_FILE) >>>>>> >>>>>> $(DL_FILE) = $(DL_FROM)/$(DL_FILE) >>>>>> >>>>>> -$(DL_FILE)_BLAKE2 = >>>>>> 5ff218afc1692ae201776f759ff2217a51dcf02202e4ba5d12de50a768df83e0e2a7a3511a5f85a3b21362892f31a4fd90d6444918915165ae12a8c0c2b3af39 >>>>>> +$(DL_FILE)_BLAKE2 = >>>>>> f33f985bb9855a5335b72f93b3e8cf8fccddc7c18d3db3fd7493da2825b17002d798e6cf95d35fc39194eb6933018be96efa0b4f6aa4894657ab258f86002220 >>>>>> >>>>>> install : $(TARGET) >>>>>> >>>>>> -- >>>>>> 2.49.0
