Hi,

Niels Thykier wrote:
> > In the Debian Installer https://bugs.debian.org/857808 popped up and
> > Samuel Thibault found a patch for a workaround. See the upstream bug
> > at https://savannah.gnu.org/bugs/?50588 for an explanation of how the
> > patch works.
> > 
> > I've prepared, but not yet uploaded version 4.5.0-4 of Debian's screen
> > package to address this. The package is prepared in the branch
> > "stretch":
> > https://anonscm.debian.org/cgit/collab-maint/screen.git/log/?h=stretch
[...]
> Please go ahead.  It will also need a d-i ack, but we will deal with
> that after the upload.

Uploaded. Full final debdiff attached.

There's one minor and no-op change compared to the git diff I posted
initially:

diff --git a/debian/patches/series b/debian/patches/series
index 7c90770..c1d448c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -11,8 +11,8 @@
 60-screen-4.2.1-debian4.1.0-compatibility.patch
 61-default-PATH_MAX-if-undefined-for-hurd.patch
 62-reverse-cherry-pick-5460f5d2-to-fix-privilege-escalation.patch
-# 80-99: experimental patches, new features etc.
 63-fix-garbage-on-serial-terminal.patch
+# 80-99: experimental patches, new features etc.
 80_session_creation_docs.patch
 81_session_creation_util.patch
 82_session_creation_core.patch

i.e. I moved that comment back to the right position as the patch was
added behind that comment by quilt.

                Regards, Axel
-- 
 ,''`.  |  Axel Beckert <a...@debian.org>, http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE
diff -Nru screen-4.5.0/debian/changelog screen-4.5.0/debian/changelog
--- screen-4.5.0/debian/changelog       2017-01-24 22:57:44.000000000 +0100
+++ screen-4.5.0/debian/changelog       2017-03-22 01:13:07.000000000 +0100
@@ -1,8 +1,17 @@
+screen (4.5.0-4) unstable; urgency=low
+
+  * Add CVE-ID to previous changelog entry and
+    62-reverse-cherry-pick-5460f5d2-to-fix-privilege-escalation.patch.
+  * Apply patch by Samuel Thibault to fix terminal garbage in Debian
+    Installer over serial line. (Closes: #857808)
+
+ -- Axel Beckert <a...@debian.org>  Wed, 22 Mar 2017 01:13:07 +0100
+
 screen (4.5.0-3) unstable; urgency=medium
 
   * Add patch to revert upstream commit 5460f5d2 ("adding permissions
     check for the logfile name") which caused a privilege escalation.
-    (Closes: #852484)
+    (CVE-2017-5618, Closes: #852484)
 
  -- Axel Beckert <a...@debian.org>  Tue, 24 Jan 2017 22:57:44 +0100
 
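Review bot: The new 4.5.0-4 stanza uses urgency=low while the 4.5.0-3 entry just below used urgency=medium; low gives the longest testing-migration delay, so if the serial-console fix is meant to reach stretch for the installer promptly, consider medium here as well. The retroactive edit that adds CVE-2017-5618 to the 4.5.0-3 entry is recorded in the first bullet of the new entry, which is the right place to document it.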
diff -Nru 
screen-4.5.0/debian/patches/62-reverse-cherry-pick-5460f5d2-to-fix-privilege-escalation.patch
 
screen-4.5.0/debian/patches/62-reverse-cherry-pick-5460f5d2-to-fix-privilege-escalation.patch
--- 
screen-4.5.0/debian/patches/62-reverse-cherry-pick-5460f5d2-to-fix-privilege-escalation.patch
       2017-01-24 22:48:04.000000000 +0100
+++ 
screen-4.5.0/debian/patches/62-reverse-cherry-pick-5460f5d2-to-fix-privilege-escalation.patch
       2017-03-22 01:13:07.000000000 +0100
@@ -1,7 +1,7 @@
-Description: Fix privilege escalation by reverting upstream commit 5460f5d2
+Description: [CVE-2017-5618] Fix privilege escalation by reverting upstream 
commit 5460f5d2
 Author: Axel Beckert <a...@debian.org>
 Bug-Debian: https://bugs.debian.org/852484
-Bug-CVE: http://www.openwall.com/lists/oss-security/2017/01/24/10
+Bug-CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5618
 Bug: https://savannah.gnu.org/bugs/?50142
      https://lists.gnu.org/archive/html/screen-devel/2017-01/msg00025.html
 
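Review bot: The Bug-CVE line drops the oss-security link (http://www.openwall.com/lists/oss-security/2017/01/24/10) in favour of the MITRE page, which loses the pointer to the mailing list post; consider keeping it as an extra continuation line, the way the Bug: field directly below already carries a second URL. Also check that the new Description is a single line in the actual file: as shown here, "commit 5460f5d2" starts a new line with no leading whitespace, which would not read as a continuation of the field.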
diff -Nru screen-4.5.0/debian/patches/63-fix-garbage-on-serial-terminal.patch 
screen-4.5.0/debian/patches/63-fix-garbage-on-serial-terminal.patch
--- screen-4.5.0/debian/patches/63-fix-garbage-on-serial-terminal.patch 
1970-01-01 01:00:00.000000000 +0100
+++ screen-4.5.0/debian/patches/63-fix-garbage-on-serial-terminal.patch 
2017-03-22 01:13:07.000000000 +0100
@@ -0,0 +1,17 @@
+Description: Fix terminal garbage in Debian Installer over serial line
+Author: Samuel Thibault <sthiba...@debian.org>
+Reviewed-By: John Paul Adrian Glaubitz <glaub...@physik.fu-berlin.de>
+Bug-Debian: https://bugs.debian.org/857808
+Bug: https://savannah.gnu.org/bugs/?50588
+
+--- a/termcap.c
++++ b/termcap.c
+@@ -486,6 +486,8 @@
+ 
+   D_tcinited = 1;
+   MakeTermcap(0);
++  /* Make sure libterm uses external term properties for our tputs() calls.  
*/
++  e_tgetent(tbuf, D_termname);
+ #ifdef MAPKEYS
+   CheckEscape();
+ #endif
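Review bot: The return value of the added e_tgetent(tbuf, D_termname) call in termcap.c is discarded, so a failed lookup at this point would go unnoticed and the tputs() calls mentioned in the comment would run with whatever state the library was left in; either check the result or extend the comment to say why the call cannot fail here. The patch header would also benefit from a Forwarded: or Origin: field next to the Bug: link, and "libterm" in the code comment should name the library actually meant.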
diff -Nru screen-4.5.0/debian/patches/series screen-4.5.0/debian/patches/series
--- screen-4.5.0/debian/patches/series  2017-01-24 22:46:11.000000000 +0100
+++ screen-4.5.0/debian/patches/series  2017-03-22 01:13:07.000000000 +0100
@@ -11,6 +11,7 @@
 60-screen-4.2.1-debian4.1.0-compatibility.patch
 61-default-PATH_MAX-if-undefined-for-hurd.patch
 62-reverse-cherry-pick-5460f5d2-to-fix-privilege-escalation.patch
+63-fix-garbage-on-serial-terminal.patch
 # 80-99: experimental patches, new features etc.
 80_session_creation_docs.patch
 81_session_creation_util.patch
