commit:     5020a4047f9bf00b7cc9423e86ababb049511069
Author:     Sven Wegener <swegener <AT> gentoo <DOT> org>
AuthorDate: Mon Apr 10 19:25:32 2023 +0000
Commit:     Sven Wegener <swegener <AT> gentoo <DOT> org>
CommitDate: Mon Apr 10 19:57:04 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5020a404

app-misc/screen: revbump, security bug #904039 (CVE-2023-24626)

Bug: https://bugs.gentoo.org/904039
Signed-off-by: Sven Wegener <swegener <AT> gentoo.org>

 .../screen/files/screen-4.9.0-CVE-2023-24626.patch |  33 +++++
 app-misc/screen/screen-4.9.0-r2.ebuild             | 147 +++++++++++++++++++++
 2 files changed, 180 insertions(+)

diff --git a/app-misc/screen/files/screen-4.9.0-CVE-2023-24626.patch 
b/app-misc/screen/files/screen-4.9.0-CVE-2023-24626.patch
new file mode 100644
index 000000000000..07dec8ecdd28
--- /dev/null
+++ b/app-misc/screen/files/screen-4.9.0-CVE-2023-24626.patch
@@ -0,0 +1,33 @@
+From e9ad41bfedb4537a6f0de20f00b27c7739f168f7 Mon Sep 17 00:00:00 2001
+From: Alexander Naumov <alexander_nau...@opensuse.org>
+Date: Mon, 30 Jan 2023 17:22:25 +0200
+Subject: fix: missing signal sending permission check on failed query messages
+
+Signed-off-by: Alexander Naumov <alexander_nau...@opensuse.org>
+---
+ socket.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/socket.c b/socket.c
+index 147dc54..54d8cb8 100644
+--- a/socket.c
++++ b/socket.c
+@@ -1285,11 +1285,16 @@ ReceiveMsg()
+           else
+             queryflag = -1;
+ 
+-          Kill(m.m.command.apid,
++          if (CheckPid(m.m.command.apid)) {
++            Msg(0, "Query attempt with bad pid(%d)!", m.m.command.apid);
++          }
++          else {
++            Kill(m.m.command.apid,
+                (queryflag >= 0)
+                    ? SIGCONT
+                    : SIG_BYE); /* Send SIG_BYE if an error happened */
+-          queryflag = -1;
++            queryflag = -1;
++          }
+         }
+         break;
+       case MSG_COMMAND:
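Review bot: On the bad-pid path added here, `queryflag` is no longer reset, because `queryflag = -1;` moved inside the `else` together with `Kill()`. The context lines (`else queryflag = -1;` and the `queryflag >= 0` test) show that it can be non-negative at this point, so after a rejected query it would presumably keep that value once the case ends. Whether later code reads it is not visible, since ReceiveMsg() starts and ends outside the hunk. Keeping the reset unconditional, by placing `queryflag = -1;` after the closing brace of the `else`, restores the old invariant without weakening the new CheckPid() gate. It is also worth confirming whether `Msg()` consults `queryflag`, since the rejection message is emitted before any reset.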

diff --git a/app-misc/screen/screen-4.9.0-r2.ebuild 
b/app-misc/screen/screen-4.9.0-r2.ebuild
new file mode 100644
index 000000000000..bd3ba7101992
--- /dev/null
+++ b/app-misc/screen/screen-4.9.0-r2.ebuild
@@ -0,0 +1,147 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit autotools flag-o-matic pam tmpfiles
+
+DESCRIPTION="screen manager with VT100/ANSI terminal emulation"
+HOMEPAGE="https://www.gnu.org/software/screen/";
+
+if [[ ${PV} != 9999 ]] ; then
+       SRC_URI="mirror://gnu/${PN}/${P}.tar.gz"
+       KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc 
~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos 
~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+else
+       inherit git-r3
+       EGIT_REPO_URI="https://git.savannah.gnu.org/git/screen.git";
+       EGIT_CHECKOUT_DIR="${WORKDIR}/${P}" # needed for setting S later on
+       S="${WORKDIR}"/${P}/src
+fi
+
+LICENSE="GPL-3+"
+SLOT="0"
+IUSE="debug nethack pam selinux multiuser"
+
+DEPEND=">=sys-libs/ncurses-5.2:=
+       virtual/libcrypt:=
+       pam? ( sys-libs/pam )"
+RDEPEND="${DEPEND}
+       acct-group/utmp
+       selinux? ( sec-policy/selinux-screen )"
+BDEPEND="sys-apps/texinfo"
+
+PATCHES=(
+       # Don't use utempter even if it is found on the system.
+       "${FILESDIR}"/${PN}-4.3.0-no-utempter.patch
+       "${FILESDIR}"/${PN}-4.6.2-utmp-exit.patch
+       "${FILESDIR}"/${PN}-4.9.0-configure-implicit-function-decls.patch
+       "${FILESDIR}"/${P}-CVE-2023-24626.patch
+)
+
+src_prepare() {
+       default
+
+       # sched.h is a system header and causes problems with some C libraries
+       mv sched.h _sched.h || die
+       sed -i '/include/ s:sched.h:_sched.h:' screen.h || die
+
+       # Fix manpage
+       sed -i \
+               -e "s:/usr/local/etc/screenrc:${EPREFIX}/etc/screenrc:g" \
+               -e "s:/usr/local/screens:${EPREFIX}/tmp/screen:g" \
+               -e "s:/local/etc/screenrc:${EPREFIX}/etc/screenrc:g" \
+               -e "s:/etc/utmp:${EPREFIX}/var/run/utmp:g" \
+               -e "s:/local/screens/S\\\-:${EPREFIX}/tmp/screen/S\\\-:g" \
+               doc/screen.1 || die
+
+       if [[ ${CHOST} == *-darwin* ]] || use elibc_musl; then
+               sed -i -e '/^#define UTMPOK/s/define/undef/' acconfig.h || die
+       fi
+
+       # disable musl dummy headers for utmp[x]
+       use elibc_musl && append-cppflags "-D_UTMP_H -D_UTMPX_H"
+
+       # reconfigure
+       eautoreconf
+}
+
+src_configure() {
+       append-cppflags "-DMAXWIN=${MAX_SCREEN_WINDOWS:-100}"
+
+       if [[ ${CHOST} == *-solaris* ]]; then
+               # enable msg_header by upping the feature standard compatible
+               # with c99 mode
+               append-cppflags -D_XOPEN_SOURCE=600
+       fi
+
+       use nethack || append-cppflags "-DNONETHACK"
+       use debug && append-cppflags "-DDEBUG"
+
+       local myeconfargs=(
+               --with-socket-dir="${EPREFIX}/tmp/${PN}"
+               --with-sys-screenrc="${EPREFIX}/etc/screenrc"
+               --with-pty-mode=0620
+               --with-pty-group=5
+               --enable-rxvt_osc
+               --enable-telnet
+               --enable-colors256
+               $(use_enable pam)
+       )
+       econf "${myeconfargs[@]}"
+}
+
+src_compile() {
+       LC_ALL=POSIX emake comm.h term.h
+       emake osdef.h
+
+       emake -C doc screen.info
+       default
+}
+
+src_install() {
+       local DOCS=(
+               README ChangeLog INSTALL TODO NEWS* patchlevel.h
+               doc/{FAQ,README.DOTSCREEN,fdpat.ps,window_to_display.ps}
+       )
+
+       emake DESTDIR="${D}" SCREEN="${P}" install
+
+       local tmpfiles_perms tmpfiles_group
+
+       if use multiuser || use prefix ; then
+               fperms 4755 /usr/bin/${P}
+               tmpfiles_perms="0755"
+               tmpfiles_group="root"
+       else
+               fowners root:utmp /usr/bin/${P}
+               fperms 2755 /usr/bin/${P}
+               tmpfiles_perms="0775"
+               tmpfiles_group="utmp"
+       fi
+
+       newtmpfiles - screen.conf <<<"d /tmp/screen ${tmpfiles_perms} root 
${tmpfiles_group}"
+
+       insinto /usr/share/${PN}
+       doins terminfo/{screencap,screeninfo.src}
+
+       insinto /etc
+       doins "${FILESDIR}"/screenrc
+
+       if use pam; then
+               pamd_mimic_system screen auth
+       fi
+
+       dodoc "${DOCS[@]}"
+}
+
+pkg_postinst() {
+       if [[ -z ${REPLACING_VERSIONS} ]]; then
+               elog "Some dangerous key bindings have been removed or changed 
to more safe values."
+               elog "We enable some xterm hacks in our default screenrc, which 
might break some"
+               elog "applications. Please check /etc/screenrc for information 
on these changes."
+       fi
+
+       tmpfiles_process screen.conf
+
+       ewarn "This revision changes the screen socket location to 
${EROOT}/tmp/${PN}"
+}
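Review bot: The `ewarn` at the end of pkg_postinst sits outside the `REPLACING_VERSIONS` check, so it is printed on every install and upgrade, including this security revbump. If the socket directory was already `${EROOT}/tmp/${PN}` in the previous revision (not visible here), the message is stale and draws attention away from the change that matters, which appears to be the added CVE-2023-24626 patch. Consider gating it on the replaced version, e.g. `ver_test "${v}" -lt <FIRST_VERSION_WITH_NEW_SOCKET_DIR> && ewarn ...` inside a loop over `${REPLACING_VERSIONS}`, or dropping it. A more useful upgrade message for this revision would be an `elog` noting that already-running screen sessions keep using the old binary until they are restarted.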
