Hi,

On Tue, May 13, 2025 at 03:48:31PM -0700, Mark Esler wrote:
> Cheers for the report Matthias and SUSE Security!

thanks!

> Could you please comment on the affectedness of upstream screen 5.0.1?
>
> https://git.savannah.gnu.org/cgit/screen.git/commit/?h=screen-v5&id=464c8d8f945f53f8cbb854517279349e09d74756
>
> This version was released ~an hour before your initial oss post. It appears
> that upstream landed the patches, which may be worth mentioning in your
> timeline.

Indeed, this is the bugfix release announced by upstream here:

https://lists.gnu.org/archive/html/screen-users/2025-05/msg00005.html

We just updated our blog post to reflect what we could find out about the
upstream bugfixes:

https://security.opensuse.org/2025/05/12/screen-security-issues.html#8-upstream-bugfixes

For screen 4.9.1, bugfixes landed on the upstream screen-v4 branch, but it
seems no release is planned here. We reviewed the following bugfixes:

- commit 049b26b22e1 [1]: fixes the PTY mode issue (item 3.b, CVE-2025-46802).
- commit e0eef5aac45 [2]: fixes the file existence test issue (item 3.d, CVE-2025-46804).
- commit 161f85b98b7 [3]: fixes the signal sending issue (item 3.e, CVE-2025-46805).

For screen 5.0.0, the 5.0.1 bugfix release has been announced. Patches landed
on the upstream screen-v5 branch. We reviewed the following bugfixes:

- commit e894caeff [4]: fixes the logfile reopen issue (item 3.a, CVE-2025-23395).
- commit d10eb5b2f [5]: fixes the PTY mode issue (item 3.b, CVE-2025-46802).
- commit d5d7bf43f [6]: fixes the default PTY mode issue (item 3.c, CVE-2025-46803).
- commit 710cda5c7 [7]: fixes the file existence test issue (item 3.d, CVE-2025-46804).
- commit a17b0da26 [8]: fixes the signal sending issue (item 3.e, CVE-2025-46805).
- commit 2bdebfc98 [9]: fixes the strncpy related crashes (item 3.f).

The last time we checked, no screen 5.0.1 release tarballs could be found in
the GNU Screen download area yet.
[1]: https://git.savannah.gnu.org/cgit/screen.git/commit/?h=screen-v4&id=049b26b22e197ba3be9c46e5c193032e01a4724a
[2]: https://git.savannah.gnu.org/cgit/screen.git/commit/?h=screen-v4&id=e0eef5aac453fa98a2664416a56c50ad1d00cb30
[3]: https://git.savannah.gnu.org/cgit/screen.git/commit/?h=screen-v4&id=161f85b98b7e1d5e4893aeed20f4cdb5e3dfaaa4
[4]: https://git.savannah.gnu.org/cgit/screen.git/commit/?h=screen-v5&id=e894caeffccdb62f9c644989a936dc7ec83cc747
[5]: https://git.savannah.gnu.org/cgit/screen.git/commit/?h=screen-v5&id=d10eb5b2f7eebaa347f09c010bd391373fdd1695
[6]: https://git.savannah.gnu.org/cgit/screen.git/commit/?h=screen-v5&id=d5d7bf43f3842e8b62d5f34eb4b031de7c8098c1
[7]: https://git.savannah.gnu.org/cgit/screen.git/commit/?h=screen-v5&id=710cda5c71cacfed201b5659e04a83815313d8e6
[8]: https://git.savannah.gnu.org/cgit/screen.git/commit/?h=screen-v5&id=a17b0da26494856640bd9d52a03fc1b575400170
[9]: https://git.savannah.gnu.org/cgit/screen.git/commit/?h=screen-v5&id=2bdebfc9837cfd3cea0645030e626b08bb6bc2d0

Best Regards

Matthias

--
Matthias Gerstner <matthias.gerst...@suse.de>
Security Engineer
https://www.suse.com/security
GPG Key ID: 0x14C405C971923553

SUSE Software Solutions Germany GmbH
HRB 36809, AG Nürnberg
Geschäftsführer: Ivo Totev, Andrew McDonald, Werner Knoblich