• Bug#1105892: [pre-approval request] unblock: screen/4.9.1-2.1 (1/2)

    From Salvatore Bonaccorso@21:1/5 to All on Fri May 16 18:40:01 2025
    XPost: linux.debian.maint.boot, linux.debian.devel.release

    Package: release.debian.org
    Severity: normal
    X-Debbugs-Cc: screen@packages.debian.org, Axel Beckert (Debian Developer) <abe@debian.org>, Christian Hofstaedtler <zeha@debian.org>, debian-boot@lists.debian.org, kibi@debian.org, carnil@debian.org
    Control: affects -1 + src:screen
    User: release.debian.org@packages.debian.org
    Usertags: unblock

    Hi Release team,

    [Cc'ing as well debian-boot and Cyril, as screen produces a udeb and
    needs an ack for d-i, additionally we are freezing udebs for the d-i preparation]

    Please unblock package screen

    screen as announced in [oss-security] is affected by several
    vulnerabilities, fortunately by default in Debian screen is not
    installed setuid. We think that having fixes for those (and later
    maybe via point release in bookworm as well) might be sensible.

    The concrete CVEs are CVE-2025-46802, CVE-2025-46804 and
    CVE-2025-46805.

    [oss-security]: <https://www.openwall.com/lists/oss-security/2025/05/12/1>

    One very important remark for the CVE-2025-46802 patches, from the
    finding:
    | Shortly before the publication of this report it was pointed out to us
    | that this patch likely breaks some reattach use cases [12] in screen.
    | We can confirm this problem, but at the same time found out that this
    | specific use case was obviously already broken before, even in Screen
    | 4.9.1 [13]. For this reason we decided not to move the publication
    | date again or to adjust this patch in a hurry with uncertain results.
    | The patch still fixes the security issue and upstream can now fix this
    | regression, that already seems to have existed earlier, in the open.

    Additionally there is an upload from Chris Hofstaedtler
    <zeha@debian.org> which has not yet migrated to testing (but would if
    the additional time would pass without RC report).

    Talking with Chris he would be fine to have additional time to wait
    for his change to go in and so we can either wait for the second
    upload and first make 4.9.1-2 go to testing or override the upload.

    Currently with the udeb freeze it cannot move anyway.

    [ Checklist ]
    [x] all changes are documented in the d/changelog
    [x] I reviewed all changes and I approve them
    [x] attach debdiff against the package in testing

    [ Other info ]
    Talking to Axel, I might not do the actual upload but the upload might
    come from the maintainer himself (very welcome, thanks Axel!) so that
    would make it a maintainer upload.

    unblock screen/4.9.1-2.1

    Let us know if you need anything else for clarification.

    Regards,
    Salvatore

    diff -Nru screen-4.9.1/debian/changelog screen-4.9.1/debian/changelog
    --- screen-4.9.1/debian/changelog 2025-05-10 22:28:23.000000000 +0200
    +++ screen-4.9.1/debian/changelog 2025-05-16 17:46:51.000000000 +0200
    @@ -1,3 +1,13 @@
    +screen (4.9.1-2.1) unstable; urgency=medium
    +
    + * Non-maintainer upload (with maintainers approval)
    + * attacher.c - prevent temporary 0666 mode on PTYs (CVE-2025-46802)
    + (Closes: #1105191)
    + * avoid file existence test information leaks (CVE-2025-46804)
    + * socket.c - don't send signals with root privileges (CVE-2025-46805)
    +
    + -- Salvatore Bonaccorso <carnil@debian.org> Fri, 16 May 2025 17:46:51 +0200 +
    screen (4.9.1-2) unstable; urgency=medium

    * Team upload (debian/ namespace).
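    Review bot: the CVE-2025-46804 entry ("avoid file existence test information leaks") names no source file, while the neighbouring CVE-2025-46802 and CVE-2025-46805 entries point at attacher.c and socket.c; naming the touched file(s) there too would keep the three entries parallel and make the changelog self-explanatory for the bookworm point-release follow-up mentioned in the mail. Also note that in this inline copy the trailer line "-- Salvatore Bonaccorso <carnil@debian.org> Fri, 16 May 2025 17:46:51 +0200" has the following "+" line fused onto its end (the header announces 10 added lines but only 9 "+" lines are visible), so the attached debdiff rather than this pasted hunk is the copy to apply.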
    diff -Nru screen-4.9.1/debian/patches/fix-CVE-2025-46802-attacher.c-prevent-temporary-0666.patch screen-4.9.1/debian/patches/fix-CVE-2025-46802-attacher.c-prevent-temporary-0666.patch
    --- screen-4.9.1/debian/patches/fix-CVE-2025-46802-attacher.c-prevent-temporary-0666.patch 1970-01-01 01:00:00.000000000 +0100
    +++ screen-4.9.1/debian/patches/fix-C
  • From Cyril Brulebois@21:1/5 to All on Sat May 17 00:10:01 2025
    XPost: linux.debian.maint.boot, linux.debian.devel.release

    Hi,

    Salvatore Bonaccorso <carnil@debian.org> (2025-05-16):
    > [Cc'ing as well debian-boot and Cyril, as screen produces a udeb and
    > needs an ack for d-i, additionally we are freezing udebs for the d-i preparation]
    >
    > […]
    >
    > Additionally there is an upload from Chris Hofstaedtler
    > <zeha@debian.org> which has not yet migrated to testing (but would if
    > the additional time would pass without RC report).
    >
    > Talking with Chris he would be fine to have additional time to wait
    > for his change to go in and so we can either wait for the second
    > upload and first make 4.9.1-2 go to testing or override the upload.

    Skimming over the -2's changelog, I had decided we didn't need it in
    RC 1 but no objection to having it migrate when it's ready, and/or to
    -2.1's being considered.

    (I didn't dive into the specifics and I'm not planning on performing any runtime tests in a d-i context anytime soon, but that shouldn't stop
    anyone.)

    > Currently with the udeb freeze it cannot move anyway.

    Lifted earlier (even if not broadly announced). ;)


    Cheers,
    --
    Cyril Brulebois (kibi@debian.org) <https://debamax.com/>
    D-I release manager -- Release team member -- Freelance Consultant


    --- SoupGate-Win32 v1.05
    *
  • From Sebastian Ramacher@21:1/5 to Salvatore Bonaccorso on Sat May 17 10:50:02 2025
    XPost: linux.debian.devel.release

    Control: tags -1 confirmed

    On 2025-05-16 18:34:31 +0200, Salvatore Bonaccorso wrote:
    > Package: release.debian.org
    > Severity: normal
    > X-Debbugs-Cc: screen@packages.debian.org, Axel Beckert (Debian Developer) <abe@debian.org>, Christian Hofstaedtler <zeha@debian.org>, debian-boot@lists.debian.org, kibi@debian.org, carnil@debian.org
    > Control: affects -1 + src:screen
    > User: release.debian.org@packages.debian.org
    > Usertags: unblock
    >
    > Hi Release team,
    >
    > [Cc'ing as well debian-boot and Cyril, as screen produces a udeb and
    > needs an ack for d-i, additionally we are freezing udebs for the d-i preparation]
    >
    > Please unblock package screen
    >
    > screen as announced in [oss-security] is affected by several
    > vulnerabilities, fortunately by default in Debian screen is not
    > installed setuid. We think that having fixes for those (and later
    > maybe via point release in bookworm as well) might be sensible.
    >
    > The concrete CVEs are CVE-2025-46802, CVE-2025-46804 and
    > CVE-2025-46805.
    >
    > [oss-security]: <https://www.openwall.com/lists/oss-security/2025/05/12/1>
    >
    > One very important remark for the CVE-2025-46802 patches, from the
    > finding:
    > | Shortly before the publication of this report it was pointed out to us
    > | that this patch likely breaks some reattach use cases [12] in screen.
    > | We can confirm this problem, but at the same time found out that this
    > | specific use case was obviously already broken before, even in Screen
    > | 4.9.1 [13]. For this reason we decided not to move the publication
    > | date again or to adjust this patch in a hurry with uncertain results.
    > | The patch still fixes the security issue and upstream can now fix this
    > | regression, that already seems to have existed earlier, in the open.
    >
    > Additionally there is an upload from Chris Hofstaedtler
    > <zeha@debian.org> which has not yet migrated to testing (but would if
    > the additional time would pass without RC report).
    >
    > Talking with Chris he would be fine to have additional time to wait
    > for his change to go in and so we can either wait for the second
    > upload and first make 4.9.1-2 go to testing or override the upload.

    I aged -2 and it migrated. Please go ahead.

    Cheers
    --
    Sebastian Ramacher

  • From Axel Beckert@21:1/5 to Salvatore Bonaccorso on Mon May 19 01:20:01 2025
    XPost: linux.debian.devel.release

    Hi,

    Salvatore Bonaccorso wrote:
    > [ Checklist ]
    > [x] all changes are documented in the d/changelog
    > [x] I reviewed all changes and I approve them
    > [x] attach debdiff against the package in testing
    >
    > [ Other info ]
    > Talking to Axel, I might not do the actual upload but the upload might
    > come from the maintainer himself (very welcome, thanks Axel!) so that
    > would make it a maintainer upload.

    Indeed. Thanks for the patches and asking for pre-approval!

    > unblock screen/4.9.1-2.1

    Full debdiff attached again, sole changes compared to Salvatore's
    debdiff are in debian/changelog (NMU → MU).

    So please

    unblock screen/4.9.1-3

    instead.

    Sebastian Ramacher wrote:
    > I aged -2 and it migrated. Please go ahead.

    Thanks. Did so.

    Regards, Axel
    --
    ,''`. | Axel Beckert <abe@debian.org>, https://people.debian.org/~abe/
    : :' : | Debian Developer, ftp.ch.debian.org Admin
    `. `' | 4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5
    `- | 1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE

  • From Axel Beckert@21:1/5 to Axel Beckert on Mon May 19 04:10:01 2025
    XPost: linux.debian.devel.release

    Axel Beckert wrote:
    > Full debdiff attached again, sole changes compared to Salvatore's
    > debdiff are in debian/changelog (NMU → MU).

    Forgot the attachment. Here it is.

    Regards, Axel

    diff -Nru screen-4.9.1/debian/changelog screen-4.9.1/debian/changelog
    --- screen-4.9.1/debian/changelog 2025-05-10 22:28:23.000000000 +0200
    +++ screen-4.9.1/debian/changelog 2025-05-19 00:42:42.000000000 +0200
    @@ -1,3 +1,13 @@
    +screen (4.9.1-3) unstable; urgency=medium
    +
    + [ Salvatore Bonaccorso ]
    + * attacher.c - prevent temporary 0666 mode on PTYs (CVE-2025-46802)
    + (Closes: #1105191)
    + * avoid file existence test information leaks (CVE-2025-46804)
    + * socket.c - don't send signals with root privileges (CVE-2025-46805)
    +
    + -- Axel Beckert <abe@debian.org> Mon, 19 May 2025 00:42:42 +0200
    +
    screen (4.9.1-2) unstable; urgency=medium

    * Team upload (debian/ namespace).
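    Review bot: the CVE-2025-46804 entry still carries no file reference, unlike the attacher.c and socket.c entries on either side of it; adding the touched file(s) would keep the three lines parallel. Otherwise the hunk matches the mail's "NMU → MU" statement: the "Non-maintainer upload" line is gone, the fixes are credited in a "[ Salvatore Bonaccorso ]" block, and the trailer "-- Axel Beckert <abe@debian.org> Mon, 19 May 2025 00:42:42 +0200" is followed by its own "+" line, so the entry format is intact in this copy.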
    diff -Nru screen-4.9.1/debian/patches/fix-CVE-2025-46802-attacher.c-prevent-temporary-0666.patch screen-4.9.1/debian/patches/fix-CVE-2025-46802-attacher.c-prevent-temporary-0666.patch
    --- screen-4.9.1/debian/patches/fix-CVE-2025-46802-attacher.c-prevent-temporary-0666.patch 1970-01-01 01:00:00.000000000 +0100
    +++ screen-4.9.1/debian/patches/fix-CVE-2025-46802-attacher.c-prevent-tempora