https://security.opensuse.org/2025/05/12/screen-security-issues.html
5.0.1 fixes the CVEs. Will need to apply the patches to 4.9.1. Probably a good time to switch over to 5.0.1, even though it severely breaks hardstatus. Also, looks like 5.0.1 was just released today. Will need to wait for a tarball.
I see the upstream git repo also has patches applied but there is no git tag for it. My options are to rebase both ports on upstream git hashes or wait. I'll probably rebase. I also see that screen-devel (master branch) has no fixes applied. My guess is he will probably refactor or completely rewrite the patches for master.
If installed with MULTIUSER=off, it wouldn't be affected, since that would turn off the setuid bit, right?
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=ef4ccfa93a10bc7ed0d4bf87f3968dd92ff63516

commit ef4ccfa93a10bc7ed0d4bf87f3968dd92ff63516
Author:     Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2025-05-12 21:35:07 +0000
Commit:     Cy Schubert <cy@FreeBSD.org>
CommitDate: 2025-05-12 21:38:12 +0000

    sysutils/screen49: Update to unversioned 4.9.1 with CVE fixes

    As the tarball is not available from the normal download sites, rebase
    to the upstream git repo. This includes security fixes documented at
    https://security.opensuse.org/2025/05/12/screen-security-issues.html

    PR:     286743
    MFH:    2025Q2

 sysutils/screen49/Makefile | 31 ++++++++++++++++++++++---------
 sysutils/screen49/distinfo |  6 +++---
 2 files changed, 25 insertions(+), 12 deletions(-)
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=184ca6958aeaa95bf62c04c68dca2be4236b1bd6

commit 184ca6958aeaa95bf62c04c68dca2be4236b1bd6
Author:     Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2025-05-12 21:22:30 +0000
Commit:     Cy Schubert <cy@FreeBSD.org>
CommitDate: 2025-05-12 21:38:11 +0000

    sysutils/screen50: Update to 5.0.1

    As the tarball is not available from the normal download sites, rebase
    to the upstream git repo. This includes security fixes documented at
    https://security.opensuse.org/2025/05/12/screen-security-issues.html

    PR:     286743
    MFH:    2025Q2

 sysutils/screen50/Makefile                  | 31 +++++++++++++++++++----------
 sysutils/screen50/distinfo                  |  6 +++---
 sysutils/screen50/files/patch-misc.h (gone) | 12 -----------
 sysutils/screen50/pkg-plist                 |  2 +-
 4 files changed, 25 insertions(+), 26 deletions(-)
(In reply to FiLiS from comment #3) That addresses only one of the CVEs. It would still be vulnerable to the others.
(In reply to Cy Schubert from comment #6) I will wait a while before pushing this to quarterly in case it breaks something.
I was asked to revert the screen 4.9.1 port update. It is now flagged FORBIDDEN due to the security exposure. It is now deprecated and scheduled for removal on May 31. People are advised to use screen 5.0.1. It has a hardstatus regression that upstream has partially fixed.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=2b43a2f9c82119732a8202f847bf438402c644da

commit 2b43a2f9c82119732a8202f847bf438402c644da
Author:     Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2025-05-13 15:05:50 +0000
Commit:     Cy Schubert <cy@FreeBSD.org>
CommitDate: 2025-05-13 15:51:00 +0000

    sysutils/screen49: Apply patches to multiple CVEs

    Apply patches to multiple CVEs. Upstream has not released a new point
    release of the 4.9 branch. This is a best effort attempt to keep
    screen 4.9 in ports, for now. Any future CVEs will result in its
    removal.

    PR:             286743
    Requested by:   danfe

 sysutils/screen49/Makefile                         |   2 +-
 sysutils/screen49/files/patch-attacher.c           |  79 +++++++++-
 sysutils/screen49/files/patch-configure.ac         |  14 +-
 sysutils/screen49/files/patch-doc__Makefile.in     |  12 +-
 sysutils/screen49/files/patch-misc.c               |   4 +-
 sysutils/screen49/files/patch-os.h                 |   8 +-
 sysutils/screen49/files/patch-osdef.h.in           |   6 +-
 sysutils/screen49/files/patch-resize.c             |  10 +-
 sysutils/screen49/files/patch-screen.c             | 115 ++++++++++++++-
 sysutils/screen49/files/patch-socket.c             | 169 ++++++++++++----------
 sysutils/screen49/files/patch-termcap.c            |   6 +-
 sysutils/screen49/files/patch-terminfo__checktc.c  |   8 +-
 sysutils/screen49/files/patch-utmp.c               |  22 +--
 13 files changed, 323 insertions(+), 132 deletions(-)
After this update, screen-5.0.1 hangs when trying to connect to my running screen49 session (was running before the update). I haven't debugged it much yet. Happens with or without setuid-root on /usr/local/bin/screen-5.0.1. ktrace shows it trying to connect to the same socket file as screen-4.9.1 (which I installed as a temporary workaround for the moment). This is probably a separate bug entry, of course, but I just wanted to add a note here before creating a separate bug.
(In reply to John Hein from comment #10) This is not a bug. It's expected. You must exit all existing screen sessions before upgrading.
(In reply to Cy Schubert from comment #11) Can there be something in /usr/ports/UPDATING warning of this, please?
(In reply to void from comment #12) Sure. This can and does occur every time screen is updated.
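A pre-upgrade check for the orphaned-session problem described in comments #10 through #12, added here as an example and not part of the bug thread or of the port itself. It parses `screen -ls`-style output (the sample below is constructed) and refuses to proceed while any session is still running, and it reports whether a given binary path carries the setuid bit that the MULTIUSER option controls.

```shell
# Added example: guard a screen upgrade against orphaning live sessions.
# A newly installed screen binary cannot attach to sessions created by the
# previous one, so all sessions must be exited before the upgrade.

# count_screen_sessions: read `screen -ls`-style output on stdin and print
# the number of session lines. screen lists each session indented as
# "<pid>.<name>  (Attached|Detached)"; header and footer lines start in
# column one and are ignored.
count_screen_sessions() {
    grep -cE '^[[:space:]]+[0-9]+\.[^[:space:]]+[[:space:]]+\((Attached|Detached)\)' || true
}

# preupgrade_check: return 0 when no sessions exist (safe to upgrade),
# 1 when sessions are still running. Reads `screen -ls` output on stdin.
preupgrade_check() {
    n=$(count_screen_sessions)
    if [ "$n" -gt 0 ]; then
        echo "refusing to upgrade screen: $n session(s) still running; exit them first" >&2
        return 1
    fi
    return 0
}

# setuid_status: print "setuid" or "not setuid" for the binary at $1.
# Useful to confirm what the port's MULTIUSER option actually installed.
setuid_status() {
    if [ -u "$1" ]; then
        echo "setuid"
    else
        echo "not setuid"
    fi
}

# Constructed sample of `screen -ls` output with two live sessions.
SAMPLE_LS='There are screens on:
	12345.work	(Detached)
	23456.ttyv0.host	(Attached)
2 Sockets in /tmp/screens/S-user.'

# Stand-alone usage: check the real installation.
#   screen -ls | preupgrade_check && pkg upgrade screen
#   setuid_status /usr/local/bin/screen
```

On a real host replace the constructed sample with the output of `screen -ls` run as each user who may own sessions, since the socket directory is per user.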
After the 5.0.1 update screen seems to be ignoring the system-wide config file at /usr/local/etc/screenrc (but does read /etc/screenrc) - I opened a separate issue at https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=286834 but figured I'd mention it here as well since this is still ongoing.
(In reply to Cy Schubert from comment #13) Nothing recent about screen in UPDATING, yet. The last mention of screen in this file is datestamped 20220410. Ports tree is at 706046 (refreshed around 1250 UTC).
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=68042c2be4390fab15a24993a3a8eff913f0f794

commit 68042c2be4390fab15a24993a3a8eff913f0f794
Author:     Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2025-05-19 15:10:33 +0000
Commit:     Cy Schubert <cy@FreeBSD.org>
CommitDate: 2025-05-19 15:12:48 +0000

    UPDATING: Note orphaning of screen sessions

    PR:     286743

 UPDATING | 9 +++++++++
 1 file changed, 9 insertions(+)
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=b2390b41cd22ddab88be90a88c262facc08a3665

commit b2390b41cd22ddab88be90a88c262facc08a3665
Author:     Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2025-05-19 15:15:38 +0000
Commit:     Cy Schubert <cy@FreeBSD.org>
CommitDate: 2025-05-19 15:15:38 +0000

    sysutils/screen49: Deprecate and expire

    PR:     286743

 sysutils/screen49/Makefile | 3 +++
 1 file changed, 3 insertions(+)