SECURITY: misc/screen, update to 4.0.3


SECURITY: misc/screen, update to 4.0.3

Marc Balmer-2
screen 4.0.2 is vulnerable and allows for a DoS attack.  This updates
screen to version 4.0.3 which is not vulnerable.

ok?

Index: misc/screen/Makefile
===================================================================
RCS file: /cvs/ports/misc/screen/Makefile,v
retrieving revision 1.55
diff -u -r1.55 Makefile
--- misc/screen/Makefile 27 Jan 2005 02:09:52 -0000 1.55
+++ misc/screen/Makefile 25 Oct 2006 08:57:15 -0000
@@ -2,7 +2,7 @@
 
 COMMENT= "multi-screen window manager"
 
-VERSION= 4.0.2
+VERSION= 4.0.3
 DISTNAME= screen-${VERSION}
 CATEGORIES= misc
 MASTER_SITES= ftp://ftp.uni-erlangen.de/pub/utilities/screen/
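Review bot: the description above says only that 4.0.2 "allows for a DoS attack"; the commit log for this VERSION bump should cite the upstream screen advisory or changelog entry it tracks so the SECURITY tag stays traceable later. The hunk itself is a plain 4.0.2 to 4.0.3 bump and needs no PKGNAME revision, since DISTNAME changes with VERSION.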
Index: misc/screen/distinfo
===================================================================
RCS file: /cvs/ports/misc/screen/distinfo,v
retrieving revision 1.8
diff -u -r1.8 distinfo
--- misc/screen/distinfo 5 Jan 2005 17:05:05 -0000 1.8
+++ misc/screen/distinfo 25 Oct 2006 08:57:15 -0000
@@ -1,4 +1,4 @@
-MD5 (screen-4.0.2.tar.gz) = ed68ea9b43d9fba0972cb017a24940a1
-RMD160 (screen-4.0.2.tar.gz) = 42aea3d27ed25104f2a48606ea73234b715e480f
-SHA1 (screen-4.0.2.tar.gz) = 461eb9d5edc211e1480d7b5e94d89c4d9ba3643f
-SIZE (screen-4.0.2.tar.gz) = 840519
+MD5 (screen-4.0.3.tar.gz) = 8506fd205028a96c741e4037de6e3c42
+RMD160 (screen-4.0.3.tar.gz) = 8c3903c1642ae30fd9d5706298919428552f7754
+SHA1 (screen-4.0.3.tar.gz) = 7bc6e2f0959ffaae6f52d698c26c774e7dec3545
+SIZE (screen-4.0.3.tar.gz) = 840602
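Review bot: MASTER_SITES is an unauthenticated ftp:// mirror, so the four replaced lines (MD5, RMD160, SHA1 and SIZE for screen-4.0.3.tar.gz) are the only integrity check a user of the port gets; confirm they were generated from a tarball whose checksum was compared against what upstream published, rather than from whatever the mirror served at fetch time.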


Re: SECURITY: misc/screen, update to 4.0.3

Martynas Venckus-2
> screen 4.0.2 is vulnerable and allows for a DoS attack.  This updates
> screen to version 4.0.3 which is not vulnerable.

Works fine here on amd64 && i386.
Screen version 4.00.03 (FAU) 23-Oct-06

--
Martynas Venckus


Re: SECURITY: misc/screen, update to 4.0.3

Ben Lovett
In reply to this post by Marc Balmer-2
On Wed, Oct 25, 2006 at 11:05:35AM +0200, Marc Balmer wrote:
> screen 4.0.2 is vulnerable and allows for a DoS attack.  This updates
> screen to version 4.0.3 which is not vulnerable.
>
> ok?

Works fine for me on i386 (3.9-stable and -current).


Re: SECURITY: misc/screen, update to 4.0.3

marius-6
On 10/25/06, Ben Lovett <[hidden email]> wrote:
> On Wed, Oct 25, 2006 at 11:05:35AM +0200, Marc Balmer wrote:
> > screen 4.0.2 is vulnerable and allows for a DoS attack.  This updates
> > screen to version 4.0.3 which is not vulnerable.
> >
> > ok?
>
> Works fine for me on i386 (3.9-stable and -current).
>

I know it's late, since the update has been committed, but it
coredumps on an Alpha running the October 10th snapshot if I try to
switch to the window that's already active (i.e. hitting C-a 0 when in
the 0 window) or to a non-existent window (i.e. hitting C-a 4 when
there are only 2 windows).

If anyone wants to look into this, please email me for a .core file and a dmesg.

Marius


Re: SECURITY: misc/screen, update to 4.0.3

Christian Weisgerber
marius <[hidden email]> wrote:

> I know it's late, since the update has been committed, but it
> coredumps on an Alpha running the October 10th snapshot if I try to
> switch to the window that's already active (i.e. hitting C-a 0 when in
> the 0 window) or to a non-existent window (i.e. hitting C-a 4 when
> there are only 2 windows).

Or simply checking the window, C-a w.
However, this is not due to the tiny change in this update, rather
4.0.2 is already affected.

--
Christian "naddy" Weisgerber                          [hidden email]


Re: SECURITY: misc/screen, update to 4.0.3

Christian Weisgerber
Here's a fix for screen dying on C-w etc on alpha.

The problem is that the autoconf test for vsprintf() erroneously
fails and the build falls back on an implementation included with
screen, which is miscompiled by gcc with optimization turned on.
:-/

The bandaid below helps the autoconf test.  I don't like it, but
gcc on alpha spews errors on both a simple

  vsprintf();

as well as

  vsprintf(0,0,0);

If anybody has a better idea... something that could go in upstream...

Index: Makefile
===================================================================
RCS file: /cvs/ports/misc/screen/Makefile,v
retrieving revision 1.56
diff -u -r1.56 Makefile
--- Makefile 25 Oct 2006 16:27:04 -0000 1.56
+++ Makefile 30 Oct 2006 17:01:58 -0000
@@ -4,6 +4,7 @@
 
 VERSION= 4.0.3
 DISTNAME= screen-${VERSION}
+PKGNAME= ${DISTNAME}p0
 CATEGORIES= misc
 MASTER_SITES= ftp://ftp.uni-erlangen.de/pub/utilities/screen/
 
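Review bot: keep the PKGNAME= ${DISTNAME}p0 bump; without it, packages built before and after this fix would carry the same name even though the configure patch changes which vsprintf the binary ends up using (libc versus the bundled fallback) while VERSION stays 4.0.3.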
Index: patches/patch-configure
===================================================================
RCS file: patches/patch-configure
diff -N patches/patch-configure
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-configure 30 Oct 2006 17:01:58 -0000
@@ -0,0 +1,17 @@
+$OpenBSD$
+--- configure.orig Mon Oct 30 17:48:42 2006
++++ configure Mon Oct 30 17:49:09 2006
+@@ -7186,10 +7186,12 @@ cat confdefs.h >>conftest.$ac_ext
+ cat >>conftest.$ac_ext <<_ACEOF
+ /* end confdefs.h.  */
+
++#include <stdarg.h>
+ int
+ main ()
+ {
+-vsprintf(0,0,0);
++va_list ap;
++vsprintf(0,0,ap);
+   ;
+   return 0;
+ }
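Review bot: the patch targets a specific line range (@@ -7186) of the generated configure script, so it will be lost the next time upstream regenerates configure; the lasting fix is the same change in the autoconf source that emits this probe, which is also what would be sent upstream as the post asks. The probe itself is fine as a compile-and-link check that is never executed: passing null pointers in `vsprintf(0,0,ap);` is harmless there, and `va_list ap;` being left uninitialised is acceptable for the same reason, though a short comment saying the code is never run would stop anyone copying it into real code.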
--
Christian "naddy" Weisgerber                          [hidden email]
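As an added example (not code from the port, from screen, or from the patch above), the following standalone C program shows the portable way to feed a va_list into the vsprintf family, which is the point of the configure fix: a va_list is obtained with va_start in a variadic function and handed down, never replaced by a literal 0, since va_list is not an integer type on alpha. The function names format_msg, vformat_msg and msg_truncated are assumptions chosen for this example; the wrapper uses vsnprintf so the caller's buffer cannot be overrun and reports truncation.

```c
/* Added example, not code from the screen port or from the thread's patch.
 * Demonstrates passing a properly initialised va_list to the vsprintf family
 * (the substitution of a literal 0 for a va_list, as in the generated
 * configure probe, is what gcc on alpha rejects). Function names are
 * hypothetical. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Inner layer: takes an already-initialised va_list, which is the only
 * valid way to call vsprintf/vsnprintf from another function. */
static int vformat_msg(char *buf, size_t buflen, const char *fmt, va_list ap)
{
    return vsnprintf(buf, buflen, fmt, ap);
}

/* Outer layer: the variadic entry point. Returns what vsnprintf returns,
 * i.e. the length the complete message would have had, so the caller can
 * detect truncation instead of silently losing output. */
int format_msg(char *buf, size_t buflen, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);   /* ap is valid only between va_start and va_end */
    n = vformat_msg(buf, buflen, fmt, ap);
    va_end(ap);
    return n;
}

/* Returns 1 if a format_msg result n did not fit in a buffer of buflen bytes. */
int msg_truncated(int n, size_t buflen)
{
    return n < 0 || (size_t)n >= buflen;
}

int main(void)
{
    char buf[16];   /* constructed, deliberately small buffer */
    int n;

    n = format_msg(buf, sizeof buf, "window %d", 0);
    printf("%s (%d chars, truncated=%d)\n", buf, n, msg_truncated(n, sizeof buf));

    n = format_msg(buf, sizeof buf, "%s", "this string is longer than sixteen");
    printf("%s (%d chars, truncated=%d)\n", buf, n, msg_truncated(n, sizeof buf));
    return 0;
}
```

The two-layer shape (a v-prefixed function taking va_list, wrapped by a variadic one) is the pattern that lets message routines be layered without ever constructing a va_list by hand, and vsnprintf's return value is what makes the bounded buffer safe to rely on.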


Re: SECURITY: misc/screen, update to 4.0.3

Otto Moerbeek

On Mon, 30 Oct 2006, Christian Weisgerber wrote:

> Here's a fix for screen dying on C-w etc on alpha.
>
> The problem is that the autoconf test for vsprintf() erroneously
> fails and the build falls back on an implementation included with
> screen, which is miscompiled by gcc with optimization turned on.
> :-/
>
> The bandaid below helps the autoconf test.  I don't like it, but
> gcc on alpha spews errors on both a simple
>
>   vsprintf();
>
> as well as
>
>   vsprintf(0,0,0);
>
> If anybody has a better idea... something that could go in upstream...

I'm pretty sure 0 for a va_list arg is illegal, and your fix looks
reasonable.

        -Otto

>
> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/misc/screen/Makefile,v
> retrieving revision 1.56
> diff -u -r1.56 Makefile
> --- Makefile 25 Oct 2006 16:27:04 -0000 1.56
> +++ Makefile 30 Oct 2006 17:01:58 -0000
> @@ -4,6 +4,7 @@
>  
>  VERSION= 4.0.3
>  DISTNAME= screen-${VERSION}
> +PKGNAME= ${DISTNAME}p0
>  CATEGORIES= misc
>  MASTER_SITES= ftp://ftp.uni-erlangen.de/pub/utilities/screen/
>  
> Index: patches/patch-configure
> ===================================================================
> RCS file: patches/patch-configure
> diff -N patches/patch-configure
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-configure 30 Oct 2006 17:01:58 -0000
> @@ -0,0 +1,17 @@
> +$OpenBSD$
> +--- configure.orig Mon Oct 30 17:48:42 2006
> ++++ configure Mon Oct 30 17:49:09 2006
> +@@ -7186,10 +7186,12 @@ cat confdefs.h >>conftest.$ac_ext
> + cat >>conftest.$ac_ext <<_ACEOF
> + /* end confdefs.h.  */
> +
> ++#include <stdarg.h>
> + int
> + main ()
> + {
> +-vsprintf(0,0,0);
> ++va_list ap;
> ++vsprintf(0,0,ap);
> +   ;
> +   return 0;
> + }
> --
> Christian "naddy" Weisgerber                          [hidden email]
>
>


Re: SECURITY: misc/screen, update to 4.0.3

marius-6
In reply to this post by Christian Weisgerber
On 10/30/06, Christian Weisgerber <[hidden email]> wrote:
> Here's a fix for screen dying on C-w etc on alpha.

Thanks. Works like a charm.

Marius