oss-sec mailing list archives
Re: screen: Multiple Security Issues in Screen (mostly affecting release 5.0.0 and setuid-root installations)
From: Eli Schwartz <eschwartz () gentoo org>
Date: Fri, 16 May 2025 14:07:16 -0400
On 5/16/25 12:31 PM, Taylor R Campbell wrote:
> It is not nonsensical, and it is not the inconsequential pedantry you are suggesting. Please consider avoiding sarcastic disparagement when publicly discussing the factual matters of security reports. The report says that `NetBSD 10.1' is affected. This is not quite right, _and it matters_ even if you set aside the fact that NetBSD 10.1 itself (which does ship tmux!) does not ship screen, because:
NetBSD 10.1 (and earlier) is affected (if you use its package manager to install screen).

Arch Linux is affected (if you use its package manager to install screen).

Debian 12.10 (but this is not quite right!!!1!11!!!oneoneeleven. The same packages are available on e.g. Debian 13, 11, etc) is affected (if you use its package manager to install screen).

Ubuntu 24.04.10 (but this is not quite right!!!1!11!!!oneoneeleven. The same packages are available on e.g. Ubuntu 22.04, 24.10, 25.04, 25.10) is affected (if you use its package manager to install screen).

Gentoo (but this is not quite right!!!1!11!!!oneoneeleven. The same packages are available on e.g. macOS Prefix) is affected (if you use its package manager to install screen).
> (a) the same pkgsrc packages are available on, e.g., NetBSD 9.x (which
> is not EOL); and
> (b) pkgsrc is used on platforms other than NetBSD, including macOS,
> SmartOS, and various Linux distributions (e.g., for unprivileged
> use on HPC clusters where it is more flexible and up-to-date than
> the Linux distribution's package manager).
> That is why it would be more accurate for the report to say
> `pkgsrc-2025Q1', not `NetBSD 10.1'.
I strongly dispute this. It should instead list both, as both are affected. (Again, b is the same distinction as "Gentoo, but also portage-20250508, are both affected".)

But the list of affected distributions wasn't complete, and likely wasn't intended to be. Nor was its list of distribution *versions*. It didn't list affected versions for Adelie, Alpine, CRUX, Exherbo, Guix, Homebrew, Mageia, Mandriva, Solus, Void Linux...

I'll reiterate that claiming NetBSD is "not affected" because "the base installation doesn't preinstall it" is nonsensical, and highly reminiscent of, erm, a different BSD that uses similar logic to conclude that "the base installation" does not need useless bloat such as TrustedBSD.

I encourage you to relax and stop feeling like the honor of NetBSD is at stake if you fail to prove that "NetBSD 10.1" was exempt from the same issue all other distributors had. It's no embarrassment for an operating system to have the builtin capability to install software; you can just *not* treat it like an unwanted and uninvited guest tracking mud all over the kitchen that needs to be disavowed.

-- 
Eli Schwartz
Attachment: OpenPGP_signature.asc (OpenPGP digital signature)