wok-current rev 25774
Fix efivar postinstall, up firefox-official (128.10.1), screen (4.9.1 with patch CVEs 46802,46804,4682A05)
author | Stanislas Leduc <shann@slitaz.org> |
date | Tue May 20 13:58:53 2025 +0000 (4 months ago) |
parents | 7b06593b8393 |
children | 4997842104b5 |
files | efivar/receipt firefox-official/receipt screen/receipt screen/stuff/CVE-2025-46802.patch screen/stuff/CVE-2025-46804.patch screen/stuff/CVE-2025-46805.patch |
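--- a/efivar/receipt
+++ b/efivar/receipt
@@ -60,7 +60,7 @@
 fi
 # and after reboot:
 # insert mount into /etc/init.d/local.sh
- if [ -f /etc/init.d/local.sh ]; then
+ if [ -f $1/etc/init.d/local.sh ]; then
 grep -qs efivarfs $1/etc/init.d/local.sh ||
 echo -e "#inserted by post_install of evifar up to END-efivar:
 if [ -d /sys/firmware/efi/efivars ]; then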
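Review bot: The corrected test `if [ -f $1/etc/init.d/local.sh ]` leaves `$1` unquoted, as does the `grep -qs efivarfs $1/etc/init.d/local.sh` line right below it, so a root argument containing whitespace is word-split and the test ends up checking a different path than the grep/echo that follow. Quoting it, `if [ -f "$1/etc/init.d/local.sh" ]; then`, keeps the fix intact, and when `$1` is empty (install onto the running system, if that is how the receipt is invoked) it still expands to `/etc/init.d/local.sh`. The enclosing post_install function starts and ends outside the hunk.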
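--- a/firefox-official/receipt
+++ b/firefox-official/receipt
@@ -1,7 +1,7 @@
 # SliTaz package receipt.
 
 PACKAGE="firefox-official"
-VERSION="128.10.0esr"
+VERSION="128.10.1esr"
 CATEGORY="network"
 TAGS="web-browser"
 SHORT_DESC="Official Firefox build by the Mozilla foundation (English language)."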
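--- a/screen/receipt
+++ b/screen/receipt
@@ -1,7 +1,7 @@
 # SliTaz package receipt.
 
 PACKAGE="screen"
-VERSION="4.9.0"
+VERSION="4.9.1"
 CATEGORY="system-tools"
 SHORT_DESC="Terminal multiplexer."
 MAINTAINER="pascal.bellard@slitaz.org"
@@ -28,6 +28,14 @@
 # Rules to configure and make the package.
 compile_rules()
 {
+ # CVEs
+ # see https://www.cve.org/CVERecord?id=CVE-2025-46802
+ # see https://www.cve.org/CVERecord?id=CVE-2025-46804
+ # see https://www.cve.org/CVERecord?id=CVE-2025-46805
+ patch -p1 < $stuff/CVE-2025-46802.patch
+ patch -p1 < $stuff/CVE-2025-46804.patch
+ patch -p1 < $stuff/CVE-2025-46805.patch
+
 ./autogen.sh &&
 ./configure \
 --with-sys-screenrc=/etc/screenrc \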
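Review bot: The three new `patch -p1 < $stuff/CVE-2025-468xx.patch` lines at the top of compile_rules are not part of the `&&` chain that starts at `./autogen.sh &&`, so a rejected hunk (for instance after a later VERSION bump shifts the upstream sources) lets the build continue unpatched while the receipt still claims the three CVE fixes. Chaining them makes a failed patch fail the build: `patch -p1 < $stuff/CVE-2025-46802.patch &&`, `patch -p1 < $stuff/CVE-2025-46804.patch &&`, `patch -p1 < $stuff/CVE-2025-46805.patch &&`. The second hunk of this section is the one reviewed here; compile_rules continues past the end of the hunk.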
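--- /dev/null
+++ b/screen/stuff/CVE-2025-46802.patch
@@ -0,0 +1,140 @@
+From 049b26b22e197ba3be9c46e5c193032e01a4724a Mon Sep 17 00:00:00 2001
+From: Matthias Gerstner <matthias.gerstner@suse.de>
+Date: Mon, 12 May 2025 15:15:38 +0200
+Subject: fix CVE-2025-46802: attacher.c - prevent temporary 0666 mode on PTYs
+
+This temporary chmod of the PTY to mode 0666 is most likely a remnant of
+past times, before the PTY file descriptor was passed to the target
+session via the UNIX domain socket.
+
+This chmod() causes a race condition during which any other user in the
+system can open the PTY for reading and writing, and thus allows PTY
+hijacking.
+
+Simply remove this logic completely.
+---
+ src/attacher.c | 27 ---------------------------
+ src/screen.c | 19 -------------------
+ 2 files changed, 46 deletions(-)
+
+diff --git a/attacher.c b/attacher.c
+index c35ae7a..16b151e 100644
+--- a/attacher.c
++++ b/attacher.c
+@@ -73,7 +73,6 @@ extern int MasterPid, attach_fd;
+ #ifdef MULTIUSER
+ extern char *multi;
+ extern int multiattach, multi_uid, own_uid;
+-extern int tty_mode, tty_oldmode;
+ # ifndef USE_SETEUID
+ static int multipipe[2];
+ # endif
+@@ -160,9 +159,6 @@ int how;
+
+ if (pipe(multipipe))
+ Panic(errno, "pipe");
+- if (chmod(attach_tty, 0666))
+- Panic(errno, "chmod %s", attach_tty);
+- tty_oldmode = tty_mode;
+ eff_uid = -1; /* make UserContext fork */
+ real_uid = multi_uid;
+ if ((ret = UserContext()) <= 0)
+@@ -174,11 +170,6 @@ int how;
+ Panic(errno, "UserContext");
+ close(multipipe[1]);
+ read(multipipe[0], &dummy, 1);
+- if (tty_oldmode >= 0)
+- {
+- chmod(attach_tty, tty_oldmode);
+- tty_oldmode = -1;
+- }
+ ret = UserStatus();
+ #ifdef LOCK
+ if (ret == SIG_LOCK)
+@@ -224,9 +215,6 @@ int how;
+ xseteuid(multi_uid);
+ xseteuid(own_uid);
+ #endif
+- if (chmod(attach_tty, 0666))
+- Panic(errno, "chmod %s", attach_tty);
+- tty_oldmode = tty_mode;
+ }
+ # endif /* USE_SETEUID */
+ #endif /* MULTIUSER */
+@@ -423,13 +411,6 @@ int how;
+ ContinuePlease = 0;
+ # ifndef USE_SETEUID
+ close(multipipe[1]);
+-# else
+- xseteuid(own_uid);
+- if (tty_oldmode >= 0)
+- if (chmod(attach_tty, tty_oldmode))
+- Panic(errno, "chmod %s", attach_tty);
+- tty_oldmode = -1;
+- xseteuid(real_uid);
+ # endif
+ }
+ #endif
+@@ -505,14 +486,6 @@ AttacherFinit SIGDEFARG
+ close(s);
+ }
+ }
+-#ifdef MULTIUSER
+- if (tty_oldmode >= 0)
+- {
+- if (setuid(own_uid))
+- Panic(errno, "setuid");
+- chmod(attach_tty, tty_oldmode);
+- }
+-#endif
+ exit(0);
+ SIGRETURN;
+ }
+diff --git a/screen.c b/screen.c
+index 7653cd1..1a23e1a 100644
+--- a/screen.c
++++ b/screen.c
+@@ -230,8 +230,6 @@ char *multi_home;
+ int multi_uid;
+ int own_uid;
+ int multiattach;
+-int tty_mode;
+-int tty_oldmode = -1;
+ #endif
+
+ char HostName[MAXSTR];
+@@ -1009,9 +1007,6 @@ int main(int ac, char** av)
+
+ /* ttyname implies isatty */
+ SetTtyname(true, &st);
+-#ifdef MULTIUSER
+- tty_mode = (int)st.st_mode & 0777;
+-#endif
+
+ fl = fcntl(0, F_GETFL, 0);
+ if (fl != -1 && (fl & (O_RDWR|O_RDONLY|O_WRONLY)) == O_RDWR)
+@@ -2170,20 +2165,6 @@ DEFINE_VARARGS_FN(Panic)
+ if (D_userpid)
+ Kill(D_userpid, SIG_BYE);
+ }
+-#ifdef MULTIUSER
+- if (tty_oldmode >= 0) {
+-
+-# ifdef USE_SETEUID
+- if (setuid(own_uid))
+- xseteuid(own_uid); /* may be a loop. sigh. */
+-# else
+- setuid(own_uid);
+-# endif
+-
+- debug1("Panic: changing back modes from %s\n", attach_tty);
+- chmod(attach_tty, tty_oldmode);
+- }
+-#endif
+ eexit(1);
+ }
+
+--
+cgit v1.1
+
+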
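--- /dev/null
+++ b/screen/stuff/CVE-2025-46804.patch
@@ -0,0 +1,125 @@
+From e0eef5aac453fa98a2664416a56c50ad1d00cb30 Mon Sep 17 00:00:00 2001
+From: Matthias Gerstner <matthias.gerstner@suse.de>
+Date: Mon, 12 May 2025 15:26:11 +0200
+Subject: fix CVE-2025-46804: avoid file existence test information leaks
+
+In setuid-root context the current error messages give away whether
+certain paths not accessible by the real user exist and what type they
+have. To prevent this only output generic error messages in setuid-root
+context.
+
+In some situations, when an error is pertaining a directory and the
+directory is owner by the real user then we can still output more
+detailed diagnostics.
+
+This change can lead to less helpful error messages when Screen is
+install setuid-root. More complex changes would be needed to avoid this
+(e.g. only open the `SocketPath` with raised privileges when
+multi-attach is requested).
+
+There might still be lingering some code paths that allow such
+information leaks, since `SocketPath` is a global variable that is used
+across the code base. The majority of issues should be caught with this
+fix, however.
+---
+ src/screen.c | 45 ++++++++++++++++++++++++++++++++++-----------
+ src/socket.c | 9 +++++++--
+ 2 files changed, 41 insertions(+), 13 deletions(-)
+
+diff --git a/screen.c b/screen.c
+index 1a23e1a..6eec151 100644
+--- a/screen.c
++++ b/screen.c
+@@ -1122,15 +1122,28 @@ int main(int ac, char** av)
+ #endif
+ }
+
+- if (stat(SockPath, &st) == -1)
+- Panic(errno, "Cannot access %s", SockPath);
+- else
+- if (!S_ISDIR(st.st_mode))
++ if (stat(SockPath, &st) == -1) {
++ if (eff_uid == real_uid) {
++ Panic(errno, "Cannot access %s", SockPath);
++ } else {
++ Panic(0, "Error accessing %s", SockPath);
++ }
++ } else if (!S_ISDIR(st.st_mode)) {
++ if (eff_uid == real_uid || st.st_uid == real_uid) {
+ Panic(0, "%s is not a directory.", SockPath);
++ } else {
++ Panic(0, "Error accessing %s", SockPath);
++ }
++ }
+ #ifdef MULTIUSER
+ if (multi) {
+- if ((int)st.st_uid != multi_uid)
+- Panic(0, "%s is not the owner of %s.", multi, SockPath);
++ if ((int)st.st_uid != multi_uid) {
++ if (eff_uid == real_uid || st.st_uid == real_uid) {
++ Panic(0, "%s is not the owner of %s.", multi, SockPath);
++ } else {
++ Panic(0, "Error accessing %s", SockPath);
++ }
++ }
+ }
+ else
+ #endif
+@@ -1144,9 +1157,13 @@ int main(int ac, char** av)
+ Panic(0, "You are not the owner of %s.", SockPath);
+ #endif
+ }
+-
+- if ((st.st_mode & 0777) != 0700)
+- Panic(0, "Directory %s must have mode 700.", SockPath);
++ if ((st.st_mode & 0777) != 0700) {
++ if (eff_uid == real_uid || st.st_uid == real_uid) {
++ Panic(0, "Directory %s must have mode 700.", SockPath);
++ } else {
++ Panic(0, "Error accessing %s", SockPath);
++ }
++ }
+ if (SockMatch && index(SockMatch, '/'))
+ Panic(0, "Bad session name '%s'", SockMatch);
+ SockName = SockPath + strlen(SockPath) + 1;
+@@ -1184,8 +1201,14 @@ int main(int ac, char** av)
+ else
+ exit(9 + (fo || oth ? 1 : 0) + fo);
+ }
+- if (fo == 0)
+- Panic(0, "No Sockets found in %s.\n", SockPath);
++ if (fo == 0) {
++ if (eff_uid == real_uid || st.st_uid == real_uid) {
++ Panic(0, "No Sockets found in %s.\n", SockPath);
++ } else {
++ Panic(0, "Error accessing %s", SockPath);
++ }
++ }
++
+ Msg(0, "%d Socket%s in %s.", fo, fo > 1 ? "s" : "", SockPath);
+ eexit(0);
+ }
+diff --git a/socket.c b/socket.c
+index 54d8cb8..6c3502f 100644
+--- a/socket.c
++++ b/socket.c
+@@ -169,8 +169,13 @@ bool *is_sock;
+ xsetegid(real_gid);
+ #endif
+
+- if ((dirp = opendir(SockPath)) == 0)
+- Panic(errno, "Cannot opendir %s", SockPath);
++ if ((dirp = opendir(SockPath)) == 0) {
++ if (eff_uid == real_uid) {
++ Panic(errno, "Cannot opendir %s", SockPath);
++ } else {
++ Panic(0, "Error accessing %s", SockPath);
++ }
++ }
+
+ slist = 0;
+ slisttail = &slist;
+--
+cgit v1.1
+
+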
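--- /dev/null
+++ b/screen/stuff/CVE-2025-46805.patch
@@ -0,0 +1,118 @@
+From 161f85b98b7e1d5e4893aeed20f4cdb5e3dfaaa4 Mon Sep 17 00:00:00 2001
+From: Matthias Gerstner <matthias.gerstner@suse.de>
+Date: Mon, 12 May 2025 15:38:19 +0200
+Subject: fix CVE-2025-46805: socket.c - don't send signals with root
+ privileges
+
+The CheckPid() function was introduced to address CVE-2023-24626, to
+prevent sending SIGCONT and SIGHUP to arbitrary PIDs in the system. This
+fix still suffers from a TOCTOU race condition. The client can replace
+itself by a privileged process, or try to cycle PIDs until a privileged
+process receives the original PID.
+
+To prevent this, always send signals using the real privileges. Keep
+CheckPid() for error diagnostics. If sending the actual signal fails
+later on then there will be no more error reporting.
+
+It seems the original bugfix already introduced a regression when
+attaching to another's user session that is not owned by root. In this
+case the target sessions runs with real uid X, while for sending a
+signal to the `pid` provided by the client real uid Y (or root
+privileges) are required.
+
+This is hard to properly fix without this regression. On Linux pidfds
+could be used to allow safely sending signals to other PIDs as root
+without involving race conditions. In this case the client PID should
+also be obtained via the UNIX domain socket's SO_PEERCRED option,
+though.
+---
+ src/socket.c | 21 +++++++++++++--------
+ 1 file changed, 13 insertions(+), 8 deletions(-)
+
+diff --git a/socket.c b/socket.c
+index 6c3502f..d6621fa 100644
+--- a/socket.c
++++ b/socket.c
+@@ -831,6 +831,11 @@ int pid;
+ return UserStatus();
+ }
+
++static void KillUnpriv(pid_t pid, int sig) {
++ UserContext();
++ UserReturn(kill(pid, sig));
++}
++
+ #ifdef hpux
+/*
+ * From: "F. K. Bruner" <napalm@ugcs.caltech.edu>
+@@ -916,14 +921,14 @@ struct win *wi;
+ {
+ Msg(errno, "Could not perform necessary sanity checks on pts device.");
+ close(i);
+- Kill(pid, SIG_BYE);
++ KillUnpriv(pid, SIG_BYE);
+ return -1;
+ }
+ if (strcmp(ttyname_in_ns, m->m_tty))
+ {
+ Msg(errno, "Attach: passed fd does not match tty: %s - %s!", ttyname_in_ns, m->m_tty[0] != '\0' ? m->m_tty : "(null)");
+ close(i);
+- Kill(pid, SIG_BYE);
++ KillUnpriv(pid, SIG_BYE);
+ return -1;
+ }
+ /* m->m_tty so far contains the actual name of the pts device in the
+@@ -940,19 +945,19 @@ struct win *wi;
+ {
+ Msg(errno, "Attach: passed fd does not match tty: %s - %s!", m->m_tty, myttyname ? myttyname : "NULL");
+ close(i);
+- Kill(pid, SIG_BYE);
++ KillUnpriv(pid, SIG_BYE);
+ return -1;
+ }
+ }
+ else if ((i = secopen(m->m_tty, O_RDWR | O_NONBLOCK, 0)) < 0)
+ {
+ Msg(errno, "Attach: Could not open %s!", m->m_tty);
+- Kill(pid, SIG_BYE);
++ KillUnpriv(pid, SIG_BYE);
+ return -1;
+ }
+ #ifdef MULTIUSER
+ if (attach)
+- Kill(pid, SIGCONT);
++ KillUnpriv(pid, SIGCONT);
+ #endif
+
+ #if defined(ultrix) || defined(pyr) || defined(NeXT)
+@@ -965,7 +970,7 @@ struct win *wi;
+ {
+ write(i, "Attaching from inside of screen?\n", 33);
+ close(i);
+- Kill(pid, SIG_BYE);
++ KillUnpriv(pid, SIG_BYE);
+ Msg(0, "Attach msg ignored: coming from inside.");
+ return -1;
+ }
+@@ -976,7 +981,7 @@ struct win *wi;
+ {
+ write(i, "Access to session denied.\n", 26);
+ close(i);
+- Kill(pid, SIG_BYE);
++ KillUnpriv(pid, SIG_BYE);
+ Msg(0, "Attach: access denied for user %s.", user);
+ return -1;
+ }
+@@ -1294,7 +1299,7 @@ ReceiveMsg()
+ Msg(0, "Query attempt with bad pid(%d)!", m.m.command.apid);
+ }
+ else {
+- Kill(m.m.command.apid,
++ KillUnpriv(m.m.command.apid,
+ (queryflag >= 0)
+ ? SIGCONT
+ : SIG_BYE); /* Send SIG_BYE if an error happened */
+--
+cgit v1.1
+
+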