Bug 32074

Summary: screen new security issue CVE-2023-24626
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, brtians1, geiger.david68210, nicolas.salguero, sysadmin-bugs
Version: 9Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA9-64-OK
Source RPM: screen-4.9.0-4.mga9.src.rpm CVE: CVE-2023-24626
Status comment:

Description David Walser 2023-07-05 23:08:14 CEST 
Ubuntu has issued an advisory on July 3:
https://ubuntu.com/security/notices/USN-6198-1

It sounds like, like for Ubuntu, this is not actually a security issue for us.  It should be easy enough to include the patch in Cauldron anyway, and maybe just check it into SVN for Mageia 8.
Comment 1 Lewis Smith 2023-07-07 20:51:23 CEST 
No obvious packager for this, so assigning globally.
CC'ing DavidG, but it is years since he dealt with it.

Assignee: bugsquad => pkg-bugs
CC: (none) => geiger.david68210

Comment 2 Nicolas Salguero 2024-03-12 11:01:44 CET 
Suggested advisory:
========================

The updated package fixes a security vulnerability:

socket.c in GNU Screen through 4.9.0, when installed setuid or setgid (the default on platforms such as Arch Linux and FreeBSD), allows local users to send a privileged SIGHUP signal to any PID, causing a denial of service or disruption of the target process. (CVE-2023-24626)

References:
https://ubuntu.com/security/notices/USN-6198-1
========================

Updated package in core/updates_testing:
========================
screen-4.9.0-4.1.mga9

from SRPM:
screen-4.9.0-4.1.mga9.src.rpm

CC: (none) => nicolas.salguero
Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
CVE: (none) => CVE-2023-24626
Version: Cauldron => 9

katnatek 2024-03-12 21:58:28 CET

Keywords: (none) => advisory

Comment 3 katnatek 2024-03-12 23:40:26 CET 
RH mageia 9 x86_64

LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (32-bit)" is up-to-date
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date


installing screen-4.9.0-4.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/1: screen                ##################################################################################################
      1/1: removing screen-4.9.0-4.mga9.x86_64
                                 ##################################################################################################

use screen to run a script without issues, screen have capacities that I don't use, so this is all the test I can do
Comment 4 Brian Rockwell 2024-03-13 02:55:40 CET 
Installed

basic testing completed.  It appears to work, though the version reported from screen seems out dated.

CC: (none) => brtians1
Whiteboard: (none) => MGA9-64-OK

Comment 5 Thomas Andrews 2024-03-13 23:45:33 CET 
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 6 Mageia Robot 2024-03-14 00:15:52 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0057.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED