--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
In the Debian Installer https://bugs.debian.org/857808 popped up and
Samuel Thibault found a patch for a workaround. See the upstream bug
at https://savannah.gnu.org/bugs/?50588 for an explanation of how the
patch works.
I've prepared, but not yet uploaded, version 4.5.0-4 of Debian's screen
package to address this. The package is prepared in the branch
"stretch":
https://anonscm.debian.org/cgit/collab-maint/screen.git/log/?h=stretch
Here's the current git diff between the package in Testing and the
stretch branch as I plan to upload the package:
diff --git a/debian/changelog b/debian/changelog
index 2f87ccd..36227ce 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,8 +1,17 @@
+screen (4.5.0-4) unstable; urgency=low
+
+ * Add CVE-ID to previous changelog entry and
+ 62-reverse-cherry-pick-5460f5d2-to-fix-privilege-escalation.patch.
+ * Apply patch by Samuel Thibault to fix terminal garbage in Debian
+ Installer over serial line. (Closes: #857808)
+
+ -- Axel Beckert <abe@debian.org> Wed, 22 Mar 2017 01:13:07 +0100
+
screen (4.5.0-3) unstable; urgency=medium
* Add patch to revert upstream commit 5460f5d2 ("adding permissions
check for the logfile name") which caused a privilege escalation.
- (Closes: #852484)
+ (CVE-2017-5618, Closes: #852484)
-- Axel Beckert <abe@debian.org> Tue, 24 Jan 2017 22:57:44 +0100
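Review bot: the new 4.5.0-4 stanza is marked `urgency=low` while the 4.5.0-3 entry below it used `urgency=medium`; since this upload is the subject of an unblock request and closes #857808, confirm that low is what is intended. The first bullet would also be easier to search for if it named CVE-2017-5618 instead of only "CVE-ID".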
diff --git a/debian/patches/62-reverse-cherry-pick-5460f5d2-to-fix-privilege-escalation.patch b/debian/patches/62-reverse-cherry-pick-5460f5d2-to-fix-privilege-escalation.patch
index 32c6c61..0f62702 100644
--- a/debian/patches/62-reverse-cherry-pick-5460f5d2-to-fix-privilege-escalation.patch
+++ b/debian/patches/62-reverse-cherry-pick-5460f5d2-to-fix-privilege-escalation.patch
@@ -1,7 +1,7 @@
-Description: Fix privilege escalation by reverting upstream commit 5460f5d2
+Description: [CVE-2017-5618] Fix privilege escalation by reverting upstream commit 5460f5d2
Author: Axel Beckert <abe@debian.org>
Bug-Debian: https://bugs.debian.org/852484
-Bug-CVE: http://www.openwall.com/lists/oss-security/2017/01/24/10
+Bug-CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5618
Bug: https://savannah.gnu.org/bugs/?50142
https://lists.gnu.org/archive/html/screen-devel/2017-01/msg00025.html
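Review bot: the `Bug-CVE:` change drops the oss-security link (http://www.openwall.com/lists/oss-security/2017/01/24/10) from the header entirely. Consider keeping it as an additional reference line, the way the lists.gnu.org URL is kept under `Bug:`, so that reference stays reachable from the patch alongside the new cve.mitre.org entry.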
diff --git a/debian/patches/63-fix-garbage-on-serial-terminal.patch b/debian/patches/63-fix-garbage-on-serial-terminal.patch
new file mode 100644
index 0000000..62a149a
--- /dev/null
+++ b/debian/patches/63-fix-garbage-on-serial-terminal.patch
@@ -0,0 +1,17 @@
+Description: Fix terminal garbage in Debian Installer over serial line
+Author: Samuel Thibault <sthibault@debian.org>
+Reviewed-By: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Bug-Debian: https://bugs.debian.org/857808
+Bug: https://savannah.gnu.org/bugs/?50588
+
+--- a/termcap.c
++++ b/termcap.c
+@@ -486,6 +486,8 @@
+
+ D_tcinited = 1;
+ MakeTermcap(0);
++ /* Make sure libterm uses external term properties for our tputs() calls. */
++ e_tgetent(tbuf, D_termname);
+ #ifdef MAPKEYS
+ CheckEscape();
+ #endif
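Review bot: the result of the added `e_tgetent(tbuf, D_termname);` call is not used, so a failed lookup at this point would go unnoticed. Either check the result or extend the comment to say why a failure is harmless here. The cover message also describes this change as a workaround while the `Description:` line says "Fix"; wording the header as a workaround, with the upstream bug as the pointer for the explanation, would match.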
diff --git a/debian/patches/series b/debian/patches/series
index f68461c..7c90770 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -12,6 +12,7 @@
61-default-PATH_MAX-if-undefined-for-hurd.patch
62-reverse-cherry-pick-5460f5d2-to-fix-privilege-escalation.patch
# 80-99: experimental patches, new features etc.
+63-fix-garbage-on-serial-terminal.patch
80_session_creation_docs.patch
81_session_creation_util.patch
82_session_creation_core.patch
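Review bot: the new `63-fix-garbage-on-serial-terminal.patch` line is added below the `# 80-99: experimental patches, new features etc.` comment, so it reads as part of the experimental group even though its number is outside 80-99. Move it directly after `62-reverse-cherry-pick-5460f5d2-to-fix-privilege-escalation.patch`, above the comment; the apply order stays the same.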
-- System Information:
Debian Release: 9.0
APT prefers unstable
APT policy: (990, 'unstable'), (600, 'testing'), (500, 'unstable-debug'), (500, 'buildd-unstable'), (110, 'experimental'), (1, 'experimental-debug'), (1, 'buildd-experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
--- End Message ---