Re: [screen-devel] [bug #50142] root exploit 4.5.0
From: Axel Beckert
Subject: Re: [screen-devel] [bug #50142] root exploit 4.5.0
Date: Tue, 24 Jan 2017 23:53:58 +0100
User-agent: Mutt/1.5.21 (2010-09-15)
Hi Alex,
On Tue, Jan 24, 2017 at 11:23:58PM +0100, Alex Naumov wrote:
> I also can't reproduce it, but it depends on how you install
> GNU screen and which security mechanisms you use in your OS.
Definitely. If you install screen setuid root, I can imagine that the
reported effects are possible.
> There are 2 very nasty bugs and one of them is security related...
What's the second one? The division by zero?
> As I said, I'm working on that and going to release 4.5.1 as a
> security/bugfix release next month.
Thanks for mentioning a time frame. You so far only mention that you
are going to release a security/bugfix release but not when. (I
actually wouldn't have been surprised if I'd seen that release
tomorrow.)
That way, I feel confirmed that uploading a fixed package to Debian
Unstable which just reverts the patch like half an hour ago was the
right thing to do. (Tomorrow is the last day for uploads before the
freeze for the upcoming Debian Stable release. So I hopefully was able
to squeeze that fix and hence 4.5.0 in. 4.5.1 will no longer fit in, but
I may cherry-pick single patches out of it if they fix crashes or
other severe things.)
Of course that reopens some silent errors wrt. non-working log
files due to permission issues, but I can also confirm that it fixes
the privilege escalation (to the utmp group in my case).
Kind regards, Axel
--
 /~\  Plain Text Ribbon Campaign                   | Axel Beckert
 \ /  Say No to HTML in E-Mail and News            | address@hidden (Mail)
  X   See http://www.nonhtmlmail.org/campaign.html | address@hidden (Mail+Jabber)
 / \  I love long mails: http://email.is-not-s.ms/ | http://abe.noone.org/ (Web)
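An added example, not part of the original message or of the screen project: the message ties the impact to how screen is installed (setuid root versus, in the author's case, the utmp group), so this shell check reports which privilege bits a screen binary carries. The function name `screen_priv_bits` is an assumption made for this sketch.

```shell
#!/bin/sh
# Added example: classify the privilege bits on a screen binary.
# screen_priv_bits PATH prints "setuid:OWNER", "setgid:GROUP", both
# (space-separated) or "none"; it returns 2 if PATH does not exist.
# The function name is hypothetical, chosen for this example.
screen_priv_bits() {
    [ -e "$1" ] || return 2
    # -L follows symlinks, -d stops a directory from being expanded.
    ls -ldL -- "$1" | {
        read -r mode links owner group rest
        out=""
        # Character 4 of the mode string is s/S when setuid is set,
        # character 7 is s/S when setgid is set.
        case $mode in
            ???[sS]*) out="setuid:$owner" ;;
        esac
        case $mode in
            ??????[sS]*) out="${out:+$out }setgid:$group" ;;
        esac
        echo "${out:-none}"
    }
}

# Check the screen binary on PATH, if there is one.
bin=$(command -v screen 2>/dev/null || true)
if [ -n "$bin" ]; then
    bits=$(screen_priv_bits "$bin")
    echo "$bin: $bits"
    case $bits in
        *setuid:root*)
            echo "setuid root: the install mode the message links to the reported effects" ;;
        *setgid:*)
            echo "setgid: exposure is that group's privileges (utmp in the message's case)" ;;
        *)
            echo "no setuid/setgid bit on the binary" ;;
    esac
fi
```
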