[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [screen-devel] [bug #50142] root exploit 4.5.0 (CVE-2017-5618)
|
From: |
Axel Beckert |
|
Subject: |
Re: [screen-devel] [bug #50142] root exploit 4.5.0 (CVE-2017-5618) |
|
Date: |
Thu, 2 Feb 2017 12:16:11 +0100 |
|
User-agent: |
Mutt/1.5.21 (2010-09-15) |
Hi,
On Tue, Jan 24, 2017 at 07:05:10PM +0000, anonymous wrote:
> <http://savannah.gnu.org/bugs/?50142>
>
> Summary: root exploit 4.5.0
> Project: GNU Screen
[…]
> Commit f86a374 ("screen.c: adding permissions check for the logfile name",
> 2015-11-04)
>
> The check opens the logfile with full root privileges. This allows us to
> truncate any file or create a root-owned file with any contents in any
> directory and can be easily exploited to full root access in several ways.
Please use CVE-2017-5618 as identifier for this security issue.
I'd have also updated https://savannah.gnu.org/bugs/?50142 but it's
marked as private despite the information is publically available via
the mailing list and its archive.
So please make https://savannah.gnu.org/bugs/?50142 public again. It's
nothing in there which isn't known publically.
Kind regards, Axel
--
/~\ Plain Text Ribbon Campaign | Axel Beckert
\ / Say No to HTML in E-Mail and News | address@hidden (Mail)
X See http://www.nonhtmlmail.org/campaign.html | address@hidden (Mail+Jabber)
/ \ I love long mails: http://email.is-not-s.ms/ | http://abe.noone.org/ (Web)
signature.asc
Description: Digital signature
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- Re: [screen-devel] [bug #50142] root exploit 4.5.0 (CVE-2017-5618),
Axel Beckert <=