Summary: | =app-misc/screen-4.5.0 - root privilege escalation when /usr/bin/screen is set setgid/setuid with -L <file> | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Jeroen Roovers (RETIRED) <jer> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | trivial | CC: | cloos, shell-tools, swegener, xmw |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://www.openwall.com/lists/oss-security/2017/01/24/10 | ||
See Also: | http://savannah.gnu.org/bugs/?50142 | ||
Whiteboard: | ~1 [noglsa] | ||
Package list: | Runtime testing required: | --- |
Description
Jeroen Roovers (RETIRED)
2017-01-24 21:29:19 UTC
Please also note bug #591772 - it currently prevents screen from being usable without suid.

The screen-devel mailing list says that reverting [1] brings back an older problem but also fixes this vulnerability.

[1] http://git.savannah.gnu.org/cgit/screen.git/commit/?h=screen-v4&id=5460f5d28c01a9a58e021eb1dffef2965e629d58

(In reply to Jeroen Roovers from comment #2)
> The screen-devel mailing list says that reverting [1] brings back an older
> problem but also fixes this vulnerability.
>
> [1]
> http://git.savannah.gnu.org/cgit/screen.git/commit/?h=screen-v4&id=5460f5d28c01a9a58e021eb1dffef2965e629d58

And Debian has rolled out a revision that does exactly that.
https://packages.qa.debian.org/s/screen/news/20170124T223559Z.html

I've added 4.5.0-r1, reverting the upstream commit.

So that's fixed, then.

So the bug was only present in a new version which only appeared in ~ARCH. Repository is clean, no need to stabilize anything.

Thank you maintainer(s)!