oss-sec mailing list archives
Re: screen: Multiple Security Issues in Screen (mostly affecting release 5.0.0 and setuid-root installations)
From: Matthias Gerstner <mgerstner () suse de>
Date: Wed, 14 May 2025 13:45:05 +0200
Hello Thomas,

On Tue, May 13, 2025 at 06:21:06PM +0200, Dr. Thomas Orgis wrote:
> Are you sure the safe default wins? I also read configure.ac as such,
> at a first glance … but running plain configure results in
>
> $ grep PTYMODE config.h
>  * define PTYMODE if you do not like the default of 0622, which allows
> /* #undef PTYMODE */
>
> on a Debian 12 machine with perhaps a specific setup because of
> multiuser access — exactly the situation where the world-writable ptys
> are of most concern. Configure messages:
>
> configure: checking for ptyranges...
> configure: checking default tty permissions/group...
> checking for write... /usr/bin/write
> checking for xterm... no
> - ptys are world accessable

we did not dive this deeply into the configure script logic, we simply
assumed it always applies the default without further checks. It seems
to work out on openSUSE Tumbleweed in the build service context at least.

As we stated in the report, explicitly passing the mode, and likely also
the group is the recommended way to avoid any uncertainties in this
area.

Cheers

Matthias
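Added example, not part of the original message or of the screen project: a post-configure check that fails a build when `config.h` leaves `PTYMODE` undefined or defines it with the world-write bit set. The function names and sample file contents are constructed; the 0622 fallback is taken from the `config.h` comment quoted in the message.

```shell
#!/bin/sh
# Added example: audit a generated config.h for the PTYMODE outcome discussed above.
# Function names and the sample config.h contents are constructed for illustration.

# Matches an active "#define PTYMODE <octal>" line; "/* #undef PTYMODE */" does not match.
PTYMODE_RE='^[[:space:]]*#[[:space:]]*define[[:space:]]+PTYMODE[[:space:]]+([0-7]+)'

# Print the mode the build will use: the defined value, or 0622 when PTYMODE is
# undefined (the fallback named in the config.h comment quoted in the thread).
effective_ptymode() {
    mode=$(sed -nE "s/${PTYMODE_RE}.*/\1/p" "$1" | tail -n 1)
    printf '%s\n' "${mode:-0622}"
}

# Return 0 only when PTYMODE is explicitly defined and lacks the world-write bit (0002).
# Return 1 when it is undefined, 2 when it is defined but world-writable.
check_ptymode() {
    mode=$(effective_ptymode "$1")
    if ! grep -Eq "$PTYMODE_RE" "$1"; then
        echo "FAIL: PTYMODE undefined in $1, fallback $mode applies"
        return 1
    fi
    if [ $(( 0$mode & 0002 )) -ne 0 ]; then
        echo "FAIL: PTYMODE $mode in $1 is world-writable"
        return 2
    fi
    echo "OK: PTYMODE $mode in $1"
}

demo() {
    dir=$(mktemp -d) || return 1
    # Constructed sample 1: the state shown by the quoted grep output.
    printf '%s\n' ' * define PTYMODE if you do not like the default of 0622, which allows' \
        '/* #undef PTYMODE */' > "$dir/undef.h"
    # Constructed sample 2: a mode passed explicitly at configure time.
    printf '%s\n' '#define PTYMODE 0620' > "$dir/explicit.h"
    for f in "$dir/undef.h" "$dir/explicit.h"; do
        check_ptymode "$f" || true
    done
    rm -rf "$dir"
}
demo
```

In a packaging script, `check_ptymode config.h` can run right after `configure` so that an undefined or world-writable mode stops the build instead of shipping.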
