Re: screen: Multiple Security Issues in Screen (mostly affecting release 5.0.0 and setuid-root installations)

[Eli Schwartz <eschwartz () gentoo org>]

On 5/16/25 11:01 AM, Jan Schaumann wrote:
> Matthias Gerstner <mgerstner () suse de> wrote:
> > we were surprised to find a local root exploit in
> > the Screen 5.0.0 major version update affecting distributions that ship
> > it as setuid-root (Arch Linux and NetBSD).
>
> I think it's useful to clarify here that NetBSD does
> _not_ ship with GNU screen(1) at all.  NetBSD's
> third-party package manager pkgsrc[1] includes
> screen(1), allowing users to install additional
> software on top of the base OS.
>
> That package as included in _pkgsrc_ was installed
> setuid[2], but a NetBSD base installation does not
> include that package.  (NetBSD happens to include
> tmux(1) _in the base OS_, but not screen(1).)
>
> This distinction between a base OS and add-on software
> that is optionally available for users to choose tends
> to cause confusion for some people, so I figured
> it's worth noting.


This is a nonsensical claim, but if I accept it as stated then I will
counter-assert that zero (0) Linux distros are vulnerable as they don't
preinstall screen in the base OS.

The definition of "the NetBSD base installation" is "nobody uses it".
People use computing devices in order to run software on it. You cannot
consider your OS in a bubble and go "well ackshually it's perfectly
secure unless you use the builtin software to install official software,
but we don't support that as a secure option".

Yes, this applies to other BSDs too. You know who I'm talking about. :P


-- 
Eli Schwartz

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature