Message-ID: <aCdTYYH_N9dXOYf8@netmeister.org>
Date: Fri, 16 May 2025 11:01:53 -0400
From: Jan Schaumann <jschauma@...meister.org>
To: oss-security@...ts.openwall.com
Subject: Re: screen: Multiple Security Issues in Screen
 (mostly affecting release 5.0.0 and setuid-root installations)

Matthias Gerstner <mgerstner@...e.de> wrote:
> we were surprised to find a local root exploit in
> the Screen 5.0.0 major version update affecting distributions that ship
> it as setuid-root (Arch Linux and NetBSD).

I think it's useful to clarify here that NetBSD does
_not_ ship with GNU screen(1) at all.  NetBSD's
third-party package manager pkgsrc[1] includes
screen(1), allowing users to install additional
software on top of the base OS.

That package as included in _pkgsrc_ was installed
setuid[2], but a NetBSD base installation does not
include that package.  (NetBSD happens to include
tmux(1) _in the base OS_, but not screen(1).)

This distinction between a base OS and add-on software
that is optionally available for users to choose tends
to cause confusion for some people, so I figured
it's worth noting.

-Jan

[1] https://www.pkgsrc.org/
[2] now no more since
    https://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=59417
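The distinction Jan draws matters operationally: whether a host is exposed depends not on the OS but on whether an add-on package installed screen(1) with the setuid bit. The following POSIX shell script is an added example, not part of the original message or of pkgsrc, that checks the usual install locations for a setuid screen binary. The paths are assumptions (`/usr/pkg` is pkgsrc's default prefix; the others are common locations for distribution or manual builds), and any extra paths can be passed as arguments.

```shell
#!/bin/sh
# Added example (not from the original message or from pkgsrc): report any
# screen(1) binary that carries the setuid bit. Candidate paths are assumptions:
# /usr/pkg is pkgsrc's default prefix, the others are common install locations.

# Return 0 if the path is a regular file with its setuid bit set, 1 otherwise.
is_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# Print every setuid candidate among the given paths.
# Return 0 if at least one was found, 1 if none were.
find_setuid_screen() {
    found=1
    for p in "$@"; do
        if is_setuid "$p"; then
            owner=$(ls -ld "$p" | awk '{print $3}')
            echo "setuid screen binary: $p (owner: $owner)"
            found=0
        fi
    done
    return $found
}

# When run directly with no arguments, check the default candidate locations.
if [ "$#" -eq 0 ]; then
    set -- /usr/pkg/bin/screen /usr/local/bin/screen /usr/bin/screen
fi
find_setuid_screen "$@" || echo "no setuid screen binary found among: $*"
```

A hit on `/usr/pkg/bin/screen` owned by root is the pkgsrc case described above; removing the setuid bit (or updating to a package that no longer sets it) is the fix, and the base NetBSD system itself contributes no such binary.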
