tech-pkg archive


Re: proper fix / hotfix for screen world-writable ttys



On Tue, May 13, 2025 at 07:34:04PM +0200, Dr. Thomas Orgis wrote:
> Should we add that to misc/screen4
> to ensure that the flawed tty group checks do not trigger? Should I
> also add the patches OpenSUSE prepared? There are 3 for 4.9.1:
> 
> 0001-attacher.c-prevent-temporary-0666-mode-on-PTYs-to-fi.patch
> 0002-Avoid-file-existence-test-information-leaks-to-fix-C.patch
> 0003-socket.c-don-t-send-signals-with-root-privileges-to-.patch

I don't care much about screen, but I already added these patches to
the screen4 package - both screen4 and screen (5) have the SUSE
patches applied in pkgsrc.

Upstream had a 5.0.1 tag in their repository yesterday (with a news
file listing the CVEs as fixed), but no release tarball available in
the usual places yet. Perhaps that has changed in the meantime.

If you read the openSUSE report, screen5 should probably be avoided
for now.

 Thomas

