Your message dated Tue, 24 Jan 2017 22:35:59 +0000
with message-id <[email protected]>
and subject line Bug#852484: fixed in screen 4.5.0-3
has caused the Debian Bug report #852484,
regarding screen: Privilege escalation in Screen 4.5.0
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
852484: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=852484
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: screen
Version: 4.5.0-1
Severity: grave
Control: forwarded -1 https://savannah.gnu.org/bugs/?50142

A potential root exploit was reported upstream at
https://savannah.gnu.org/bugs/?50142 (currently private) but also
forwarded to a publicly archived mailing list at
https://lists.gnu.org/archive/html/screen-devel/2017-01/msg00025.html

In Debian with default configuration of the screen package, only access
to the utmp group can be gained -- which has very few privileges. See
https://lists.gnu.org/archive/html/screen-devel/2017-01/msg00027.html
for the impact in Debian.

Nevertheless the Debian screen package also supports different permissions
and hence some setups might be affected by the root exploit.

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (990, 'unstable'), (600, 'testing'), (500, 'unstable-debug'), (500, 'buildd-unstable'), (110, 'experimental'), (1, 'experimental-debug'), (1, 'buildd-experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages screen depends on:
ii  libc6      2.24-9
ii  libpam0g   1.1.8-3.5
ii  libtinfo5  6.0+20161126-1

screen recommends no packages.

Versions of packages screen suggests:
ii  byobu         5.112-1
ii  iselect       1.4.0-2+b1
ii  ncurses-term  6.0+20161126-1
ii  screenie      20120406-1

-- no debconf information

--- End Message ---
--- Begin Message ---
Source: screen
Source-Version: 4.5.0-3

We believe that the bug you reported is fixed in the latest version of
screen, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Axel Beckert <[email protected]> (supplier of updated screen package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 24 Jan 2017 22:57:44 +0100
Source: screen
Binary: screen screen-udeb
Architecture: source amd64
Version: 4.5.0-3
Distribution: unstable
Urgency: medium
Maintainer: Axel Beckert <[email protected]>
Changed-By: Axel Beckert <[email protected]>
Description:
 screen     - terminal multiplexer with VT100/ANSI terminal emulation
 screen-udeb - terminal multiplexer with VT100/ANSI terminal emulation - udeb (udeb)
Closes: 852484
Changes:
 screen (4.5.0-3) unstable; urgency=medium
 .
   * Add patch to revert upstream commit 5460f5d2 ("adding permissions
     check for the logfile name") which caused a privilege escalation.
     (Closes: #852484)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
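
As an added example (not part of the bug report or of the Debian package), the shell functions below classify which privilege the reported issue could expose on a host, based on the screen binary's permission bits and the package version. The function names, the output labels and the affected range (Debian revisions 1 and 2 of 4.5.0) are assumptions; the thread itself names only 4.5.0-1 as reported and 4.5.0-3 as fixed.

```shell
#!/bin/sh
# Added example: classify what an affected screen binary would expose.
# screen_exposure MODE OWNER GROUP VERSION
#   MODE    octal permissions as printed by `stat -c %a` (e.g. 2755)
#   VERSION Debian package version (e.g. 4.5.0-1)
screen_exposure() {
    mode=$1 owner=$2 group=$3 version=$4

    # Assumption: only Debian revisions 1 and 2 of 4.5.0 carry the
    # reverted commit (reported against 4.5.0-1, fixed in 4.5.0-3).
    case $version in
        4.5.0-1|4.5.0-1[+~]*|4.5.0-2|4.5.0-2[+~]*) ;;
        *) echo "not-affected-version"; return 0 ;;
    esac

    # Reject anything that is not a plain octal mode string.
    case $mode in
        ''|*[!0-7]*) echo "bad-mode"; return 2 ;;
    esac
    bits=$(( 0$mode ))

    if [ $(( bits & 04000 )) -ne 0 ] && [ "$owner" = root ]; then
        echo "root"            # setuid root: the root case from the report
    elif [ $(( bits & 02000 )) -ne 0 ]; then
        echo "group:$group"    # setgid: only that group (utmp by default)
    else
        echo "none"            # no set-id bit, nothing to gain
    fi
}

# Read the live values from the system and classify them.
# Usage: audit_screen /usr/bin/screen
audit_screen() {
    bin=${1:-/usr/bin/screen}
    [ -e "$bin" ] || { echo "absent"; return 0; }
    set -- $(stat -c '%a %U %G' "$bin")
    ver=$(dpkg-query -W -f='${Version}' screen 2>/dev/null)
    screen_exposure "$1" "$2" "$3" "$ver"
}
```

A result of `root` on a host still running an affected revision is the setup the report warns about; `group:utmp` matches the Debian default described above.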
