[Buildroot] [PATCH] screen: bump to version 4.2.1

Maarten ter Huurne maarten at treewalker.org
Mon Sep 15 11:54:05 UTC 2014


Hi,

The Buildroot package of GNU Screen installs the binary as setuid root; both 
the old (4.0.3) and the new (4.2.1) version do. After having spent some time 
reading the Screen source code, I wouldn't trust it with root privileges on 
any system where security is relevant.

I haven't seen (or looked for) any actual code that could be exploited, just 
a code base that is really old, under-maintained and quite complex from all 
the workarounds it contains. So it resembles the OpenSSL situation, although 
it is not quite that bad.

It seems multiuser mode is the feature that requires Screen to be setuid 
root. Which means that without setuid root, Screen works fine but users can 
only connect to their own sessions.

I would like some guidance on how to proceed here:
- leave the setuid flag on
- always clear the setuid flag post-install
- make it a configuration option
- ...?

Bye,
		Maarten




More information about the buildroot mailing list