[Buildroot] [PATCH] screen: bump to version 4.2.1
Maarten ter Huurne
maarten at treewalker.org
Mon Sep 15 11:54:05 UTC 2014
Hi,
The Buildroot package of GNU Screen installs the binary as setuid root; both
the old (4.0.3) and the new (4.2.1) version do. After having spent some time
reading the Screen source code, I wouldn't trust it with root privileges on
any system where security is relevant.
I haven't seen (or looked for) any actual code that could be exploited, just
a code base that is really old, under-maintained and quite complex from all
the workarounds it contains. So it resembles the OpenSSL situation, although
it is not quite that bad.
It seems multiuser mode is the feature that requires Screen to be setuid
root. Which means that without setuid root, Screen works fine but users can
only connect to their own sessions.
I would like some guidance on how to proceed here:
- leave the setuid flag on
- always clear the setuid flag post-install
- make it a configuration option
- ...?
Bye,
Maarten
More information about the buildroot
mailing list