Most active commenters
  • mjevans(3)
  • bandrami(3)

←back to thread

Multiple security issues in GNU Screen

(www.openwall.com)
414 points st_goliath | 28 comments | 13 May 25 11:28 UTC | HN request time: 1.777s | source | bottom
1. teddyh ◴[13 May 25 12:09 UTC] No.43972000[source]
Note: In Debian, GNU screen is not installed with setuid-root privileges.
replies(4): >>43972155 #>>43972240 #>>43972667 #>>43972691 #
2. jesprenj ◴[13 May 25 12:27 UTC] No.43972155[source]
Likewise in Gentoo. But in Gentoo it has SETGID for utmp group. Though I'm not sure what the implications are.
replies(1): >>43972744 #
3. ktm5j ◴[13 May 25 12:37 UTC] No.43972240[source]
Looks like it is in Fedora.
replies(3): >>43972602 #>>43972615 #>>43972773 #
4. znpy ◴[13 May 25 13:16 UTC] No.43972602[source]
I wonder if there is some selinux policy to reduce the attack surface
replies(1): >>43975986 #
5. tmtvl ◴[13 May 25 13:17 UTC] No.43972615[source]
Likewise in Arch.
6. jmclnx ◴[13 May 25 13:22 UTC] No.43972667[source]
Slackware 15:

lrwxrwxrwx 1 root root 12 Feb 11 2022 /usr/bin/screen -> screen-4.9.0

-rwxr-xr-x 1 root root 455016 Feb 1 2022 /usr/bin/screen-4.9.0

no suid

replies(1): >>43979544 #
7. perlgeek ◴[13 May 25 13:24 UTC] No.43972691[source]
And the package in Debian Stable (aka bookworm) is too old to be affected by the vulnerabilities in 5.0.0.

I used to hate that Debian always was behind on software versions, but now I use different package sources for the few applications where I really don't want to rely on old software (like browsers), and otherwise doing great with the old stuff :-)

replies(2): >>43972806 #>>43980202 #
8. JdeBP ◴[13 May 25 13:29 UTC] No.43972744[source]
If one is in group utmp, one can mess with the login accounting database: the table of currently active logins, the log of log-ons/log-offs, and the table of per-user last logins.

https://jdebp.uk/FGA/unix-login-database.html

The login accounting system that Linux-based operating systems have inherited from Unix really has never reconciled its initial real-terminal-login-only superuser-managed design with the fact that non-superuser programs that allocate pseudo-terminals (e.g. any local terminal emulator, NeoVIM, tmux, screen) want to (over)write entries for those pseudo-terminals in the login accounting database to make the output of the "who" command (and its ilk) more complete.

The best approach I've seen was to re-think the idea; have the pseudo-terminal-using programs run entirely unprivileged and use a client-server model where only the server actually has access to the database files.

Laurent Bercot did this. It fixes many holes, including that the log of log-ons/log-offs is made truly append-only (modulo superuser access to the underlying files). But it has the same architectural problem that any client in the group can overwrite any currently active login record if it knows the record ID, which by design (and the Single Unix Specification) there's an API for enumerating.

* https://skarnet.org/software/utmps/

Both the BSDs and M. Bercot have improved the situation with pututxline(), but it's still not out of the woods yet.

replies(1): >>43973078 #
9. mlichvar ◴[13 May 25 13:31 UTC] No.43972773[source]
On Fedora it is setgid screen, not root.
10. mjevans ◴[13 May 25 13:35 UTC] No.43972806[source]
Related... https://bugzilla.mozilla.org/show_bug.cgi?id=1966096

If you're running Firefox on Debian please make sure you manually update it since the package repo's been down for a while. I filed a 'support' ticket first ( https://support.mozilla.org/en-US/questions/1510388 ) since it seemed to be the proper place, but no one seems to look at those.

replies(2): >>43974517 #>>43974767 #
11. anthk ◴[13 May 25 14:00 UTC] No.43973078{3}[source]
I set TMPDIR to $HOME/tmp because of that.
replies(1): >>43975355 #
12. sillystuff ◴[13 May 25 16:12 UTC] No.43974517{3}[source]
The repo appears to be working for installing/updating packages. Mozilla should allow file listing which should fix the 404s, and make this repo behave as expected when manually browsed (Apparently hosted on a Google webserver; maybe Google forbids this?).

  apt-get changelog firefox
  Get:1 store: firefox 138.0.3~build1 Changelog
  Fetched 129 B in 0s (0 B/s)
  firefox (138.0.3~build1) UNRELEASED; urgency=medium
 
    * N/A
 
   -- Mozilla <release@mozilla.com>  Mon, 12 May 2025 12:40:33 -0000

  date
  Tue May 13 08:56:09 AM PDT 2025
Or, to really prove it to yourself, you can re-download the package:

  apt-get install --download-only --reinstall firefox
replies(1): >>43975405 #
13. foresto ◴[13 May 25 16:35 UTC] No.43974767{3}[source]
This is about Mozilla's builds of Firefox for Debian, not Debian's builds, right? So regular Debian users who run the default Firefox (firefox-esr) would be unaffected.
replies(1): >>43975107 #
14. mjevans ◴[13 May 25 17:00 UTC] No.43975107{4}[source]
Correct, but that's firefox-esr not firefox. At one point I found it necessary to switch as there was an issue with security updates, but that might have been an issue in that particular system's configuration that I since resolved.
replies(1): >>43979073 #
15. blueflow ◴[13 May 25 17:20 UTC] No.43975355{4}[source]
Except for the name, TMPDIR is unrelated to utmp.
replies(1): >>43975634 #
16. mjevans ◴[13 May 25 17:25 UTC] No.43975405{4}[source]
I will have to look into that more tomorrow. My only Debian desktop is a laptop at family's house and currently asleep. It mentioned an error with the repository but my first troubleshooting step was to try to manually verify I could _get_ to the repo in a browser.
17. anthk ◴[13 May 25 17:46 UTC] No.43975634{5}[source]
I know; but it mitigates some potential race conditions.
replies(1): >>43975651 #
18. blueflow ◴[13 May 25 17:47 UTC] No.43975651{6}[source]
More info on that?
19. JCattheATM ◴[13 May 25 18:17 UTC] No.43975986{3}[source]
There almost certainly is, pretty sure Fedora has an SELinux policy for all software in base.
20. foresto ◴[13 May 25 23:34 UTC] No.43979073{5}[source]
To be clear for the sake of other readers, Debian's firefox-esr package is Firefox.

It's simply a release from Mozilla's Extended Support Release channel, as distinct from the Rapid Release channel that you are apparently using. Not a different project/product.

https://support.mozilla.org/en-US/kb/choosing-firefox-update...

21. jmclnx ◴[14 May 25 00:49 UTC] No.43979544[source]
FWIW, Slackware 15 was updated to screen to screen-4.9.1.

This update fixes security issues:

* attacher.c - prevent temporary 0666 mode on PTYs.

* avoid file existence test information leaks.

* socket.c - don't send signals with root privileges.

replies(1): >>43982312 #
22. bandrami ◴[14 May 25 02:45 UTC] No.43980202[source]
Debian stable users missed heartbleed entirely. I think the glacial pace is underrated.
replies(2): >>43980272 #>>43982665 #
23. krferriter ◴[14 May 25 02:57 UTC] No.43980272{3}[source]
Glacial page bedrock of an OS with optional sandboxed more-up-to-date userspace packages and runtimes that can be layered on top of the host system was the dream of flatpak/snap/appimage, right?
replies(1): >>43980724 #
24. bandrami ◴[14 May 25 04:11 UTC] No.43980724{4}[source]
Yes, though that comes with its own headaches since the data those sandboxed applications are supposed to touch are the only actually valuable data on my computer. (How many versions of OpenSSL are currently running on my Silverblue system? I literally couldn't tell you.) My spreadsheet is only vouched for by some random dude on Flathub and it can steal all my financial information. But at least it can't add a printer, or delete a system file that I can freely download from the Internet at any time.
replies(1): >>43996520 #
25. lazide ◴[14 May 25 08:42 UTC] No.43982312{3}[source]
Damn, Slackware. That’s a name I haven’t heard in a very long time.
26. rs_rs_rs_rs_rs ◴[14 May 25 09:49 UTC] No.43982665{3}[source]
> Debian stable users missed heartbleed entirely

Missed it? Not at all, Debian pioneered that style of bugs years before!

https://github.com/g0tmi1k/debian-ssh

replies(1): >>43983784 #
27. bandrami ◴[14 May 25 12:38 UTC] No.43983784{4}[source]
And the default SELinux config was broken for like 15 years IIRC. It's always pick your poison.
28. rlpb ◴[15 May 25 16:16 UTC] No.43996520{5}[source]
This a decent observation, but I would add that some other Flatpak app that you run might be correctly sandboxed from accessing your financial information, and this is the real benefit of such a system.