screen: CVE-2017-5618: Privilege escalation in Screen 4.5.0

Related Vulnerabilities: CVE-2017-5618  

Debian Bug report logs - #852484

Package: screen; Maintainer for screen is Axel Beckert <abe@debian.org>; Source for screen is src:screen.

Reported by: Axel Beckert <abe@debian.org>

Date: Tue, 24 Jan 2017 21:39:02 UTC

Severity: grave

Tags: security

Found in version screen/4.5.0-1

Fixed in version screen/4.5.0-3

Done: Axel Beckert <abe@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://savannah.gnu.org/bugs/?50142



Report forwarded to debian-bugs-dist@lists.debian.org, abe@debian.org, security@debian.org:
Bug#852484; Package screen. (Tue, 24 Jan 2017 21:39:04 GMT)


Acknowledgement sent to Axel Beckert <abe@debian.org>:
New Bug report received and forwarded. Copy sent to abe@debian.org, security@debian.org. (Tue, 24 Jan 2017 21:39:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Axel Beckert <abe@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: screen: Privilege escalation in Screen 4.5.0
Date: Tue, 24 Jan 2017 22:37:28 +0100
Package: screen
Version: 4.5.0-1
Severity: grave
Control: forwarded -1 https://savannah.gnu.org/bugs/?50142

A potential root exploit was reported upstream at
https://savannah.gnu.org/bugs/?50142 (currently private) but also
forwarded to a publicly archived mailing list at
https://lists.gnu.org/archive/html/screen-devel/2017-01/msg00025.html

In Debian with default configuration of the screen package, only access
to the utmp group can be gained -- which has very few privileges. See
https://lists.gnu.org/archive/html/screen-devel/2017-01/msg00027.html
for the impact in Debian.

Nevertheless the Debian screen package also supports different permissions
and hence some setups might be affected by the root exploit.

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (990, 'unstable'), (600, 'testing'), (500, 'unstable-debug'), (500, 'buildd-unstable'), (110, 'experimental'), (1, 'experimental-debug'), (1, 'buildd-experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages screen depends on:
ii  libc6      2.24-9
ii  libpam0g   1.1.8-3.5
ii  libtinfo5  6.0+20161126-1

screen recommends no packages.

Versions of packages screen suggests:
ii  byobu         5.112-1
ii  iselect       1.4.0-2+b1
ii  ncurses-term  6.0+20161126-1
ii  screenie      20120406-1

-- no debconf information
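
Added example, not part of the original report or of the screen package: the report above says the impact depends on the permissions of the installed binary (utmp group access in the default Debian setup, root in other setups), so this sketch classifies a host from the package version and the binary's mode, owner and group. The function names are hypothetical, the sample inputs are constructed, and treating every revision from "Found in" 4.5.0-1 up to but excluding "Fixed in" 4.5.0-3 as affected is an assumption.

```shell
#!/bin/sh
# Added example (not from the bug report). Classifies exposure to CVE-2017-5618
# from the Debian package version and the mode/owner/group of the screen binary.

# Assumption: revisions from "Found in" 4.5.0-1 up to, but excluding,
# "Fixed in" 4.5.0-3 are treated as affected (binNMU suffixes like +b1 included).
version_in_affected_range() {
    case "$1" in
        4.5.0-[12] | 4.5.0-[12][!0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Args: version, octal mode (as printed by stat %a), owner, group.
classify_screen_exposure() {
    version=$1 mode=$2 owner=$3 group=$4
    if ! version_in_affected_range "$version"; then
        echo "version-not-in-affected-range"
        return 0
    fi
    mode=$(printf '%04o' "0$mode")   # pad so the special-bits digit comes first
    special=${mode%???}
    case "$special" in [4567]) suid=1 ;; *) suid=0 ;; esac
    case "$special" in [2367]) sgid=1 ;; *) sgid=0 ;; esac
    if [ "$suid" -eq 1 ] && [ "$owner" = root ]; then
        echo "setuid-root: root escalation possible"
    elif [ "$suid" -eq 1 ]; then
        echo "setuid-$owner: escalation to user $owner"
    elif [ "$sgid" -eq 1 ]; then
        echo "setgid-$group: escalation limited to group $group"
    else
        echo "no setuid/setgid bit: screen runs unprivileged"
    fi
}

# Live check on a Debian system (hypothetical helper; silent if screen is absent).
check_installed_screen() {
    bin=$(command -v screen) || return 0
    ver=$(dpkg-query -W -f='${Version}' screen 2>/dev/null) || return 0
    meta=$(stat -L -c '%a %U %G' "$bin") || return 0
    set -- $meta
    classify_screen_exposure "$ver" "$1" "$2" "$3"
}

# Constructed sample inputs, not taken from a real host.
classify_screen_exposure 4.5.0-1 2755 root utmp
classify_screen_exposure 4.5.0-1 4755 root root
classify_screen_exposure 4.5.0-3 4755 root root
check_installed_screen
```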



Set Bug forwarded-to-address to 'https://savannah.gnu.org/bugs/?50142'. Request was from Axel Beckert <abe@debian.org> to submit@bugs.debian.org. (Tue, 24 Jan 2017 21:39:04 GMT)


Added tag(s) pending. Request was from Axel Beckert <abe@debian.org> to control@bugs.debian.org. (Tue, 24 Jan 2017 21:54:10 GMT)


Reply sent to Axel Beckert <abe@debian.org>:
You have taken responsibility. (Tue, 24 Jan 2017 22:39:08 GMT)


Notification sent to Axel Beckert <abe@debian.org>:
Bug acknowledged by developer. (Tue, 24 Jan 2017 22:39:08 GMT)


Message #14 received at 852484-close@bugs.debian.org:

From: Axel Beckert <abe@debian.org>
To: 852484-close@bugs.debian.org
Subject: Bug#852484: fixed in screen 4.5.0-3
Date: Tue, 24 Jan 2017 22:35:59 +0000
Source: screen
Source-Version: 4.5.0-3

We believe that the bug you reported is fixed in the latest version of
screen, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 852484@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Axel Beckert <abe@debian.org> (supplier of updated screen package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 24 Jan 2017 22:57:44 +0100
Source: screen
Binary: screen screen-udeb
Architecture: source amd64
Version: 4.5.0-3
Distribution: unstable
Urgency: medium
Maintainer: Axel Beckert <abe@debian.org>
Changed-By: Axel Beckert <abe@debian.org>
Description:
 screen     - terminal multiplexer with VT100/ANSI terminal emulation
 screen-udeb - terminal multiplexer with VT100/ANSI terminal emulation - udeb (udeb)
Closes: 852484
Changes:
 screen (4.5.0-3) unstable; urgency=medium
 .
   * Add patch to revert upstream commit 5460f5d2 ("adding permissions
     check for the logfile name") which caused a privilege escalation.
     (Closes: #852484)




Added tag(s) security. Request was from Adrian Bunk <bunk@debian.org> to control@bugs.debian.org. (Wed, 25 Jan 2017 10:24:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Axel Beckert <abe@debian.org>:
Bug#852484; Package screen. (Sun, 29 Jan 2017 13:21:09 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Axel Beckert <abe@debian.org>. (Sun, 29 Jan 2017 13:21:09 GMT)


Message #21 received at 852484@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Axel Beckert <abe@debian.org>, 852484@bugs.debian.org
Subject: Re: Bug#852484: screen: Privilege escalation in Screen 4.5.0
Date: Sun, 29 Jan 2017 14:19:53 +0100
Control: retitle -1 screen: CVE-2017-5618: Privilege escalation in Screen 4.5.0

A CVE has been assigned for this issue on oss-security
(CVE-2017-5618):

http://www.openwall.com/lists/oss-security/2017/01/29/3

Regards,
Salvatore



Changed Bug title to 'screen: CVE-2017-5618: Privilege escalation in Screen 4.5.0' from 'screen: Privilege escalation in Screen 4.5.0'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 852484-submit@bugs.debian.org. (Sun, 29 Jan 2017 13:21:09 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 27 Feb 2017 07:32:27 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:01:30 2019; Machine Name: buxtehude
