/tmp/screen-exchange still unsafe

Related Vulnerabilities: CVE-2009-1214   CVE-2009-1215  

Debian Bug report logs - #521123


Package: screen; Maintainer for screen is Axel Beckert <abe@debian.org>; Source for screen is src:screen (PTS, buildd, popcon).

Reported by: Kees Cook <kees@debian.org>

Date: Wed, 25 Mar 2009 00:36:01 UTC

Severity: normal

Tags: security

Found in version screen/4.0.3-3

Fixed in versions screen/4.0.3-13, screen/4.0.3-11+lenny1

Done: Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>:
Bug#521123; Package screen. (Wed, 25 Mar 2009 00:36:03 GMT)


Acknowledgement sent to Kees Cook <kees@debian.org>:
New Bug report received and forwarded. Copy sent to Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>.

Your message specified a Severity: in the pseudo-header, but the severity value low was not recognised. The default severity normal is being used instead. The recognised values are: critical, grave, serious, important, normal, minor, wishlist, fixed.

(Wed, 25 Mar 2009 00:36:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Kees Cook <kees@debian.org>
To: Debian Bugs <submit@bugs.debian.org>
Subject: /tmp/screen-exchange still unsafe
Date: Tue, 24 Mar 2009 17:33:18 -0700
Package: screen
Version: 4.0.3-3
Severity: low
Tags: security
User: ubuntu-devel@lists.ubuntu.com
Usertags: origin-ubuntu jaunty

Hi,

Based on the bug report[1] in Ubuntu, /tmp/screen-exchange is still being
created unsafely (lacks O_CREAT|O_EXCL, has a race, etc).  Upstream has a
report open[2] as well.

-Kees

[1] https://bugs.launchpad.net/bugs/315993
[2] http://savannah.gnu.org/bugs/?25296

-- 
Kees Cook                                            @debian.org
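
The unsafe pattern Kees describes (a fixed path under /tmp opened with O_CREAT but without O_EXCL, so a symlink someone has already planted at that name is silently followed) beside the hardened open that the changelog entries below refer to ("symlink attacks against the public exchange file are prevented again", with the umask kept). This is an added example, not code from screen or from the Debian package: the function names, the 0644 mode and the scratch-directory harness are assumptions of this example. The harness plants a symlink inside its own private mkdtemp() directory and reports whether each variant wrote through it.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define EXCHANGE_MODE 0644   /* world-readable "public exchange file" (assumed mode) */

/* Unsafe pattern from the report: fixed path, O_CREAT without O_EXCL.
 * If a symlink already sits at `path`, open() follows it and O_TRUNC
 * empties whatever the link points at. There is also a window between
 * any prior "does it exist?" check and this open() that can be raced. */
int open_exchange_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, EXCHANGE_MODE);
}

/* Hardened pattern: O_EXCL makes open() fail if anything (file or symlink)
 * already exists at `path`, and O_NOFOLLOW refuses symlinks outright, so
 * check and create are one atomic step. The umask is left untouched,
 * matching the "keep the umask" fix in the changelog. */
int open_exchange_safe(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, EXCHANGE_MODE);
    if (fd < 0)
        return -1;
    /* Defence in depth: confirm we hold a freshly created regular file
     * that we own, before anything is written to it. */
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed scenario: in a private mkdtemp() directory create a "victim"
 * file and, if plant_symlink is set, a symlink named screen-exchange that
 * points at it; then call open_fn on that name and write to it.
 * Returns 1 if the write landed in victim (link followed), 0 if open_fn
 * refused, 2 if open_fn created a fresh regular file, -1 on setup error. */
int exchange_scenario(int (*open_fn)(const char *), int plant_symlink)
{
    static const char payload[] = "clobbered\n";
    const size_t plen = sizeof payload - 1;
    char dir[64], target[128], linkpath[128];
    struct stat st;
    int fd, result = -1;

    strcpy(dir, "/tmp/exchange-demo-XXXXXX");
    if (!mkdtemp(dir)) {                 /* fall back to cwd if /tmp is unusable */
        strcpy(dir, "./exchange-demo-XXXXXX");
        if (!mkdtemp(dir))
            return -1;
    }
    snprintf(target, sizeof target, "%s/victim", dir);
    snprintf(linkpath, sizeof linkpath, "%s/screen-exchange", dir);

    fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        goto out;
    { ssize_t n = write(fd, "secret\n", 7); close(fd); if (n != 7) goto out; }
    if (plant_symlink && symlink(target, linkpath) < 0)
        goto out;

    fd = open_fn(linkpath);
    if (fd < 0) {
        result = 0;                      /* refused: nothing was touched */
    } else {
        ssize_t n = write(fd, payload, plen);
        close(fd);
        if (n == (ssize_t)plen && lstat(linkpath, &st) == 0) {
            if (S_ISLNK(st.st_mode))     /* wrote through the link: victim was truncated */
                result = (stat(target, &st) == 0 && (size_t)st.st_size == plen) ? 1 : -1;
            else if (S_ISREG(st.st_mode))
                result = 2;
        }
    }
out:
    unlink(linkpath);
    unlink(target);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("unsafe open, symlink planted: %d (1 = followed the link)\n",
           exchange_scenario(open_exchange_unsafe, 1));
    printf("safe open,   symlink planted: %d (0 = refused)\n",
           exchange_scenario(open_exchange_safe, 1));
    printf("safe open,   nothing planted: %d (2 = fresh file created)\n",
           exchange_scenario(open_exchange_safe, 0));
    return 0;
}
```

O_EXCL is what actually closes the race: a separate existence check before open() can never be made atomic with it, whereas create-or-fail in one system call leaves no window. The fstat() check afterwards is belt-and-braces; it costs nothing and catches a platform where O_NOFOLLOW is a no-op.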




Reply sent to Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>:
You have taken responsibility. (Fri, 17 Apr 2009 09:48:08 GMT)


Notification sent to Kees Cook <kees@debian.org>:
Bug acknowledged by developer. (Fri, 17 Apr 2009 09:48:08 GMT)


Message #10 received at 521123-close@bugs.debian.org:

From: Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>
To: 521123-close@bugs.debian.org
Subject: Bug#521123: fixed in screen 4.0.3-13
Date: Fri, 17 Apr 2009 09:32:12 +0000
Source: screen
Source-Version: 4.0.3-13

We believe that the bug you reported is fixed in the latest version of
screen, which is due to be installed in the Debian FTP archive:

screen_4.0.3-13.diff.gz
  to pool/main/s/screen/screen_4.0.3-13.diff.gz
screen_4.0.3-13.dsc
  to pool/main/s/screen/screen_4.0.3-13.dsc
screen_4.0.3-13_amd64.deb
  to pool/main/s/screen/screen_4.0.3-13_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 521123@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de> (supplier of updated screen package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 10 Apr 2009 18:20:49 +0200
Source: screen
Binary: screen
Architecture: source amd64
Version: 4.0.3-13
Distribution: unstable
Urgency: low
Maintainer: Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>
Changed-By: Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>
Description: 
 screen     - terminal multiplexor with VT100/ANSI terminal emulation
Closes: 520317 520359 521123 522689
Changes: 
 screen (4.0.3-13) unstable; urgency=low
 .
   * Sync with Ubuntu, closes: #520359. New dpatches:
     * 33increase_max_winmsg_renditions
     * 35screen_invoked_with_a_command (cherry-picked from upstream)
   * Bump Standards version to 3.8.1 (again, no changes).
   * Accommodate initscript to adjust the $SCREENDIR permissions
     correctly even if /usr/bin/screen is installed 0755.
     Add a Q&A pair to README.Debian to clarify this problem.
     Closes: #520317.
   * Fix #433338 properly by keeping the umask instead of dropping
     the 'public exchange file' concept. Modify dpatch 22.
     Addresses CVE-2009-1214, CVE-2009-1215, closes: #521123.
   * Depend on patch-stamp instead of patch in debian/rules.
     (Phony targets as intermediates in a dep chain are braindead.)
   * Fix job control and CTTY handling on our new kfreebsd archs.
     Closes: #522689. Thanks to Axel Beckert for his support!
Checksums-Sha1: 
 59a8a50583b41231f8ce8644f4639804e6823285 1096 screen_4.0.3-13.dsc
 17359bf914c2369146f5c6cc009e7b5643aa5cc3 132891 screen_4.0.3-13.diff.gz
 26f62a5d3c49a493dc871f9954c05589901dd1be 626354 screen_4.0.3-13_amd64.deb
Checksums-Sha256: 
 691aa9706c187edc259f10fbdbb0b70eb653b6de66f743aedef64a5321c6dccc 1096 screen_4.0.3-13.dsc
 f85b8b1b478f1027fa1c8bb6e8f38e60ab95c09662584cd4157b914707560c57 132891 screen_4.0.3-13.diff.gz
 c6bedf903a150e99ccd3bd0bc73505b48895f95f3d3919778fbd398897bcfd7c 626354 screen_4.0.3-13_amd64.deb
Files: 
 157dd78e0ca325b4b944720b154074b6 1096 misc optional screen_4.0.3-13.dsc
 4c43dfec73755dfc460024b1b65a91a6 132891 misc optional screen_4.0.3-13.diff.gz
 c1662f7f24f5aa365f0104a5a891cd1a 626354 misc optional screen_4.0.3-13_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAknoSTYACgkQHYflSXNkfP8uxgCaApwJNI5AN0hdVl/vDAZh6ngP
xZ0An0KQyN5iXXlT2EBS4Uq7dNBJP6TX
=Snkz
-----END PGP SIGNATURE-----





Reply sent to Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>:
You have taken responsibility. (Sat, 02 May 2009 16:03:14 GMT)


Notification sent to Kees Cook <kees@debian.org>:
Bug acknowledged by developer. (Sat, 02 May 2009 16:03:14 GMT)


Message #15 received at 521123-close@bugs.debian.org:

From: Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>
To: 521123-close@bugs.debian.org
Subject: Bug#521123: fixed in screen 4.0.3-11+lenny1
Date: Sat, 02 May 2009 15:49:27 +0000
Source: screen
Source-Version: 4.0.3-11+lenny1

We believe that the bug you reported is fixed in the latest version of
screen, which is due to be installed in the Debian FTP archive:

screen_4.0.3-11+lenny1.diff.gz
  to pool/main/s/screen/screen_4.0.3-11+lenny1.diff.gz
screen_4.0.3-11+lenny1.dsc
  to pool/main/s/screen/screen_4.0.3-11+lenny1.dsc
screen_4.0.3-11+lenny1_i386.deb
  to pool/main/s/screen/screen_4.0.3-11+lenny1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 521123@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de> (supplier of updated screen package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 04 Apr 2009 02:10:09 +0200
Source: screen
Binary: screen
Architecture: source i386
Version: 4.0.3-11+lenny1
Distribution: stable
Urgency: high
Maintainer: Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>
Changed-By: Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>
Description: 
 screen     - terminal multiplexor with VT100/ANSI terminal emulation
Closes: 521123
Changes: 
 screen (4.0.3-11+lenny1) stable; urgency=high
 .
   * Security upload.
   * Change the fix for #433338 so symlink attacks against the
     public exchange file are prevented again. Closes: #521123.
     Tracked as CVE-2009-1214 and CVE-2009-1215.
Checksums-Sha1: 
 403a959e861176317267d262c8ba28ce2d03e0d6 1079 screen_4.0.3-11+lenny1.dsc
 beb7ca2d72247fdb7bbf0f6047648bcf49d48309 130043 screen_4.0.3-11+lenny1.diff.gz
 c521a8ab10f98f9599654b2c000b5dd77696c53e 604366 screen_4.0.3-11+lenny1_i386.deb
Checksums-Sha256: 
 5f39654dbb2759e9da97a25f58d37c212dbfaba44ef967b4c8aea46a505bbd17 1079 screen_4.0.3-11+lenny1.dsc
 19130d097e9ed897c84a2c640634dd36ee3233c17b0bf5d18549ed1e064b3073 130043 screen_4.0.3-11+lenny1.diff.gz
 cf40a1a96e2cc20b2fd7ee67f9d800606f3065642b2dee83027767bd788f5fbc 604366 screen_4.0.3-11+lenny1_i386.deb
Files: 
 42797bf22534be17ea4b9ce8f76a88d5 1079 misc optional screen_4.0.3-11+lenny1.dsc
 9bacd9be1d9c57e2e0381df2775b33e0 130043 misc optional screen_4.0.3-11+lenny1.diff.gz
 6e6fc39407ee8a7971b42b52756afafd 604366 misc optional screen_4.0.3-11+lenny1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAknUpYoACgkQHYflSXNkfP/z7ACfdBoD/3E7Gpo6zXIPGSCYCXML
S1cAnAnJc279N2j5j9eSI+PucECGgaix
=FDzc
-----END PGP SIGNATURE-----





Reply sent to Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>:
You have taken responsibility. (Sat, 27 Jun 2009 16:39:09 GMT)


Notification sent to Kees Cook <kees@debian.org>:
Bug acknowledged by developer. (Sat, 27 Jun 2009 16:39:09 GMT)


Message #20 received at 521123-close@bugs.debian.org:

From: Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>
To: 521123-close@bugs.debian.org
Subject: Bug#521123: fixed in screen 4.0.3-11+lenny1
Date: Sat, 27 Jun 2009 16:04:49 +0000
Source: screen
Source-Version: 4.0.3-11+lenny1

We believe that the bug you reported is fixed in the latest version of
screen, which is due to be installed in the Debian FTP archive:

screen_4.0.3-11+lenny1.diff.gz
  to pool/main/s/screen/screen_4.0.3-11+lenny1.diff.gz
screen_4.0.3-11+lenny1.dsc
  to pool/main/s/screen/screen_4.0.3-11+lenny1.dsc
screen_4.0.3-11+lenny1_i386.deb
  to pool/main/s/screen/screen_4.0.3-11+lenny1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 521123@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de> (supplier of updated screen package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 04 Apr 2009 02:10:09 +0200
Source: screen
Binary: screen
Architecture: source i386
Version: 4.0.3-11+lenny1
Distribution: stable
Urgency: high
Maintainer: Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>
Changed-By: Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>
Description: 
 screen     - terminal multiplexor with VT100/ANSI terminal emulation
Closes: 521123
Changes: 
 screen (4.0.3-11+lenny1) stable; urgency=high
 .
   * Security upload.
   * Change the fix for #433338 so symlink attacks against the
     public exchange file are prevented again. Closes: #521123.
     Tracked as CVE-2009-1214 and CVE-2009-1215.
Checksums-Sha1: 
 403a959e861176317267d262c8ba28ce2d03e0d6 1079 screen_4.0.3-11+lenny1.dsc
 beb7ca2d72247fdb7bbf0f6047648bcf49d48309 130043 screen_4.0.3-11+lenny1.diff.gz
 c521a8ab10f98f9599654b2c000b5dd77696c53e 604366 screen_4.0.3-11+lenny1_i386.deb
Checksums-Sha256: 
 5f39654dbb2759e9da97a25f58d37c212dbfaba44ef967b4c8aea46a505bbd17 1079 screen_4.0.3-11+lenny1.dsc
 19130d097e9ed897c84a2c640634dd36ee3233c17b0bf5d18549ed1e064b3073 130043 screen_4.0.3-11+lenny1.diff.gz
 cf40a1a96e2cc20b2fd7ee67f9d800606f3065642b2dee83027767bd788f5fbc 604366 screen_4.0.3-11+lenny1_i386.deb
Files: 
 42797bf22534be17ea4b9ce8f76a88d5 1079 misc optional screen_4.0.3-11+lenny1.dsc
 9bacd9be1d9c57e2e0381df2775b33e0 130043 misc optional screen_4.0.3-11+lenny1.diff.gz
 6e6fc39407ee8a7971b42b52756afafd 604366 misc optional screen_4.0.3-11+lenny1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAknUpYoACgkQHYflSXNkfP/z7ACfdBoD/3E7Gpo6zXIPGSCYCXML
S1cAnAnJc279N2j5j9eSI+PucECGgaix
=FDzc
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 20 Oct 2009 07:32:38 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:35:48 2019; Machine Name: buxtehude
