Package: screen
Version: 4.5.0-1
Severity: grave
Control: forwarded -1 https://savannah.gnu.org/bugs/?50142

A potential root exploit was reported upstream at
https://savannah.gnu.org/bugs/?50142 (currently private) but also
forwarded to a publicly archived mailing list at
https://lists.gnu.org/archive/html/screen-devel/2017-01/msg00025.html

In Debian with default configuration of the screen package, only access
to the utmp group can be gained -- which has very few privileges. See
https://lists.gnu.org/archive/html/screen-devel/2017-01/msg00027.html
for the impact in Debian.

Nevertheless the Debian screen package also supports different
permissions and hence some setups might be affected by the root exploit.

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (990, 'unstable'), (600, 'testing'), (500, 'unstable-debug'), (500, 'buildd-unstable'), (110, 'experimental'), (1, 'experimental-debug'), (1, 'buildd-experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages screen depends on:
ii  libc6      2.24-9
ii  libpam0g   1.1.8-3.5
ii  libtinfo5  6.0+20161126-1

screen recommends no packages.

Versions of packages screen suggests:
ii  byobu         5.112-1
ii  iselect       1.4.0-2+b1
ii  ncurses-term  6.0+20161126-1
ii  screenie      20120406-1

-- no debconf information
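An added example, not part of the original bug report: a shell check that tells an administrator which of the two cases described above applies to an installed screen binary (utmp group only, or root). The function names are hypothetical, and `stat -c`/`-L` assumes GNU coreutils as shipped in Debian.

```shell
#!/bin/sh
# classify_screen_exposure MODE OWNER GROUP
# MODE is the octal mode as printed by `stat -c %a` (e.g. 2755, 4755, 755).
# Prints the identity a flaw in the binary would hand to a local user.
classify_screen_exposure() {
    mode=$1 owner=$2 group=$3
    # The set-id/sticky bits are the fourth octal digit from the right;
    # stat omits that digit when none of them is set.
    case $mode in
        ????) special=${mode%???} ;;
        *)    special=0 ;;
    esac
    suid=0 sgid=0
    case $special in 4|5|6|7) suid=1 ;; esac
    case $special in 2|3|6|7) sgid=1 ;; esac
    if [ "$suid" -eq 1 ]; then
        # setuid wins over setgid: it is the more privileged case
        echo "setuid-$owner"
    elif [ "$sgid" -eq 1 ]; then
        echo "setgid-$group"
    else
        echo "unprivileged"
    fi
}

# check_screen_binary PATH: read the real file's mode (following symlinks)
# and classify it. Returns non-zero if the file cannot be examined.
check_screen_binary() {
    info=$(stat -L -c '%a %U %G' "$1" 2>/dev/null) || return 1
    # shellcheck disable=SC2086  # intentional word splitting into $1 $2 $3
    set -- $info
    classify_screen_exposure "$1" "$2" "$3"
}

# Report on the installed binary, if there is one.
if command -v screen >/dev/null 2>&1; then
    result=$(check_screen_binary "$(command -v screen)") || result="unreadable"
    case $result in
        setuid-root) echo "screen is setuid root: the root case in the report applies" ;;
        setgid-utmp) echo "screen is setgid utmp: only utmp group access is at stake" ;;
        *)           echo "screen binary classification: $result" ;;
    esac
fi
```
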

