Matthias Gerstner <mgerst...@suse.de> wrote:
> we were surprised to find a local root exploit in
> the Screen 5.0.0 major version update affecting distributions that ship
> it as setuid-root (Arch Linux and NetBSD).

I think it's useful to clarify here that NetBSD does _not_ ship with GNU screen(1) at all.

NetBSD's third-party package manager pkgsrc[1] includes screen(1), allowing users to install additional software on top of the base OS. That package as included in _pkgsrc_ was installed setuid[2], but a NetBSD base installation does not include that package.

(NetBSD happens to include tmux(1) _in the base OS_, but not screen(1).)

This distinction between a base OS and add-on software that is optionally available for users to choose tends to cause confusion for some people, so I figured it's worth noting.

-Jan

[1] https://www.pkgsrc.org/
[2] now no more since https://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=59417