Hello,

On Fri, May 16, 2025 at 11:01:53AM -0400, Jan Schaumann wrote:
> Matthias Gerstner <mgerst...@suse.de> wrote:
> > we were surprised to find a local root exploit in
> > the Screen 5.0.0 major version update affecting distributions that ship
> > it as setuid-root (Arch Linux and NetBSD).
>
> I think it's useful to clarify here that NetBSD does
> _not_ ship with GNU screen(1) at all. NetBSD's
> third-party package manager pkgsrc[1] includes
> screen(1), allowing users to install additional
> software on top of the base OS.
We apologize if our report contains any ambiguities in this regard. We are more familiar with Linux systems, naturally, and only look into other UNIX systems when cross-platform software like Screen is affected.

I guess it is still correct to assume that if a NetBSD user wants to install Screen, using the pkgsrc binary package would be the canonical way to achieve this. I believe none of the systems we looked into comes with Screen pre-installed. In our report we assume that Screen is installed using the system's default package manager. Considering all potential other uses of the package manager sources/artifacts in other systems would complicate matters too much for us, however.

We did not intend to single out NetBSD, but simply looked into it, because we believe it is one of the major free BSD distributions in existence.

We can provide a clarification of this aspect in our blog post to reflect your concerns, but we would also like to avoid unnecessarily complicating it.

Best Regards

Matthias