[screen-devel] Handling of security bugs


From: Donald Buczek
Subject: [screen-devel] Handling of security bugs
Date: Thu, 2 Mar 2017 11:04:14 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.7.0

Hey, "GNU Screen team",

thanks for v4.5.1!

I've reported "root exploit 4.5.0" through Savannah [1] and I can confirm the issue is fixed in 4.5.1.

However, I must say that I'm not too impressed with how it was handled. So I'd like to enumerate a few points where I think things could possibly be improved. This is a friendly rant, just my personal suggestions for your consideration. No bad feelings, I appreciate your work on free and open-source software!

* The distributed Makefile installs the binary suid root. Some distributions lower the privileges, but still run it with elevated privileges of some kind (e.g. sgid). Therefore bugs in GNU Screen can have a greater impact on security than bugs in other software. I was a bit disappointed not to find any information on how to report security bugs on the screen homepage [2]. I suggest adding some information to that page.

* Not finding any special information there, I followed the GNU security policy [3] and used the general bug reporting instructions of the package, which is to use the GNU Savannah bugtracker. To give the developers a bit of lead, I set the Privacy field to "Private". The information for that field is: "Determines whether the item can be seen by members of the project only or anybody." [4]. I was then surprised by the fact that the information was automatically forwarded to an open mailing list with publicly visible archives [5]. The bug report was spotted and republished by several parties [6], even with working exploits [7]. I suggest that the "Privacy" field of the bugtracker should either be honored or eliminated. But maybe this is a general GNU issue and not a GNU Screen specific issue?

* While the information was publicly available, the GNU Screen homepage was unchanged and the GNU ftp repository continued to offer 4.5.0 as the latest and greatest release for about one month [8]. One month is not bad, but maybe, given that the vulnerability had already leaked, it would have been possible to bring out a quick fix immediately. The bug was trivial; all it needed was to comment out five lines.

Donald

[1] https://savannah.gnu.org/bugs/index.php?50142
[2] https://www.gnu.org/software/screen/
[3] https://www.gnu.org/software/security/
[4] https://savannah.gnu.org/bugs/?func=additem&group=screen
[5] http://lists.gnu.org/archive/html/screen-devel/2017-01/msg00025.html
[6] https://blog.fefe.de/?ts=a6762bb4
[7] https://www.reddit.com/r/netsec/comments/5pz0bs/gnu_screen_root_exploit/
[8] https://ftp.gnu.org/gnu/screen/

--
Donald Buczek
address@hidden
Tel: +49 30 8413 1433
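The first point above turns on how screen is installed on a given host: suid root from the stock Makefile, sgid under some distributions, or without any elevated bits. The following is an added example, not part of Donald's message and not GNU Screen's own code, that classifies a binary from its `ls -l` mode string and then applies the check to whatever `screen` is on PATH. The sample `ls -l` lines are constructed for illustration, not taken from a real host; the helper names are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify how a binary is installed (suid root, sgid, or
# neither) from a symbolic mode string, then check the local screen binary.
# Not part of the original post or of the GNU Screen sources.

# classify_mode MODE OWNER GROUP
# Prints one of: suid-root, suid-<owner>, sgid-<group>, none.
# In a symbolic mode string such as -rwsr-xr-x, character 4 (owner execute)
# is 's' or 'S' when setuid is set and character 7 (group execute) is 's'
# or 'S' when setgid is set.
classify_mode() {
    mode="$1"; owner="$2"; group="$3"
    u=$(printf '%s' "$mode" | cut -c4)
    g=$(printf '%s' "$mode" | cut -c7)
    case "$u" in
        s|S)
            if [ "$owner" = root ]; then echo suid-root; else echo "suid-$owner"; fi
            return 0 ;;
    esac
    case "$g" in
        s|S) echo "sgid-$group"; return 0 ;;
    esac
    echo none
}

# classify_ls_line "<one line of ls -l output>"
# ls -l fields are: mode links owner group size date... name
classify_ls_line() {
    set -- $1
    classify_mode "$1" "$3" "$4"
}

# check_binary PATH: run the classification against a file on this host.
check_binary() {
    bin="$1"
    [ -f "$bin" ] || { echo "$bin: not found"; return 1; }
    classify_ls_line "$(ls -l "$bin")"
}

# Constructed sample lines (hypothetical hosts, not real data):
SAMPLE_SUID='-rwsr-xr-x 1 root root 446064 Jan 1 2017 /usr/local/bin/screen'
SAMPLE_SGID='-rwxr-sr-x 1 root utmp 446064 Jan 1 2017 /usr/bin/screen'
SAMPLE_PLAIN='-rwxr-xr-x 1 root root 446064 Jan 1 2017 /usr/bin/screen'

main() {
    for line in "$SAMPLE_SUID" "$SAMPLE_SGID" "$SAMPLE_PLAIN"; do
        printf '%s -> %s\n' "${line##* }" "$(classify_ls_line "$line")"
    done
    # Now the real thing, if screen is installed here at all.
    screen_path=$(command -v screen 2>/dev/null) \
        && check_binary "$screen_path" \
        || echo "screen: not on PATH"
}

main
```

A result of `suid-root` means a bug in screen is a local root issue on that host; `sgid-utmp` (the usual distribution setting) narrows the exposure to the utmp group, and `none` means screen runs with the caller's own privileges. Pair the mode check with `screen --version` to confirm the installed release is at least 4.5.1.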
