[screen-devel] Handling of security bugs
From: Donald Buczek
Subject: [screen-devel] Handling of security bugs
Date: Thu, 2 Mar 2017 11:04:14 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.7.0
Hey, "GNU Screen team",

thanks for v4.5.1!

I've reported "root exploit 4.5.0" through Savannah [1] and I can
confirm the issue is fixed in 4.5.1.

However, I must say that I'm not too impressed with how it was handled.
So I'd like to enumerate a few points where I think things could
possibly be improved. This is a friendly rant, just my personal
suggestions for your consideration. No bad feelings, I appreciate your
work on free and open-source software!
* The distributed Makefile installs the binary suid root. Some
distributions lower the privileges, but still run it with somewhat
elevated privileges (e.g. sgid). Therefore bugs in GNU Screen can have a
greater impact on security than bugs in other software. I was a bit
disappointed not to find any information on how to report security bugs
on the screen homepage [2]. I suggest adding some information to that page.
* Not finding any special information there, I followed the GNU security
policy [3] and used the general bug reporting instructions of the
package, which is to use the GNU Savannah bugtracker. To give the
developers a bit of lead, I set the Privacy field to "Private". The
information for that field is: "Determines whether the item can be seen
by members of the project only or anybody." [4]. I was then surprised by
the fact that the information was automatically forwarded to an open
mailing list with publicly visible archives [5]. The bug report was
spotted and republished by several parties [6], even with working
exploits [7]. I suggest that the "Privacy" field of the bugtracker
should either be honored or eliminated. But maybe this is a general GNU
issue and not a GNU Screen specific issue?
* While the information was publicly available, the GNU Screen homepage
was unchanged and the GNU ftp repository continued to offer 4.5.0 as the
latest and greatest release for about one month [8]. One month is not
bad, but maybe, given that the vulnerability had already leaked, it
would have been possible to bring out a quick fix immediately. The bug
was trivial; all it needed was to comment out five lines.
Donald
[1] https://savannah.gnu.org/bugs/index.php?50142
[2] https://www.gnu.org/software/screen/
[3] https://www.gnu.org/software/security/
[4] https://savannah.gnu.org/bugs/?func=additem&group=screen
[5] http://lists.gnu.org/archive/html/screen-devel/2017-01/msg00025.html
[6] https://blog.fefe.de/?ts=a6762bb4
[7] https://www.reddit.com/r/netsec/comments/5pz0bs/gnu_screen_root_exploit/
[8] https://ftp.gnu.org/gnu/screen/
--
Donald Buczek
address@hidden
Tel: +49 30 8413 1433