Your message dated Thu, 12 Jan 2006 08:22:58 -0800
with message-id <[EMAIL PROTECTED]>
and subject line Bug#347768: screen: insecure file creation with '>'
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Date: Thu, 12 Jan 2006 10:05:35 -0500
To: Debian BTS Submission <[EMAIL PROTECTED]>
Subject: screen: insecure file creation with '>'
From: Justin Pryzby <[EMAIL PROTECTED]>
Package: screen
Version: 4.0.2-4.1
Severity: important
Tags: security
I have never used ^a> before now, and I have
-rw-rw-rw- 1 pryzbyj pryzbyj 6 Jan 10 10:58 /tmp/screen-exchange
Surely this should be neither readable nor writable by "others".
---------------------------------------
Date: Thu, 12 Jan 2006 08:22:58 -0800
From: Adam Lazur <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: Bug#347768: screen: insecure file creation with '>'
Justin Pryzby ([EMAIL PROTECTED]) said:
> I have never used ^a> before now, and I have
>
> -rw-rw-rw- 1 pryzbyj pryzbyj 6 Jan 10 10:58 /tmp/screen-exchange
>
> Surely this should be neither readable nor writable by "others".
One man's bug is another man's feature :)
Debian used to patch screen to "fix" the permissions on this file, but
I got advice about the intent from upstream and it was changed back to
the default.
readbuf and writebuf are set up to allow the exchange of information
among different users on the same system. This is also why everyone gets
the same default filename rather than a filename guaranteed not to
collide.
--
Adam Lazur
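
An added example, not part of either message above and not screen's own code: a Python check that reports whether an exchange file such as /tmp/screen-exchange is reachable by other users, covering the mode bits shown in the report plus ownership and symlinks. The function names and the sample files it builds in a scratch directory are constructed for illustration.

```python
import os
import stat
import tempfile

def audit_exchange_file(path):
    """Return findings about who can reach a screen exchange file."""
    try:
        st = os.lstat(path)  # lstat: inspect the entry itself, never a link target
    except FileNotFoundError:
        return ["missing"]
    if stat.S_ISLNK(st.st_mode):
        return ["symlink"]  # a fixed name in a shared directory can be pre-created
    findings = []
    if not stat.S_ISREG(st.st_mode):
        findings.append("not-regular-file")
    if st.st_uid != os.geteuid():
        findings.append("foreign-owner")
    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    if mode & (stat.S_IRGRP | stat.S_IWGRP):
        findings.append("group-accessible")
    return findings

def demo():
    """Audit constructed stand-ins for /tmp/screen-exchange in a scratch directory."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "screen-exchange")  # constructed sample, not the real file
        with open(path, "w") as f:
            f.write("hello\n")
        os.chmod(path, 0o666)  # the -rw-rw-rw- mode from the report
        results["shared"] = audit_exchange_file(path)
        os.chmod(path, 0o600)  # owner-only, what the reporter expected
        results["private"] = audit_exchange_file(path)
        link = os.path.join(d, "link")
        os.symlink(path, link)
        results["symlink"] = audit_exchange_file(link)
        results["missing"] = audit_exchange_file(os.path.join(d, "absent"))
    return results

if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings)
```

Users who do not want the shared default can point screen at a private path with its bufferfile command, for example in ~/.screenrc.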