Control: reopen -1

Hi,

after https://bugs.debian.org/852484 happened and I'm now well aware
of the implications of such a security issue, I will surely reconsider
this decision.

Sven Joachim wrote:
> If libutempter-dev is installed on the build system, configure uses it
> by default to build screen with utempter support. At least the sh4
> package of screen, apparently uploaded by a porter, depends on
> libutempter0.
>
> Unfortunately there is no "--disable-utempter" switch for configure,

That's a pity. Especially my current idea is to build the screen
package with utempter support, but not the screen-udeb to avoid having
utempter being packaged as udeb, too, and because it IMHO doesn't make
sense in the udeb. This is definitely something that needs
investigation before implementing utempter support in Debian's screen
package.

> and while enabling utempter support certainly makes sense, it
> probably won't suffice to avoid installing screen setgid utmp, since
> screen needs write access to the /run/screen directory.

As a followup to the potential root exploit tracked in Debian in
#852484, there was a nice outline posted by Solar Designer on the
OSS-Security mailing list on how other distributions implement
utempter support in screen:

http://www.openwall.com/lists/oss-security/2017/01/25/1

		Regards, Axel
-- 
 ,''`.  |  Axel Beckert <[email protected]>, http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE

