Buffer overflow in GNU screen allows privilege escalation for local users.
It also has some potential for attackers getting control of another user's
screen. Transfer of approximately two gigabytes of data is required to
exploit this vulnerability.
Usually screen is installed either setgid-utmp or setuid-root but this DOES
NOT happen on OpenBSD, thus the reliability fix.
ok brad@
hard coded to ${DESTDIR}/etc/screenrc in the resulting screen binary thus
the system wide /etc/screenrc does not work as expected.
--
Reported by: Luke Bakken <luke_bakken@yahoo.com>
- remove pre-configure target
- make screen's Makefile remove screen.info before re-creating it
- instead of removing CFLAGS from Makefile.in, replace its value with
@CFLAGS@ so the autoconf script fills it in, same with LDFLAGS
of the filename is a symbolic link. Note: in some cases the file may still
be opened which can in itself be a problem. This solves the security
hole where the bad-guy creates a symbolic link named /tmp/screen-exchange
pointing to a file that s/he wishes root to clobber.
Install screenrc in /etc (but do not overright existing file).
Install latest screenrc and screencap in /usr/local/lib/screen for
reference (and so pkg_add knows where to get them from).
