[32659] in bugtraq
Re: GNU screen buffer overflow
daemon@ATHENA.MIT.EDU (Kyle Sallee)
Wed Dec 3 14:38:06 2003
Date: Mon, 1 Dec 2003 16:48:38 -0500 (EST)
From: Kyle Sallee <cromwell@metalab.unc.edu>
To: Mariusz Woloszyn <emsi@ipartners.pl>
Cc: Timo Sirainen <tss@iki.fi>, <bugtraq@securityfocus.com>
In-Reply-To: <Pine.LNX.4.58.0312011239350.2263@dzyngiel.ipartners.pl>
Message-ID: <Pine.LNX.4.44.0312011647170.9411-100000@tribal.metalab.unc.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
On Mon, 1 Dec 2003, Mariusz Woloszyn wrote:
> On Thu, 27 Nov 2003, Timo Sirainen wrote:
>
> > Buffer overflow in GNU screen allows privilege escalation for local users.
> > Usually screen is installed either setgid-utmp or setuid-root.
> >
> With devpts and libutempter it is possible to install fully functional
> screen without suid/sgid.
Does that mean any program that links with libutempter gains
complete suid/sgid root functionality, or only when executing
the functions in the libutempter library, please?
