I compiled it for 7.2. It seems to work fine. I updated the bug. https://bugzilla.fedora.us/show_bug.cgi?id=1187 I am not certain if we should choose to release this as a security fix. Certainly if RedHat does for 9 we should. If other distributions do we should as well. Since we did the work at this point we should. -- Christian Pearce http://www.commnav.com rohwedde@xxxxxxxxxxxxxxx (Jason) said: > > > Currently entered into the bugzilla at: > https://bugzilla.fedora.us/show_bug.cgi?id=1187 > > I'm curious whether the community thinks this is a necessary patch? > Thanks. > > -jason > > --------------------------------------------------------------------- > > Patched SRPMS for screen buffer overflow > > Details at: > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0972 > http://marc.theaimsgroup.com/?l=bugtraq&m=106995837813873&w=2 > > RH 7.3 https://mail.codegrinder.com/www/screen-3.9.11-4.legacy.src.rpm > RH 7.2 https://mail.codegrinder.com/www/screen-3.9.9-4.legacy.src.rpm > MD5SUM https://mail.codegrinder.com/www/screen-md5sums.asc > > The 7.3 rpms work for me.. I don't have a 7.2 box available to test that > one. > > The default in 7.3 is to not suid the screen binary, so I think we're > safe from privilege escalation (unless the user does it of their own > volition). But, I am a bit concerned with the idea that someone could > hijack my screen session. So, is this a patch we want to push? If so, > we should patch the RH8 rpms as well. RH hasn't yet released a patch > for 9, though it has a vulnerable version. > >
