Package: bsdextrautils
Version: 2.40.2-9
Severity: normal
File: /usr/bin/write


Attempting to use write(1) in recent versions of bsdextrautils 
invariably (unless run by root) results in:

  write: effective gid does not match group of /dev/pts/NN

Of course, now that the pre-1995 behaviour was restored and the tty 
group isn't used, a malicious actor no longer has to jump through 
the hoops of finding mistakes in any sgid programs and can just 
directly cat arbitrary escape sequences to the terminal of a user 
who has mesg y set.
But when you want to actually pass a message to another user rather 
than mess with their terminal or exfiltrate their passwords, the 
write command used to be more convenient than cat, as it could find 
the right terminal to use itself and added a nice greeting header 
with the caller's name and terminal.

The problem is also present in stable. To be honest, I'm a bit 
surprised that such a change was pushed to stable together with a 
bugfix without even mentioning it in NEWS or something. Whatever 
the reason, the write command is completely unusable in that 
configuration.

-k


-- System Information:
Debian Release: trixie/sid
  APT prefers testing
  APT policy: (900, 'testing'), (700, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.7.12-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=pl_PL.UTF-8, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages bsdextrautils depends on:
ii  libc6          2.40-3
ii  libsmartcols1  2.40.2-9
ii  libsystemd0    256.7-2
ii  libtinfo6      6.5-2

bsdextrautils recommends no packages.

bsdextrautils suggests no packages.

-- no debconf information
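
Added example, not part of the bug report or of util-linux: a POSIX sh check that, from a terminal's mode and group and the write binary's mode and group, reports who can send raw bytes to the terminal and whether a non-root write(1) would pass the gid comparison named in the error message above. The function names, the use of GNU stat, and all numeric values in the sample calls are assumptions made for this example.

```shell
#!/bin/sh
# Added example. Modes are octal strings as printed by `stat -c %a`.

# assess_tty TTY_MODE TTY_GID WRITE_MODE WRITE_GID CALLER_EGID
# Prints "exposure=<world|group|none> write=<pass|fail>".
assess_tty() {
    a_tmode=$((0$1)); a_tgid=$2
    a_wmode=$((0$3)); a_wgid=$4; a_egid=$5

    # Who can open the terminal for writing and send raw bytes to it?
    if [ $(( $a_tmode & 0002 )) -ne 0 ]; then
        a_exposure=world      # any local user, no helper program needed
    elif [ $(( $a_tmode & 0020 )) -ne 0 ]; then
        a_exposure=group      # only processes running with the tty's group
    else
        a_exposure=none       # equivalent of mesg n
    fi

    # A setgid write(1) runs with the binary's group as its effective gid;
    # without the setgid bit it keeps the caller's effective gid.
    if [ $(( $a_wmode & 02000 )) -ne 0 ]; then
        a_run_gid=$a_wgid
    else
        a_run_gid=$a_egid
    fi

    # Comparison named in the error text: effective gid vs. group of the tty
    # (the report notes that root is not affected).
    if [ "$a_run_gid" -eq "$a_tgid" ]; then
        a_write=pass
    else
        a_write=fail
    fi
    echo "exposure=$a_exposure write=$a_write"
}

# assess_real TTY [WRITE_BIN]: same assessment from live file metadata.
# Assumes GNU stat (coreutils).
assess_real() {
    r_tty=$(stat -c '%a %g' "$1") || return 1
    r_bin=$(stat -c '%a %g' "${2:-/usr/bin/write}") || return 1
    # Unquoted on purpose: each stat result splits into mode and gid.
    assess_tty $r_tty $r_bin "$(id -g)"
}

# Constructed cases: setgid helper sharing the tty's group, then a
# non-setgid write binary called by an unrelated user.
assess_tty 620 5 2755 5 1000
assess_tty 620 5 755 0 1000
```

On a live system, `assess_real "$(tty)"` gives the same report for the current terminal; a result of `exposure=world` means the terminal accepts raw output, escape sequences included, from any local account.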
