Multiple Security Issues in GNU Screen
a year ago
- #GNU Screen
- #security
- #setuid-root
- Multiple security issues were found in GNU Screen, primarily affecting version 5.0.0 and setuid-root installations.
- A local root exploit via `logfile_reopen()` (CVE-2025-23395) allows unprivileged users to create, or append to, root-owned files at arbitrary paths.
- TTY hijacking while attaching to a multi-user session (CVE-2025-46802) introduces a race condition that allows other users to read from, or inject data into, the caller's TTY.
- Screen 5.0.0 by default creates world-writable PTYs (CVE-2025-46803), allowing anyone to write to any Screen PTY on the system.
- File existence tests via socket lookup error messages (CVE-2025-46804) reveal whether a given path exists when Screen runs with setuid-root privileges.
- Race conditions when sending signals (CVE-2025-46805) potentially allow unprivileged users to send signals to privileged processes.
- Bad `strncpy()` use leads to crashes when sending commands in Screen version 5.0.0, potentially causing memory corruption.
- General recommendations include avoiding setuid-root installations, implementing a test suite, and improving privilege handling.
- A problematic coordinated disclosure process highlighted upstream's difficulty in addressing security concerns promptly.
- An affectedness matrix is provided for various distributions, including Arch Linux, Fedora, Gentoo, FreeBSD, and NetBSD.
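The two deployment conditions the list above keeps returning to are a setuid-root `screen` binary and world-writable PTY nodes (the CVE-2025-46803 symptom). The following POSIX shell audit helper is an added example, not code from the advisory or from the GNU Screen project; it assumes the binary is found via `command -v screen` (falling back to `/usr/bin/screen`) and that PTY slaves live under `/dev/pts`, both of which are adjustable through the function arguments.

```shell
#!/bin/sh
# Added audit helper, not part of the advisory or of GNU Screen itself.
# It checks two deployment conditions the advisory flags: a setuid-root
# screen binary, and world-writable numbered PTY slaves under /dev/pts.

# Report whether FILE carries the setuid bit and is owned by OWNER
# (default: root). Prints "yes", "no" or "missing".
setuid_owned_by() {
    file=$1
    owner=${2:-root}
    [ -e "$file" ] || { echo missing; return 0; }
    # POSIX find: -perm -4000 requires the setuid bit to be set.
    if [ -n "$(find "$file" -prune -perm -4000 -user "$owner" -print 2>/dev/null)" ]; then
        echo yes
    else
        echo no
    fi
}

# List numbered PTY slave nodes under DIR (default: /dev/pts) whose mode
# grants write permission to "other", one path per line, sorted.
world_writable_ptys() {
    dir=${1:-/dev/pts}
    [ -d "$dir" ] || return 0
    for p in "$dir"/*; do
        [ -e "$p" ] || continue
        # Only the numbered slave devices; skip ptmx and anything else.
        case ${p##*/} in *[!0-9]*) continue ;; esac
        # -perm -002: the other-write bit is set.
        if [ -n "$(find "$p" -prune -perm -002 -print 2>/dev/null)" ]; then
            echo "$p"
        fi
    done | sort
}

# Number of world-writable PTYs under DIR; prints 0 when there are none.
world_writable_pty_count() {
    world_writable_ptys "$1" | grep -c . || true
}

# Print a short report for the local host (assumed binary location:
# whatever `command -v screen` finds, else /usr/bin/screen).
audit_screen_host() {
    bin=$(command -v screen 2>/dev/null || echo /usr/bin/screen)
    echo "screen binary:        $bin"
    echo "setuid-root:          $(setuid_owned_by "$bin")"
    echo "world-writable PTYs:  $(world_writable_pty_count /dev/pts)"
    world_writable_ptys /dev/pts | sed 's/^/  /'
}

# Run the report only when invoked with --audit, so the file can also be
# sourced for its functions.
case ${1:-} in
    --audit) audit_screen_host ;;
esac
```

Run it as `sh audit.sh --audit`. A "yes" under setuid-root means the host is in the configuration the advisory recommends avoiding, and any PTY listed as world-writable is one that other local users can write to; removing the other-write bit (`chmod o-w` on the listed node) closes that exposure for the running session, while the lasting fix is a Screen build that no longer creates PTYs that way.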