Multiple Security Issues in Screen
a year ago
- Multiple security vulnerabilities were identified in Screen versions 4.9.1 and 5.0.0, including a local root exploit (CVE-2025-23395).
- Screen 5.0.0 introduces a default PTY mode change to 0622, making PTYs world-writable (CVE-2025-46803).
- TTY hijacking vulnerability when attaching to multi-user sessions (CVE-2025-46802).
- Information leak via socket lookup error messages in setuid-root context (CVE-2025-46804).
- Race conditions in signal sending mechanisms (CVE-2025-46805).
- Buffer overflow due to improper use of strncpy() in Screen 5.0.0.
- General recommendations include avoiding setuid-root installation and implementing privilege dropping by default.
- Problematic coordinated disclosure process with Screen upstream, leading to delays in patch development and distribution.
- Affected distributions include Arch Linux, Fedora 42, NetBSD 10.1, and others, with varying degrees of impact.
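
A host check for two of the conditions listed above, the setuid-root installation and world-writable PTYs (the other-write bit that mode 0622 sets), written as an added example; it is not taken from the advisory or from Screen. The function names are hypothetical, and `/dev/pts` and the location of the `screen` binary are assumptions about the system being audited.

```shell
#!/bin/sh
# Added audit sketch. Function names are hypothetical; /dev/pts and the
# screen path are assumptions about the host being checked.

# Print each entry directly under directory $1 whose mode has the
# other-write bit (0002) set, as a 0622 PTY does.
world_writable_entries() {
    for f in "$1"/*; do
        [ -e "$f" ] || continue
        # ptmx is the multiplexer node, not a session PTY; skip it.
        case "${f##*/}" in ptmx) continue ;; esac
        if [ -n "$(find "$f" -prune -perm -0002 2>/dev/null)" ]; then
            printf '%s\n' "$f"
        fi
    done
    return 0
}

# If file $1 has the setuid bit, print its numeric owner uid (0 = root)
# and return 0; otherwise print nothing and return 1.
setuid_owner() {
    [ -u "$1" ] || return 1
    ls -ldn -- "$1" | awk '{print $3}'
}

# Run the audit only when asked: sh audit.sh audit [path-to-screen]
if [ "${1:-}" = "audit" ]; then
    bin=${2:-$(command -v screen || true)}
    if [ -n "$bin" ] && uid=$(setuid_owner "$bin"); then
        echo "setuid binary: $bin (owner uid $uid)"
    fi
    world_writable_entries /dev/pts | sed 's/^/world-writable PTY: /'
fi
```

An owner uid of 0 in the first line of output means the binary is installed setuid-root; any `world-writable PTY` line is a terminal that other local users can write to.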