screen: fix CVE-2025-46804

A minor information leak when running Screen with setuid-root privileges allosw unprivileged users to deduce information about a path that would otherwise not be available. Affected are older Screen versions, as well as version 5.0.0. Reference: https://security-tracker.debian.org/tracker/CVE-2025-46804 Upstream-patch: https://cgit.git.savannah.gnu.org/cgit/screen.git/commit/?id=e0eef5aac453fa98a2664416a56c50ad1d00cb30 (From OE-Core rev: a313af8ca347797214669406ee86f5239997f7e3) Signed-off-by: Divya Chellam <divya.chellam@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Divya Chellam <divya.chellam@windriver.com> 2025-06-05 16:31:00 +0530
committer: Steve Sakoman <steve@sakoman.com> 2025-06-11 08:17:34 -0700
commit: 8422c6f52fa5228318c129bade4672cb84d03c9f (patch)
tree: 6e52c35dfb81656ba40a06a1d33245a38040596a
parent: fa0fef4a3d5081c7ed300cb5d02286675aabece0 (diff)
download: poky-8422c6f52fa5228318c129bade4672cb84d03c9f.tar.gz
2 files changed, 132 insertions, 0 deletions
diff --git a/meta/recipes-extended/screen/screen/CVE-2025-46804.patch b/meta/recipes-extended/screen/screen/CVE-2025-46804.patch
new file mode 100644
index 0000000000..918c2c5ce9
--- /dev/null
+++ b/meta/recipes-extended/screen/screen/CVE-2025-46804.patch
@@ -0,0 +1,131 @@
+From e0eef5aac453fa98a2664416a56c50ad1d00cb30 Mon Sep 17 00:00:00 2001
+From: Matthias Gerstner <matthias.gerstner@suse.de>
+Date: Mon, 12 May 2025 15:26:11 +0200
+Subject: [PATCH] fix CVE-2025-46804: avoid file existence test information 
+ leaks
+In setuid-root context the current error messages give away whether
+certain paths not accessible by the real user exist and what type they
+have. To prevent this only output generic error messages in setuid-root
+context.
+In some situations, when an error is pertaining a directory and the
+directory is owner by the real user then we can still output more
+detailed diagnostics.
+This change can lead to less helpful error messages when Screen is
+install setuid-root. More complex changes would be needed to avoid this
+(e.g.  only open the `SocketPath` with raised privileges when
+multi-attach is requested).
+There might still be lingering some code paths that allow such
+information leaks, since `SocketPath` is a global variable that is used
+across the code base. The majority of issues should be caught with this
+fix, however.
+CVE: CVE-2025-46804
+Upstream-Status: Backport [https://cgit.git.savannah.gnu.org/cgit/screen.git/commit/?id=e0eef5aac453fa98a2664416a56c50ad1d00cb30]
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ screen.c | 45 ++++++++++++++++++++++++++++++++++-----------
+ socket.c |  9 +++++++--
+ 2 files changed, 41 insertions(+), 13 deletions(-)
+diff --git a/screen.c b/screen.c
+index 1a23e1a..6eec151 100644
+--- a/screen.c
+++ b/screen.c
+@@ -1122,15 +1122,28 @@ int main(int ac, char** av)
+ #endif
+   }
+ 
+-  if (stat(SockPath, &st) == -1)
+-    Panic(errno, "Cannot access %s", SockPath);
+-  else
+-    if (!S_ISDIR(st.st_mode))
+  if (stat(SockPath, &st) == -1) {
+    if (eff_uid == real_uid) {
+      Panic(errno, "Cannot access %s", SockPath);
+    } else {
+      Panic(0, "Error accessing %s", SockPath);
+    }
+  } else if (!S_ISDIR(st.st_mode)) {
+    if (eff_uid == real_uid || st.st_uid == real_uid) {
+       Panic(0, "%s is not a directory.", SockPath);
+    } else {
+      Panic(0, "Error accessing %s", SockPath);
+    }
+  }
+ #ifdef MULTIUSER
+   if (multi) {
+-    if ((int)st.st_uid != multi_uid)
+-      Panic(0, "%s is not the owner of %s.", multi, SockPath);
+    if ((int)st.st_uid != multi_uid) {
+      if (eff_uid == real_uid || st.st_uid == real_uid) {
+        Panic(0, "%s is not the owner of %s.", multi, SockPath);
+      } else {
+        Panic(0, "Error accessing %s", SockPath);
+      }
+    }
+   }
+   else
+ #endif
+@@ -1144,9 +1157,13 @@ int main(int ac, char** av)
+       Panic(0, "You are not the owner of %s.", SockPath);
+ #endif
+   }
+-
+-  if ((st.st_mode & 0777) != 0700)
+-    Panic(0, "Directory %s must have mode 700.", SockPath);
+  if ((st.st_mode & 0777) != 0700) {
+    if (eff_uid == real_uid || st.st_uid == real_uid) {
+      Panic(0, "Directory %s must have mode 700.", SockPath);
+    } else {
+      Panic(0, "Error accessing %s", SockPath);
+    }
+  }
+   if (SockMatch && index(SockMatch, '/'))
+     Panic(0, "Bad session name '%s'", SockMatch);
+   SockName = SockPath + strlen(SockPath) + 1;
+@@ -1184,8 +1201,14 @@ int main(int ac, char** av)
+       else
+         exit(9 + (fo || oth ? 1 : 0) + fo);
+     }
+-    if (fo == 0)
+-      Panic(0, "No Sockets found in %s.\n", SockPath);
+    if (fo == 0) {
+      if (eff_uid == real_uid || st.st_uid == real_uid) {
+        Panic(0, "No Sockets found in %s.\n", SockPath);
+      } else {
+        Panic(0, "Error accessing %s", SockPath);
+      }
+    }
+
+     Msg(0, "%d Socket%s in %s.", fo, fo > 1 ? "s" : "", SockPath);
+     eexit(0);
+   }
+diff --git a/socket.c b/socket.c
+index 54d8cb8..6c3502f 100644
+--- a/socket.c
+++ b/socket.c
+@@ -169,8 +169,13 @@ bool *is_sock;
+   xsetegid(real_gid);
+ #endif
+ 
+-  if ((dirp = opendir(SockPath)) == 0)
+-    Panic(errno, "Cannot opendir %s", SockPath);
+  if ((dirp = opendir(SockPath)) == 0) {
+    if (eff_uid == real_uid) {
+      Panic(errno, "Cannot opendir %s", SockPath);
+    } else {
+      Panic(0, "Error accessing %s", SockPath);
+    }
+  }
+ 
+   slist = 0;
+   slisttail = &slist;
+-- 
+2.40.0
diff --git a/meta/recipes-extended/screen/screen_4.9.1.bb b/meta/recipes-extended/screen/screen_4.9.1.bb
index bc4928ff77..706351a593 100644
--- a/meta/recipes-extended/screen/screen_4.9.1.bb
+++ b/meta/recipes-extended/screen/screen_4.9.1.bb
@@ -23,6 +23,7 @@ SRC_URI = "${GNU_MIRROR}/screen/screen-${PV}.tar.gz \
           file://0001-Remove-more-compatibility-stuff.patch \
           file://CVE-2025-46805.patch \
           file://CVE-2025-46802.patch \
+           file://CVE-2025-46804.patch \
           "
 SRC_URI[sha256sum] = "26cef3e3c42571c0d484ad6faf110c5c15091fbf872b06fa7aa4766c7405ac69"
author	Divya Chellam <divya.chellam@windriver.com>	2025-06-05 16:31:00 +0530
committer	Steve Sakoman <steve@sakoman.com>	2025-06-11 08:17:34 -0700
commit	8422c6f52fa5228318c129bade4672cb84d03c9f (patch)
tree	6e52c35dfb81656ba40a06a1d33245a38040596a
parent	fa0fef4a3d5081c7ed300cb5d02286675aabece0 (diff)
download	poky-8422c6f52fa5228318c129bade4672cb84d03c9f.tar.gz

diff --git a/meta/recipes-extended/screen/screen/CVE-2025-46804.patch b/meta/recipes-extended/screen/screen/CVE-2025-46804.patch new file mode 100644 index 0000000000..918c2c5ce9 --- /dev/null +++ b/meta/recipes-extended/screen/screen/CVE-2025-46804.patch
@@ -0,0 +1,131 @@
		1	From e0eef5aac453fa98a2664416a56c50ad1d00cb30 Mon Sep 17 00:00:00 2001
		2	From: Matthias Gerstner <matthias.gerstner@suse.de>
		3	Date: Mon, 12 May 2025 15:26:11 +0200
		4	Subject: [PATCH] fix CVE-2025-46804: avoid file existence test information
		5	leaks
		6
		7	In setuid-root context the current error messages give away whether
		8	certain paths not accessible by the real user exist and what type they
		9	have. To prevent this only output generic error messages in setuid-root
		10	context.
		11
		12	In some situations, when an error is pertaining a directory and the
		13	directory is owner by the real user then we can still output more
		14	detailed diagnostics.
		15
		16	This change can lead to less helpful error messages when Screen is
		17	install setuid-root. More complex changes would be needed to avoid this
		18	(e.g. only open the `SocketPath` with raised privileges when
		19	multi-attach is requested).
		20
		21	There might still be lingering some code paths that allow such
		22	information leaks, since `SocketPath` is a global variable that is used
		23	across the code base. The majority of issues should be caught with this
		24	fix, however.
		25
		26	CVE: CVE-2025-46804
		27
		28	Upstream-Status: Backport [https://cgit.git.savannah.gnu.org/cgit/screen.git/commit/?id=e0eef5aac453fa98a2664416a56c50ad1d00cb30]
		29
		30	Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
		31	---
		32	screen.c \| 45 ++++++++++++++++++++++++++++++++++-----------
		33	socket.c \| 9 +++++++--
		34	2 files changed, 41 insertions(+), 13 deletions(-)
		35
		36	diff --git a/screen.c b/screen.c
		37	index 1a23e1a..6eec151 100644
		38	--- a/screen.c
		39	+++ b/screen.c
		40	@@ -1122,15 +1122,28 @@ int main(int ac, char** av)
		41	#endif
		42	}
		43
		44	- if (stat(SockPath, &st) == -1)
		45	- Panic(errno, "Cannot access %s", SockPath);
		46	- else
		47	- if (!S_ISDIR(st.st_mode))
		48	+ if (stat(SockPath, &st) == -1) {
		49	+ if (eff_uid == real_uid) {
		50	+ Panic(errno, "Cannot access %s", SockPath);
		51	+ } else {
		52	+ Panic(0, "Error accessing %s", SockPath);
		53	+ }
		54	+ } else if (!S_ISDIR(st.st_mode)) {
		55	+ if (eff_uid == real_uid \|\| st.st_uid == real_uid) {
		56	Panic(0, "%s is not a directory.", SockPath);
		57	+ } else {
		58	+ Panic(0, "Error accessing %s", SockPath);
		59	+ }
		60	+ }
		61	#ifdef MULTIUSER
		62	if (multi) {
		63	- if ((int)st.st_uid != multi_uid)
		64	- Panic(0, "%s is not the owner of %s.", multi, SockPath);
		65	+ if ((int)st.st_uid != multi_uid) {
		66	+ if (eff_uid == real_uid \|\| st.st_uid == real_uid) {
		67	+ Panic(0, "%s is not the owner of %s.", multi, SockPath);
		68	+ } else {
		69	+ Panic(0, "Error accessing %s", SockPath);
		70	+ }
		71	+ }
		72	}
		73	else
		74	#endif
		75	@@ -1144,9 +1157,13 @@ int main(int ac, char** av)
		76	Panic(0, "You are not the owner of %s.", SockPath);
		77	#endif
		78	}
		79	-
		80	- if ((st.st_mode & 0777) != 0700)
		81	- Panic(0, "Directory %s must have mode 700.", SockPath);
		82	+ if ((st.st_mode & 0777) != 0700) {
		83	+ if (eff_uid == real_uid \|\| st.st_uid == real_uid) {
		84	+ Panic(0, "Directory %s must have mode 700.", SockPath);
		85	+ } else {
		86	+ Panic(0, "Error accessing %s", SockPath);
		87	+ }
		88	+ }
		89	if (SockMatch && index(SockMatch, '/'))
		90	Panic(0, "Bad session name '%s'", SockMatch);
		91	SockName = SockPath + strlen(SockPath) + 1;
		92	@@ -1184,8 +1201,14 @@ int main(int ac, char** av)
		93	else
		94	exit(9 + (fo \|\| oth ? 1 : 0) + fo);
		95	}
		96	- if (fo == 0)
		97	- Panic(0, "No Sockets found in %s.\n", SockPath);
		98	+ if (fo == 0) {
		99	+ if (eff_uid == real_uid \|\| st.st_uid == real_uid) {
		100	+ Panic(0, "No Sockets found in %s.\n", SockPath);
		101	+ } else {
		102	+ Panic(0, "Error accessing %s", SockPath);
		103	+ }
		104	+ }
		105	+
		106	Msg(0, "%d Socket%s in %s.", fo, fo > 1 ? "s" : "", SockPath);
		107	eexit(0);
		108	}
		109	diff --git a/socket.c b/socket.c
		110	index 54d8cb8..6c3502f 100644
		111	--- a/socket.c
		112	+++ b/socket.c
		113	@@ -169,8 +169,13 @@ bool *is_sock;
		114	xsetegid(real_gid);
		115	#endif
		116
		117	- if ((dirp = opendir(SockPath)) == 0)
		118	- Panic(errno, "Cannot opendir %s", SockPath);
		119	+ if ((dirp = opendir(SockPath)) == 0) {
		120	+ if (eff_uid == real_uid) {
		121	+ Panic(errno, "Cannot opendir %s", SockPath);
		122	+ } else {
		123	+ Panic(0, "Error accessing %s", SockPath);
		124	+ }
		125	+ }
		126
		127	slist = 0;
		128	slisttail = &slist;
		129	--
		130	2.40.0
		131


diff --git a/meta/recipes-extended/screen/screen_4.9.1.bb b/meta/recipes-extended/screen/screen_4.9.1.bb index bc4928ff77..706351a593 100644 --- a/meta/recipes-extended/screen/screen_4.9.1.bb +++ b/meta/recipes-extended/screen/screen_4.9.1.bb
@@ -23,6 +23,7 @@ SRC_URI = "${GNU_MIRROR}/screen/screen-${PV}.tar.gz \
23	file://0001-Remove-more-compatibility-stuff.patch \	23	file://0001-Remove-more-compatibility-stuff.patch \
24	file://CVE-2025-46805.patch \	24	file://CVE-2025-46805.patch \
25	file://CVE-2025-46802.patch \	25	file://CVE-2025-46802.patch \
		26	file://CVE-2025-46804.patch \
26	"	27	"
27		28
28	SRC_URI[sha256sum] = "26cef3e3c42571c0d484ad6faf110c5c15091fbf872b06fa7aa4766c7405ac69"	29	SRC_URI[sha256sum] = "26cef3e3c42571c0d484ad6faf110c5c15091fbf872b06fa7aa4766c7405ac69"