screen: patch CVE-2025-46805

Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/screen/patch/?id=aa9f51f996a22470b8461d2b6a32e62c7ec30ed5 Upstream commit https://git.savannah.gnu.org/cgit/screen.git/commit/?id=161f85b98b7e1d5e4893aeed20f4cdb5e3dfaaa4] (From OE-Core rev: 69dd9b16fbd18a1a960887ee9479a2e731b5a184) Signed-off-by: Ashish Sharma <asharma@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Ashish Sharma <asharma@mvista.com> 2025-05-30 09:57:17 +0530
committer: Steve Sakoman <steve@sakoman.com> 2025-06-05 08:41:15 -0700
commit: f8d52ece40b3e361973bed38df2538b2709bc730 (patch)
tree: c6d43ed8af5595ab39077f9a164ba763be011c89
parent: d56536a6185c532c618348aa1e13a8688106af03 (diff)
download: poky-f8d52ece40b3e361973bed38df2538b2709bc730.tar.gz
2 files changed, 102 insertions, 0 deletions
diff --git a/meta/recipes-extended/screen/screen/CVE-2025-46805.patch b/meta/recipes-extended/screen/screen/CVE-2025-46805.patch
new file mode 100644
index 0000000000..e0207b6072
--- /dev/null
+++ b/meta/recipes-extended/screen/screen/CVE-2025-46805.patch
@@ -0,0 +1,101 @@
+From aa9f51f996a22470b8461d2b6a32e62c7ec30ed5 Mon Sep 17 00:00:00 2001
+From: Axel Beckert <abe@debian.org>
+Date: Mon, 19 May 2025 00:42:42 +0200
+Subject: fix CVE-2025-46805: socket.c - don't send signals with root
+Gbp-Pq: fix-CVE-2025-46805-socket.c-don-t-send-signals-with-.patch.
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/screen/patch/?id=aa9f51f996a22470b8461d2b6a32e62c7ec30ed5 
+Upstream commit https://git.savannah.gnu.org/cgit/screen.git/commit/?id=161f85b98b7e1d5e4893aeed20f4cdb5e3dfaaa4]
+CVE: CVE-2025-46805
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+ socket.c | 21 +++++++++++++--------
+ 1 file changed, 13 insertions(+), 8 deletions(-)
+diff --git a/socket.c b/socket.c
+index e268e3d..11b5e59 100644
+--- a/socket.c
+++ b/socket.c
+@@ -832,6 +832,11 @@ int pid;
+   return UserStatus();
+ }
+ 
+static void KillUnpriv(pid_t pid, int sig) {
+    UserContext();
+    UserReturn(kill(pid, sig));
+}
+
+ #ifdef hpux
+ /*
+  * From: "F. K. Bruner" <napalm@ugcs.caltech.edu>
+@@ -917,14 +922,14 @@ struct win *wi;
+             {
+              Msg(errno, "Could not perform necessary sanity checks on pts device.");
+              close(i);
+-             Kill(pid, SIG_BYE);
+             KillUnpriv(pid, SIG_BYE);
+              return -1;
+             }
+           if (strcmp(ttyname_in_ns, m->m_tty))
+             {
+              Msg(errno, "Attach: passed fd does not match tty: %s - %s!", ttyname_in_ns, m->m_tty[0] != '\0' ? m->m_tty : "(null)");
+              close(i);
+-             Kill(pid, SIG_BYE);
+             KillUnpriv(pid, SIG_BYE);
+              return -1;
+            }
+          /* m->m_tty so far contains the actual name of the pts device in the
+@@ -941,19 +946,19 @@ struct win *wi;
+        {
+          Msg(errno, "Attach: passed fd does not match tty: %s - %s!", m->m_tty, myttyname ? myttyname : "NULL");
+          close(i);
+-         Kill(pid, SIG_BYE);
+         KillUnpriv(pid, SIG_BYE);
+          return -1;
+        }
+     }
+   else if ((i = secopen(m->m_tty, O_RDWR | O_NONBLOCK, 0)) < 0)
+     {
+       Msg(errno, "Attach: Could not open %s!", m->m_tty);
+-      Kill(pid, SIG_BYE);
+      KillUnpriv(pid, SIG_BYE);
+       return -1;
+     }
+ #ifdef MULTIUSER
+   if (attach)
+-    Kill(pid, SIGCONT);
+    KillUnpriv(pid, SIGCONT);
+ #endif
+ 
+ #if defined(ultrix) || defined(pyr) || defined(NeXT)
+@@ -966,7 +971,7 @@ struct win *wi;
+        {
+          write(i, "Attaching from inside of screen?\n", 33);
+          close(i);
+-         Kill(pid, SIG_BYE);
+         KillUnpriv(pid, SIG_BYE);
+          Msg(0, "Attach msg ignored: coming from inside.");
+          return -1;
+        }
+@@ -977,7 +982,7 @@ struct win *wi;
+          {
+              write(i, "Access to session denied.\n", 26);
+              close(i);
+-             Kill(pid, SIG_BYE);
+             KillUnpriv(pid, SIG_BYE);
+              Msg(0, "Attach: access denied for user %s.", user);
+              return -1;
+          }
+@@ -1295,7 +1300,7 @@ ReceiveMsg()
+             Msg(0, "Query attempt with bad pid(%d)!", m.m.command.apid);
+           }
+           else {
+-            Kill(m.m.command.apid,
+            KillUnpriv(m.m.command.apid,
+                (queryflag >= 0)
+                    ? SIGCONT
+                    : SIG_BYE); /* Send SIG_BYE if an error happened */
+-- 
+cgit v1.2.3
diff --git a/meta/recipes-extended/screen/screen_4.9.1.bb b/meta/recipes-extended/screen/screen_4.9.1.bb
index 7b040e6b57..96f8021255 100644
--- a/meta/recipes-extended/screen/screen_4.9.1.bb
+++ b/meta/recipes-extended/screen/screen_4.9.1.bb
@@ -21,6 +21,7 @@ SRC_URI = "${GNU_MIRROR}/screen/screen-${PV}.tar.gz \
           file://0002-comm.h-now-depends-on-term.h.patch \
           file://0001-fix-for-multijob-build.patch \
           file://0001-Remove-more-compatibility-stuff.patch \
+           file://CVE-2025-46805.patch \
           "
 SRC_URI[sha256sum] = "26cef3e3c42571c0d484ad6faf110c5c15091fbf872b06fa7aa4766c7405ac69"
author	Ashish Sharma <asharma@mvista.com>	2025-05-30 09:57:17 +0530
committer	Steve Sakoman <steve@sakoman.com>	2025-06-05 08:41:15 -0700
commit	f8d52ece40b3e361973bed38df2538b2709bc730 (patch)
tree	c6d43ed8af5595ab39077f9a164ba763be011c89
parent	d56536a6185c532c618348aa1e13a8688106af03 (diff)
download	poky-f8d52ece40b3e361973bed38df2538b2709bc730.tar.gz

diff --git a/meta/recipes-extended/screen/screen/CVE-2025-46805.patch b/meta/recipes-extended/screen/screen/CVE-2025-46805.patch new file mode 100644 index 0000000000..e0207b6072 --- /dev/null +++ b/meta/recipes-extended/screen/screen/CVE-2025-46805.patch
@@ -0,0 +1,101 @@
		1	From aa9f51f996a22470b8461d2b6a32e62c7ec30ed5 Mon Sep 17 00:00:00 2001
		2	From: Axel Beckert <abe@debian.org>
		3	Date: Mon, 19 May 2025 00:42:42 +0200
		4	Subject: fix CVE-2025-46805: socket.c - don't send signals with root
		5
		6	Gbp-Pq: fix-CVE-2025-46805-socket.c-don-t-send-signals-with-.patch.
		7
		8	Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/screen/patch/?id=aa9f51f996a22470b8461d2b6a32e62c7ec30ed5
		9	Upstream commit https://git.savannah.gnu.org/cgit/screen.git/commit/?id=161f85b98b7e1d5e4893aeed20f4cdb5e3dfaaa4]
		10	CVE: CVE-2025-46805
		11	Signed-off-by: Ashish Sharma <asharma@mvista.com>
		12
		13	socket.c \| 21 +++++++++++++--------
		14	1 file changed, 13 insertions(+), 8 deletions(-)
		15
		16	diff --git a/socket.c b/socket.c
		17	index e268e3d..11b5e59 100644
		18	--- a/socket.c
		19	+++ b/socket.c
		20	@@ -832,6 +832,11 @@ int pid;
		21	return UserStatus();
		22	}
		23
		24	+static void KillUnpriv(pid_t pid, int sig) {
		25	+ UserContext();
		26	+ UserReturn(kill(pid, sig));
		27	+}
		28	+
		29	#ifdef hpux
		30	/*
		31	* From: "F. K. Bruner" <napalm@ugcs.caltech.edu>
		32	@@ -917,14 +922,14 @@ struct win *wi;
		33	{
		34	Msg(errno, "Could not perform necessary sanity checks on pts device.");
		35	close(i);
		36	- Kill(pid, SIG_BYE);
		37	+ KillUnpriv(pid, SIG_BYE);
		38	return -1;
		39	}
		40	if (strcmp(ttyname_in_ns, m->m_tty))
		41	{
		42	Msg(errno, "Attach: passed fd does not match tty: %s - %s!", ttyname_in_ns, m->m_tty[0] != '\0' ? m->m_tty : "(null)");
		43	close(i);
		44	- Kill(pid, SIG_BYE);
		45	+ KillUnpriv(pid, SIG_BYE);
		46	return -1;
		47	}
		48	/* m->m_tty so far contains the actual name of the pts device in the
		49	@@ -941,19 +946,19 @@ struct win *wi;
		50	{
		51	Msg(errno, "Attach: passed fd does not match tty: %s - %s!", m->m_tty, myttyname ? myttyname : "NULL");
		52	close(i);
		53	- Kill(pid, SIG_BYE);
		54	+ KillUnpriv(pid, SIG_BYE);
		55	return -1;
		56	}
		57	}
		58	else if ((i = secopen(m->m_tty, O_RDWR \| O_NONBLOCK, 0)) < 0)
		59	{
		60	Msg(errno, "Attach: Could not open %s!", m->m_tty);
		61	- Kill(pid, SIG_BYE);
		62	+ KillUnpriv(pid, SIG_BYE);
		63	return -1;
		64	}
		65	#ifdef MULTIUSER
		66	if (attach)
		67	- Kill(pid, SIGCONT);
		68	+ KillUnpriv(pid, SIGCONT);
		69	#endif
		70
		71	#if defined(ultrix) \|\| defined(pyr) \|\| defined(NeXT)
		72	@@ -966,7 +971,7 @@ struct win *wi;
		73	{
		74	write(i, "Attaching from inside of screen?\n", 33);
		75	close(i);
		76	- Kill(pid, SIG_BYE);
		77	+ KillUnpriv(pid, SIG_BYE);
		78	Msg(0, "Attach msg ignored: coming from inside.");
		79	return -1;
		80	}
		81	@@ -977,7 +982,7 @@ struct win *wi;
		82	{
		83	write(i, "Access to session denied.\n", 26);
		84	close(i);
		85	- Kill(pid, SIG_BYE);
		86	+ KillUnpriv(pid, SIG_BYE);
		87	Msg(0, "Attach: access denied for user %s.", user);
		88	return -1;
		89	}
		90	@@ -1295,7 +1300,7 @@ ReceiveMsg()
		91	Msg(0, "Query attempt with bad pid(%d)!", m.m.command.apid);
		92	}
		93	else {
		94	- Kill(m.m.command.apid,
		95	+ KillUnpriv(m.m.command.apid,
		96	(queryflag >= 0)
		97	? SIGCONT
		98	: SIG_BYE); /* Send SIG_BYE if an error happened */
		99	--
		100	cgit v1.2.3
		101


diff --git a/meta/recipes-extended/screen/screen_4.9.1.bb b/meta/recipes-extended/screen/screen_4.9.1.bb index 7b040e6b57..96f8021255 100644 --- a/meta/recipes-extended/screen/screen_4.9.1.bb +++ b/meta/recipes-extended/screen/screen_4.9.1.bb
@@ -21,6 +21,7 @@ SRC_URI = "${GNU_MIRROR}/screen/screen-${PV}.tar.gz \
21	file://0002-comm.h-now-depends-on-term.h.patch \	21	file://0002-comm.h-now-depends-on-term.h.patch \
22	file://0001-fix-for-multijob-build.patch \	22	file://0001-fix-for-multijob-build.patch \
23	file://0001-Remove-more-compatibility-stuff.patch \	23	file://0001-Remove-more-compatibility-stuff.patch \
		24	file://CVE-2025-46805.patch \
24	"	25	"
25		26
26	SRC_URI[sha256sum] = "26cef3e3c42571c0d484ad6faf110c5c15091fbf872b06fa7aa4766c7405ac69"	27	SRC_URI[sha256sum] = "26cef3e3c42571c0d484ad6faf110c5c15091fbf872b06fa7aa4766c7405ac69"