screen: fix CVE-2025-46802

For a short time they PTY is set to mode 666, allowing any user on the system to connect to the screen session. Reference: https://security-tracker.debian.org/tracker/CVE-2025-46802 Upstream-patch: https://cgit.git.savannah.gnu.org/cgit/screen.git/commit/?id=049b26b22e197ba3be9c46e5c193032e01a4724a (From OE-Core rev: b17e091eb4681b69c5a050d3fa0f9289f524e205) Signed-off-by: Divya Chellam <divya.chellam@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Divya Chellam <divya.chellam@windriver.com> 2025-06-05 16:30:59 +0530
committer: Steve Sakoman <steve@sakoman.com> 2025-06-11 08:17:34 -0700
commit: fa0fef4a3d5081c7ed300cb5d02286675aabece0 (patch)
tree: 71a45c7f71b56f65819ab29cb817b2e5296fe2b3
parent: 33fc46afb7e433f6f70b3c2312b52f6215952a49 (diff)
download: poky-fa0fef4a3d5081c7ed300cb5d02286675aabece0.tar.gz
2 files changed, 147 insertions, 0 deletions
diff --git a/meta/recipes-extended/screen/screen/CVE-2025-46802.patch b/meta/recipes-extended/screen/screen/CVE-2025-46802.patch
new file mode 100644
index 0000000000..e46affc480
--- /dev/null
+++ b/meta/recipes-extended/screen/screen/CVE-2025-46802.patch
@@ -0,0 +1,146 @@
+From 049b26b22e197ba3be9c46e5c193032e01a4724a Mon Sep 17 00:00:00 2001
+From: Matthias Gerstner <matthias.gerstner@suse.de>
+Date: Mon, 12 May 2025 15:15:38 +0200
+Subject: [PATCH] fix CVE-2025-46802: attacher.c - prevent temporary 0666 mode
+ on PTYs
+This temporary chmod of the PTY to mode 0666 is most likely a remnant of
+past times, before the PTY file descriptor was passed to the target
+session via the UNIX domain socket.
+This chmod() causes a race condition during which any other user in the
+system can open the PTY for reading and writing, and thus allows PTY
+hijacking.
+Simply remove this logic completely.
+CVE: CVE-2025-46802
+Upstream-Status: Backport [https://cgit.git.savannah.gnu.org/cgit/screen.git/commit/?id=049b26b22e197ba3be9c46e5c193032e01a4724a]
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ attacher.c | 27 ---------------------------
+ screen.c   | 19 -------------------
+ 2 files changed, 46 deletions(-)
+diff --git a/attacher.c b/attacher.c
+index c35ae7a..16b151e 100644
+--- a/attacher.c
+++ b/attacher.c
+@@ -73,7 +73,6 @@ extern int MasterPid, attach_fd;
+ #ifdef MULTIUSER
+ extern char *multi;
+ extern int multiattach, multi_uid, own_uid;
+-extern int tty_mode, tty_oldmode;
+ # ifndef USE_SETEUID
+ static int multipipe[2];
+ # endif
+@@ -160,9 +159,6 @@ int how;
+ 
+       if (pipe(multipipe))
+        Panic(errno, "pipe");
+-      if (chmod(attach_tty, 0666))
+-       Panic(errno, "chmod %s", attach_tty);
+-      tty_oldmode = tty_mode;
+       eff_uid = -1;    /* make UserContext fork */
+       real_uid = multi_uid;
+       if ((ret = UserContext()) <= 0)
+@@ -174,11 +170,6 @@ int how;
+            Panic(errno, "UserContext");
+          close(multipipe[1]);
+          read(multipipe[0], &dummy, 1);
+-         if (tty_oldmode >= 0)
+-           {
+-             chmod(attach_tty, tty_oldmode);
+-             tty_oldmode = -1;
+-           }
+          ret = UserStatus();
+ #ifdef LOCK
+          if (ret == SIG_LOCK)
+@@ -224,9 +215,6 @@ int how;
+       xseteuid(multi_uid);
+       xseteuid(own_uid);
+ #endif
+-      if (chmod(attach_tty, 0666))
+-       Panic(errno, "chmod %s", attach_tty);
+-      tty_oldmode = tty_mode;
+     }
+ # endif /* USE_SETEUID */
+ #endif /* MULTIUSER */
+@@ -423,13 +411,6 @@ int how;
+       ContinuePlease = 0;
+ # ifndef USE_SETEUID
+       close(multipipe[1]);
+-# else
+-      xseteuid(own_uid);
+-      if (tty_oldmode >= 0)
+-        if (chmod(attach_tty, tty_oldmode))
+-          Panic(errno, "chmod %s", attach_tty);
+-      tty_oldmode = -1;
+-      xseteuid(real_uid);
+ # endif
+     }
+ #endif
+@@ -505,14 +486,6 @@ AttacherFinit SIGDEFARG
+          close(s);
+        }
+     }
+-#ifdef MULTIUSER
+-  if (tty_oldmode >= 0)
+-    {
+-      if (setuid(own_uid))
+-        Panic(errno, "setuid");
+-      chmod(attach_tty, tty_oldmode);
+-    }
+-#endif
+   exit(0);
+   SIGRETURN;
+ }
+diff --git a/screen.c b/screen.c
+index 7653cd1..1a23e1a 100644
+--- a/screen.c
+++ b/screen.c
+@@ -230,8 +230,6 @@ char *multi_home;
+ int multi_uid;
+ int own_uid;
+ int multiattach;
+-int tty_mode;
+-int tty_oldmode = -1;
+ #endif
+ 
+ char HostName[MAXSTR];
+@@ -1009,9 +1007,6 @@ int main(int ac, char** av)
+ 
+     /* ttyname implies isatty */
+     SetTtyname(true, &st);
+-#ifdef MULTIUSER
+-    tty_mode = (int)st.st_mode & 0777;
+-#endif
+ 
+     fl = fcntl(0, F_GETFL, 0);
+     if (fl != -1 && (fl & (O_RDWR|O_RDONLY|O_WRONLY)) == O_RDWR)
+@@ -2170,20 +2165,6 @@ DEFINE_VARARGS_FN(Panic)
+       if (D_userpid)
+         Kill(D_userpid, SIG_BYE);
+     }
+-#ifdef MULTIUSER
+-  if (tty_oldmode >= 0) {
+-
+-# ifdef USE_SETEUID
+-    if (setuid(own_uid))
+-      xseteuid(own_uid);       /* may be a loop. sigh. */
+-# else
+-      setuid(own_uid);
+-# endif
+-
+-    debug1("Panic: changing back modes from %s\n", attach_tty);
+-    chmod(attach_tty, tty_oldmode);
+-  }
+-#endif
+   eexit(1);
+ }
+ 
+-- 
+2.40.0
diff --git a/meta/recipes-extended/screen/screen_4.9.1.bb b/meta/recipes-extended/screen/screen_4.9.1.bb
index 96f8021255..bc4928ff77 100644
--- a/meta/recipes-extended/screen/screen_4.9.1.bb
+++ b/meta/recipes-extended/screen/screen_4.9.1.bb
@@ -22,6 +22,7 @@ SRC_URI = "${GNU_MIRROR}/screen/screen-${PV}.tar.gz \
           file://0001-fix-for-multijob-build.patch \
           file://0001-Remove-more-compatibility-stuff.patch \
           file://CVE-2025-46805.patch \
+           file://CVE-2025-46802.patch \
           "
 SRC_URI[sha256sum] = "26cef3e3c42571c0d484ad6faf110c5c15091fbf872b06fa7aa4766c7405ac69"
author	Divya Chellam <divya.chellam@windriver.com>	2025-06-05 16:30:59 +0530
committer	Steve Sakoman <steve@sakoman.com>	2025-06-11 08:17:34 -0700
commit	fa0fef4a3d5081c7ed300cb5d02286675aabece0 (patch)
tree	71a45c7f71b56f65819ab29cb817b2e5296fe2b3
parent	33fc46afb7e433f6f70b3c2312b52f6215952a49 (diff)
download	poky-fa0fef4a3d5081c7ed300cb5d02286675aabece0.tar.gz

diff --git a/meta/recipes-extended/screen/screen/CVE-2025-46802.patch b/meta/recipes-extended/screen/screen/CVE-2025-46802.patch new file mode 100644 index 0000000000..e46affc480 --- /dev/null +++ b/meta/recipes-extended/screen/screen/CVE-2025-46802.patch
@@ -0,0 +1,146 @@
		1	From 049b26b22e197ba3be9c46e5c193032e01a4724a Mon Sep 17 00:00:00 2001
		2	From: Matthias Gerstner <matthias.gerstner@suse.de>
		3	Date: Mon, 12 May 2025 15:15:38 +0200
		4	Subject: [PATCH] fix CVE-2025-46802: attacher.c - prevent temporary 0666 mode
		5	on PTYs
		6
		7	This temporary chmod of the PTY to mode 0666 is most likely a remnant of
		8	past times, before the PTY file descriptor was passed to the target
		9	session via the UNIX domain socket.
		10
		11	This chmod() causes a race condition during which any other user in the
		12	system can open the PTY for reading and writing, and thus allows PTY
		13	hijacking.
		14
		15	Simply remove this logic completely.
		16
		17	CVE: CVE-2025-46802
		18
		19	Upstream-Status: Backport [https://cgit.git.savannah.gnu.org/cgit/screen.git/commit/?id=049b26b22e197ba3be9c46e5c193032e01a4724a]
		20
		21	Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
		22	---
		23	attacher.c \| 27 ---------------------------
		24	screen.c \| 19 -------------------
		25	2 files changed, 46 deletions(-)
		26
		27	diff --git a/attacher.c b/attacher.c
		28	index c35ae7a..16b151e 100644
		29	--- a/attacher.c
		30	+++ b/attacher.c
		31	@@ -73,7 +73,6 @@ extern int MasterPid, attach_fd;
		32	#ifdef MULTIUSER
		33	extern char *multi;
		34	extern int multiattach, multi_uid, own_uid;
		35	-extern int tty_mode, tty_oldmode;
		36	# ifndef USE_SETEUID
		37	static int multipipe[2];
		38	# endif
		39	@@ -160,9 +159,6 @@ int how;
		40
		41	if (pipe(multipipe))
		42	Panic(errno, "pipe");
		43	- if (chmod(attach_tty, 0666))
		44	- Panic(errno, "chmod %s", attach_tty);
		45	- tty_oldmode = tty_mode;
		46	eff_uid = -1; /* make UserContext fork */
		47	real_uid = multi_uid;
		48	if ((ret = UserContext()) <= 0)
		49	@@ -174,11 +170,6 @@ int how;
		50	Panic(errno, "UserContext");
		51	close(multipipe[1]);
		52	read(multipipe[0], &dummy, 1);
		53	- if (tty_oldmode >= 0)
		54	- {
		55	- chmod(attach_tty, tty_oldmode);
		56	- tty_oldmode = -1;
		57	- }
		58	ret = UserStatus();
		59	#ifdef LOCK
		60	if (ret == SIG_LOCK)
		61	@@ -224,9 +215,6 @@ int how;
		62	xseteuid(multi_uid);
		63	xseteuid(own_uid);
		64	#endif
		65	- if (chmod(attach_tty, 0666))
		66	- Panic(errno, "chmod %s", attach_tty);
		67	- tty_oldmode = tty_mode;
		68	}
		69	# endif /* USE_SETEUID */
		70	#endif /* MULTIUSER */
		71	@@ -423,13 +411,6 @@ int how;
		72	ContinuePlease = 0;
		73	# ifndef USE_SETEUID
		74	close(multipipe[1]);
		75	-# else
		76	- xseteuid(own_uid);
		77	- if (tty_oldmode >= 0)
		78	- if (chmod(attach_tty, tty_oldmode))
		79	- Panic(errno, "chmod %s", attach_tty);
		80	- tty_oldmode = -1;
		81	- xseteuid(real_uid);
		82	# endif
		83	}
		84	#endif
		85	@@ -505,14 +486,6 @@ AttacherFinit SIGDEFARG
		86	close(s);
		87	}
		88	}
		89	-#ifdef MULTIUSER
		90	- if (tty_oldmode >= 0)
		91	- {
		92	- if (setuid(own_uid))
		93	- Panic(errno, "setuid");
		94	- chmod(attach_tty, tty_oldmode);
		95	- }
		96	-#endif
		97	exit(0);
		98	SIGRETURN;
		99	}
		100	diff --git a/screen.c b/screen.c
		101	index 7653cd1..1a23e1a 100644
		102	--- a/screen.c
		103	+++ b/screen.c
		104	@@ -230,8 +230,6 @@ char *multi_home;
		105	int multi_uid;
		106	int own_uid;
		107	int multiattach;
		108	-int tty_mode;
		109	-int tty_oldmode = -1;
		110	#endif
		111
		112	char HostName[MAXSTR];
		113	@@ -1009,9 +1007,6 @@ int main(int ac, char** av)
		114
		115	/* ttyname implies isatty */
		116	SetTtyname(true, &st);
		117	-#ifdef MULTIUSER
		118	- tty_mode = (int)st.st_mode & 0777;
		119	-#endif
		120
		121	fl = fcntl(0, F_GETFL, 0);
		122	if (fl != -1 && (fl & (O_RDWR\|O_RDONLY\|O_WRONLY)) == O_RDWR)
		123	@@ -2170,20 +2165,6 @@ DEFINE_VARARGS_FN(Panic)
		124	if (D_userpid)
		125	Kill(D_userpid, SIG_BYE);
		126	}
		127	-#ifdef MULTIUSER
		128	- if (tty_oldmode >= 0) {
		129	-
		130	-# ifdef USE_SETEUID
		131	- if (setuid(own_uid))
		132	- xseteuid(own_uid); /* may be a loop. sigh. */
		133	-# else
		134	- setuid(own_uid);
		135	-# endif
		136	-
		137	- debug1("Panic: changing back modes from %s\n", attach_tty);
		138	- chmod(attach_tty, tty_oldmode);
		139	- }
		140	-#endif
		141	eexit(1);
		142	}
		143
		144	--
		145	2.40.0
		146


diff --git a/meta/recipes-extended/screen/screen_4.9.1.bb b/meta/recipes-extended/screen/screen_4.9.1.bb index 96f8021255..bc4928ff77 100644 --- a/meta/recipes-extended/screen/screen_4.9.1.bb +++ b/meta/recipes-extended/screen/screen_4.9.1.bb
@@ -22,6 +22,7 @@ SRC_URI = "${GNU_MIRROR}/screen/screen-${PV}.tar.gz \
22	file://0001-fix-for-multijob-build.patch \	22	file://0001-fix-for-multijob-build.patch \
23	file://0001-Remove-more-compatibility-stuff.patch \	23	file://0001-Remove-more-compatibility-stuff.patch \
24	file://CVE-2025-46805.patch \	24	file://CVE-2025-46805.patch \
		25	file://CVE-2025-46802.patch \
25	"	26	"
26		27
27	SRC_URI[sha256sum] = "26cef3e3c42571c0d484ad6faf110c5c15091fbf872b06fa7aa4766c7405ac69"	28	SRC_URI[sha256sum] = "26cef3e3c42571c0d484ad6faf110c5c15091fbf872b06fa7aa4766c7405ac69"