Arch Linux Security Advisory ASA-202505-1
=========================================

Severity: High
Date    : 2025-05-13
CVE-ID  : CVE-2025-23395 CVE-2025-46802 CVE-2025-46803 CVE-2025-46804
          CVE-2025-46805
Package : screen
Type    : multiple issues
Remote  : No
Link    : https://security.archlinux.org/AVG-2862

Summary
=======

The package screen before version 5.0.0-3 is vulnerable to multiple issues
including access restriction bypass, denial of service and privilege
escalation.

Resolution
==========

Upgrade to 5.0.0-3.

# pacman -Syu "screen>=5.0.0-3"

The problems have been fixed upstream but no release is available yet.

Workaround
==========

None.

Description
===========

- CVE-2025-23395 (privilege escalation)

This issue affects Screen 5.0.0 when it runs with setuid-root privileges.
The function logfile_reopen() does not drop privileges while operating on a
user-supplied path. This allows unprivileged users to create files in
arbitrary locations with root ownership, the invoking user's (real) group
ownership and file mode 0644. All data written to the Screen PTY is then
logged into this file. Already existing files can be abused for logging in
the same manner: the data is appended to the file in question, while its
mode and ownership are left unchanged.

Screen correctly drops privileges when it initially opens the logfile. The
privilege escalation becomes possible as soon as Screen believes it is
necessary to reopen the logfile. Screen checks this by calling
stolen_logfile() before writing to the file. The call to logfile_reopen()
happens when the link count of the originally opened logfile drops to zero,
or when its size changes unexpectedly. Since the unprivileged user controls
both the link count and the size of the original logfile, this condition can
be triggered at will.

- CVE-2025-46802 (access restriction bypass)

This issue is found in the Attach() function when the multiattach flag is
set (i.e. Screen attempts to attach to a multi-user session). The function
performs a chmod() of the current TTY to mode 0666.
The path to the current TTY is stored in the attach_tty string. The problem
with this temporary mode change is that it opens a race window during which
any other user on the system can open the caller's TTY for reading and
writing.

- CVE-2025-46803 (access restriction bypass)

In Screen version 5.0.0 the default mode of pseudo terminals (PTYs)
allocated by Screen was changed from 0620 to 0622, thereby allowing any user
to write to any Screen PTY on the system.

- CVE-2025-46804 (information disclosure)

This is a minor information leak when running Screen with setuid-root
privileges. It is present in older Screen versions as well as in version
5.0.0. The code in screen.c starting at line 849 inspects the resulting
SocketPath with root privileges and emits error messages that let
unprivileged users deduce information about that path which would otherwise
not be available to them. The easiest way to influence the path is the
SCREENDIR environment variable.

- CVE-2025-46805 (denial of service)

In socket.c lines 646 and 882, time-of-check/time-of-use (TOCTOU) race
conditions exist with regard to sending signals to user-supplied PIDs in
setuid-root context. The CheckPid() function drops privileges to the real
user ID and tests whether the kernel allows sending a signal to the target
PID with these credentials. The actual signal is sent later via Kill(),
potentially with full root privileges. By this time, the PID that was
checked could have been reused by a different, privileged process. It might
also be possible to trick the (privileged) Screen daemon process into
sending signals to itself, since a process is always allowed to signal
itself. Currently this should only allow sending SIGCONT and SIGHUP, so the
impact is likely limited to a local denial of service or a minor integrity
violation.

Impact
======

A local unprivileged user is able to escalate privileges on the affected
host.
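As an added example (the editor's, not code from the advisory or from the screen project), the following POSIX shell helpers turn the advisory's own criteria into a local audit: whether the installed pkgver-pkgrel is older than the fixed 5.0.0-3, whether the screen binary carries the setuid bit that the setuid-root issues (CVE-2025-23395, CVE-2025-46804, CVE-2025-46805) depend on, and whether any PTY is world-writable as a 0622 default (CVE-2025-46803) would make it. The binary path (SCREEN_BIN, default /usr/bin/screen) and the PTY directory (PTS_DIR, default /dev/pts) are assumptions and can be overridden; the installed version is read with pacman -Q only when pacman is present.

```shell
#!/bin/sh
# Added audit helpers for ASA-202505-1 (editor's example, not code from the
# advisory or the screen project).  Assumptions: Arch-style versions of the
# form pkgver-pkgrel, a screen binary at $SCREEN_BIN (default /usr/bin/screen)
# and PTYs under $PTS_DIR (default /dev/pts); both paths are assumptions.

# version_lt A B: true (exit 0) when version A sorts before version B.
# Fields are split on '.' and '-' and compared numerically, so 4.9.1-2 and
# 5.0.0-2 both sort before 5.0.0-3, while 5.0.0-10 and 5.0.1-1 do not.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[.-]/); nb = split(b, y, /[.-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1   # equal versions are not "less than"
    }'
}

# screen_version_vulnerable VER: true when VER is older than the fixed 5.0.0-3.
screen_version_vulnerable() {
    version_lt "$1" "5.0.0-3"
}

# is_setuid PATH: true when the setuid bit is set on PATH.  The setuid-root
# issues (CVE-2025-23395, CVE-2025-46804, CVE-2025-46805) only apply then.
is_setuid() {
    [ -u "$1" ]
}

# world_writable_entries DIR: print entries in DIR whose mode grants write
# access to "other", as a 0622 PTY (CVE-2025-46803) would.  Reads the mode
# column of `ls -ld`, where the other-write bit is the ninth character.
world_writable_entries() {
    dir=${1:-/dev/pts}
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        case $(command ls -ld "$f") in
            ????????w*) printf '%s\n' "$f" ;;
        esac
    done
}

# audit_host: report the installed version (if pacman is present), the
# setuid state of the binary and any world-writable PTYs.  Never fails.
audit_host() {
    bin=${SCREEN_BIN:-/usr/bin/screen}
    if command -v pacman >/dev/null 2>&1; then
        ver=$(pacman -Q screen 2>/dev/null | awk '{ print $2 }')
        if [ -n "$ver" ]; then
            if screen_version_vulnerable "$ver"; then
                echo "screen $ver: older than 5.0.0-3, affected by ASA-202505-1"
            else
                echo "screen $ver: 5.0.0-3 or newer"
            fi
        fi
    fi
    if [ -e "$bin" ]; then
        if is_setuid "$bin"; then
            echo "$bin is setuid: the setuid-root issues apply"
        else
            echo "$bin is not setuid: the setuid-root issues do not apply"
        fi
    fi
    ww=$(world_writable_entries "${PTS_DIR:-/dev/pts}")
    if [ -n "$ww" ]; then
        printf 'world-writable PTYs (see CVE-2025-46803):\n%s\n' "$ww"
    fi
    return 0
}

audit_host
```

Run it as an unprivileged user after the upgrade: the version line should read "5.0.0-3 or newer" and the world-writable list should be empty once all sessions started under the old package have been terminated, since PTYs allocated by a running 5.0.0 session keep their 0622 mode until they are closed.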
References
==========

https://www.openwall.com/lists/oss-security/2025/05/12/1
https://security.opensuse.org/2025/05/12/screen-security-issues.html
https://git.savannah.gnu.org/cgit/screen.git/commit/?id=e894caeffccdb62f9c64...
https://git.savannah.gnu.org/cgit/screen.git/commit/?id=049b26b22e197ba3be9c...
https://git.savannah.gnu.org/cgit/screen.git/commit/?id=d5d7bf43f3842e8b62d5...
https://git.savannah.gnu.org/cgit/screen.git/commit/?id=e0eef5aac453fa98a266...
https://git.savannah.gnu.org/cgit/screen.git/commit/?id=161f85b98b7e1d5e4893...
https://security.archlinux.org/CVE-2025-23395
https://security.archlinux.org/CVE-2025-46802
https://security.archlinux.org/CVE-2025-46803
https://security.archlinux.org/CVE-2025-46804
https://security.archlinux.org/CVE-2025-46805