oss-sec mailing list archives
Re: screen: Multiple Security Issues in Screen (mostly affecting release 5.0.0 and setuid-root installations)
From: Matthias Gerstner <mgerstner () suse de>
Date: Wed, 14 May 2025 13:26:59 +0200
Hi,

On Tue, May 13, 2025 at 03:48:31PM -0700, Mark Esler wrote:
> Cheers for the report Matthias and SUSE Security!

thanks!

> Could you please comment on the affectedness of upstream screen 5.0.1?
> https://git.savannah.gnu.org/cgit/screen.git/commit/?h=screen-v5&id=464c8d8f945f53f8cbb854517279349e09d74756
> This version was released ~an hour before your initial oss post. It appears
> that upstream landed the patches, which may be worth mentioning in your
> timeline.
Indeed, this is the bugfix release announced by upstream here:

https://lists.gnu.org/archive/html/screen-users/2025-05/msg00005.html

We just updated our blog post to reflect what we could find out about the
upstream bugfixes:

https://security.opensuse.org/2025/05/12/screen-security-issues.html#8-upstream-bugfixes

For screen 4.9.1 bugfixes landed on the upstream screen-v4 branch, but it
seems no release is planned here. We reviewed the following bugfixes:

- commit 049b26b22e1 [1]: fixes the PTY mode issue (item 3.b, CVE-2025-46802).
- commit e0eef5aac45 [2]: fixes the file existence test issue (item 3.d, CVE-2025-46804).
- commit 161f85b98b7 [3]: fixes the signal sending issue (item 3.e, CVE-2025-46805).

For screen 5.0.0 the 5.0.1 bugfix release has been announced. Patches landed
on the upstream screen-v5 branch. We reviewed the following bugfixes:

- commit e894caeff [4]: fixes the logfile reopen issue (item 3.a, CVE-2025-23395).
- commit d10eb5b2f [5]: fixes the PTY mode issue (item 3.b, CVE-2025-46802).
- commit d5d7bf43f [6]: fixes the default PTY mode issue (item 3.c, CVE-2025-46803).
- commit 710cda5c7 [7]: fixes the file existence test issue (item 3.d, CVE-2025-46804).
- commit a17b0da26 [8]: fixes the signal sending issue (item 3.e, CVE-2025-46805).
- commit 2bdebfc98 [9]: fixes the strncpy related crashes (item 3.f).

The last time we checked no screen 5.0.1 release tarballs could be found in
the GNU Screen download area yet.

[1]: https://git.savannah.gnu.org/cgit/screen.git/commit/?h=screen-v4&id=049b26b22e197ba3be9c46e5c193032e01a4724a
[2]: https://git.savannah.gnu.org/cgit/screen.git/commit/?h=screen-v4&id=e0eef5aac453fa98a2664416a56c50ad1d00cb30
[3]: https://git.savannah.gnu.org/cgit/screen.git/commit/?h=screen-v4&id=161f85b98b7e1d5e4893aeed20f4cdb5e3dfaaa4
[4]: https://git.savannah.gnu.org/cgit/screen.git/commit/?h=screen-v5&id=e894caeffccdb62f9c644989a936dc7ec83cc747
[5]: https://git.savannah.gnu.org/cgit/screen.git/commit/?h=screen-v5&id=d10eb5b2f7eebaa347f09c010bd391373fdd1695
[6]: https://git.savannah.gnu.org/cgit/screen.git/commit/?h=screen-v5&id=d5d7bf43f3842e8b62d5f34eb4b031de7c8098c1
[7]: https://git.savannah.gnu.org/cgit/screen.git/commit/?h=screen-v5&id=710cda5c71cacfed201b5659e04a83815313d8e6
[8]: https://git.savannah.gnu.org/cgit/screen.git/commit/?h=screen-v5&id=a17b0da26494856640bd9d52a03fc1b575400170
[9]: https://git.savannah.gnu.org/cgit/screen.git/commit/?h=screen-v5&id=2bdebfc9837cfd3cea0645030e626b08bb6bc2d0

Best Regards

Matthias

-- 
Matthias Gerstner <matthias.gerstner () suse de>
Security Engineer
https://www.suse.com/security
GPG Key ID: 0x14C405C971923553

SUSE Software Solutions Germany GmbH
HRB 36809, AG Nürnberg
Geschäftsführer: Ivo Totev, Andrew McDonald, Werner Knoblich
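Added example, not part of the post above and not code from the screen project: a small POSIX shell helper that, given a checkout of the GNU Screen git repository, reports which of the fix commits listed in the post are ancestors of a chosen ref, using git's ancestry test. The commit IDs and CVE labels are the ones quoted in the post; the repository path, ref and branch selector (v4 or v5) are assumed to be supplied by the caller. It inspects git history only, so a distribution package that backports the fixes under different commit IDs will show as "MISSING" here and needs to be checked against the vendor's changelog instead.

```shell
#!/bin/sh
# Added example (not from the oss-sec post or the screen project).
# Checks whether the upstream fix commits quoted in the post are contained
# in a given ref of a local screen git checkout.

# fix_present REPO COMMIT REF
#   exit 0 if COMMIT is an ancestor of (or equal to) REF in REPO, else non-zero.
#   An unknown COMMIT makes git fail, which is reported as "not present".
fix_present() {
    git -C "$1" merge-base --is-ancestor "$2" "$3" 2>/dev/null
}

# report_fixes REPO REF BRANCH
#   BRANCH is "v4" (screen-v4 commits) or "v5" (screen-v5 commits), as listed
#   in the post. Prints one line per fix and exits 0 only if all are present.
report_fixes() {
    repo=$1; ref=$2; branch=$3
    case $branch in
        v4) list="049b26b22e1:CVE-2025-46802 e0eef5aac45:CVE-2025-46804 161f85b98b7:CVE-2025-46805" ;;
        v5) list="e894caeff:CVE-2025-23395 d10eb5b2f:CVE-2025-46802 d5d7bf43f:CVE-2025-46803 710cda5c7:CVE-2025-46804 a17b0da26:CVE-2025-46805 2bdebfc98:strncpy-crashes" ;;
        *)  echo "unknown branch selector: $branch (use v4 or v5)" >&2; return 2 ;;
    esac
    missing=0
    for entry in $list; do
        commit=${entry%%:*}
        label=${entry#*:}
        if fix_present "$repo" "$commit" "$ref"; then
            echo "present $label ($commit)"
        else
            echo "MISSING $label ($commit)"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Usage: sh check-screen-fixes.sh /path/to/screen.git [REF] [v4|v5]
# (assumed invocation; only runs when a repository path is given)
if [ "$#" -ge 1 ]; then
    report_fixes "$1" "${2:-HEAD}" "${3:-v5}"
fi
```

Abbreviated commit IDs work with `merge-base --is-ancestor` as long as they are unambiguous in the repository; if git reports an ambiguity, use the full IDs from the footnote links.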