screen: patch CVE-2025-46805

Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/screen/patch/?id=aa9f51f996a22470b8461d2b6a32e62c7ec30ed5 Upstream commit https://git.savannah.gnu.org/cgit/screen.git/commit/?id=161f85b98b7e1d5e4893aeed20f4cdb5e3dfaaa4] (From OE-Core rev: 69dd9b16fbd18a1a960887ee9479a2e731b5a184) Signed-off-by: Ashish Sharma <asharma@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
2026-06-01 13:09:50 +00:00 · 2025-05-30 09:57:17 +05:30
parent d56536a618
commit f8d52ece40
2 changed files with 102 additions and 0 deletions
@@ -0,0 +1,101 @@
 From aa9f51f996a22470b8461d2b6a32e62c7ec30ed5 Mon Sep 17 00:00:00 2001
 From: Axel Beckert <abe@debian.org>
 Date: Mon, 19 May 2025 00:42:42 +0200
 Subject: fix CVE-2025-46805: socket.c - don't send signals with root
 Gbp-Pq: fix-CVE-2025-46805-socket.c-don-t-send-signals-with-.patch.
 Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/screen/patch/?id=aa9f51f996a22470b8461d2b6a32e62c7ec30ed5 
 Upstream commit https://git.savannah.gnu.org/cgit/screen.git/commit/?id=161f85b98b7e1d5e4893aeed20f4cdb5e3dfaaa4]
 CVE: CVE-2025-46805
 Signed-off-by: Ashish Sharma <asharma@mvista.com>
 socket.c | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)
 diff --git a/socket.c b/socket.c
 index e268e3d..11b5e59 100644
 --- a/socket.c
 +++ b/socket.c
@@ -832,6 +832,11 @@ int pid;
   return UserStatus();
 }
 +static void KillUnpriv(pid_t pid, int sig) {
 +    UserContext();
 +    UserReturn(kill(pid, sig));
 +}
 +
 #ifdef hpux
 /*
  * From: "F. K. Bruner" <napalm@ugcs.caltech.edu>
@@ -917,14 +922,14 @@ struct win *wi;
             {
 	      Msg(errno, "Could not perform necessary sanity checks on pts device.");
 	      close(i);
 -	      Kill(pid, SIG_BYE);
 +	      KillUnpriv(pid, SIG_BYE);
 	      return -1;
             }
           if (strcmp(ttyname_in_ns, m->m_tty))
             {
 	      Msg(errno, "Attach: passed fd does not match tty: %s - %s!", ttyname_in_ns, m->m_tty[0] != '\0' ? m->m_tty : "(null)");
 	      close(i);
 -	      Kill(pid, SIG_BYE);
 +	      KillUnpriv(pid, SIG_BYE);
 	      return -1;
 	    }
 	  /* m->m_tty so far contains the actual name of the pts device in the
@@ -941,19 +946,19 @@ struct win *wi;
 	{
 	  Msg(errno, "Attach: passed fd does not match tty: %s - %s!", m->m_tty, myttyname ? myttyname : "NULL");
 	  close(i);
 -	  Kill(pid, SIG_BYE);
 +	  KillUnpriv(pid, SIG_BYE);
 	  return -1;
 	}
     }
   else if ((i = secopen(m->m_tty, O_RDWR | O_NONBLOCK, 0)) < 0)
     {
       Msg(errno, "Attach: Could not open %s!", m->m_tty);
 -      Kill(pid, SIG_BYE);
 +      KillUnpriv(pid, SIG_BYE);
       return -1;
     }
 #ifdef MULTIUSER
   if (attach)
 -    Kill(pid, SIGCONT);
 +    KillUnpriv(pid, SIGCONT);
 #endif
 #if defined(ultrix) || defined(pyr) || defined(NeXT)
@@ -966,7 +971,7 @@ struct win *wi;
 	{
 	  write(i, "Attaching from inside of screen?\n", 33);
 	  close(i);
 -	  Kill(pid, SIG_BYE);
 +	  KillUnpriv(pid, SIG_BYE);
 	  Msg(0, "Attach msg ignored: coming from inside.");
 	  return -1;
 	}
@@ -977,7 +982,7 @@ struct win *wi;
 	  {
 	      write(i, "Access to session denied.\n", 26);
 	      close(i);
 -	      Kill(pid, SIG_BYE);
 +	      KillUnpriv(pid, SIG_BYE);
 	      Msg(0, "Attach: access denied for user %s.", user);
 	      return -1;
 	  }
@@ -1295,7 +1300,7 @@ ReceiveMsg()
             Msg(0, "Query attempt with bad pid(%d)!", m.m.command.apid);
           }
           else {
 -            Kill(m.m.command.apid,
 +            KillUnpriv(m.m.command.apid,
                (queryflag >= 0)
                    ? SIGCONT
                    : SIG_BYE); /* Send SIG_BYE if an error happened */
 -- 
 cgit v1.2.3
@@ -21,6 +21,7 @@ SRC_URI = "${GNU_MIRROR}/screen/screen-${PV}.tar.gz \
           file://0002-comm.h-now-depends-on-term.h.patch \
           file://0001-fix-for-multijob-build.patch \
           file://0001-Remove-more-compatibility-stuff.patch \
           file://CVE-2025-46805.patch \
           "
 SRC_URI[sha256sum] = "26cef3e3c42571c0d484ad6faf110c5c15091fbf872b06fa7aa4766c7405ac69"