Bug 264573 - app-misc/screen /tmp/screen-exchange Insecure Temporary File (CVE-2009-{1214,1215})
Status: RESOLVED UPSTREAM
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All
OS: Linux
Importance: High normal
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A3 [ebuild]
Reported: 2009-04-01 23:49 UTC by Robert Buchholz (RETIRED)
Modified: 2009-04-02 14:56 UTC (History)
Description Robert Buchholz (RETIRED) gentoo-dev 2009-04-01 23:49:11 UTC
CVE-2009-1214 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1214):
  GNU screen 4.0.3 creates the /tmp/screen-exchange temporary file with
  world-readable permissions, which might allow local users to obtain
  sensitive session information.

CVE-2009-1215 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1215):
  Race condition in GNU screen 4.0.3 allows local users to create or
  overwrite arbitrary files via a symlink attack on the
  /tmp/screen-exchange temporary file.
Comment 1 Sven Wegener gentoo-dev 2009-04-02 14:41:42 UTC
See bug #95273, we've changed the default buffer file to $HOME/.screen_exchange. And for the default location, screen checks whether it's a hard link or symlink and refuses to write to it. See the explanation in the Red Hat bug as reference. There is still a race if someone replaces the regular exchange file with a link to a file having the same dev and inode number, but that is highly unlikely.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-04-02 14:56:30 UTC
Oh, I was not aware of that change in defaults. Since there is no reason for the program to handle files securely in a user's home directory, I'm closing this as UPSTREAM.
A user could still configure screen to use /tmp as a directory for exchange files; however, that is at the user's discretion and risk (for both data disclosure and race condition). If screen upstream is going to consider the race condition an issue, we'll get the updates via the usual channel anyway -- no need for priority handling.
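The two CVEs above and the hard-link/symlink check described in comment 1 are the two halves of one problem: a predictable file name in a directory other users can write to. The following C is an added worked example, not screen's code and not anything attached to this bug. It puts the insecure open pattern beside a hardened opener (lstat, O_NOFOLLOW, fstat on the descriptor, truncate last) and drives both through constructed scenarios in a scratch directory. Every name in it (open_exchange_unsafe, open_exchange_safe, run_scenario, creation_mode, the "victim" and "screen-exchange" files) is the example's own assumption.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Insecure pattern (illustrative, not screen's code): fixed name in a shared
 * directory, symlinks followed, mode 0666 left to the umask, nothing verified. */
int open_exchange_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Hardened opener: accept only a plain file with one name that we own, never
 * follow a symlink, re-check the descriptor, truncate last.  Returns fd or -1. */
int open_exchange_safe(const char *path)
{
    struct stat pre, post;
    int fd, existed = (lstat(path, &pre) == 0);
    if (existed) {
        if (!S_ISREG(pre.st_mode) || pre.st_nlink != 1 || pre.st_uid != getuid())
            return -1;          /* symlink, hard link, fifo/device, or not ours */
    } else if (errno != ENOENT) {
        return -1;
    }
    /* O_NOFOLLOW: a symlink planted after the lstat() fails with ELOOP instead
     * of being followed.  0600: owner-only, whatever the umask. */
    if ((fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0600)) < 0)
        return -1;
    /* fstat() the descriptor, not the path: this catches a hard link (st_nlink)
     * or a swapped-in object (st_dev/st_ino) before anything is truncated. */
    if (fstat(fd, &post) != 0 || !S_ISREG(post.st_mode) || post.st_nlink != 1 ||
        post.st_uid != getuid() ||
        (existed && (post.st_dev != pre.st_dev || post.st_ino != pre.st_ino)) ||
        ftruncate(fd, 0) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Scratch directory for the constructed scenarios; falls back to cwd if /tmp is unusable. */
static int make_scratch_dir(char *dir, size_t n)
{
    snprintf(dir, n, "/tmp/exch-demo-XXXXXX");
    if (mkdtemp(dir))
        return 0;
    snprintf(dir, n, "./exch-demo-XXXXXX");
    return mkdtemp(dir) ? 0 : -1;
}

/* Constructed scenario (not from the bug report).  "victim" is a file the attacker
 * wants clobbered, "screen-exchange" the buffer file.  kind 0: nothing planted,
 * 1: symlink to victim planted, 2: hard link to victim planted.  Result bits:
 * 1 = unsafe opener got an fd, 2 = safe opener got an fd, 4 = victim destroyed. */
int run_scenario(int kind)
{
    char dir[32], victim[64], exch[64];
    struct stat st;
    int fd, result = 0;
    if (make_scratch_dir(dir, sizeof dir) != 0)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(exch, sizeof exch, "%s/screen-exchange", dir);
    if ((fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600)) < 0 || write(fd, "secret\n", 7) != 7)
        return -1;
    close(fd);
    /* Relative symlink target so it resolves inside the scratch directory. */
    if ((kind == 1 && symlink("victim", exch) != 0) || (kind == 2 && link(victim, exch) != 0))
        return -1;
    /* Safe opener first, so any damage measured below is the unsafe opener's doing. */
    if ((fd = open_exchange_safe(exch)) >= 0) { result |= 2; close(fd); }
    if ((fd = open_exchange_unsafe(exch)) >= 0) { result |= 1; close(fd); }
    if (stat(victim, &st) == 0 && st.st_size == 0)
        result |= 4;
    unlink(exch); unlink(victim); rmdir(dir);
    return result;
}

/* Permission bits of a buffer file freshly created by an opener (the CVE-2009-1214 half). */
int creation_mode(int (*opener)(const char *))
{
    char dir[32], exch[64];
    struct stat st;
    int fd, mode = -1;
    if (make_scratch_dir(dir, sizeof dir) != 0)
        return -1;
    snprintf(exch, sizeof exch, "%s/screen-exchange", dir);
    if ((fd = opener(exch)) >= 0) {
        if (fstat(fd, &st) == 0)
            mode = st.st_mode & 0777;
        close(fd);
    }
    unlink(exch); rmdir(dir);
    return mode;
}
```

run_scenario(0) returns 3: both openers get a file and nothing is harmed. With a symlink or a hard link planted it returns 5: the unsafe opener follows the link and truncates the victim, the hardened one refuses (lstat sees a symlink, or a link count of 2). creation_mode() covers the other half: the hardened opener creates the file 0600, the unsafe one gets 0666 minus the umask, typically 0644 and therefore world-readable. As comment 1 says, the descriptor re-check still cannot tell a substitute apart if it reproduces the same st_dev and st_ino, which is why moving the default to a directory other users cannot write into ($HOME) removes the race rather than merely narrowing it.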