CVE-2023-24626: https://git.savannah.gnu.org/cgit/screen.git/patch/?id=e9ad41bfedb4537a6f0de20f00b27c7739f168f7 https://www.exploit-db.com/exploits/51252 socket.c in GNU Screen through 4.9.0, when installed setuid or setgid (the default on platforms such as Arch Linux and FreeBSD), allows local users to send a privileged SIGHUP signal to any PID, causing a denial of service or disruption of the target process. So, vulnerability not in Screen itself, but Screen is wrongly a vector to DoS other applications. The Savannah bug is still not viewable (which MITRE shouldn't allow), but the patch is above and doesn't appear to be in any release.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5020a4047f9bf00b7cc9423e86ababb049511069 commit 5020a4047f9bf00b7cc9423e86ababb049511069 Author: Sven Wegener <swegener@gentoo.org> AuthorDate: 2023-04-10 19:25:32 +0000 Commit: Sven Wegener <swegener@gentoo.org> CommitDate: 2023-04-10 19:57:04 +0000 app-misc/screen: revbump, security bug #904039 (CVE-2023-24626) Bug: https://bugs.gentoo.org/904039 Signed-off-by: Sven Wegener <swegener@gentoo.org> .../screen/files/screen-4.9.0-CVE-2023-24626.patch | 33 +++++ app-misc/screen/screen-4.9.0-r2.ebuild | 147 +++++++++++++++++++++ 2 files changed, 180 insertions(+)
Thanks! Please stabilize when ready.
