Bug 904039 (CVE-2023-24626)

Summary: <app-misc/screen-4.9.0-r2: allows sending SIGHUP to arbitrary PIDs
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: IN_PROGRESS ---
Severity: minor
CC: shell-tools, swegener
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B4 [glsa? cleanup]
Package list:
Runtime testing required: ---
Bug Depends on: 906098
Bug Blocks:

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-04-08 16:41:51 UTC

socket.c in GNU Screen through 4.9.0, when installed setuid or setgid (the default on platforms such as Arch Linux and FreeBSD), allows local users to send a privileged SIGHUP signal to any PID, causing a denial of service or disruption of the target process.

So, the vulnerability is not in Screen itself, but Screen is wrongly a vector
to DoS other applications. The Savannah bug is still not viewable
(which MITRE shouldn't allow), but the patch is above and doesn't
appear to be in any release.

Comment 1 Larry the Git Cow gentoo-dev 2023-04-10 19:57:17 UTC
The bug has been referenced in the following commit(s):

commit 5020a4047f9bf00b7cc9423e86ababb049511069
Author:     Sven Wegener <>
AuthorDate: 2023-04-10 19:25:32 +0000
Commit:     Sven Wegener <>
CommitDate: 2023-04-10 19:57:04 +0000

    app-misc/screen: revbump, security bug #904039 (CVE-2023-24626)
    Signed-off-by: Sven Wegener <>

 .../screen/files/screen-4.9.0-CVE-2023-24626.patch |  33 +++++
 app-misc/screen/screen-4.9.0-r2.ebuild             | 147 +++++++++++++++++++++
 2 files changed, 180 insertions(+)

Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-04-30 23:05:32 UTC
Thanks! Please stabilize when ready.