Bug 904039 (CVE-2023-24626)

Summary: <app-misc/screen-4.9.0-r2: allows sending SIGHUP to arbitrary PIDs
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: IN_PROGRESS ---
Severity: minor
CC: shell-tools, swegener
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://savannah.gnu.org/bugs/?63195
Whiteboard: B4 [glsa? cleanup]
Package list:
Runtime testing required: ---
Bug Depends on: 906098
Bug Blocks:

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-04-08 16:41:51 UTC
CVE-2023-24626:
https://git.savannah.gnu.org/cgit/screen.git/patch/?id=e9ad41bfedb4537a6f0de20f00b27c7739f168f7
https://www.exploit-db.com/exploits/51252

socket.c in GNU Screen through 4.9.0, when installed setuid or setgid (the default on platforms such as Arch Linux and FreeBSD), allows local users to send a privileged SIGHUP signal to any PID, causing a denial of service or disruption of the target process.

So, the vulnerability is not in Screen itself, but Screen is wrongly a vector
to DoS other applications. The Savannah bug is still not viewable
(which MITRE shouldn't allow), but the patch is above and doesn't
appear to be in any release.
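A quick local check for the precondition the CVE text hinges on, added here as an example and not part of the bug report or of the screen package: it reports whether a given screen binary carries the setuid or setgid bit, which is what turns its signal handling into a privileged kill() reachable by local users. The default path /usr/bin/screen is an assumption; on Gentoo the fixed package is the 4.9.0-r2 revision named in the summary.

```sh
#!/bin/sh
# Added example (not from the bug report): report whether a GNU Screen
# binary is installed setuid/setgid, i.e. whether CVE-2023-24626 is
# reachable by unprivileged local users on this host.
#
# check_screen PATH
#   returns 0 and explains why when PATH is setuid or setgid,
#   returns 1 when it carries neither bit,
#   returns 2 when PATH is not a regular file.
check_screen() {
    bin=$1
    if [ ! -f "$bin" ]; then
        echo "$bin: not found (nothing to check)"
        return 2
    fi
    # owner:group, taken from ls for portability across stat(1) flavours
    owner=$(ls -ld "$bin" | awk '{ print $3 ":" $4 }')
    if [ -u "$bin" ]; then
        echo "$bin: setuid ($owner): kill(2) from socket.c runs with the" \
             "file owner's privileges; update to app-misc/screen-4.9.0-r2" \
             "or newer, or drop the bit if multiuser mode is not needed"
        return 0
    fi
    if [ -g "$bin" ]; then
        echo "$bin: setgid ($owner): signals are sent with the file group's" \
             "privileges; update to app-misc/screen-4.9.0-r2 or newer"
        return 0
    fi
    echo "$bin: no setuid/setgid bit; kill(2) runs with the caller's own" \
         "privileges, so the CVE precondition is absent"
    return 1
}

# Assumed default location; pass another path as the first argument.
check_screen "${1:-/usr/bin/screen}"
```

The exit status lets the function be used from a cron job or a configuration check: 0 means the binary is privileged and should be updated or have the bit removed.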
Comment 1 Larry the Git Cow gentoo-dev 2023-04-10 19:57:17 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5020a4047f9bf00b7cc9423e86ababb049511069

commit 5020a4047f9bf00b7cc9423e86ababb049511069
Author:     Sven Wegener <swegener@gentoo.org>
AuthorDate: 2023-04-10 19:25:32 +0000
Commit:     Sven Wegener <swegener@gentoo.org>
CommitDate: 2023-04-10 19:57:04 +0000

    app-misc/screen: revbump, security bug #904039 (CVE-2023-24626)
    
    Bug: https://bugs.gentoo.org/904039
    Signed-off-by: Sven Wegener <swegener@gentoo.org>

 .../screen/files/screen-4.9.0-CVE-2023-24626.patch |  33 +++++
 app-misc/screen/screen-4.9.0-r2.ebuild             | 147 +++++++++++++++++++++
 2 files changed, 180 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-04-30 23:05:32 UTC
Thanks! Please stabilize when ready.