Insecure creation of /tmp/screen-exchange (symlink attack)

Bug #315993 reported by Jan Minář
Affects Status Importance Assigned to Milestone
screen (Debian)
Fix Released
screen (Ubuntu)
Fix Released

Bug Description

1) The release of Ubuntu you are using, via 'lsb_release -rd' or System -> About Ubuntu.

$ lsb_release -rd
Description: Ubuntu 8.04.1
Release: 8.04

2) The version of the package you are using, via 'apt-cache policy packagename' or by checking in Synaptic.

$ apt-cache policy screen
  Installed: 4.0.3-7ubuntu1
  Candidate: 4.0.3-7ubuntu1
  Version table:
 *** 4.0.3-7ubuntu1 0
        500 hardy/main Packages
        100 /var/lib/dpkg/status

3) What you expected to happen

/tmp/screen-exchange should be created in a secure manner. In particular:

(a) The file should be readable and writable only to the owner (fix for #433338 didn't really fix it, and instead changed the race condition into no-race, making the issue worse)
(b) Symlink attack should be impossible

4) What happened instead

The code responsible for the error does: open("/tmp/screen-exchange", O_WRONLY, 0666);

(a) the file is created with default permissions, depending on the user umask value, which means world-readable under default install settings
(b) Symlink attack is possible. There used to be a race condition, but it seems it was removed when #433338 was closed, as the fix didn't really fix the problem. Now there is no race condition, and any pre-existing symbolic link will result in a file overwrite/creation.

I have created a patch that fixes the problem. The changelog shows three previous patches related to /tmp/screen-exchange. I have commented the source so that future readers can understand better what is going on, and there is hopefully no regression.

I have tested the patched version, and it works under all conditions. The patch applies with an offset to current Debian unstable version (4.0.3-11), and I can only presume it would work.

Tags: patch

CVE References

Revision history for this message
Jan Minář (rdancer) wrote :
Revision history for this message
Jan Minář (rdancer) wrote :

I have reported this to upstream, but Launchpad can not add the bug URL: <>.

Revision history for this message
Micah Cowan (micahcowan) wrote :

(Launchpad doesn't like the "index.php" part, otherwise it can track Savannah bugs)

Changed in screen:
importance: Undecided → Unknown
status: New → Unknown
Kees Cook (kees)
Changed in screen (Ubuntu):
importance: Undecided → Low
status: New → Confirmed
Kees Cook (kees)
Changed in screen (Debian):
importance: Undecided → Unknown
status: New → Unknown
Changed in screen (Debian):
status: Unknown → Fix Released
tags: added: patch
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

This was fixed in 4.0.3-13ubuntu4.

Changed in screen (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.