Package: screen
Version: 4.9.1-1
Severity: grave
Justification: user security hole
+ possible data loss via a symlink attack
The hardcopy (C-a h) in screen works in the following way:
│ hardcopydir directory
│
│ Defines a directory where hardcopy files will be placed. If unset,
│ hardcopys are dumped in screen's current working directory.
(from the screen(1) man page).
First, using screen's current working directory is insecure,
even though this is documented.
Moreover, the problem gets worse because
* the created file is not protected against read access by
other users;
* it is subject to a symlink attack; and if the target file of
the symbolic link already exists, it will be overwritten!
Note: If the file does not exists yet, the umask is honored.
But if the file already exists (possibly belonging to another
user, with -rw-rw-rw- (666) permissions), the owner and
permissions are preserved, which can be a way to even bypass a
077 umask (the kernel may offer protection for some directories
like /tmp, but not all of them, and software should not rely on
such protection anyway).
The screen-exchange feature (">" in copy mode) is also insecure:
│ > sets the (second) mark and writes the contents of the paste buffer
│ to the screen-exchange file (/tmp/screen-exchange per default) once
│ copy-mode is finished.
The default file is under /tmp (poor default choice) and not protected
against read access by other users. However, a symlink attack does not
seem to be possible: I get an error "No write to links, please." if
/tmp/screen-exchange is a symbolic link.
-- Package-specific info:
File Existence and Permissions
------------------------------
drwxr-xr-x 35 root root 1040 2025-03-17 12:18:24 /run
lrwxrwxrwx 1 root root 4 2015-10-06 13:32:33 /var/run -> /run
-rwxr-xr-x 1 root root 486488 2023-09-07 00:10:56 /usr/bin/screen
-rw-r--r-- 1 root root 29 2017-06-19 12:21:03
/etc/tmpfiles.d/screen-cleanup.conf
lrwxrwxrwx 1 root root 9 2015-10-06 16:01:06
/lib/systemd/system/screen-cleanup.service -> /dev/null
-rwxr-xr-x 1 root root 1222 2017-04-03 01:11:05 /etc/init.d/screen-cleanup
lrwxrwxrwx 1 root root 24 2023-09-18 14:43:32 /etc/rcS.d/S02screen-cleanup
-> ../init.d/screen-cleanup
File contents
-------------
### /etc/tmpfiles.d/screen-cleanup.conf
______________________________________________________________________
d /run/screen 1777 root utmp
______________________________________________________________________
-- System Information:
Debian Release: trixie/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500,
'stable-security'), (500, 'stable-debug'), (500, 'proposed-updates-debug'),
(500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.11.10-amd64 (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE,
TAINT_UNSIGNED_MODULE
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages screen depends on:
ii debianutils 5.21
ii libc6 2.41-6
ii libcrypt1 1:4.4.38-1
ii libpam0g 1.7.0-3
ii libtinfo6 6.5+20250216-2
ii libutempter0 1.2.1-4
screen recommends no packages.
Versions of packages screen suggests:
pn byobu | screenie | iselect <none>
ii ncurses-term 6.5+20250216-2
-- no debconf information
--
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / Pascaline project (LIP, ENS-Lyon)
