Up screen CVEs (CVE-2025-[46802,46804,46805)
author | Stanislas Leduc <shann@slitaz.org> |
date | Wed May 14 16:32:36 2025 +0200 (5 weeks ago) |
1 From 161f85b98b7e1d5e4893aeed20f4cdb5e3dfaaa4 Mon Sep 17 00:00:00 2001
2 From: Matthias Gerstner <matthias.gerstner@suse.de>
3 Date: Mon, 12 May 2025 15:38:19 +0200
4 Subject: fix CVE-2025-46805: socket.c - don't send signals with root
5 privileges
7 The CheckPid() function was introduced to address CVE-2023-24626, to
8 prevent sending SIGCONT and SIGHUP to arbitrary PIDs in the system. This
9 fix still suffers from a TOCTOU race condition. The client can replace
10 itself by a privileged process, or try to cycle PIDs until a privileged
11 process receives the original PID.
13 To prevent this, always send signals using the real privileges. Keep
14 CheckPid() for error diagnostics. If sending the actual signal fails
15 later on then there will be no more error reporting.
17 It seems the original bugfix already introduced a regression when
18 attaching to another user's session that is not owned by root. In this
19 case the target session runs with real uid X, while sending a signal
20 to the `pid` provided by the client requires real uid Y (or root
21 privileges).
23 This is hard to properly fix without this regression. On Linux pidfds
24 could be used to allow safely sending signals to other PIDs as root
25 without involving race conditions. In this case the client PID should
26 also be obtained via the UNIX domain socket's SO_PEERCRED option,
27 though.
28 ---
29 src/socket.c | 21 +++++++++++++--------
30 1 file changed, 13 insertions(+), 8 deletions(-)
32 diff --git a/socket.c b/socket.c
33 index 6c3502f..d6621fa 100644
34 --- a/socket.c
35 +++ b/socket.c
36 @@ -831,6 +831,11 @@ int pid;
37 return UserStatus();
38 }
40 +static void KillUnpriv(pid_t pid, int sig) {
41 + UserContext();
42 + UserReturn(kill(pid, sig));
43 +}
44 +
45 #ifdef hpux
46 /*
47 * From: "F. K. Bruner" <napalm@ugcs.caltech.edu>
48 @@ -916,14 +921,14 @@ struct win *wi;
49 {
50 Msg(errno, "Could not perform necessary sanity checks on pts device.");
51 close(i);
52 - Kill(pid, SIG_BYE);
53 + KillUnpriv(pid, SIG_BYE);
54 return -1;
55 }
56 if (strcmp(ttyname_in_ns, m->m_tty))
57 {
58 Msg(errno, "Attach: passed fd does not match tty: %s - %s!", ttyname_in_ns, m->m_tty[0] != '\0' ? m->m_tty : "(null)");
59 close(i);
60 - Kill(pid, SIG_BYE);
61 + KillUnpriv(pid, SIG_BYE);
62 return -1;
63 }
64 /* m->m_tty so far contains the actual name of the pts device in the
65 @@ -940,19 +945,19 @@ struct win *wi;
66 {
67 Msg(errno, "Attach: passed fd does not match tty: %s - %s!", m->m_tty, myttyname ? myttyname : "NULL");
68 close(i);
69 - Kill(pid, SIG_BYE);
70 + KillUnpriv(pid, SIG_BYE);
71 return -1;
72 }
73 }
74 else if ((i = secopen(m->m_tty, O_RDWR | O_NONBLOCK, 0)) < 0)
75 {
76 Msg(errno, "Attach: Could not open %s!", m->m_tty);
77 - Kill(pid, SIG_BYE);
78 + KillUnpriv(pid, SIG_BYE);
79 return -1;
80 }
81 #ifdef MULTIUSER
82 if (attach)
83 - Kill(pid, SIGCONT);
84 + KillUnpriv(pid, SIGCONT);
85 #endif
87 #if defined(ultrix) || defined(pyr) || defined(NeXT)
88 @@ -965,7 +970,7 @@ struct win *wi;
89 {
90 write(i, "Attaching from inside of screen?\n", 33);
91 close(i);
92 - Kill(pid, SIG_BYE);
93 + KillUnpriv(pid, SIG_BYE);
94 Msg(0, "Attach msg ignored: coming from inside.");
95 return -1;
96 }
97 @@ -976,7 +981,7 @@ struct win *wi;
98 {
99 write(i, "Access to session denied.\n", 26);
100 close(i);
101 - Kill(pid, SIG_BYE);
102 + KillUnpriv(pid, SIG_BYE);
103 Msg(0, "Attach: access denied for user %s.", user);
104 return -1;
105 }
106 @@ -1294,7 +1299,7 @@ ReceiveMsg()
107 Msg(0, "Query attempt with bad pid(%d)!", m.m.command.apid);
108 }
109 else {
110 - Kill(m.m.command.apid,
111 + KillUnpriv(m.m.command.apid,
112 (queryflag >= 0)
113 ? SIGCONT
114 : SIG_BYE); /* Send SIG_BYE if an error happened */
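Review bot: The new KillUnpriv() at the top of the first hunk ignores the result of UserContext() and discards the result of kill(), so every call site converted in the later hunks loses all visibility of a signal that was never delivered, which the commit message itself concedes ("no more error reporting"). UserContext()/UserReturn()/UserStatus() are defined outside this hunk (os.h, presumably), and the function ending with `return UserStatus();` just above the insertion point suggests the established idiom is `if (UserContext() > 0) { ... UserReturn(rc); } return UserStatus();`; if UserContext() can signal a parent-side or failure path through its return value, the unchecked call lets the still-privileged caller fall through to kill() as well, which is worth confirming against the macro definitions before this ships. In addition, if UserReturn() expands to a `return` of its argument as its name and that sibling's use imply, `UserReturn(kill(pid, sig));` is a return with a value inside a `static void` function and only compiles because the compiler tolerates it. I would give KillUnpriv() an int result following the sibling pattern, document why the real uid is used, and leave the call sites as they are since they may ignore the result; the attach-path callers could then report a failed kill() with `Msg(errno, ...)` where they already have error reporting.
```c
/*
 * Send `sig' to `pid' with the real uid only, never with the effective
 * (possibly root) uid: CheckPid() is a racy check and must not be relied
 * on for authorisation.  Returns kill()'s result on the unprivileged
 * path, otherwise whatever UserStatus() reports.
 */
static int KillUnpriv(pid_t pid, int sig)
{
	if (UserContext() > 0)
		UserReturn(kill(pid, sig));
	return UserStatus();
}
/* … unchanged: hpux comment block and the converted Kill() call sites … */
```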
115 --