tech-pkg archive
proper fix / hotfix for screen world-writable ttys
Hi,
I see traces of the recent vulnerability fest
https://security.opensuse.org/2025/05/12/screen-security-issues.html
in screen in pkgsrc CVS. Most of it is not relevant to my installs, as
I do not do privileged builds and no setuid stuff. But this is:
Quoting the above:
3.c) Screen by Default Creates World Writable PTYs (CVE-2025-46803)
-------------------------------------------------------------------
In Screen version 5.0.0 the default mode of pseudo terminals (PTYs)
allocated by Screen was changed from 0620 to 0622, thereby allowing
anyone to write to any Screen PTYs in the system. Security-wise this
results in some of the issues that have been outlined in issue 3.b),
without the information leak aspects, however.
The history of the default PTY mode in Screen is rather complex. Let's
have a look at the situation in version 4.9.1 (and a lot of older
versions):
- There is a 0622 default mode in the code in process.c line 207 [14].
This is only a fallback that should not become active unless the code
is compiled in unusual ways.
- A default mode of 0620 is applied in configure.ac line 811 [15], which
results in a safe default when compiling Screen using autotools.
- In acconfig.h line 81 [16] the following is stated:
> define PTYMODE if you do not like the default of 0622, which allows public write to your pty.
Thus in this version there is an inconsistency between the default
mode on autoconf level and the default on source code level, but in
the end the (safe) autoconf default wins.
[end of quote]
I see we got patches imported to fix misc/screen, which is screen5. But
there's also misc/screen4, in 2025Q1, even, that might be a
conservative choice while we wait what happens with the 5.x series. We
probably should include the patches published by OpenSUSE for that,
too, but I am concerned with only the above. I observe that the
description that the autoconf default wins is not accurate. Running
configure in my builds fails to deduce a tty group and defaults to mode
0622 after all, see
https://www.openwall.com/lists/oss-security/2025/05/13/6
for why (TL;DR: configure only applies pty-mode and pty-group
together). I got the configure arguments wrong in my conclusion there;
you need a numeric id for the group. In short: I added this now to my
local build of screen4:
CONFIGURE_ARGS+= --with-pty-mode=0620 --with-pty-group=5
and this seems to ensure that I don't end up with world-writable screen
ttys.
What irks me about that, and also about the defaults of patched
screen-5 to the same effect: Is it a guaranteed fact that any UNIX-ish
system will have the group tty with numeric ID 5? Is that safe to
hardcode?
Can someone shed some light on that? Should we add that to misc/screen4
to ensure that the flawed tty group checks do not trigger? Should I
also add the patches OpenSUSE prepared? There are 3 for 4.9.1:
0001-attacher.c-prevent-temporary-0666-mode-on-PTYs-to-fi.patch
0002-Avoid-file-existence-test-information-leaks-to-fix-C.patch
0003-socket.c-don-t-send-signals-with-root-privileges-to-.patch
Or are we dropping screen4 soon and are hoping for a robust path for
5.x?
Alrighty then,
Thomas
--
Dr. Thomas Orgis
HPC @ Universität Hamburg
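The configure arguments and the hardcoded-gid question above, as an added example that is not part of the post or of pkgsrc: resolve the tty group's numeric id from the group database instead of assuming 5, emit the two configure arguments that screen's configure only honours together, and audit pty nodes for the world-writable bit. The group file path, the function names and the GNU/BSD stat fallback are assumptions of this example.

```shell
#!/bin/sh
# Added example for this thread, not code from the post or from pkgsrc.

# Print the numeric gid of group $1 from a group(5)-format file $2
# (assumption: /etc/group when $2 is empty). Fails if the group is absent.
group_gid() {
    awk -F: -v g="$1" '$1 == g { print $3; found = 1 } END { exit !found }' \
        "${2:-/etc/group}"
}

# Print the pair of configure arguments screen needs together: as the post
# notes, --with-pty-mode is only applied when --with-pty-group is given too.
# Usage: pty_configure_args [group-name] [group-file]
pty_configure_args() {
    gid=$(group_gid "${1:-tty}" "$2") || return 1
    printf -- '--with-pty-mode=0620 --with-pty-group=%s\n' "$gid"
}

# Return 0 when an octal mode string (0622, 622, 0620 ...) grants write to
# "other": the last octal digit is the "other" class, bit 2 is write.
mode_world_writable() {
    other=${1#"${1%?}"}
    [ $(( other & 2 )) -ne 0 ]
}

# Read "path mode" lines on stdin and print only the world-writable ones.
# Prints nothing when every pty carries a safe mode such as 0620.
report_world_writable() {
    while read -r path mode; do
        [ -n "$path" ] || continue
        if mode_world_writable "$mode"; then
            printf '%s %s\n' "$path" "$mode"
        fi
    done
}

# Feed the live pty nodes to the report. Assumption: either GNU stat (-c)
# or BSD stat (-f) is available; nodes that cannot be stat'ed are skipped.
audit_live_ptys() {
    for p in /dev/pts/* /dev/ttyp*; do
        [ -e "$p" ] || continue
        m=$(stat -c '%a' "$p" 2>/dev/null || stat -f '%OLp' "$p" 2>/dev/null) \
            || continue
        printf '%s %s\n' "$p" "$m"
    done | report_world_writable
}
```

Running `audit_live_ptys` on a box where screen sessions are open shows at a glance whether the 0622 default has leaked into real device nodes, independent of what configure reported at build time.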