From e0eef5aac453fa98a2664416a56c50ad1d00cb30 Mon Sep 17 00:00:00 2001 From: Matthias Gerstner Date: Mon, 12 May 2025 15:26:11 +0200 Subject: fix CVE-2025-46804: avoid file existence test information leaks In setuid-root context the current error messages give away whether certain paths not accessible by the real user exist and what type they have. To prevent this only output generic error messages in setuid-root context. In some situations, when an error is pertaining a directory and the directory is owner by the real user then we can still output more detailed diagnostics. This change can lead to less helpful error messages when Screen is install setuid-root. More complex changes would be needed to avoid this (e.g. only open the `SocketPath` with raised privileges when multi-attach is requested). There might still be lingering some code paths that allow such information leaks, since `SocketPath` is a global variable that is used across the code base. The majority of issues should be caught with this fix, however. --- src/screen.c | 45 ++++++++++++++++++++++++++++++++++----------- src/socket.c | 9 +++++++-- 2 files changed, 41 insertions(+), 13 deletions(-) diff --git a/src/screen.c b/src/screen.c index 1a23e1a..6eec151 100644 --- a/src/screen.c +++ b/src/screen.c @@ -1122,15 +1122,28 @@ int main(int ac, char** av) #endif } - if (stat(SockPath, &st) == -1) - Panic(errno, "Cannot access %s", SockPath); - else - if (!S_ISDIR(st.st_mode)) + if (stat(SockPath, &st) == -1) { + if (eff_uid == real_uid) { + Panic(errno, "Cannot access %s", SockPath); + } else { + Panic(0, "Error accessing %s", SockPath); + } + } else if (!S_ISDIR(st.st_mode)) { + if (eff_uid == real_uid || st.st_uid == real_uid) { Panic(0, "%s is not a directory.", SockPath); + } else { + Panic(0, "Error accessing %s", SockPath); + } + } #ifdef MULTIUSER if (multi) { - if ((int)st.st_uid != multi_uid) - Panic(0, "%s is not the owner of %s.", multi, SockPath); + if ((int)st.st_uid != multi_uid) { + if (eff_uid == real_uid || st.st_uid == real_uid) { + Panic(0, "%s is not the owner of %s.", multi, SockPath); + } else { + Panic(0, "Error accessing %s", SockPath); + } + } } else #endif @@ -1144,9 +1157,13 @@ int main(int ac, char** av) Panic(0, "You are not the owner of %s.", SockPath); #endif } - - if ((st.st_mode & 0777) != 0700) - Panic(0, "Directory %s must have mode 700.", SockPath); + if ((st.st_mode & 0777) != 0700) { + if (eff_uid == real_uid || st.st_uid == real_uid) { + Panic(0, "Directory %s must have mode 700.", SockPath); + } else { + Panic(0, "Error accessing %s", SockPath); + } + } if (SockMatch && index(SockMatch, '/')) Panic(0, "Bad session name '%s'", SockMatch); SockName = SockPath + strlen(SockPath) + 1; @@ -1184,8 +1201,14 @@ int main(int ac, char** av) else exit(9 + (fo || oth ? 1 : 0) + fo); } - if (fo == 0) - Panic(0, "No Sockets found in %s.\n", SockPath); + if (fo == 0) { + if (eff_uid == real_uid || st.st_uid == real_uid) { + Panic(0, "No Sockets found in %s.\n", SockPath); + } else { + Panic(0, "Error accessing %s", SockPath); + } + } + Msg(0, "%d Socket%s in %s.", fo, fo > 1 ? "s" : "", SockPath); eexit(0); } diff --git a/src/socket.c b/src/socket.c index 54d8cb8..6c3502f 100644 --- a/src/socket.c +++ b/src/socket.c @@ -169,8 +169,13 @@ bool *is_sock; xsetegid(real_gid); #endif - if ((dirp = opendir(SockPath)) == 0) - Panic(errno, "Cannot opendir %s", SockPath); + if ((dirp = opendir(SockPath)) == 0) { + if (eff_uid == real_uid) { + Panic(errno, "Cannot opendir %s", SockPath); + } else { + Panic(0, "Error accessing %s", SockPath); + } + } slist = 0; slisttail = &slist; -- cgit v1.1