--- /dev/null
+From aa9f51f996a22470b8461d2b6a32e62c7ec30ed5 Mon Sep 17 00:00:00 2001
+From: Axel Beckert <abe@debian.org>
+Date: Mon, 19 May 2025 00:42:42 +0200
+Subject: fix CVE-2025-46805: socket.c - don't send signals with root
+
+Gbp-Pq: fix-CVE-2025-46805-socket.c-don-t-send-signals-with-.patch.
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/screen/patch/?id=aa9f51f996a22470b8461d2b6a32e62c7ec30ed5
+Upstream commit https://git.savannah.gnu.org/cgit/screen.git/commit/?id=161f85b98b7e1d5e4893aeed20f4cdb5e3dfaaa4]
+CVE: CVE-2025-46805
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+
+ socket.c | 21 +++++++++++++--------
+ 1 file changed, 13 insertions(+), 8 deletions(-)
+
+diff --git a/socket.c b/socket.c
+index e268e3d..11b5e59 100644
+--- a/socket.c
++++ b/socket.c
+@@ -832,6 +832,11 @@ int pid;
+ return UserStatus();
+ }
+
++static void KillUnpriv(pid_t pid, int sig) {
++ UserContext();
++ UserReturn(kill(pid, sig));
++}
++
+ #ifdef hpux
+ /*
+ * From: "F. K. Bruner" <napalm@ugcs.caltech.edu>
+@@ -917,14 +922,14 @@ struct win *wi;
+ {
+ Msg(errno, "Could not perform necessary sanity checks on pts device.");
+ close(i);
+- Kill(pid, SIG_BYE);
++ KillUnpriv(pid, SIG_BYE);
+ return -1;
+ }
+ if (strcmp(ttyname_in_ns, m->m_tty))
+ {
+ Msg(errno, "Attach: passed fd does not match tty: %s - %s!", ttyname_in_ns, m->m_tty[0] != '\0' ? m->m_tty : "(null)");
+ close(i);
+- Kill(pid, SIG_BYE);
++ KillUnpriv(pid, SIG_BYE);
+ return -1;
+ }
+ /* m->m_tty so far contains the actual name of the pts device in the
+@@ -941,19 +946,19 @@ struct win *wi;
+ {
+ Msg(errno, "Attach: passed fd does not match tty: %s - %s!", m->m_tty, myttyname ? myttyname : "NULL");
+ close(i);
+- Kill(pid, SIG_BYE);
++ KillUnpriv(pid, SIG_BYE);
+ return -1;
+ }
+ }
+ else if ((i = secopen(m->m_tty, O_RDWR | O_NONBLOCK, 0)) < 0)
+ {
+ Msg(errno, "Attach: Could not open %s!", m->m_tty);
+- Kill(pid, SIG_BYE);
++ KillUnpriv(pid, SIG_BYE);
+ return -1;
+ }
+ #ifdef MULTIUSER
+ if (attach)
+- Kill(pid, SIGCONT);
++ KillUnpriv(pid, SIGCONT);
+ #endif
+
+ #if defined(ultrix) || defined(pyr) || defined(NeXT)
+@@ -966,7 +971,7 @@ struct win *wi;
+ {
+ write(i, "Attaching from inside of screen?\n", 33);
+ close(i);
+- Kill(pid, SIG_BYE);
++ KillUnpriv(pid, SIG_BYE);
+ Msg(0, "Attach msg ignored: coming from inside.");
+ return -1;
+ }
+@@ -977,7 +982,7 @@ struct win *wi;
+ {
+ write(i, "Access to session denied.\n", 26);
+ close(i);
+- Kill(pid, SIG_BYE);
++ KillUnpriv(pid, SIG_BYE);
+ Msg(0, "Attach: access denied for user %s.", user);
+ return -1;
+ }
+@@ -1295,7 +1300,7 @@ ReceiveMsg()
+ Msg(0, "Query attempt with bad pid(%d)!", m.m.command.apid);
+ }
+ else {
+- Kill(m.m.command.apid,
++ KillUnpriv(m.m.command.apid,
+ (queryflag >= 0)
+ ? SIGCONT
+ : SIG_BYE); /* Send SIG_BYE if an error happened */
+--
+cgit v1.2.3
+
projects / thirdparty / openembedded / openembedded-core-contrib.git / commitdiff
