Screen Update for ArchLinux
ArchLinux has released updates for the screen package due to multiple vulnerabilities that have been identified. The security advisory, designated ASA-202505-1, was published on May 13, 2025, and is categorized as a high-severity issue.
Vulnerabilities Overview
The vulnerabilities affect versions of the screen package prior to 5.0.0-3 and include the following CVE identifiers:
- CVE-2025-23395: Privilege escalation.
- CVE-2025-46802: Access restriction bypass.
- CVE-2025-46803: Access restriction bypass.
- CVE-2025-46804: Privilege escalation.
- CVE-2025-46805: Denial of service.
Description of Issues
1. CVE-2025-23395: The `logfile_reopen()` function allows unprivileged users to create files with root ownership due to improper privilege handling when reopening log files.
2. CVE-2025-46802: A race condition exists that lets other users access a caller's TTY temporarily due to a chmod operation that modifies the TTY's permissions.
3. CVE-2025-46803: The default permissions for pseudo terminals were changed, allowing broader write access to PTYs.
4. CVE-2025-46804: An information leak occurs because root privileges are used to inspect socket paths, enabling unprivileged users to gain unauthorized information.
5. CVE-2025-46805: Time-of-check/time-of-use race conditions can lead to local denial of service through the improper sending of signals.
Resolution
Users are advised to upgrade to version 5.0.0-3 using the command:
```bash
pacman -Syu "screen>=5.0.0-3"
```
While the upstream issues have been resolved, no official release containing these fixes is currently available.
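As an added check that is not part of the advisory or of Arch's own tooling, the following Python reimplements a simplified form of pacman's `vercmp` ordering (epoch, then pkgver, then pkgrel) to decide whether an installed screen version is older than the fixed 5.0.0-3. The `pacman -Q` query is an assumption that only works on an Arch host, and the comparison covers screen-style numeric and alphabetic segments rather than every corner case of the real `vercmp`.

```python
import re
import subprocess

ADVISORY = "ASA-202505-1"
FIXED_VERSION = "5.0.0-3"  # first fixed pkgver-pkgrel, taken from the advisory

def _segments(s):
    # Split "5.0.0rc1" into [5, 0, 0, "rc", 1]; separator characters are ignored
    return [int(t) if t.isdigit() else t for t in re.findall(r"\d+|[A-Za-z]+", s)]

def _cmp_segments(a, b):
    for x, y in zip(a, b):
        if x == y:
            continue
        if isinstance(x, int) != isinstance(y, int):
            return 1 if isinstance(x, int) else -1   # numeric beats alphabetic
        return 1 if x > y else -1
    if len(a) == len(b):
        return 0
    longer, sign = (a, 1) if len(a) > len(b) else (b, -1)
    # a leftover alphabetic segment ("rc", "beta") marks the OLDER version
    return -sign if isinstance(longer[min(len(a), len(b))], str) else sign

def vercmp(v1, v2):
    """Simplified pacman vercmp for 'epoch:pkgver-pkgrel': returns -1, 0 or 1."""
    def parse(v):
        epoch, _, rest = v.rpartition(":")
        pkgver, _, pkgrel = rest.partition("-")
        return int(epoch or 0), _segments(pkgver), _segments(pkgrel or "0")
    e1, pv1, pr1 = parse(v1)
    e2, pv2, pr2 = parse(v2)
    if e1 != e2:
        return 1 if e1 > e2 else -1
    return _cmp_segments(pv1, pv2) or _cmp_segments(pr1, pr2)

def is_affected(installed, fixed=FIXED_VERSION):
    """True when the installed screen version predates the first fixed one."""
    return vercmp(installed, fixed) < 0

def installed_screen_version():
    """Query pacman (assumption: Arch host) for the installed screen version."""
    try:
        out = subprocess.run(["pacman", "-Q", "screen"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.split()[1]  # "screen 5.0.0-3" -> "5.0.0-3"
```

On an Arch host, `is_affected(installed_screen_version())` returns True when the installed package still predates the advisory's fix.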
Workaround
No workarounds are available for these vulnerabilities.
Impact
These vulnerabilities could potentially allow local unprivileged users to escalate their privileges on the affected systems, posing significant security risks.
Further Information
For more details and references, you can visit the following links:
- [Arch Linux Security Advisory](https://security.archlinux.org/AVG-2862)
- [OpenWall Security Lists](https://www.openwall.com/lists/oss-security/2025/05/12/1)
- [OpenSUSE Security Issues](https://security.opensuse.org/2025/05/12/screen-security-issues.html)
Conclusion
It is crucial for ArchLinux users running the screen package to act promptly by upgrading to mitigate potential security risks associated with these vulnerabilities. Regularly updating packages and keeping an eye on security advisories is essential for maintaining a secure system.