Bug 2364184 (CVE-2025-23395)

Summary: CVE-2025-23395 screen: Local Root Exploit via `logfile_reopen()`
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in Screen. When running with setuid-root privileges, the logfile_reopen() function does not drop privileges while operating on a user-supplied path. This vulnerability allows an unprivileged user to create files in arbitrary locations with root ownership.

Description OSIDB Bzimport 2025-05-05 20:01:24 UTC
This issue affects Screen 5.0.0 when it runs with setuid-root privileges. The function `logfile_reopen()` [3] does not drop privileges while operating on a user-supplied path. This allows unprivileged users to create files in arbitrary locations with `root` ownership, the invoking user's (real) group ownership and file mode 0644. All data written to the Screen PTY will be logged into this file. Already existing files can also be abused for logging in this manner: the data will be appended to the file in question, but the file mode and ownership will be left unchanged.

Screen correctly drops privileges when it initially opens the logfile. The privilege escalation becomes possible as soon as Screen believes it is necessary to reopen the logfile. Screen checks this by calling `stolen_logfile()` [4] before writing to the file. The call to `logfile_reopen()` happens when the link count of the originally opened logfile drops to zero, or if it unexpectedly changes in size. This condition can be triggered at will by the unprivileged user.