Bug 2185517 (CVE-2023-24626) - CVE-2023-24626 screen: allows sending SIGHUP to arbitrary PIDs
Summary: CVE-2023-24626 screen: allows sending SIGHUP to arbitrary PIDs
Keywords:
Status: NEW
Alias: CVE-2023-24626
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2185521 2185518 2186312
Blocks: 2185522
Reported: 2023-04-10 06:10 UTC by Avinash Hanwate
Modified: 2023-09-22 09:40 UTC (History)
CC List: 3 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in GNU Screen (socket.c). When screen is installed setuid or setgid, a missing permission check before a signal is sent allows local users to deliver a privileged SIGHUP to any PID, potentially resulting in a denial of service or disruption of the target process.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Avinash Hanwate 2023-04-10 06:10:37 UTC
socket.c in GNU Screen through 4.9.0, when installed setuid or setgid (the default on platforms such as Arch Linux and FreeBSD), allows local users to send a privileged SIGHUP signal to any PID, causing a denial of service or disruption of the target process.

https://git.savannah.gnu.org/cgit/screen.git/patch/?id=e9ad41bfedb4537a6f0de20f00b27c7739f168f7
https://www.exploit-db.com/exploits/51252
https://savannah.gnu.org/bugs/?63195

Comment 1 Avinash Hanwate 2023-04-10 06:11:19 UTC
Created screen tracking bugs for this issue:

Affects: fedora-all [bug 2185518]

Comment 2 Avinash Hanwate 2023-04-10 06:27:28 UTC
Created screen tracking bugs for this issue:

Affects: epel-8 [bug 2185521]

