Bug 2364184 (CVE-2025-23395) - CVE-2025-23395 screen: Local Root Exploit via `logfile_reopen()`
Summary: CVE-2025-23395 screen: Local Root Exploit via `logfile_reopen()`
Keywords:
Status: NEW
Alias: CVE-2025-23395
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: medium medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2025-05-05 20:01 UTC by OSIDB Bzimport
Modified: 2025-05-13 16:44 UTC (History)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:
Description OSIDB Bzimport 2025-05-05 20:01:24 UTC
This issue affects Screen 5.0.0 when it runs with setuid-root privileges. The
function `logfile_reopen()` [3] does not drop privileges while operating on a
user-supplied path. This allows unprivileged users to create files in arbitrary
locations with `root` ownership, the invoking user's (real) group ownership and
file mode 0644. All data written to the Screen PTY will be logged into this
file. Existing files can also be abused for logging in this manner: the data
will be appended to the file in question, while its file mode and ownership are
left unchanged.

Screen correctly drops privileges when it initially opens the logfile. The
privilege escalation becomes possible as soon as Screen believes it is
necessary to reopen the logfile. Screen checks this by calling
`stolen_logfile()` [4] before writing to the file. The call to
`logfile_reopen()` happens when the link count of the originally opened
logfile drops to zero, or when its size changes unexpectedly. This condition
can be triggered at will by the unprivileged user.
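The defensive pattern the two paragraphs above call for is that every open of the user-supplied log path, the initial one and any reopen after the "stolen" check fires, happens with the caller's real identity rather than with effective uid 0. The following is an added illustration written for this page; it is not Screen's code and does not reproduce its internals. The names `open_log_as_real_user()`, `logfile_stolen()` and `demo()` are hypothetical, and the code assumes a Unix with saved set-user-ID semantics so that a setuid-root process can lower and later restore its effective ids. Run as an ordinary user it goes through the same code path, only with nothing to drop.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not Screen's code): open a user-supplied log path with
 * the caller's real uid/gid so that a file it creates belongs to the user, not
 * to root, even inside a setuid-root binary. Returns an fd or -1. */
int open_log_as_real_user(const char *path)
{
    uid_t euid = geteuid(), ruid = getuid();
    gid_t egid = getegid(), rgid = getgid();
    int fd, saved_errno;

    /* Drop the group first while we still hold root, then the user. */
    if (setegid(rgid) == -1 || seteuid(ruid) == -1)
        return -1;

    /* With the real identity in force the kernel applies the user's own
     * permissions to the path. O_NOFOLLOW rejects a symlink as the final
     * component; mode 0600 keeps the PTY transcript private to the user. */
    fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
    saved_errno = errno;

    /* Restore in reverse order. Failing to regain privileges is a hard error. */
    if (seteuid(euid) == -1 || setegid(egid) == -1) {
        if (fd != -1)
            close(fd);
        return -1;
    }
    errno = saved_errno;
    return fd;
}

/* Mirror of the condition the report describes: the log must be reopened when
 * its link count has dropped to zero or its size is not what we last wrote. */
int logfile_stolen(int fd, off_t expected_size)
{
    struct stat st;
    if (fstat(fd, &st) == -1)
        return 1; /* cannot verify the file: treat it as stolen */
    return st.st_nlink == 0 || st.st_size != expected_size;
}

/* Walk through open -> write -> unlink -> reopen and confirm that both the
 * original file and the reopened one are owned by the real user. Returns 0 on
 * success, a distinct negative code for each failed step. */
int demo(const char *path)
{
    struct stat st;
    int fd;

    unlink(path); /* start from a clean slate; ENOENT is fine */
    fd = open_log_as_real_user(path);
    if (fd == -1)
        return -1;
    if (fstat(fd, &st) == -1 || st.st_uid != getuid()) { close(fd); return -2; }
    if (write(fd, "hello\n", 6) != 6) { close(fd); return -3; }
    if (logfile_stolen(fd, 6)) { close(fd); return -4; } /* intact: nlink 1, size 6 */

    unlink(path); /* the trigger from the report: link count goes to zero */
    if (!logfile_stolen(fd, 6)) { close(fd); return -5; }
    close(fd);

    /* The reopen runs unprivileged too, so the new file is again user-owned. */
    fd = open_log_as_real_user(path);
    if (fd == -1)
        return -6;
    if (fstat(fd, &st) == -1 || st.st_uid != getuid()) { close(fd); return -7; }
    close(fd);
    unlink(path);
    return 0;
}

int main(void)
{
    int rc = demo("hypothetical_screen_log_demo.log");
    printf("demo returned %d (0 means every open happened as the real user)\n", rc);
    return rc == 0 ? 0 : 1;
}
```

The point of `open_log_as_real_user()` is that the privilege drop wraps the open itself, so whichever code path decides a reopen is needed cannot end up creating a root-owned file at a user-chosen location; a program that drops privileges only on the first open, as the report describes for Screen 5.0.0, leaves every later open unprotected.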
