Caldera Security Advisory SA-1998.36: screen /tmp file race problem

Topic: screen /tmp file race problem
Advisory issue date: 25 November 1998

I. Problem Description

This is a problem present in screen 3.7.4. When a user uses ^A
> in screen to save whatever he has cut, the file
/tmp/screen-exchange is created. This file contains whatever was in
the cut buffer at the time. This can be exploited if a normal user
links /tmp/screen-exchange to a sensetive file, such as
/etc/passwdr. Whenever root uses ^A > to save his buffer to
file, whatever file /tmp/screen-exchange is linked to, is
overwritten.

II. Impact

Description:

When the root user uses screen critical files may be
overwritten.

Vulnerable Systems:

OpenLinux 1.0, 1.1, 1.2, 1.3 systems using a screen package
prior to screen-3.7.4-2.

III. Solution

Workaround:

Do not use screen and remove the screen package until the fixed
package can be installed.

Correction:

The proper solution is to upgrade to the screen-3.7.4-2
package.

They can be found on Caldera’s FTP site at: ftp://ftp.caldera.com/pub/OpenLinux/updates/1.3/008/RPMS

The corresponding source code can be found at: ftp://ftp.caldera.com/pub/OpenLinux/updates/1.3/008/SRPMS

The MD5 checksums (from the “md5sum” command) for these packages
are:

        5510280cd7d597115253a32b5b9b1a64  RPMS/screen-3.7.4-2.i386.rpm
        973bcbc995c9301fc9534abe18d18c1f  SRPMS/screen-3.7.4-2.src.rpm

Upgrade with the following commands:

rpm -q screen && rpm -U screen-3.7.4-2.i386.rpm

IV. References

This and other Caldera security resources are located at:
http://www.caldera.com/news/security/index.html

Additional documentation on this problem can be found in
http://www.geek-girl.com/bugtraq/1998_3/0204.html

This security fix closes Caldera’s internal Problem Report
4084.