Topic: screen /tmp file race problem
Advisory issue date: 25 November 1998
I. Problem Description
This is a problem present in screen 3.7.4. When a user uses ^A
> in screen to save whatever he has cut, the file
/tmp/screen-exchange is created. This file contains whatever was in
the cut buffer at the time. This can be exploited if a normal user
links /tmp/screen-exchange to a sensetive file, such as
/etc/passwdr. Whenever root uses ^A > to save his buffer to
file, whatever file /tmp/screen-exchange is linked to, is
overwritten.
II. Impact
Description:
When the root user uses screen critical files may be
overwritten.
Vulnerable Systems:
OpenLinux 1.0, 1.1, 1.2, 1.3 systems using a screen package
prior to screen-3.7.4-2.
III. Solution
Workaround:
Do not use screen and remove the screen package until the fixed
package can be installed.
Correction:
The proper solution is to upgrade to the screen-3.7.4-2
package.
They can be found on Caldera’s FTP site at: ftp://ftp.caldera.com/pub/OpenLinux/updates/1.3/008/RPMS
The corresponding source code can be found at: ftp://ftp.caldera.com/pub/OpenLinux/updates/1.3/008/SRPMS
The MD5 checksums (from the “md5sum” command) for these packages
are:
5510280cd7d597115253a32b5b9b1a64 RPMS/screen-3.7.4-2.i386.rpm 973bcbc995c9301fc9534abe18d18c1f SRPMS/screen-3.7.4-2.src.rpm
Upgrade with the following commands:
rpm -q screen && rpm -U screen-3.7.4-2.i386.rpm
IV. References
This and other Caldera security resources are located at:
http://www.caldera.com/news/security/index.html
Additional documentation on this problem can be found in
http://www.geek-girl.com/bugtraq/1998_3/0204.html
This security fix closes Caldera’s internal Problem Report
4084.