From aa9f51f996a22470b8461d2b6a32e62c7ec30ed5 Mon Sep 17 00:00:00 2001 From: Axel Beckert Date: Mon, 19 May 2025 00:42:42 +0200 Subject: fix CVE-2025-46805: socket.c - don't send signals with root Gbp-Pq: fix-CVE-2025-46805-socket.c-don-t-send-signals-with-.patch. Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/screen/patch/?id=aa9f51f996a22470b8461d2b6a32e62c7ec30ed5 Upstream commit https://git.savannah.gnu.org/cgit/screen.git/commit/?id=161f85b98b7e1d5e4893aeed20f4cdb5e3dfaaa4] CVE: CVE-2025-46805 Signed-off-by: Ashish Sharma socket.c | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-)
diff --git a/socket.c b/socket.c
index e268e3d..11b5e59 100644
--- a/socket.c
+++ b/socket.c
@@ -832,6 +832,11 @@ int pid;
 return UserStatus();
 }
+static void KillUnpriv(pid_t pid, int sig) {
+ UserContext();
+ UserReturn(kill(pid, sig));
+}
+
 #ifdef hpux
 /*
 * From: "F. K. Bruner"
@@ -917,14 +922,14 @@ struct win *wi;
 {
 Msg(errno, "Could not perform necessary sanity checks on pts device.");
 close(i);
- Kill(pid, SIG_BYE);
+ KillUnpriv(pid, SIG_BYE);
 return -1;
 }
 if (strcmp(ttyname_in_ns, m->m_tty))
 {
 Msg(errno, "Attach: passed fd does not match tty: %s - %s!", ttyname_in_ns, m->m_tty[0] != '\0' ? m->m_tty : "(null)");
 close(i);
- Kill(pid, SIG_BYE);
+ KillUnpriv(pid, SIG_BYE);
 return -1;
 }
 /* m->m_tty so far contains the actual name of the pts device in the
@@ -941,19 +946,19 @@ struct win *wi;
 {
 Msg(errno, "Attach: passed fd does not match tty: %s - %s!", m->m_tty, myttyname ? myttyname : "NULL");
 close(i);
- Kill(pid, SIG_BYE);
+ KillUnpriv(pid, SIG_BYE);
 return -1;
 }
 }
 else if ((i = secopen(m->m_tty, O_RDWR | O_NONBLOCK, 0)) < 0)
 {
 Msg(errno, "Attach: Could not open %s!", m->m_tty);
- Kill(pid, SIG_BYE);
+ KillUnpriv(pid, SIG_BYE);
 return -1;
 }
 #ifdef MULTIUSER
 if (attach)
- Kill(pid, SIGCONT);
+ KillUnpriv(pid, SIGCONT);
 #endif
 #if defined(ultrix) || defined(pyr) || defined(NeXT)
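Review bot: KillUnpriv, added in the first hunk, ignores the return value of `UserContext()` and hands `pid` straight to `kill()`, so the helper that now forms the privilege boundary has no check of its own. The neighbouring code ends with `return UserStatus();`, which suggests UserContext() can report failure or run in more than one mode (its definition is outside this diff); if so, the signal should only be sent on success, e.g. `if (UserContext() > 0) UserReturn(kill(pid, sig));`. kill() also treats 0 and negative pids as process-group or broadcast targets, and whatever filtering the old Kill() wrapper did (not visible here) no longer applies, so a guard such as `if (pid <= 0) return;` at the top is worth adding. A short comment on the function saying why it drops to the real user before signalling would help readers of the call sites changed in the later hunks.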
@@ -966,7 +971,7 @@ struct win *wi;
 {
 write(i, "Attaching from inside of screen?\n", 33);
 close(i);
- Kill(pid, SIG_BYE);
+ KillUnpriv(pid, SIG_BYE);
 Msg(0, "Attach msg ignored: coming from inside.");
 return -1;
 }
@@ -977,7 +982,7 @@ struct win *wi;
 {
 write(i, "Access to session denied.\n", 26);
 close(i);
- Kill(pid, SIG_BYE);
+ KillUnpriv(pid, SIG_BYE);
 Msg(0, "Attach: access denied for user %s.", user);
 return -1;
 }
@@ -1295,7 +1300,7 @@ ReceiveMsg()
 Msg(0, "Query attempt with bad pid(%d)!", m.m.command.apid);
 }
 else
 {
- Kill(m.m.command.apid,
+ KillUnpriv(m.m.command.apid,
 (queryflag >= 0) ? SIGCONT : SIG_BYE); /* Send SIG_BYE if an error happened */
-- cgit v1.2.3
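Review bot: In the else branch of ReceiveMsg (last hunk) the result of the signal is thrown away, so a `kill()` that is refused once privileges are dropped leaves no trace. After this change a refusal (EPERM) is the expected outcome when a client names a pid it does not own, which is the event an operator would want logged next to the existing "Query attempt with bad pid" message. KillUnpriv returns void, so this would need it to return a status, for example an `int` return type ending in `return UserStatus();`, with the caller logging a failure through `Msg()`. Whether UserStatus() yields the kill() result is an assumption, since its definition is outside the diff. ReceiveMsg's body starts and ends outside this hunk.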