From 089b97333844e05a4693a3ee726ac6bdb2d6bf59 Mon Sep 17 00:00:00 2001
From: Matthias Gerstner <matthias.gerstner@suse.de>
Date: Wed, 7 May 2025 12:59:05 +0200
Subject: [PATCH 1/3] attacher.c: prevent temporary 0666 mode on PTYs to fix
 CVE-2025-46802

This temporary chmod of the PTY to mode 0666 is most likely a remnant of
past times, before the PTY file descriptor was passed to the target
session via the UNIX domain socket.

This chmod() causes a race condition during which any other user in the
system can open the PTY for reading and writing, and thus allows PTY
hijacking.

Simply remove this logic completely.
---
 attacher.c | 27 ---------------------------
 screen.c   | 19 -------------------
 2 files changed, 46 deletions(-)

diff --git a/attacher.c b/attacher.c
index c35ae7a..16b151e 100644
--- a/attacher.c
+++ b/attacher.c
@@ -73,7 +73,6 @@ extern int MasterPid, attach_fd;
 #ifdef MULTIUSER
 extern char *multi;
 extern int multiattach, multi_uid, own_uid;
-extern int tty_mode, tty_oldmode;
 # ifndef USE_SETEUID
 static int multipipe[2];
 # endif
@@ -160,9 +159,6 @@ int how;
 
       if (pipe(multipipe))
 	Panic(errno, "pipe");
-      if (chmod(attach_tty, 0666))
-	Panic(errno, "chmod %s", attach_tty);
-      tty_oldmode = tty_mode;
       eff_uid = -1;	/* make UserContext fork */
       real_uid = multi_uid;
       if ((ret = UserContext()) <= 0)
@@ -174,11 +170,6 @@ int how;
 	    Panic(errno, "UserContext");
 	  close(multipipe[1]);
 	  read(multipipe[0], &dummy, 1);
-	  if (tty_oldmode >= 0)
-	    {
-	      chmod(attach_tty, tty_oldmode);
-	      tty_oldmode = -1;
-	    }
 	  ret = UserStatus();
 #ifdef LOCK
 	  if (ret == SIG_LOCK)
@@ -224,9 +215,6 @@ int how;
       xseteuid(multi_uid);
       xseteuid(own_uid);
 #endif
-      if (chmod(attach_tty, 0666))
-	Panic(errno, "chmod %s", attach_tty);
-      tty_oldmode = tty_mode;
     }
 # endif /* USE_SETEUID */
 #endif /* MULTIUSER */
@@ -423,13 +411,6 @@ int how;
       ContinuePlease = 0;
 # ifndef USE_SETEUID
       close(multipipe[1]);
-# else
-      xseteuid(own_uid);
-      if (tty_oldmode >= 0)
-        if (chmod(attach_tty, tty_oldmode))
-          Panic(errno, "chmod %s", attach_tty);
-      tty_oldmode = -1;
-      xseteuid(real_uid);
 # endif
     }
 #endif
@@ -505,14 +486,6 @@ AttacherFinit SIGDEFARG
 	  close(s);
 	}
     }
-#ifdef MULTIUSER
-  if (tty_oldmode >= 0)
-    {
-      if (setuid(own_uid))
-        Panic(errno, "setuid");
-      chmod(attach_tty, tty_oldmode);
-    }
-#endif
   exit(0);
   SIGRETURN;
 }
diff --git a/screen.c b/screen.c
index 7653cd1..1a23e1a 100644
--- a/screen.c
+++ b/screen.c
@@ -230,8 +230,6 @@ char *multi_home;
 int multi_uid;
 int own_uid;
 int multiattach;
-int tty_mode;
-int tty_oldmode = -1;
 #endif
 
 char HostName[MAXSTR];
@@ -1009,9 +1007,6 @@ int main(int ac, char** av)
 
     /* ttyname implies isatty */
     SetTtyname(true, &st);
-#ifdef MULTIUSER
-    tty_mode = (int)st.st_mode & 0777;
-#endif
 
     fl = fcntl(0, F_GETFL, 0);
     if (fl != -1 && (fl & (O_RDWR|O_RDONLY|O_WRONLY)) == O_RDWR)
@@ -2170,20 +2165,6 @@ DEFINE_VARARGS_FN(Panic)
       if (D_userpid)
         Kill(D_userpid, SIG_BYE);
     }
-#ifdef MULTIUSER
-  if (tty_oldmode >= 0) {
-
-# ifdef USE_SETEUID
-    if (setuid(own_uid))
-      xseteuid(own_uid);	/* may be a loop. sigh. */
-# else
-      setuid(own_uid);
-# endif
-
-    debug1("Panic: changing back modes from %s\n", attach_tty);
-    chmod(attach_tty, tty_oldmode);
-  }
-#endif
   eexit(1);
 }
 
-- 
2.49.0