1 files changed, 260 insertions, 0 deletions
diff --git a/debian/patches/02screen-cc.patch b/debian/patches/02screen-cc.patch
new file mode 100644
index 0000000..0af779c
--- /dev/null
+++ b/debian/patches/02screen-cc.patch
@@ -0,0 +1,260 @@
+Author: <bpkroth@gmail.com>
+Description: Some patches stolen from the fedora package for better error checking and tty security.
+--- a/utmp.c
++++ b/utmp.c
+@@ -361,7 +361,7 @@
+       char *tty;
+       debug("couln't zap slot -> do mesg n\n");
+       D_loginttymode = 0;
+-      if ((tty = ttyname(D_userfd)) && stat(tty, &stb) == 0 && (int)stb.st_uid == real_uid && ((int)stb.st_mode & 0777) != 0666)
++      if ((tty = ttyname(D_userfd)) && stat(tty, &stb) == 0 && (int)stb.st_uid == real_uid && !CheckTtyname(tty) && ((int)stb.st_mode & 0777) != 0666)
+ 	{
+ 	  D_loginttymode = (int)stb.st_mode & 0777;
+ 	  chmod(D_usertty, stb.st_mode & 0600);
+@@ -387,7 +387,7 @@
+     }
+   UT_CLOSE;
+   D_loginslot = (slot_t)0;
+-  if (D_loginttymode && (tty = ttyname(D_userfd)))
++  if (D_loginttymode && (tty = ttyname(D_userfd)) && !CheckTtyname(tty))
+     chmod(tty, D_loginttymode);
+ }
+ 
+@@ -575,7 +575,7 @@
+     return ut_delete_user(slot, u.ut_pid, 0, 0) != 0;
+ #endif
+ #ifdef HAVE_UTEMPTER
+-  if (eff_uid && wi->w_ptyfd != -1)
++  if (eff_uid && wi && wi->w_ptyfd != -1)
+     {
+       /* sigh, linux hackers made the helper functions void */
+       if (SLOT_USED(u))
+@@ -853,7 +853,7 @@
+ 
+   for (fd = 0; fd <= 2 && (tty = ttyname(fd)) == NULL; fd++)
+     ;
+-  if ((tty == NULL) || ((fd = open(UTMP_FILE, O_RDONLY)) < 0))
++  if ((tty == NULL) || CheckTtyname(tty) || ((fd = open(UTMP_FILE, O_RDONLY)) < 0))
+     return NULL;
+   tty = stripdev(tty);
+   retbuf[0] = '\0';
+--- a/extern.h
++++ b/extern.h
+@@ -110,6 +110,7 @@
+ extern struct baud_values *lookup_baud __P((int bps));
+ extern int   SetBaud __P((struct mode *, int, int));
+ extern int   SttyMode __P((struct mode *, char *));
++extern int   CheckTtyname __P((char *));
+ 
+ 
+ /* mark.c */
+--- a/screen.c
++++ b/screen.c
+@@ -970,8 +970,13 @@
+ 	else \
+ 	  attach_tty = ""; \
+       } \
+-    else if (stat(attach_tty, &st)) \
+-      Panic(errno, "Cannot access '%s'", attach_tty); \
++    else \
++      { \
++	if (stat(attach_tty, &st)) \
++	  Panic(errno, "Cannot access '%s'", attach_tty); \
++	if (CheckTtyname(attach_tty)) \
++	  Panic(0, "Bad tty '%s'", attach_tty); \
++      } \
+     if (strlen(attach_tty) >= MAXPATHLEN) \
+       Panic(0, "TtyName too long - sorry."); \
+   } while (0)
+--- a/tty.sh
++++ b/tty.sh
+@@ -60,6 +60,7 @@
+ #include <sys/types.h>
+ #include <signal.h>
+ #include <fcntl.h>
++#include <sys/stat.h>
+ #ifndef sgi
+ # include <sys/file.h>
+ #endif
+@@ -1506,6 +1507,19 @@
+   return 0;
+ }
+ 
++
++int
++CheckTtyname (tty)
++char *tty;
++{
++  struct stat st;
++
++  if (lstat(tty, &st) || !S_ISCHR(st.st_mode) ||
++     (st.st_nlink > 1 && strncmp(tty, "/dev/", 5)))
++    return -1;
++  return 0;
++}
++
+ /*
+  *  Write out the mode struct in a readable form
+  */
+--- a/socket.c
++++ b/socket.c
+@@ -722,6 +722,7 @@
+   char *args[MAXARGS];
+   register int n;
+   register char **pp = args, *p = mp->m.create.line;
++  char buf[20];
+ 
+   nwin = nwin_undef;
+   n = mp->m.create.nargs;
+@@ -731,7 +732,6 @@
+   if (n)
+     {
+       int l, num;
+-      char buf[20];
+ 
+       l = strlen(p);
+       if (IsNumColon(p, 10, buf, sizeof(buf)))
+--- a/braille_tsi.c
++++ b/braille_tsi.c
+@@ -127,7 +127,6 @@
+   r = read(bd.bd_fd,ibuf,1);
+   if (r != 1)
+     return -1;
+-  if (r != -1)
+   if (ibuf[0] == 'V')
+     r = read(bd.bd_fd, ibuf, 3);
+   else
+--- a/fileio.c
++++ b/fileio.c
+@@ -80,8 +80,6 @@
+     }
+   else
+     {
+-      if (len1 == 0)
+-	return 0;
+       if ((cp = malloc((unsigned) len1 + add_colon + 1)) == NULL)
+ 	Panic(0, "%s", strnomem);
+       cp[len1 + add_colon] = '\0';
+--- a/attacher.c
++++ b/attacher.c
+@@ -185,8 +185,8 @@
+ 	  if (ret == SIG_POWER_BYE)
+ 	    {
+ 	      int ppid;
+-	      setgid(real_gid);
+-	      setuid(real_uid);
++	      if (setgid(real_gid) || setuid(real_uid))
++		Panic(errno, "setuid/gid");
+ 	      if ((ppid = getppid()) > 1)
+ 		Kill(ppid, SIGHUP);
+ 	      exit(0);
+@@ -282,7 +282,10 @@
+ #ifdef MULTIUSER
+   if (!multiattach)
+ #endif
+-    setuid(real_uid);
++    {
++      if (setuid(real_uid))
++        Panic(errno, "setuid");
++    }
+ #if defined(MULTIUSER) && defined(USE_SETEUID)
+   else
+     {
+@@ -290,7 +293,8 @@
+       xseteuid(real_uid); /* multi_uid, allow backend to send signals */
+     }
+ #endif
+-  setgid(real_gid);
++  if (setgid(real_gid))
++    Panic(errno, "setgid");
+   eff_uid = real_uid;
+   eff_gid = real_gid;
+ 
+@@ -486,7 +490,8 @@
+ #ifdef MULTIUSER
+   if (tty_oldmode >= 0)
+     {
+-      setuid(own_uid);
++      if (setuid(own_uid))
++        Panic(errno, "setuid");
+       chmod(attach_tty, tty_oldmode);
+     }
+ #endif
+@@ -504,11 +509,14 @@
+   if (multiattach)
+     exit(SIG_POWER_BYE);
+ #endif
+-  setgid(real_gid);
++  if (setgid(real_gid))
++    Panic(errno, "setgid");
+ #ifdef MULTIUSER
+-  setuid(own_uid);
++  if (setuid(own_uid))
++    Panic(errno, "setuid");
+ #else
+-  setuid(real_uid);
++  if (setuid(real_uid))
++    Panic(errno, "setuid");
+ #endif
+   /* we don't want to disturb init (even if we were root), eh? jw */
+   if ((ppid = getppid()) > 1)
+@@ -679,11 +687,14 @@
+ LockHup SIGDEFARG
+ {
+   int ppid = getppid();
+-  setgid(real_gid);
++  if (setgid(real_gid))
++    Panic(errno, "setgid");
+ #ifdef MULTIUSER
+-  setuid(own_uid);
++  if (setuid(own_uid))
++    Panic(errno, "setuid");
+ #else
+-  setuid(real_uid);
++  if (setuid(real_uid))
++    Panic(errno, "setuid");
+ #endif
+   if (ppid > 1)
+     Kill(ppid, SIGHUP);
+@@ -710,11 +721,14 @@
+       if ((pid = fork()) == 0)
+         {
+           /* Child */
+-          setgid(real_gid);
++          if (setgid(real_gid))
++            Panic(errno, "setgid");
+ #ifdef MULTIUSER
+-          setuid(own_uid);
++          if (setuid(own_uid))
++            Panic(errno, "setuid");
+ #else
+-          setuid(real_uid);	/* this should be done already */
++          if (setuid(real_uid))   /* this should be done already */
++            Panic(errno, "setuid");
+ #endif
+           closeallfiles(0);	/* important: /etc/shadow may be open */
+           execl(prg, "SCREEN-LOCK", NULL);
+@@ -847,6 +861,7 @@
+ #ifdef USE_PAM
+   pam_handle_t *pamh = 0;
+   int pam_error;
++  char *tty_name;
+ #else
+   char *pass, mypass[16 + 1], salt[3];
+ #endif
+@@ -918,6 +933,15 @@
+       pam_error = pam_start("screen", ppp->pw_name, &PAM_conversation, &pamh);
+       if (pam_error != PAM_SUCCESS)
+ 	AttacherFinit(SIGARG);		/* goodbye */
++
++      if (strncmp(attach_tty, "/dev/", 5) == 0)
++	tty_name = attach_tty + 5;
++      else
++	tty_name = attach_tty;
++      pam_error = pam_set_item(pamh, PAM_TTY, tty_name);
++      if (pam_error != PAM_SUCCESS)
++	AttacherFinit(SIGARG);		/* goodbye */
++
+       pam_error = pam_authenticate(pamh, 0);
+       pam_end(pamh, pam_error);
+       PAM_conversation.appdata_ptr = 0;