Author: <bpkroth@gmail.com>
Description: Some patches stolen from the fedora package for better error checking and tty security.
Index: screen/utmp.c
===================================================================
--- screen.orig/utmp.c	2014-04-17 14:21:36.843412125 +0200
+++ screen/utmp.c	2014-04-17 14:21:36.815412195 +0200
@@ -361,7 +361,7 @@
       char *tty;
       debug("couln't zap slot -> do mesg n\n");
       D_loginttymode = 0;
-      if ((tty = ttyname(D_userfd)) && stat(tty, &stb) == 0 && (int)stb.st_uid == real_uid && ((int)stb.st_mode & 0777) != 0666)
+      if ((tty = ttyname(D_userfd)) && stat(tty, &stb) == 0 && (int)stb.st_uid == real_uid && !CheckTtyname(tty) && ((int)stb.st_mode & 0777) != 0666)
 	{
 	  D_loginttymode = (int)stb.st_mode & 0777;
 	  chmod(D_usertty, stb.st_mode & 0600);
@@ -387,7 +387,7 @@
     }
   UT_CLOSE;
   D_loginslot = (slot_t)0;
-  if (D_loginttymode && (tty = ttyname(D_userfd)))
+  if (D_loginttymode && (tty = ttyname(D_userfd)) && !CheckTtyname(tty))
     chmod(tty, D_loginttymode);
 }
 
@@ -575,7 +575,7 @@
     return ut_delete_user(slot, u.ut_pid, 0, 0) != 0;
 #endif
 #ifdef HAVE_UTEMPTER
-  if (eff_uid && wi->w_ptyfd != -1)
+  if (eff_uid && wi && wi->w_ptyfd != -1)
     {
       /* sigh, linux hackers made the helper functions void */
       if (SLOT_USED(u))
@@ -853,7 +853,7 @@
 
   for (fd = 0; fd <= 2 && (tty = ttyname(fd)) == NULL; fd++)
     ;
-  if ((tty == NULL) || ((fd = open(UTMP_FILE, O_RDONLY)) < 0))
+  if ((tty == NULL) || CheckTtyname(tty) || ((fd = open(UTMP_FILE, O_RDONLY)) < 0))
     return NULL;
   tty = stripdev(tty);
   retbuf[0] = '\0';
Index: screen/extern.h
===================================================================
--- screen.orig/extern.h	2014-04-17 14:21:36.843412125 +0200
+++ screen/extern.h	2014-04-17 14:21:36.819412181 +0200
@@ -110,6 +110,7 @@
 extern struct baud_values *lookup_baud __P((int bps));
 extern int   SetBaud __P((struct mode *, int, int));
 extern int   SttyMode __P((struct mode *, char *));
+extern int   CheckTtyname __P((char *));
 
 
 /* mark.c */
Index: screen/screen.c
===================================================================
--- screen.orig/screen.c	2014-04-17 14:21:36.843412125 +0200
+++ screen/screen.c	2014-04-17 14:21:36.823412180 +0200
@@ -972,8 +972,13 @@
 	else \
 	  attach_tty = ""; \
       } \
-    else if (stat(attach_tty, &st)) \
-      Panic(errno, "Cannot access '%s'", attach_tty); \
+    else \
+      { \
+	if (stat(attach_tty, &st)) \
+	  Panic(errno, "Cannot access '%s'", attach_tty); \
+	if (CheckTtyname(attach_tty)) \
+	  Panic(0, "Bad tty '%s'", attach_tty); \
+      } \
     if (strlen(attach_tty) >= MAXPATHLEN) \
       Panic(0, "TtyName too long - sorry."); \
   } while (0)
Index: screen/tty.sh
===================================================================
--- screen.orig/tty.sh	2014-04-17 14:21:36.843412125 +0200
+++ screen/tty.sh	2014-04-17 14:21:36.827412192 +0200
@@ -60,6 +60,7 @@
 #include <sys/types.h>
 #include <signal.h>
 #include <fcntl.h>
+#include <sys/stat.h>
 #ifndef sgi
 # include <sys/file.h>
 #endif
@@ -1499,6 +1500,19 @@
   return 0;
 }
 
+
+int
+CheckTtyname (tty)
+char *tty;
+{
+  struct stat st;
+
+  if (lstat(tty, &st) || !S_ISCHR(st.st_mode) ||
+     (st.st_nlink > 1 && strncmp(tty, "/dev/", 5)))
+    return -1;
+  return 0;
+}
+
 /*
  *  Write out the mode struct in a readable form
  */
Index: screen/socket.c
===================================================================
--- screen.orig/socket.c	2014-04-17 14:21:36.843412125 +0200
+++ screen/socket.c	2014-04-17 14:21:36.827412192 +0200
@@ -722,6 +722,7 @@
   char *args[MAXARGS];
   register int n;
   register char **pp = args, *p = mp->m.create.line;
+  char buf[20];
 
   nwin = nwin_undef;
   n = mp->m.create.nargs;
@@ -731,7 +732,6 @@
   if (n)
     {
       int l, num;
-      char buf[20];
 
       l = strlen(p);
       if (IsNumColon(p, 10, buf, sizeof(buf)))
Index: screen/braille_tsi.c
===================================================================
--- screen.orig/braille_tsi.c	2014-04-17 14:21:36.843412125 +0200
+++ screen/braille_tsi.c	2014-04-17 14:21:36.831412183 +0200
@@ -127,7 +127,6 @@
   r = read(bd.bd_fd,ibuf,1);
   if (r != 1)
     return -1;
-  if (r != -1)
   if (ibuf[0] == 'V')
     r = read(bd.bd_fd, ibuf, 3);
   else
Index: screen/fileio.c
===================================================================
--- screen.orig/fileio.c	2014-04-17 14:21:36.843412125 +0200
+++ screen/fileio.c	2014-04-17 14:21:36.831412183 +0200
@@ -80,8 +80,6 @@
     }
   else
     {
-      if (len1 == 0)
-	return 0;
       if ((cp = malloc((unsigned) len1 + add_colon + 1)) == NULL)
 	Panic(0, "%s", strnomem);
       cp[len1 + add_colon] = '\0';
Index: screen/attacher.c
===================================================================
--- screen.orig/attacher.c	2014-04-17 14:21:36.843412125 +0200
+++ screen/attacher.c	2014-04-17 14:21:36.831412183 +0200
@@ -185,8 +185,8 @@
 	  if (ret == SIG_POWER_BYE)
 	    {
 	      int ppid;
-	      setgid(real_gid);
-	      setuid(real_uid);
+	      if (setgid(real_gid) || setuid(real_uid))
+		Panic(errno, "setuid/gid");
 	      if ((ppid = getppid()) > 1)
 		Kill(ppid, SIGHUP);
 	      exit(0);
@@ -282,7 +282,10 @@
 #ifdef MULTIUSER
   if (!multiattach)
 #endif
-    setuid(real_uid);
+    {
+      if (setuid(real_uid))
+        Panic(errno, "setuid");
+    }
 #if defined(MULTIUSER) && defined(USE_SETEUID)
   else
     {
@@ -290,7 +293,8 @@
       xseteuid(real_uid); /* multi_uid, allow backend to send signals */
     }
 #endif
-  setgid(real_gid);
+  if (setgid(real_gid))
+    Panic(errno, "setgid");
   eff_uid = real_uid;
   eff_gid = real_gid;
 
@@ -486,7 +490,8 @@
 #ifdef MULTIUSER
   if (tty_oldmode >= 0)
     {
-      setuid(own_uid);
+      if (setuid(own_uid))
+        Panic(errno, "setuid");
       chmod(attach_tty, tty_oldmode);
     }
 #endif
@@ -504,11 +509,14 @@
   if (multiattach)
     exit(SIG_POWER_BYE);
 #endif
-  setgid(real_gid);
+  if (setgid(real_gid))
+    Panic(errno, "setgid");
 #ifdef MULTIUSER
-  setuid(own_uid);
+  if (setuid(own_uid))
+    Panic(errno, "setuid");
 #else
-  setuid(real_uid);
+  if (setuid(real_uid))
+    Panic(errno, "setuid");
 #endif
   /* we don't want to disturb init (even if we were root), eh? jw */
   if ((ppid = getppid()) > 1)
@@ -679,11 +687,14 @@
 LockHup SIGDEFARG
 {
   int ppid = getppid();
-  setgid(real_gid);
+  if (setgid(real_gid))
+    Panic(errno, "setgid");
 #ifdef MULTIUSER
-  setuid(own_uid);
+  if (setuid(own_uid))
+    Panic(errno, "setuid");
 #else
-  setuid(real_uid);
+  if (setuid(real_uid))
+    Panic(errno, "setuid");
 #endif
   if (ppid > 1)
     Kill(ppid, SIGHUP);
@@ -710,11 +721,14 @@
       if ((pid = fork()) == 0)
         {
           /* Child */
-          setgid(real_gid);
+          if (setgid(real_gid))
+            Panic(errno, "setgid");
 #ifdef MULTIUSER
-          setuid(own_uid);
+          if (setuid(own_uid))
+            Panic(errno, "setuid");
 #else
-          setuid(real_uid);	/* this should be done already */
+          if (setuid(real_uid))   /* this should be done already */
+            Panic(errno, "setuid");
 #endif
           closeallfiles(0);	/* important: /etc/shadow may be open */
           execl(prg, "SCREEN-LOCK", NULL);
@@ -847,6 +861,7 @@
 #ifdef USE_PAM
   pam_handle_t *pamh = 0;
   int pam_error;
+  char *tty_name;
 #endif
   char *pass = 0, mypass[16 + 1], salt[3];
   int using_pam = 1;
@@ -932,6 +947,15 @@
       pam_error = pam_start("screen", ppp->pw_name, &PAM_conversation, &pamh);
       if (pam_error != PAM_SUCCESS)
 	AttacherFinit(SIGARG);		/* goodbye */
+
+      if (strncmp(attach_tty, "/dev/", 5) == 0)
+	tty_name = attach_tty + 5;
+      else
+	tty_name = attach_tty;
+      pam_error = pam_set_item(pamh, PAM_TTY, tty_name);
+      if (pam_error != PAM_SUCCESS)
+	AttacherFinit(SIGARG);		/* goodbye */
+
       pam_error = pam_authenticate(pamh, 0);
       pam_end(pamh, pam_error);
       PAM_conversation.appdata_ptr = 0;