Insecure creation of /tmp/screen-exchange (symlink attack)

Bug #315993 reported by Jan Minář
Affects          Status        Importance  Assigned to  Milestone
screen           Unknown       Unknown
screen (Debian)  Fix Released  Unknown
screen (Ubuntu)  Fix Released  Low         Unassigned

Bug Description

1) The release of Ubuntu you are using, via 'lsb_release -rd' or System -> About Ubuntu.

$ lsb_release -rd
Description: Ubuntu 8.04.1
Release: 8.04

2) The version of the package you are using, via 'apt-cache policy packagename' or by checking in Synaptic.

$ apt-cache policy screen
screen:
  Installed: 4.0.3-7ubuntu1
  Candidate: 4.0.3-7ubuntu1
  Version table:
 *** 4.0.3-7ubuntu1 0
        500 http://gb.archive.ubuntu.com hardy/main Packages
        100 /var/lib/dpkg/status

3) What you expected to happen

/tmp/screen-exchange should be created in a secure manner. In particular:

(a) The file should be readable and writable only to the owner (fix for #433338 didn't really fix it, and instead changed the race condition into no-race, making the issue worse)
(b) Symlink attack should be impossible

4) What happened instead

The code responsible for the error does: open("/tmp/screen-exchange", O_WRONLY, 0666);

(a) the file is created with default permissions, depending on the user umask value, which means world-readable under default install settings
(b) Symlink attack is possible. There used to be a race condition, but it seems it was removed when #433338 was closed, as the fix didn't really fix the problem. Now there is no race condition, and any pre-existing symbolic link will result in a file overwrite/creation.

I have created a patch that fixes the problem. The changelog shows three previous patches related to /tmp/screen-exchange. I have commented the source so that future readers can understand better what is going on, and there is hopefully no regression.

I have tested the patched version, and it works under all conditions. The patch applies with an offset to current Debian unstable version (4.0.3-11), and I can only presume it would work.

Tags: patch
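As an added example (not screen's source and not the reporter's patch), the open() pattern the report quotes is placed beside a hardened creation routine in C, followed by a self-check that runs entirely inside a private mkdtemp() directory. The function names, the demo directory and the "victim"/"exchange"/"fresh" file names are constructed for this illustration. The hardened variant goes slightly beyond the two points in the report: besides refusing symlinks and forcing 0600, it also rejects a pre-existing file that is not a regular, single-link file owned by the caller.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the report describes: no O_NOFOLLOW, and the mode is whatever
 * 0666 minus the caller's umask gives. A symlink planted at `path` is followed,
 * so whatever it points to gets truncated and overwritten. */
int open_exchange_insecure(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Hardened creation (added example, not screen's own fix):
 *  - O_NOFOLLOW: a symlink at the final path component makes open() fail, so
 *    there is no check-then-open window to race;
 *  - 0600 is requested at creation, so the result no longer depends on umask;
 *  - no O_TRUNC on the open: the descriptor is inspected with fstat() first and
 *    truncated only once it proves to be a regular, single-link file we own;
 *  - a pre-existing file we own but with a wider mode is tightened via fchmod(). */
int open_exchange_secure(const char *path)
{
    struct stat st;
    int saved_errno;
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW | O_CLOEXEC, S_IRUSR | S_IWUSR);

    if (fd < 0)
        return -1;                     /* ELOOP on Linux when a symlink sat there */
    if (fstat(fd, &st) < 0)
        goto reject;
    if (!S_ISREG(st.st_mode) || st.st_uid != getuid() || st.st_nlink != 1) {
        errno = EPERM;                 /* someone else's file, a FIFO, a hard link... */
        goto reject;
    }
    if ((st.st_mode & 07777) != (S_IRUSR | S_IWUSR) &&
        fchmod(fd, S_IRUSR | S_IWUSR) < 0)
        goto reject;
    if (ftruncate(fd, 0) < 0)
        goto reject;
    return fd;

reject:
    saved_errno = errno;
    close(fd);
    errno = saved_errno;
    return -1;
}

/* Self-check in a private mkdtemp() directory (all paths constructed here):
 * plants a symlink "exchange" -> "victim", shows that the insecure open follows
 * it (victim is truncated) while the hardened open refuses it, then confirms a
 * hardened open of a fresh path yields a 0600 regular file. Returns 1 when
 * every step behaves as described, 0 otherwise. */
int demo_symlink_handling(void)
{
    char dir[] = "/tmp/exch-demo-XXXXXX";
    char victim[64], link_path[64], fresh[64];
    struct stat st;
    int fd, ok = 0;

    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link_path, sizeof link_path, "%s/exchange", dir);
    snprintf(fresh, sizeof fresh, "%s/fresh", dir);

    fd = open(victim, O_WRONLY | O_CREAT, 0600);
    if (fd < 0)
        goto out;
    if (write(fd, "keep", 4) != 4) {
        close(fd);
        goto out;
    }
    close(fd);
    if (symlink(victim, link_path) < 0)
        goto out;

    /* Hardened open must refuse the planted symlink outright. */
    if (open_exchange_secure(link_path) != -1)
        goto out;

    /* Insecure open follows the link: the victim's 4 bytes are gone. */
    fd = open_exchange_insecure(link_path);
    if (fd < 0)
        goto out;
    close(fd);
    if (stat(victim, &st) < 0 || st.st_size != 0)
        goto out;

    /* Hardened open on a fresh path: a regular file with mode exactly 0600. */
    fd = open_exchange_secure(fresh);
    if (fd < 0)
        goto out;
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && (st.st_mode & 07777) == 0600)
        ok = 1;
    close(fd);

out:
    unlink(fresh);
    unlink(link_path);
    unlink(victim);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("hardened open rejects symlink, insecure one follows it: %s\n",
           demo_symlink_handling() ? "yes" : "NO");
    return 0;
}
```

The fstat()-after-open ordering is the important part of the hardened routine: any lstat()-style check done on the path before the open re-introduces exactly the race the report says earlier fixes traded away, whereas checking the already-open descriptor cannot be raced.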

Revision history for this message
Jan Minář (rdancer) wrote :

I have reported this to upstream, but Launchpad cannot add the bug URL: <http://savannah.gnu.org/bugs/index.php?25296>.

Revision history for this message
Micah Cowan (micahcowan) wrote :

(Launchpad doesn't like the "index.php" part, otherwise it can track Savannah bugs)

Changed in screen:
importance: Undecided → Unknown
status: New → Unknown
Kees Cook (kees)
Changed in screen (Ubuntu):
importance: Undecided → Low
status: New → Confirmed
Kees Cook (kees)
Changed in screen (Debian):
importance: Undecided → Unknown
status: New → Unknown
Changed in screen (Debian):
status: Unknown → Fix Released
tags: added: patch
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

This was fixed in 4.0.3-13ubuntu4.

Changed in screen (Ubuntu):
status: Confirmed → Fix Released
This report contains Public Security information. Everyone can see this security related information.