shadow: fix CVE-2017-2616

(From OE-Core rev: 94a1e2794df15f0f2cb62ae030cd81e6c0798b1f) (From OE-Core rev: 8894c70ae5a44974f74434d251def3148818a866) (From OE-Core rev: eec9169658733335c6f8251b5122706fa8ab467d) Signed-off-by: Andrej Valek <andrej.valek@siemens.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-01-01 13:58:04 +00:00 · 2018-07-24 13:08:29 +02:00 · 2018-07-24 13:08:29 +02:00 · 2f89032e5f
commit 2f89032e5f
parent f29617bf18
2 changed files with 65 additions and 0 deletions
--- a/meta/recipes-extended/shadow/files/CVE-2017-2616.patch
+++ b/meta/recipes-extended/shadow/files/CVE-2017-2616.patch
@ -0,0 +1,64 @@
+shadow-4.2.1: Fix CVE-2017-2616
+
+[No upstream tracking] -- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855943
+
+su: properly clear child PID
+
+If su is compiled with PAM support, it is possible for any local user
+to send SIGKILL to other processes with root privileges. There are
+only two conditions. First, the user must be able to perform su with
+a successful login. This does NOT have to be the root user, even using
+su with the same id is enough, e.g. "su $(whoami)". Second, SIGKILL
+can only be sent to processes which were executed after the su process.
+It is not possible to send SIGKILL to processes which were already
+running. I consider this as a security vulnerability, because I was
+able to write a proof of concept which unlocked a screen saver of
+another user this way.
+
+Upstream-Status: Backport [https://github.com/shadow-maint/shadow/commit/08fd4b69e84364677a10e519ccb25b71710ee686]
+CVE: CVE-2017-2616
+bug: 855943
+Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
+
+diff --git a/src/su.c b/src/su.c
+index 3704217..1efcd61 100644
+--- a/src/su.c
+++ b/src/su.c
+@@ -363,20 +363,35 @@ static void prepare_pam_close_session (void)
+ 				/* wake child when resumed */
+ 				kill (pid, SIGCONT);
+ 				stop = false;
+			} else {
+				pid_child = 0;
+ 			}
+ 		} while (!stop);
+ 	}
+ 
+-	if (0 != caught) {
+	if (0 != caught && 0 != pid_child) {
+ 		(void) fputs ("\n", stderr);
+ 		(void) fputs (_("Session terminated, terminating shell..."),
+ 		              stderr);
+ 		(void) kill (-pid_child, caught);
+ 
+ 		(void) signal (SIGALRM, kill_child);
+		(void) signal (SIGCHLD, catch_signals);
+ 		(void) alarm (2);
+ 
+-		(void) wait (&status);
+		sigemptyset (&ourset);
+		if ((sigaddset (&ourset, SIGALRM) != 0)
+		    || (sigprocmask (SIG_BLOCK, &ourset, NULL) != 0)) {
+			fprintf (stderr, _("%s: signal masking malfunction\n"), Prog);
+			kill_child (0);
+		} else {
+			while (0 == waitpid (pid_child, &status, WNOHANG)) {
+				sigsuspend (&ourset);
+			}
+			pid_child = 0;
+			(void) sigprocmask (SIG_UNBLOCK, &ourset, NULL);
+		}
+
+ 		(void) fputs (_(" ...terminated.\n"), stderr);
+ 	}
+ 
--- a/meta/recipes-extended/shadow/shadow.inc
+++ b/meta/recipes-extended/shadow/shadow.inc
@ -19,6 +19,7 @@ SRC_URI = "https://downloads.yoctoproject.org/mirror/sources/${BP}.tar.xz \
           file://check_size_of_uid_t_and_gid_t_using_AC_CHECK_SIZEOF.patch \
           file://0001-useradd-copy-extended-attributes-of-home.patch \
           file://0001-shadow-CVE-2017-12424 \
+           file://CVE-2017-2616.patch \
           ${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \
           "