authorAndrej Valek <andrej.valek@siemens.com>2018-07-24 11:08:29 (GMT)
committerRichard Purdie <richard.purdie@linuxfoundation.org>2018-10-10 12:27:02 (GMT)
commit2f89032e5fcaa248400d3b84287f4ce8c4954547 (patch)
treeaa120893a83366607cdd55934baadbf59031238a
parentf29617bf1831cf1c680f24185591dcf8391c2358 (diff)
downloadpoky-2f89032e5fcaa248400d3b84287f4ce8c4954547.tar.gz
shadow: fix CVE-2017-2616
(From OE-Core rev: 94a1e2794df15f0f2cb62ae030cd81e6c0798b1f) (From OE-Core rev: 8894c70ae5a44974f74434d251def3148818a866) (From OE-Core rev: eec9169658733335c6f8251b5122706fa8ab467d) Signed-off-by: Andrej Valek <andrej.valek@siemens.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-extended/shadow/files/CVE-2017-2616.patch64
-rw-r--r--meta/recipes-extended/shadow/shadow.inc1
2 files changed, 65 insertions, 0 deletions
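diff --git a/meta/recipes-extended/shadow/files/CVE-2017-2616.patch b/meta/recipes-extended/shadow/files/CVE-2017-2616.patch
new file mode 100644
index 0000000..ee728f0
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/CVE-2017-2616.patch
@@ -0,0 +1,64 @@
+shadow-4.2.1: Fix CVE-2017-2616
+
+[No upstream tracking] -- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855943
+
+su: properly clear child PID
+
+If su is compiled with PAM support, it is possible for any local user
+to send SIGKILL to other processes with root privileges. There are
+only two conditions. First, the user must be able to perform su with
+a successful login. This does NOT have to be the root user, even using
+su with the same id is enough, e.g. "su $(whoami)". Second, SIGKILL
+can only be sent to processes which were executed after the su process.
+It is not possible to send SIGKILL to processes which were already
+running. I consider this as a security vulnerability, because I was
+able to write a proof of concept which unlocked a screen saver of
+another user this way.
+
+Upstream-Status: Backport [https://github.com/shadow-maint/shadow/commit/08fd4b69e84364677a10e519ccb25b71710ee686]
+CVE: CVE-2017-2616
+bug: 855943
+Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
+
+diff --git a/src/su.c b/src/su.c
+index 3704217..1efcd61 100644
+--- a/src/su.c
++++ b/src/su.c
+@@ -363,20 +363,35 @@ static void prepare_pam_close_session (void)
+ /* wake child when resumed */
+ kill (pid, SIGCONT);
+ stop = false;
++ } else {
++ pid_child = 0;
+ }
+ } while (!stop);
+ }
+
+- if (0 != caught) {
++ if (0 != caught && 0 != pid_child) {
+ (void) fputs ("\n", stderr);
+ (void) fputs (_("Session terminated, terminating shell..."),
+ stderr);
+ (void) kill (-pid_child, caught);
+
+ (void) signal (SIGALRM, kill_child);
++ (void) signal (SIGCHLD, catch_signals);
+ (void) alarm (2);
+
+- (void) wait (&status);
++ sigemptyset (&ourset);
++ if ((sigaddset (&ourset, SIGALRM) != 0)
++ || (sigprocmask (SIG_BLOCK, &ourset, NULL) != 0)) {
++ fprintf (stderr, _("%s: signal masking malfunction\n"), Prog);
++ kill_child (0);
++ } else {
++ while (0 == waitpid (pid_child, &status, WNOHANG)) {
++ sigsuspend (&ourset);
++ }
++ pid_child = 0;
++ (void) sigprocmask (SIG_UNBLOCK, &ourset, NULL);
++ }
++
+ (void) fputs (_(" ...terminated.\n"), stderr);
+ }
+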
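Review bot: The two-second SIGKILL escalation armed by `alarm (2)` cannot fire inside the new wait loop in `src/su.c`, because `ourset` holds only SIGALRM, is blocked with `sigprocmask (SIG_BLOCK, &ourset, NULL)`, and is then passed to `sigsuspend (&ourset)`, which keeps SIGALRM blocked while waiting. A child that ignores `caught` would keep su waiting until it exits on its own, and because SIGCHLD is not blocked, an exit that lands between `waitpid` and `sigsuspend` can leave the loop asleep. I would add SIGCHLD to `ourset`, save the previous mask with `sigprocmask (SIG_BLOCK, &ourset, &oldset)`, and wait with `sigsuspend (&oldset);`, where `oldset` is a new local `sigset_t`. The code matches the upstream commit named in `Upstream-Status`, so this is better carried as a follow-up patch than as an edit to the backport. `prepare_pam_close_session` starts and ends outside the hunk and `kill_child` is not visible, so its use of `pid_child` is assumed.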
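diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc
index ccae091..5a49385 100644
--- a/meta/recipes-extended/shadow/shadow.inc
+++ b/meta/recipes-extended/shadow/shadow.inc
@@ -19,6 +19,7 @@ SRC_URI = "https://downloads.yoctoproject.org/mirror/sources/${BP}.tar.xz \
  file://check_size_of_uid_t_and_gid_t_using_AC_CHECK_SIZEOF.patch \
  file://0001-useradd-copy-extended-attributes-of-home.patch \
  file://0001-shadow-CVE-2017-12424 \
+ file://CVE-2017-2616.patch \
  ${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \
  "
 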