diff options
author | Andrej Valek <andrej.valek@siemens.com> | 2018-07-24 13:08:29 +0200 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2018-07-26 13:16:41 +0100 |
commit | b22e18b7a0e5979c7f80f8ca0ce1e21c8f04aa3c (patch) | |
tree | e62c1aa739dbf95ec63bce80b3e0eeda727e3021 /meta/recipes-extended/shadow | |
parent | 3a6ccf52271e950b54a67862307c29da07ffd7a5 (diff) | |
download | poky-b22e18b7a0e5979c7f80f8ca0ce1e21c8f04aa3c.tar.gz |
shadow: fix CVE-2017-2616
(From OE-Core rev: 94a1e2794df15f0f2cb62ae030cd81e6c0798b1f)
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-extended/shadow')
-rw-r--r-- | meta/recipes-extended/shadow/files/CVE-2017-2616.patch | 64 | ||||
-rw-r--r-- | meta/recipes-extended/shadow/shadow.inc | 1 |
2 files changed, 65 insertions, 0 deletions
diff --git a/meta/recipes-extended/shadow/files/CVE-2017-2616.patch b/meta/recipes-extended/shadow/files/CVE-2017-2616.patch new file mode 100644 index 0000000000..ee728f0952 --- /dev/null +++ b/meta/recipes-extended/shadow/files/CVE-2017-2616.patch | |||
@@ -0,0 +1,64 @@ | |||
1 | shadow-4.2.1: Fix CVE-2017-2616 | ||
2 | |||
3 | [No upstream tracking] -- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855943 | ||
4 | |||
5 | su: properly clear child PID | ||
6 | |||
7 | If su is compiled with PAM support, it is possible for any local user | ||
8 | to send SIGKILL to other processes with root privileges. There are | ||
9 | only two conditions. First, the user must be able to perform su with | ||
10 | a successful login. This does NOT have to be the root user, even using | ||
11 | su with the same id is enough, e.g. "su $(whoami)". Second, SIGKILL | ||
12 | can only be sent to processes which were executed after the su process. | ||
13 | It is not possible to send SIGKILL to processes which were already | ||
14 | running. I consider this as a security vulnerability, because I was | ||
15 | able to write a proof of concept which unlocked a screen saver of | ||
16 | another user this way. | ||
17 | |||
18 | Upstream-Status: Backport [https://github.com/shadow-maint/shadow/commit/08fd4b69e84364677a10e519ccb25b71710ee686] | ||
19 | CVE: CVE-2017-2616 | ||
20 | bug: 855943 | ||
21 | Signed-off-by: Andrej Valek <andrej.valek@siemens.com> | ||
22 | |||
23 | diff --git a/src/su.c b/src/su.c | ||
24 | index 3704217..1efcd61 100644 | ||
25 | --- a/src/su.c | ||
26 | +++ b/src/su.c | ||
27 | @@ -363,20 +363,35 @@ static void prepare_pam_close_session (void) | ||
28 | /* wake child when resumed */ | ||
29 | kill (pid, SIGCONT); | ||
30 | stop = false; | ||
31 | + } else { | ||
32 | + pid_child = 0; | ||
33 | } | ||
34 | } while (!stop); | ||
35 | } | ||
36 | |||
37 | - if (0 != caught) { | ||
38 | + if (0 != caught && 0 != pid_child) { | ||
39 | (void) fputs ("\n", stderr); | ||
40 | (void) fputs (_("Session terminated, terminating shell..."), | ||
41 | stderr); | ||
42 | (void) kill (-pid_child, caught); | ||
43 | |||
44 | (void) signal (SIGALRM, kill_child); | ||
45 | + (void) signal (SIGCHLD, catch_signals); | ||
46 | (void) alarm (2); | ||
47 | |||
48 | - (void) wait (&status); | ||
49 | + sigemptyset (&ourset); | ||
50 | + if ((sigaddset (&ourset, SIGALRM) != 0) | ||
51 | + || (sigprocmask (SIG_BLOCK, &ourset, NULL) != 0)) { | ||
52 | + fprintf (stderr, _("%s: signal masking malfunction\n"), Prog); | ||
53 | + kill_child (0); | ||
54 | + } else { | ||
55 | + while (0 == waitpid (pid_child, &status, WNOHANG)) { | ||
56 | + sigsuspend (&ourset); | ||
57 | + } | ||
58 | + pid_child = 0; | ||
59 | + (void) sigprocmask (SIG_UNBLOCK, &ourset, NULL); | ||
60 | + } | ||
61 | + | ||
62 | (void) fputs (_(" ...terminated.\n"), stderr); | ||
63 | } | ||
64 | |||
diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc index 9a08918818..6efe4a9119 100644 --- a/meta/recipes-extended/shadow/shadow.inc +++ b/meta/recipes-extended/shadow/shadow.inc | |||
@@ -18,6 +18,7 @@ SRC_URI = "https://downloads.yoctoproject.org/mirror/sources/${BP}.tar.xz \ | |||
18 | file://check_size_of_uid_t_and_gid_t_using_AC_CHECK_SIZEOF.patch \ | 18 | file://check_size_of_uid_t_and_gid_t_using_AC_CHECK_SIZEOF.patch \ |
19 | file://0001-useradd-copy-extended-attributes-of-home.patch \ | 19 | file://0001-useradd-copy-extended-attributes-of-home.patch \ |
20 | file://0001-shadow-CVE-2017-12424 \ | 20 | file://0001-shadow-CVE-2017-12424 \ |
21 | file://CVE-2017-2616.patch \ | ||
21 | ${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \ | 22 | ${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \ |
22 | " | 23 | " |
23 | 24 | ||