From ffb63803eac6ba97d1b9e1f3d648bc4d81bf0276 Mon Sep 17 00:00:00 2001 From: Chen Qi Date: Fri, 27 Jul 2018 16:04:34 +0800 Subject: shadow: upgrade 4.2.1 -> 4.6 The following patches are removed because problems have been fixed in this version. 0001-shadow-CVE-2017-12424 fix-installation-failure-with-subids-disabled.patch usermod-fix-compilation-failure-with-subids-disabled.patch CVE-2017-2616.patch check_size_of_uid_t_and_gid_t_using_AC_CHECK_SIZEOF.patch 0001-Do-not-read-login.defs-before-doing-chroot.patch The following patches are rebased. 0001-Disable-use-of-syslog-for-sysroot.patch 0001-useradd-copy-extended-attributes-of-home.patch 0001-useradd.c-create-parent-directories-when-necessary.patch allow-for-setting-password-in-clear-text.patch (From OE-Core rev: 79dd22729d5b8a2f2cf4294ff6b261c9d6ecd977) Signed-off-by: Chen Qi Signed-off-by: Ross Burton Signed-off-by: Richard Purdie --- .../shadow/files/CVE-2017-2616.patch | 64 ---------------------- 1 file changed, 64 deletions(-) delete mode 100644 meta/recipes-extended/shadow/files/CVE-2017-2616.patch (limited to 'meta/recipes-extended/shadow/files/CVE-2017-2616.patch') diff --git a/meta/recipes-extended/shadow/files/CVE-2017-2616.patch b/meta/recipes-extended/shadow/files/CVE-2017-2616.patch deleted file mode 100644 index ee728f0952..0000000000 --- a/meta/recipes-extended/shadow/files/CVE-2017-2616.patch +++ /dev/null @@ -1,64 +0,0 @@ -shadow-4.2.1: Fix CVE-2017-2616 - -[No upstream tracking] -- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855943 - -su: properly clear child PID - -If su is compiled with PAM support, it is possible for any local user -to send SIGKILL to other processes with root privileges. There are -only two conditions. First, the user must be able to perform su with -a successful login. This does NOT have to be the root user, even using -su with the same id is enough, e.g. "su $(whoami)". Second, SIGKILL -can only be sent to processes which were executed after the su process. -It is not possible to send SIGKILL to processes which were already -running. I consider this as a security vulnerability, because I was -able to write a proof of concept which unlocked a screen saver of -another user this way. - -Upstream-Status: Backport [https://github.com/shadow-maint/shadow/commit/08fd4b69e84364677a10e519ccb25b71710ee686] -CVE: CVE-2017-2616 -bug: 855943 -Signed-off-by: Andrej Valek - -diff --git a/src/su.c b/src/su.c -index 3704217..1efcd61 100644 ---- a/src/su.c -+++ b/src/su.c -@@ -363,20 +363,35 @@ static void prepare_pam_close_session (void) - /* wake child when resumed */ - kill (pid, SIGCONT); - stop = false; -+ } else { -+ pid_child = 0; - } - } while (!stop); - } - -- if (0 != caught) { -+ if (0 != caught && 0 != pid_child) { - (void) fputs ("\n", stderr); - (void) fputs (_("Session terminated, terminating shell..."), - stderr); - (void) kill (-pid_child, caught); - - (void) signal (SIGALRM, kill_child); -+ (void) signal (SIGCHLD, catch_signals); - (void) alarm (2); - -- (void) wait (&status); -+ sigemptyset (&ourset); -+ if ((sigaddset (&ourset, SIGALRM) != 0) -+ || (sigprocmask (SIG_BLOCK, &ourset, NULL) != 0)) { -+ fprintf (stderr, _("%s: signal masking malfunction\n"), Prog); -+ kill_child (0); -+ } else { -+ while (0 == waitpid (pid_child, &status, WNOHANG)) { -+ sigsuspend (&ourset); -+ } -+ pid_child = 0; -+ (void) sigprocmask (SIG_UNBLOCK, &ourset, NULL); -+ } -+ - (void) fputs (_(" ...terminated.\n"), stderr); - } - -- cgit v1.2.3-54-g00ecf