Apply backported patch that fixes CVE-2017-2616 Sending SIGKILL to other processes with root privileges via su
Signed-off-by: George McCollister <george.mccollis...@gmail.com> --- Changes in v2: - Add SOB to patch file. .../files/0001-su-properly-clear-child-PID.patch | 72 ++++++++++++++++++++++ meta/recipes-extended/shadow/shadow.inc | 1 + 2 files changed, 73 insertions(+) create mode 100644 meta/recipes-extended/shadow/files/0001-su-properly-clear-child-PID.patch diff --git a/meta/recipes-extended/shadow/files/0001-su-properly-clear-child-PID.patch b/meta/recipes-extended/shadow/files/0001-su-properly-clear-child-PID.patch new file mode 100644 index 0000000000..9fefd9e599 --- /dev/null +++ b/meta/recipes-extended/shadow/files/0001-su-properly-clear-child-PID.patch @@ -0,0 +1,72 @@ +From 3ed6ba2105c7a35d6dc7e8b805202d0235df1fb1 Mon Sep 17 00:00:00 2001 +From: Tobias Stoeckmann <tob...@stoeckmann.org> +Date: Thu, 23 Feb 2017 09:47:29 -0600 +Subject: [PATCH] su: properly clear child PID + +If su is compiled with PAM support, it is possible for any local user +to send SIGKILL to other processes with root privileges. There are +only two conditions. First, the user must be able to perform su with +a successful login. This does NOT have to be the root user, even using +su with the same id is enough, e.g. "su $(whoami)". Second, SIGKILL +can only be sent to processes which were executed after the su process. +It is not possible to send SIGKILL to processes which were already +running. I consider this as a security vulnerability, because I was +able to write a proof of concept which unlocked a screen saver of +another user this way. + +Upstream-Status: Backport +https://anonscm.debian.org/cgit/pkg-shadow/shadow.git/plain/debian/patches/301-CVE-2017-2616-su-properly-clear-child-PID.patch?h=jessie +https://github.com/shadow-maint/shadow/commit/08fd4b69e84364677a10e519ccb25b71710ee686 + +CVE: CVE-2017-2616 + +Signed-off-by: George McCollister <george.mccollis...@gmail.com> +--- + src/su.c | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +diff --git a/src/su.c b/src/su.c +index 3704217..1efcd61 100644 +--- a/src/su.c ++++ b/src/su.c +@@ -363,20 +363,35 @@ static void prepare_pam_close_session (void) + /* wake child when resumed */ + kill (pid, SIGCONT); + stop = false; ++ } else { ++ pid_child = 0; + } + } while (!stop); + } + +- if (0 != caught) { ++ if (0 != caught && 0 != pid_child) { + (void) fputs ("\n", stderr); + (void) fputs (_("Session terminated, terminating shell..."), + stderr); + (void) kill (-pid_child, caught); + + (void) signal (SIGALRM, kill_child); ++ (void) signal (SIGCHLD, catch_signals); + (void) alarm (2); + +- (void) wait (&status); ++ sigemptyset (&ourset); ++ if ((sigaddset (&ourset, SIGALRM) != 0) ++ || (sigprocmask (SIG_BLOCK, &ourset, NULL) != 0)) { ++ fprintf (stderr, _("%s: signal masking malfunction\n"), Prog); ++ kill_child (0); ++ } else { ++ while (0 == waitpid (pid_child, &status, WNOHANG)) { ++ sigsuspend (&ourset); ++ } ++ pid_child = 0; ++ (void) sigprocmask (SIG_UNBLOCK, &ourset, NULL); ++ } ++ + (void) fputs (_(" ...terminated.\n"), stderr); + } + +-- +2.15.0 + diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc index cc189649b2..031e880630 100644 --- a/meta/recipes-extended/shadow/shadow.inc +++ b/meta/recipes-extended/shadow/shadow.inc @@ -17,6 +17,7 @@ SRC_URI = "http://pkg-shadow.alioth.debian.org/releases/${BPN}-${PV}.tar.xz \ file://check_size_of_uid_t_and_gid_t_using_AC_CHECK_SIZEOF.patch \ file://0001-useradd-copy-extended-attributes-of-home.patch \ file://0001-shadow-CVE-2017-12424 \ + file://0001-su-properly-clear-child-PID.patch \ ${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \ " -- 2.15.0 -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core