From f6afcbbc796f404b70cfea1fdef72fa5e7ed0896 Mon Sep 17 00:00:00 2001 From: Henrik Riomar Date: Wed, 17 May 2017 21:15:07 +0200 Subject: community/shadow: CVE-2017-2616 regression fix https://lists.debian.org/debian-security-announce/2017/msg00114.html --- ...-pid_child-only-if-waitpid-was-successful.patch | 29 ++++++++++++++++++++++ community/shadow/APKBUILD | 6 +++-- 2 files changed, 33 insertions(+), 2 deletions(-) create mode 100644 community/shadow/303-Reset-pid_child-only-if-waitpid-was-successful.patch (limited to 'community/shadow') diff --git a/community/shadow/303-Reset-pid_child-only-if-waitpid-was-successful.patch b/community/shadow/303-Reset-pid_child-only-if-waitpid-was-successful.patch new file mode 100644 index 0000000000..64aeb34131 --- /dev/null +++ b/community/shadow/303-Reset-pid_child-only-if-waitpid-was-successful.patch @@ -0,0 +1,29 @@ +From 7d82f203eeec881c584b2fa06539b39e82985d97 Mon Sep 17 00:00:00 2001 +From: Tobias Stoeckmann +Date: Sun, 14 May 2017 17:58:10 +0200 +Subject: [PATCH] Reset pid_child only if waitpid was successful. + +Do not reset the pid_child to 0 if the child process is still +running. This else-condition can be reached with pid being -1, +therefore explicitly test this condition. + +This is a regression fix for CVE-2017-2616. If su receives a +signal like SIGTERM, it is not propagated to the child. + +Reported-by: Radu Duta +Signed-off-by: Tobias Stoeckmann +--- + src/su.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/src/su.c ++++ b/src/su.c +@@ -363,7 +363,7 @@ static void prepare_pam_close_session (v + /* wake child when resumed */ + kill (pid, SIGCONT); + stop = false; +- } else { ++ } else if ( (pid_t)-1 != pid) { + pid_child = 0; + } + } while (!stop); diff --git a/community/shadow/APKBUILD b/community/shadow/APKBUILD index 453d578d2d..3264772979 100644 --- a/community/shadow/APKBUILD +++ b/community/shadow/APKBUILD @@ -3,7 +3,7 @@ # Maintainer: Stuart Cardall pkgname=shadow pkgver=4.2.1 -pkgrel=10 +pkgrel=11 pkgdesc="PAM-using login and passwd utilities (usermod, useradd, ...)" url="http://pkg-shadow.alioth.debian.org/" arch="all" @@ -18,12 +18,13 @@ source="http://pkg-shadow.alioth.debian.org/releases/shadow-$pkgver.tar.xz verbose-error-when-uid-doesnt-match.patch 301-CVE-2017-2616-su-properly-clear-child-PID.patch 302-CVE-2016-6252-fix-integer-overflow.patch + 303-Reset-pid_child-only-if-waitpid-was-successful.patch useradd-usergroups.patch pam-useradd.patch " # secfixes: # - CVE-2016-6252 -# - CVE-2017-2616 +# - CVE-2017-2616 (+ regression fix) options="suid" builddir="$srcdir/shadow-$pkgver" @@ -110,5 +111,6 @@ c46760254439176babeef24d93900914092655af3a48f54385adf6ef5a3af76799fb7e96083acd27 1b3513772a7a0294b587723213e4464cc5a1a42ae6a79e9b9f9ea20083684a21d81e362f44d87ce2e6de2daf396d8422b39019923c0b0cbb44fa4c4c24613c0c verbose-error-when-uid-doesnt-match.patch 0954920ce9307948848d8f9ca5ea5bba4db8394793ef314ab5c6770948e96071748192b52ba8c31d543fe71ce0e6e2a7f3a2a92862966a940639a19df1048634 301-CVE-2017-2616-su-properly-clear-child-PID.patch 36f494347cb980d85ea82331ec620a949be45f5f2c400a3b13f409a8d9c932c0f822cb0baa2ee78c6f356e7bf93de51c1b0f20730e8f3af36a746a5632d19bbe 302-CVE-2016-6252-fix-integer-overflow.patch +e36d54759b71d48c62aefc4032e63deccafa69d22f8bae772b4c0ca135b431db9cd35a1a2a2adf5c76996e76e13ab82e1cf19bba70c6ca4414b3979a43c292c2 303-Reset-pid_child-only-if-waitpid-was-successful.patch 49f1d5ded82d2d479805c77d7cc6274c30233596e375b28306b31a33f8fbfc3611dbc77d606081b8300247908c267297dbb6c5d1a30d56095dda53c6a636fb56 useradd-usergroups.patch 0b4587e263cb6be12fa5ae6bc3b3fc4d3696dae355bc67d085dc58c52ff96edb4d163b95db2092b8c2f3310839430cac03c7af356641b42e24ee4aa6410f5cf1 pam-useradd.patch" -- cgit v1.2.3