diff options
-rw-r--r-- | community/shadow/301-CVE-2017-2616-su-properly-clear-child-PID.patch | 59 | ||||
-rw-r--r-- | community/shadow/302-CVE-2016-6252-fix-integer-overflow.patch | 46 | ||||
-rw-r--r-- | community/shadow/APKBUILD | 22 |
3 files changed, 115 insertions, 12 deletions
diff --git a/community/shadow/301-CVE-2017-2616-su-properly-clear-child-PID.patch b/community/shadow/301-CVE-2017-2616-su-properly-clear-child-PID.patch new file mode 100644 index 0000000000..8f6f4e92e9 --- /dev/null +++ b/community/shadow/301-CVE-2017-2616-su-properly-clear-child-PID.patch @@ -0,0 +1,59 @@ +From 08fd4b69e84364677a10e519ccb25b71710ee686 Mon Sep 17 00:00:00 2001 +From: Tobias Stoeckmann <tobias@stoeckmann.org> +Date: Thu, 23 Feb 2017 09:47:29 -0600 +Subject: [PATCH] su: properly clear child PID + +If su is compiled with PAM support, it is possible for any local user +to send SIGKILL to other processes with root privileges. There are +only two conditions. First, the user must be able to perform su with +a successful login. This does NOT have to be the root user, even using +su with the same id is enough, e.g. "su $(whoami)". Second, SIGKILL +can only be sent to processes which were executed after the su process. +It is not possible to send SIGKILL to processes which were already +running. I consider this as a security vulnerability, because I was +able to write a proof of concept which unlocked a screen saver of +another user this way. +--- + src/su.c | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +--- a/src/su.c ++++ b/src/su.c +@@ -363,20 +363,35 @@ static void prepare_pam_close_session (v + /* wake child when resumed */ + kill (pid, SIGCONT); + stop = false; ++ } else { ++ pid_child = 0; + } + } while (!stop); + } + +- if (0 != caught) { ++ if (0 != caught && 0 != pid_child) { + (void) fputs ("\n", stderr); + (void) fputs (_("Session terminated, terminating shell..."), + stderr); + (void) kill (-pid_child, caught); + + (void) signal (SIGALRM, kill_child); ++ (void) signal (SIGCHLD, catch_signals); + (void) alarm (2); + +- (void) wait (&status); ++ sigemptyset (&ourset); ++ if ((sigaddset (&ourset, SIGALRM) != 0) ++ || (sigprocmask (SIG_BLOCK, &ourset, NULL) != 0)) { ++ fprintf (stderr, _("%s: signal masking malfunction\n"), Prog); ++ kill_child (0); ++ } else { ++ while (0 == waitpid (pid_child, &status, WNOHANG)) { ++ sigsuspend (&ourset); ++ } ++ pid_child = 0; ++ (void) sigprocmask (SIG_UNBLOCK, &ourset, NULL); ++ } ++ + (void) fputs (_(" ...terminated.\n"), stderr); + } + diff --git a/community/shadow/302-CVE-2016-6252-fix-integer-overflow.patch b/community/shadow/302-CVE-2016-6252-fix-integer-overflow.patch new file mode 100644 index 0000000000..2f2195b401 --- /dev/null +++ b/community/shadow/302-CVE-2016-6252-fix-integer-overflow.patch @@ -0,0 +1,46 @@ +From 1d5a926cc2d6078d23a96222b1ef3e558724dad1 Mon Sep 17 00:00:00 2001 +From: Sebastian Krahmer <krahmer@suse.com> +Date: Wed, 3 Aug 2016 11:51:07 -0500 +Subject: [PATCH] Simplify getulong + +Use strtoul to read an unsigned long, rather than reading +a signed long long and casting it. + +https://bugzilla.suse.com/show_bug.cgi?id=979282 +--- + lib/getulong.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/lib/getulong.c b/lib/getulong.c +index 61579ca..08d2c1a 100644 +--- a/lib/getulong.c ++++ b/lib/getulong.c +@@ -44,22 +44,19 @@ + */ + int getulong (const char *numstr, /*@out@*/unsigned long int *result) + { +- long long int val; ++ unsigned long int val; + char *endptr; + + errno = 0; +- val = strtoll (numstr, &endptr, 0); ++ val = strtoul (numstr, &endptr, 0); + if ( ('\0' == *numstr) + || ('\0' != *endptr) + || (ERANGE == errno) +- /*@+ignoresigns@*/ +- || (val != (unsigned long int)val) +- /*@=ignoresigns@*/ + ) { + return 0; + } + +- *result = (unsigned long int)val; ++ *result = val; + return 1; + } + +-- +2.1.4 + diff --git a/community/shadow/APKBUILD b/community/shadow/APKBUILD index c5ac99edb4..042a0facce 100644 --- a/community/shadow/APKBUILD +++ b/community/shadow/APKBUILD @@ -3,7 +3,7 @@ # Maintainer: Stuart Cardall <developer@it-offshore.co.uk> pkgname=shadow pkgver=4.2.1 -pkgrel=6 +pkgrel=7 pkgdesc="PAM-using login and passwd utilities (usermod, useradd, ...)" url="http://pkg-shadow.alioth.debian.org/" arch="all" @@ -16,7 +16,13 @@ source="http://pkg-shadow.alioth.debian.org/releases/shadow-$pkgver.tar.xz dots-in-usernames.patch cross-size-checks.patch verbose-error-when-uid-doesnt-match.patch + 301-CVE-2017-2616-su-properly-clear-child-PID.patch + 302-CVE-2016-6252-fix-integer-overflow.patch " +# secfixes: +# - CVE-2016-6252 +# - CVE-2017-2616 + options="suid" builddir="$srcdir/shadow-$pkgver" @@ -79,18 +85,10 @@ uidmap() { touch etc/subuid etc/subgid } -md5sums="2bfafe7d4962682d31b5eba65dba4fc8 shadow-4.2.1.tar.xz -72dfc077a61ab7163e312640cc98bba8 login.pamd -f5fe3d7351d5e4046588b652c482c170 dots-in-usernames.patch -75bc0cafb44aa86075d2ec056816cc3e cross-size-checks.patch -6d938a758cba620dde3b9e4ce6e87703 verbose-error-when-uid-doesnt-match.patch" -sha256sums="3b0893d1476766868cd88920f4f1231c4795652aa407569faff802bcda0f3d41 shadow-4.2.1.tar.xz -c0d0f2f77133b0663c5a578afeba45d5a9c703ff6f3f6aba3727dfe01877dac0 login.pamd -ee58c622d1e8283dc4b17e93cc5e68f4ea4336654ebcfb48e46e0efaa864b77f dots-in-usernames.patch -fc3e32ddfc8eeb284412e8df7ad045ad27b742f5ee733db1a0bc14c97480e013 cross-size-checks.patch -7d9156d39afa3a937fc64130b1bfe0ddc1dd593caa629f29410ebbf84c258568 verbose-error-when-uid-doesnt-match.patch" sha512sums="7a14bf8e08126f0402e37b6e4c559615ced7cf829e39156d929ed05cd8813de48a77ff1f7f6fe707da04cf662a2e9e84c22d63d88dd1ed13f935fde594db95f0 shadow-4.2.1.tar.xz 46a6f83f3698e101b58b8682852da749619412f75dfa85cecad03d0847f6c3dc452d984510db7094220e4570a0565b83b0556e16198ad894a3ec84b3e513d58d login.pamd 745eea04c054226feba165b635dbb8570b8a04537d41e914400a4c54633c3a9cf350da0aabfec754fb8cf3e58fc1c8cf597b895506312f19469071760c11f31d dots-in-usernames.patch c46760254439176babeef24d93900914092655af3a48f54385adf6ef5a3af76799fb7e96083acd27853d6ab6d7392543dbaf70bb26f164519e92f677da7851a4 cross-size-checks.patch -1b3513772a7a0294b587723213e4464cc5a1a42ae6a79e9b9f9ea20083684a21d81e362f44d87ce2e6de2daf396d8422b39019923c0b0cbb44fa4c4c24613c0c verbose-error-when-uid-doesnt-match.patch" +1b3513772a7a0294b587723213e4464cc5a1a42ae6a79e9b9f9ea20083684a21d81e362f44d87ce2e6de2daf396d8422b39019923c0b0cbb44fa4c4c24613c0c verbose-error-when-uid-doesnt-match.patch +0954920ce9307948848d8f9ca5ea5bba4db8394793ef314ab5c6770948e96071748192b52ba8c31d543fe71ce0e6e2a7f3a2a92862966a940639a19df1048634 301-CVE-2017-2616-su-properly-clear-child-PID.patch +36f494347cb980d85ea82331ec620a949be45f5f2c400a3b13f409a8d9c932c0f822cb0baa2ee78c6f356e7bf93de51c1b0f20730e8f3af36a746a5632d19bbe 302-CVE-2016-6252-fix-integer-overflow.patch" |