aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--community/shadow/301-CVE-2017-2616-su-properly-clear-child-PID.patch59
-rw-r--r--community/shadow/302-CVE-2016-6252-fix-integer-overflow.patch46
-rw-r--r--community/shadow/APKBUILD22
3 files changed, 115 insertions, 12 deletions
diff --git a/community/shadow/301-CVE-2017-2616-su-properly-clear-child-PID.patch b/community/shadow/301-CVE-2017-2616-su-properly-clear-child-PID.patch
new file mode 100644
index 0000000000..8f6f4e92e9
--- /dev/null
+++ b/community/shadow/301-CVE-2017-2616-su-properly-clear-child-PID.patch
@@ -0,0 +1,59 @@
+From 08fd4b69e84364677a10e519ccb25b71710ee686 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Thu, 23 Feb 2017 09:47:29 -0600
+Subject: [PATCH] su: properly clear child PID
+
+If su is compiled with PAM support, it is possible for any local user
+to send SIGKILL to other processes with root privileges. There are
+only two conditions. First, the user must be able to perform su with
+a successful login. This does NOT have to be the root user, even using
+su with the same id is enough, e.g. "su $(whoami)". Second, SIGKILL
+can only be sent to processes which were executed after the su process.
+It is not possible to send SIGKILL to processes which were already
+running. I consider this as a security vulnerability, because I was
+able to write a proof of concept which unlocked a screen saver of
+another user this way.
+---
+ src/su.c | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+--- a/src/su.c
++++ b/src/su.c
+@@ -363,20 +363,35 @@ static void prepare_pam_close_session (v
+ /* wake child when resumed */
+ kill (pid, SIGCONT);
+ stop = false;
++ } else {
++ pid_child = 0;
+ }
+ } while (!stop);
+ }
+
+- if (0 != caught) {
++ if (0 != caught && 0 != pid_child) {
+ (void) fputs ("\n", stderr);
+ (void) fputs (_("Session terminated, terminating shell..."),
+ stderr);
+ (void) kill (-pid_child, caught);
+
+ (void) signal (SIGALRM, kill_child);
++ (void) signal (SIGCHLD, catch_signals);
+ (void) alarm (2);
+
+- (void) wait (&status);
++ sigemptyset (&ourset);
++ if ((sigaddset (&ourset, SIGALRM) != 0)
++ || (sigprocmask (SIG_BLOCK, &ourset, NULL) != 0)) {
++ fprintf (stderr, _("%s: signal masking malfunction\n"), Prog);
++ kill_child (0);
++ } else {
++ while (0 == waitpid (pid_child, &status, WNOHANG)) {
++ sigsuspend (&ourset);
++ }
++ pid_child = 0;
++ (void) sigprocmask (SIG_UNBLOCK, &ourset, NULL);
++ }
++
+ (void) fputs (_(" ...terminated.\n"), stderr);
+ }
+
diff --git a/community/shadow/302-CVE-2016-6252-fix-integer-overflow.patch b/community/shadow/302-CVE-2016-6252-fix-integer-overflow.patch
new file mode 100644
index 0000000000..2f2195b401
--- /dev/null
+++ b/community/shadow/302-CVE-2016-6252-fix-integer-overflow.patch
@@ -0,0 +1,46 @@
+From 1d5a926cc2d6078d23a96222b1ef3e558724dad1 Mon Sep 17 00:00:00 2001
+From: Sebastian Krahmer <krahmer@suse.com>
+Date: Wed, 3 Aug 2016 11:51:07 -0500
+Subject: [PATCH] Simplify getulong
+
+Use strtoul to read an unsigned long, rather than reading
+a signed long long and casting it.
+
+https://bugzilla.suse.com/show_bug.cgi?id=979282
+---
+ lib/getulong.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/lib/getulong.c b/lib/getulong.c
+index 61579ca..08d2c1a 100644
+--- a/lib/getulong.c
++++ b/lib/getulong.c
+@@ -44,22 +44,19 @@
+ */
+ int getulong (const char *numstr, /*@out@*/unsigned long int *result)
+ {
+- long long int val;
++ unsigned long int val;
+ char *endptr;
+
+ errno = 0;
+- val = strtoll (numstr, &endptr, 0);
++ val = strtoul (numstr, &endptr, 0);
+ if ( ('\0' == *numstr)
+ || ('\0' != *endptr)
+ || (ERANGE == errno)
+- /*@+ignoresigns@*/
+- || (val != (unsigned long int)val)
+- /*@=ignoresigns@*/
+ ) {
+ return 0;
+ }
+
+- *result = (unsigned long int)val;
++ *result = val;
+ return 1;
+ }
+
+--
+2.1.4
+
diff --git a/community/shadow/APKBUILD b/community/shadow/APKBUILD
index c5ac99edb4..042a0facce 100644
--- a/community/shadow/APKBUILD
+++ b/community/shadow/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: Stuart Cardall <developer@it-offshore.co.uk>
pkgname=shadow
pkgver=4.2.1
-pkgrel=6
+pkgrel=7
pkgdesc="PAM-using login and passwd utilities (usermod, useradd, ...)"
url="http://pkg-shadow.alioth.debian.org/"
arch="all"
@@ -16,7 +16,13 @@ source="http://pkg-shadow.alioth.debian.org/releases/shadow-$pkgver.tar.xz
dots-in-usernames.patch
cross-size-checks.patch
verbose-error-when-uid-doesnt-match.patch
+ 301-CVE-2017-2616-su-properly-clear-child-PID.patch
+ 302-CVE-2016-6252-fix-integer-overflow.patch
"
+# secfixes:
+# - CVE-2016-6252
+# - CVE-2017-2616
+
options="suid"
builddir="$srcdir/shadow-$pkgver"
@@ -79,18 +85,10 @@ uidmap() {
touch etc/subuid etc/subgid
}
-md5sums="2bfafe7d4962682d31b5eba65dba4fc8 shadow-4.2.1.tar.xz
-72dfc077a61ab7163e312640cc98bba8 login.pamd
-f5fe3d7351d5e4046588b652c482c170 dots-in-usernames.patch
-75bc0cafb44aa86075d2ec056816cc3e cross-size-checks.patch
-6d938a758cba620dde3b9e4ce6e87703 verbose-error-when-uid-doesnt-match.patch"
-sha256sums="3b0893d1476766868cd88920f4f1231c4795652aa407569faff802bcda0f3d41 shadow-4.2.1.tar.xz
-c0d0f2f77133b0663c5a578afeba45d5a9c703ff6f3f6aba3727dfe01877dac0 login.pamd
-ee58c622d1e8283dc4b17e93cc5e68f4ea4336654ebcfb48e46e0efaa864b77f dots-in-usernames.patch
-fc3e32ddfc8eeb284412e8df7ad045ad27b742f5ee733db1a0bc14c97480e013 cross-size-checks.patch
-7d9156d39afa3a937fc64130b1bfe0ddc1dd593caa629f29410ebbf84c258568 verbose-error-when-uid-doesnt-match.patch"
sha512sums="7a14bf8e08126f0402e37b6e4c559615ced7cf829e39156d929ed05cd8813de48a77ff1f7f6fe707da04cf662a2e9e84c22d63d88dd1ed13f935fde594db95f0 shadow-4.2.1.tar.xz
46a6f83f3698e101b58b8682852da749619412f75dfa85cecad03d0847f6c3dc452d984510db7094220e4570a0565b83b0556e16198ad894a3ec84b3e513d58d login.pamd
745eea04c054226feba165b635dbb8570b8a04537d41e914400a4c54633c3a9cf350da0aabfec754fb8cf3e58fc1c8cf597b895506312f19469071760c11f31d dots-in-usernames.patch
c46760254439176babeef24d93900914092655af3a48f54385adf6ef5a3af76799fb7e96083acd27853d6ab6d7392543dbaf70bb26f164519e92f677da7851a4 cross-size-checks.patch
-1b3513772a7a0294b587723213e4464cc5a1a42ae6a79e9b9f9ea20083684a21d81e362f44d87ce2e6de2daf396d8422b39019923c0b0cbb44fa4c4c24613c0c verbose-error-when-uid-doesnt-match.patch"
+1b3513772a7a0294b587723213e4464cc5a1a42ae6a79e9b9f9ea20083684a21d81e362f44d87ce2e6de2daf396d8422b39019923c0b0cbb44fa4c4c24613c0c verbose-error-when-uid-doesnt-match.patch
+0954920ce9307948848d8f9ca5ea5bba4db8394793ef314ab5c6770948e96071748192b52ba8c31d543fe71ce0e6e2a7f3a2a92862966a940639a19df1048634 301-CVE-2017-2616-su-properly-clear-child-PID.patch
+36f494347cb980d85ea82331ec620a949be45f5f2c400a3b13f409a8d9c932c0f822cb0baa2ee78c6f356e7bf93de51c1b0f20730e8f3af36a746a5632d19bbe 302-CVE-2016-6252-fix-integer-overflow.patch"