Control: tags -1 + patch
Hi
Attached is my proposed debdiff for jessie-security!
Upstream fix is
https://github.com/shadow-maint/shadow/commit/08fd4b69e84364677a10e519ccb25b71710ee686
Regards,
Salvatore
diff -Nru shadow-4.2/debian/changelog shadow-4.2/debian/changelog
--- shadow-4.2/debian/changelog 2015-11-18 09:07:26.000000000 +0100
+++ shadow-4.2/debian/changelog 2017-02-23 17:21:08.000000000 +0100
@@ -1,3 +1,10 @@
+shadow (1:4.2-3+deb8u2) jessie-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * su: properly clear child PID (CVE-2017-2616) (Closes: #855943)
+
+ -- Salvatore Bonaccorso <car...@debian.org> Thu, 23 Feb 2017 17:21:08 +0100
+
shadow (1:4.2-3+deb8u1) jessie; urgency=medium
* Non-maintainer upload.
diff -Nru
shadow-4.2/debian/patches/301-CVE-2017-2616-su-properly-clear-child-PID.patch
shadow-4.2/debian/patches/301-CVE-2017-2616-su-properly-clear-child-PID.patch
---
shadow-4.2/debian/patches/301-CVE-2017-2616-su-properly-clear-child-PID.patch
1970-01-01 01:00:00.000000000 +0100
+++
shadow-4.2/debian/patches/301-CVE-2017-2616-su-properly-clear-child-PID.patch
2017-02-23 17:21:08.000000000 +0100
@@ -0,0 +1,59 @@
+From 08fd4b69e84364677a10e519ccb25b71710ee686 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tob...@stoeckmann.org>
+Date: Thu, 23 Feb 2017 09:47:29 -0600
+Subject: [PATCH] su: properly clear child PID
+
+If su is compiled with PAM support, it is possible for any local user
+to send SIGKILL to other processes with root privileges. There are
+only two conditions. First, the user must be able to perform su with
+a successful login. This does NOT have to be the root user, even using
+su with the same id is enough, e.g. "su $(whoami)". Second, SIGKILL
+can only be sent to processes which were executed after the su process.
+It is not possible to send SIGKILL to processes which were already
+running. I consider this as a security vulnerability, because I was
+able to write a proof of concept which unlocked a screen saver of
+another user this way.
+---
+ src/su.c | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+--- a/src/su.c
++++ b/src/su.c
+@@ -363,20 +363,35 @@ static void prepare_pam_close_session (v
+ /* wake child when resumed */
+ kill (pid, SIGCONT);
+ stop = false;
++ } else {
++ pid_child = 0;
+ }
+ } while (!stop);
+ }
+
+- if (0 != caught) {
++ if (0 != caught && 0 != pid_child) {
+ (void) fputs ("\n", stderr);
+ (void) fputs (_("Session terminated, terminating shell..."),
+ stderr);
+ (void) kill (-pid_child, caught);
+
+ (void) signal (SIGALRM, kill_child);
++ (void) signal (SIGCHLD, catch_signals);
+ (void) alarm (2);
+
+- (void) wait (&status);
++ sigemptyset (&ourset);
++ if ((sigaddset (&ourset, SIGALRM) != 0)
++ || (sigprocmask (SIG_BLOCK, &ourset, NULL) != 0)) {
++ fprintf (stderr, _("%s: signal masking malfunction\n"),
Prog);
++ kill_child (0);
++ } else {
++ while (0 == waitpid (pid_child, &status, WNOHANG)) {
++ sigsuspend (&ourset);
++ }
++ pid_child = 0;
++ (void) sigprocmask (SIG_UNBLOCK, &ourset, NULL);
++ }
++
+ (void) fputs (_(" ...terminated.\n"), stderr);
+ }
+
diff -Nru shadow-4.2/debian/patches/series shadow-4.2/debian/patches/series
--- shadow-4.2/debian/patches/series 2015-11-17 16:20:08.000000000 +0100
+++ shadow-4.2/debian/patches/series 2017-02-23 17:21:08.000000000 +0100
@@ -4,6 +4,7 @@
503_shadowconfig.8
008_login_log_failure_in_FTMP
+301-CVE-2017-2616-su-properly-clear-child-PID.patch
429_login_FAILLOG_ENAB
401_cppw_src.dpatch
# 402 should be merged in 401, but should be reviewed by SE Linux experts first
