* [PATCH v2 1/2] shadow: fix CVE-2017-2616
@ 2017-11-14 15:07 George McCollister
2017-11-14 15:07 ` [PATCH v2 2/2] shadow: fix CVE-2016-6252 George McCollister
0 siblings, 1 reply; 2+ messages in thread
From: George McCollister @ 2017-11-14 15:07 UTC (permalink / raw)
To: openembedded-core
Apply backported patch that fixes CVE-2017-2616
Sending SIGKILL to other processes with root privileges via su
Signed-off-by: George McCollister <george.mccollister@gmail.com>
---
Changes in v2:
- Add SOB to patch file.
.../files/0001-su-properly-clear-child-PID.patch | 72 ++++++++++++++++++++++
meta/recipes-extended/shadow/shadow.inc | 1 +
2 files changed, 73 insertions(+)
create mode 100644 meta/recipes-extended/shadow/files/0001-su-properly-clear-child-PID.patch
diff --git a/meta/recipes-extended/shadow/files/0001-su-properly-clear-child-PID.patch b/meta/recipes-extended/shadow/files/0001-su-properly-clear-child-PID.patch
new file mode 100644
index 0000000000..9fefd9e599
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/0001-su-properly-clear-child-PID.patch
@@ -0,0 +1,72 @@
+From 3ed6ba2105c7a35d6dc7e8b805202d0235df1fb1 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Thu, 23 Feb 2017 09:47:29 -0600
+Subject: [PATCH] su: properly clear child PID
+
+If su is compiled with PAM support, it is possible for any local user
+to send SIGKILL to other processes with root privileges. There are
+only two conditions. First, the user must be able to perform su with
+a successful login. This does NOT have to be the root user, even using
+su with the same id is enough, e.g. "su $(whoami)". Second, SIGKILL
+can only be sent to processes which were executed after the su process.
+It is not possible to send SIGKILL to processes which were already
+running. I consider this as a security vulnerability, because I was
+able to write a proof of concept which unlocked a screen saver of
+another user this way.
+
+Upstream-Status: Backport
+https://anonscm.debian.org/cgit/pkg-shadow/shadow.git/plain/debian/patches/301-CVE-2017-2616-su-properly-clear-child-PID.patch?h=jessie
+https://github.com/shadow-maint/shadow/commit/08fd4b69e84364677a10e519ccb25b71710ee686
+
+CVE: CVE-2017-2616
+
+Signed-off-by: George McCollister <george.mccollister@gmail.com>
+---
+ src/su.c | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/src/su.c b/src/su.c
+index 3704217..1efcd61 100644
+--- a/src/su.c
++++ b/src/su.c
+@@ -363,20 +363,35 @@ static void prepare_pam_close_session (void)
+ /* wake child when resumed */
+ kill (pid, SIGCONT);
+ stop = false;
++ } else {
++ pid_child = 0;
+ }
+ } while (!stop);
+ }
+
+- if (0 != caught) {
++ if (0 != caught && 0 != pid_child) {
+ (void) fputs ("\n", stderr);
+ (void) fputs (_("Session terminated, terminating shell..."),
+ stderr);
+ (void) kill (-pid_child, caught);
+
+ (void) signal (SIGALRM, kill_child);
++ (void) signal (SIGCHLD, catch_signals);
+ (void) alarm (2);
+
+- (void) wait (&status);
++ sigemptyset (&ourset);
++ if ((sigaddset (&ourset, SIGALRM) != 0)
++ || (sigprocmask (SIG_BLOCK, &ourset, NULL) != 0)) {
++ fprintf (stderr, _("%s: signal masking malfunction\n"), Prog);
++ kill_child (0);
++ } else {
++ while (0 == waitpid (pid_child, &status, WNOHANG)) {
++ sigsuspend (&ourset);
++ }
++ pid_child = 0;
++ (void) sigprocmask (SIG_UNBLOCK, &ourset, NULL);
++ }
++
+ (void) fputs (_(" ...terminated.\n"), stderr);
+ }
+
+--
+2.15.0
+
diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc
index cc189649b2..031e880630 100644
--- a/meta/recipes-extended/shadow/shadow.inc
+++ b/meta/recipes-extended/shadow/shadow.inc
@@ -17,6 +17,7 @@ SRC_URI = "http://pkg-shadow.alioth.debian.org/releases/${BPN}-${PV}.tar.xz \
file://check_size_of_uid_t_and_gid_t_using_AC_CHECK_SIZEOF.patch \
file://0001-useradd-copy-extended-attributes-of-home.patch \
file://0001-shadow-CVE-2017-12424 \
+ file://0001-su-properly-clear-child-PID.patch \
${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \
"
--
2.15.0
^ permalink raw reply related [flat|nested] 2+ messages in thread
* [PATCH v2 2/2] shadow: fix CVE-2016-6252
2017-11-14 15:07 [PATCH v2 1/2] shadow: fix CVE-2017-2616 George McCollister
@ 2017-11-14 15:07 ` George McCollister
0 siblings, 0 replies; 2+ messages in thread
From: George McCollister @ 2017-11-14 15:07 UTC (permalink / raw)
To: openembedded-core
Apply backported patch that fixes CVE-2016-6252
Integer overflow in shadow 4.2.1 allows local users to gain privileges
via crafted input to newuidmap.
Signed-off-by: George McCollister <george.mccollister@gmail.com>
---
Changes in v2:
- Add SOB to patch file.
.../shadow/files/0001-Simplify-getulong.patch | 54 ++++++++++++++++++++++
meta/recipes-extended/shadow/shadow.inc | 1 +
2 files changed, 55 insertions(+)
create mode 100644 meta/recipes-extended/shadow/files/0001-Simplify-getulong.patch
diff --git a/meta/recipes-extended/shadow/files/0001-Simplify-getulong.patch b/meta/recipes-extended/shadow/files/0001-Simplify-getulong.patch
new file mode 100644
index 0000000000..8a41fb1dd6
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/0001-Simplify-getulong.patch
@@ -0,0 +1,54 @@
+From 70723e568159f3130b6076463f0bf978763e3369 Mon Sep 17 00:00:00 2001
+From: Sebastian Krahmer <krahmer@suse.com>
+Date: Wed, 3 Aug 2016 11:51:07 -0500
+Subject: [PATCH] Simplify getulong
+
+Use strtoul to read an unsigned long, rather than reading
+a signed long long and casting it.
+
+https://bugzilla.suse.com/show_bug.cgi?id=979282
+
+Upstream-Status: Backport
+https://anonscm.debian.org/cgit/pkg-shadow/shadow.git/plain/debian/patches/302-CVE-2016-6252-fix-integer-overflow.patch?h=jessie
+https://github.com/shadow-maint/shadow/commit/1d5a926cc2d6078d23a96222b1ef3e558724dad1
+
+CVE: CVE-2016-6252
+
+Signed-off-by: George McCollister <george.mccollister@gmail.com>
+---
+ lib/getulong.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/lib/getulong.c b/lib/getulong.c
+index 61579ca..08d2c1a 100644
+--- a/lib/getulong.c
++++ b/lib/getulong.c
+@@ -44,22 +44,19 @@
+ */
+ int getulong (const char *numstr, /*@out@*/unsigned long int *result)
+ {
+- long long int val;
++ unsigned long int val;
+ char *endptr;
+
+ errno = 0;
+- val = strtoll (numstr, &endptr, 0);
++ val = strtoul (numstr, &endptr, 0);
+ if ( ('\0' == *numstr)
+ || ('\0' != *endptr)
+ || (ERANGE == errno)
+- /*@+ignoresigns@*/
+- || (val != (unsigned long int)val)
+- /*@=ignoresigns@*/
+ ) {
+ return 0;
+ }
+
+- *result = (unsigned long int)val;
++ *result = val;
+ return 1;
+ }
+
+--
+2.15.0
+
diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc
index 031e880630..9fb1cd3d17 100644
--- a/meta/recipes-extended/shadow/shadow.inc
+++ b/meta/recipes-extended/shadow/shadow.inc
@@ -18,6 +18,7 @@ SRC_URI = "http://pkg-shadow.alioth.debian.org/releases/${BPN}-${PV}.tar.xz \
file://0001-useradd-copy-extended-attributes-of-home.patch \
file://0001-shadow-CVE-2017-12424 \
file://0001-su-properly-clear-child-PID.patch \
+ file://0001-Simplify-getulong.patch \
${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \
"
--
2.15.0
^ permalink raw reply related [flat|nested] 2+ messages in thread
end of thread, other threads:[~2017-11-14 15:08 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-11-14 15:07 [PATCH v2 1/2] shadow: fix CVE-2017-2616 George McCollister
2017-11-14 15:07 ` [PATCH v2 2/2] shadow: fix CVE-2016-6252 George McCollister
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.