diff options
| author |   Patrick J Volkerding <volkerdi@slackware.com> | 2018-11-17 03:03:49 +0000 |
|---|---|---|
| committer |   Eric Hameleers <alien@slackware.com> | 2018-11-17 08:59:42 +0100 |
| commit | 6a677844125bf74f4dac1fc2e4e7181281f7ae39 (patch) | |
| tree | 98b369fae8f7a395a683c04e58410caa993736c3 /source/a/shadow/shadow.CVE-2017-2616.diff | |
| parent | 3a6358fa3e26f0d5263d575ff8a3065cab653365 (diff) | |
| download | current-6a677844125bf74f4dac1fc2e4e7181281f7ae39.tar.gz current-6a677844125bf74f4dac1fc2e4e7181281f7ae39.tar.xz | |
Sat Nov 17 03:03:49 UTC 201820181117030349
a/acpid-2.0.31-x86_64-1.txz: Upgraded.
a/shadow-4.6-x86_64-1.txz: Upgraded.
l/gsettings-desktop-schemas-3.28.1-x86_64-1.txz: Upgraded.
l/libkarma-0.1.2-x86_64-1.txz: Upgraded.
l/v4l-utils-1.16.2-x86_64-1.txz: Upgraded.
xap/mozilla-thunderbird-60.3.1-x86_64-1.txz: Upgraded.
This is a bugfix release. For more information, see:
https://www.mozilla.org/en-US/thunderbird/60.3.1/releasenotes/
Diffstat (limited to 'source/a/shadow/shadow.CVE-2017-2616.diff')
| -rw-r--r-- | source/a/shadow/shadow.CVE-2017-2616.diff | 55 |
1 files changed, 0 insertions, 55 deletions
diff --git a/source/a/shadow/shadow.CVE-2017-2616.diff b/source/a/shadow/shadow.CVE-2017-2616.diff deleted file mode 100644 index 4a5c44222..000000000 --- a/source/a/shadow/shadow.CVE-2017-2616.diff +++ /dev/null @@ -1,55 +0,0 @@ -su: properly clear child PID - -If su is compiled with PAM support, it is possible for any local user -to send SIGKILL to other processes with root privileges. There are -only two conditions. First, the user must be able to perform su with -a successful login. This does NOT have to be the root user, even using -su with the same id is enough, e.g. "su $(whoami)". Second, SIGKILL -can only be sent to processes which were executed after the su process. -It is not possible to send SIGKILL to processes which were already -running. I consider this as a security vulnerability, because I was -able to write a proof of concept which unlocked a screen saver of -another user this way. - -diff --git a/src/su.c b/src/su.c -index f20d230..d86aa86 100644 ---- a/src/su.c -+++ b/src/su.c -@@ -379,11 +379,13 @@ static void prepare_pam_close_session (void) - /* wake child when resumed */ - kill (pid, SIGCONT); - stop = false; -+ } else { -+ pid_child = 0; - } - } while (!stop); - } - -- if (0 != caught) { -+ if (0 != caught && 0 != pid_child) { - (void) fputs ("\n", stderr); - (void) fputs (_("Session terminated, terminating shell..."), - stderr); -@@ -393,9 +395,22 @@ static void prepare_pam_close_session (void) - snprintf (wait_msg, sizeof wait_msg, _(" ...waiting for child to terminate.\n")); - - (void) signal (SIGALRM, kill_child); -+ (void) signal (SIGCHLD, catch_signals); - (void) alarm (2); - -- (void) wait (&status); -+ sigemptyset (&ourset); -+ if ((sigaddset (&ourset, SIGALRM) != 0) -+ || (sigprocmask (SIG_BLOCK, &ourset, NULL) != 0)) { -+ fprintf (stderr, _("%s: signal masking malfunction\n"), Prog); -+ kill_child (0); -+ } else { -+ while (0 == waitpid (pid_child, &status, WNOHANG)) { -+ sigsuspend (&ourset); -+ } -+ pid_child = 0; -+ (void) sigprocmask (SIG_UNBLOCK, &ourset, NULL); -+ } -+ - (void) fputs (_(" ...terminated.\n"), stderr); - } |