Diffstat (limited to 'source/a/shadow')
-rw-r--r--source/a/shadow/shadow.CVE-2017-2616.diff55
-rwxr-xr-xsource/a/shadow/shadow.SlackBuild33
-rw-r--r--source/a/shadow/shadow.login.display.short.hostname.diff18
-rw-r--r--source/a/shadow/slack-desc10
4 files changed, 104 insertions, 12 deletions
diff --git a/source/a/shadow/shadow.CVE-2017-2616.diff b/source/a/shadow/shadow.CVE-2017-2616.diff
new file mode 100644
index 000000000..4a5c44222
--- /dev/null
+++ b/source/a/shadow/shadow.CVE-2017-2616.diff
@@ -0,0 +1,55 @@
+su: properly clear child PID
+
+If su is compiled with PAM support, it is possible for any local user
+to send SIGKILL to other processes with root privileges. There are
+only two conditions. First, the user must be able to perform su with
+a successful login. This does NOT have to be the root user, even using
+su with the same id is enough, e.g. "su $(whoami)". Second, SIGKILL
+can only be sent to processes which were executed after the su process.
+It is not possible to send SIGKILL to processes which were already
+running. I consider this as a security vulnerability, because I was
+able to write a proof of concept which unlocked a screen saver of
+another user this way.
+
+diff --git a/src/su.c b/src/su.c
+index f20d230..d86aa86 100644
+--- a/src/su.c
++++ b/src/su.c
+@@ -379,11 +379,13 @@ static void prepare_pam_close_session (void)
+ /* wake child when resumed */
+ kill (pid, SIGCONT);
+ stop = false;
++ } else {
++ pid_child = 0;
+ }
+ } while (!stop);
+ }
+
+- if (0 != caught) {
++ if (0 != caught && 0 != pid_child) {
+ (void) fputs ("\n", stderr);
+ (void) fputs (_("Session terminated, terminating shell..."),
+ stderr);
+@@ -393,9 +395,22 @@ static void prepare_pam_close_session (void)
+ snprintf (wait_msg, sizeof wait_msg, _(" ...waiting for child to terminate.\n"));
+
+ (void) signal (SIGALRM, kill_child);
++ (void) signal (SIGCHLD, catch_signals);
+ (void) alarm (2);
+
+- (void) wait (&status);
++ sigemptyset (&ourset);
++ if ((sigaddset (&ourset, SIGALRM) != 0)
++ || (sigprocmask (SIG_BLOCK, &ourset, NULL) != 0)) {
++ fprintf (stderr, _("%s: signal masking malfunction\n"), Prog);
++ kill_child (0);
++ } else {
++ while (0 == waitpid (pid_child, &status, WNOHANG)) {
++ sigsuspend (&ourset);
++ }
++ pid_child = 0;
++ (void) sigprocmask (SIG_UNBLOCK, &ourset, NULL);
++ }
++
+ (void) fputs (_(" ...terminated.\n"), stderr);
+ }
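Review bot: In the new wait loop, `sigsuspend (&ourset)` is called with a set whose only member is SIGALRM, so SIGALRM stays blocked for as long as su sleeps there, and the `alarm (2)` / `kill_child` timeout armed just above appears unable to fire while the child is still alive. If the child does not exit on its own, the loop would keep waiting instead of escalating after two seconds. Consider saving the previous mask with `sigprocmask (SIG_BLOCK, &ourset, &oldset)` and waiting with `sigsuspend (&oldset)`, so the alarm is deliverable during the wait. The declaration of `ourset` and the body of `kill_child` are outside this hunk, so this should be confirmed against the full function.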
diff --git a/source/a/shadow/shadow.SlackBuild b/source/a/shadow/shadow.SlackBuild
index 633d38514..992944e8f 100755
--- a/source/a/shadow/shadow.SlackBuild
+++ b/source/a/shadow/shadow.SlackBuild
@@ -1,6 +1,6 @@
-#!/bin/sh
+#!/bin/bash
-# Copyright 2005-2014 Patrick J. Volkerding, Sebeka, Minnesota, USA
+# Copyright 2005-2018 Patrick J. Volkerding, Sebeka, Minnesota, USA
# All rights reserved.
#
# Redistribution and use of this script, with or without modification, is
@@ -20,28 +20,37 @@
# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+cd $(dirname $0) ; CWD=$(pwd)
+
PKGNAM=shadow
VERSION=${VERSION:-$(echo $PKGNAM-*.tar.xz | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
-BUILD=${BUILD:-1}
+BUILD=${BUILD:-4}
# Automatically determine the architecture we're building on:
if [ -z "$ARCH" ]; then
case "$( uname -m )" in
- i?86) export ARCH=i486 ;;
+ i?86) export ARCH=i586 ;;
arm*) export ARCH=arm ;;
# Unless $ARCH is already set, use uname -m for all other archs:
*) export ARCH=$( uname -m ) ;;
esac
fi
+# If the variable PRINT_PACKAGE_NAME is set, then this script will report what
+# the name of the created package would be, and then exit. This information
+# could be useful to other scripts.
+if [ ! -z "${PRINT_PACKAGE_NAME}" ]; then
+ echo "$PKGNAM-$VERSION-$ARCH-$BUILD.txz"
+ exit 0
+fi
+
NUMJOBS=${NUMJOBS:--j6}
-CWD=$(pwd)
TMP=${TMP:-/tmp}
PKG=$TMP/package-shadow
-if [ "$ARCH" = "i486" ]; then
- SLKCFLAGS="-O2 -march=i486 -mtune=i686"
+if [ "$ARCH" = "i586" ]; then
+ SLKCFLAGS="-O2 -march=i586 -mtune=i686"
elif [ "$ARCH" = "s390" ]; then
SLKCFLAGS="-O2"
elif [ "$ARCH" = "x86_64" ]; then
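Review bot: The added `cd $(dirname $0) ; CWD=$(pwd)` is unquoted and does not check the result of `cd`, so a script path containing whitespace, or a failed directory change, leaves CWD set to whatever directory the caller was in. The later `$CWD/*.diff.gz` patch lookups and the tarball glob in VERSION would then resolve there. The script later runs `chown -R root:root .`, so it is presumably run as root, which makes a wrong working directory more costly. Prefer `cd "$(dirname "$0")" || exit 1` followed by `CWD=$(pwd)`.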
@@ -69,10 +78,20 @@ done
# breakage:
zcat $CWD/shadow.CVE-2005-4890.relax.diff.gz | patch -p1 --verbose || exit 1
+# Patch a race condition that allows a user to kill processes that they don't
+# own. Note that the bug requires that shadow is using PAM, which is not yet
+# the case on Slackware. So we're unaffected, but patching this anyway in
+# -current, because you never know...
+zcat $CWD/shadow.CVE-2017-2616.diff.gz | patch -p1 --verbose || exit 1
+
# Re-run automake because of r3299 patch to man/ru/Makefile.am:
# (not used because it doesn't work... above patch does the intended fix)
#automake -f
+# Even if gethostname() returns the FQDN (long hostname), just display the
+# short version up to the first '.' on the login prompt:
+zcat $CWD/shadow.login.display.short.hostname.diff.gz | patch -p1 --verbose || exit 1
+
chown -R root:root .
find . \
\( -perm 777 -o -perm 775 -o -perm 711 -o -perm 555 -o -perm 511 \) \
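Review bot: Both new `zcat … | patch -p1 --verbose || exit 1` lines test only the exit status of `patch`, so a missing or corrupt `.diff.gz` is not caught by the `|| exit 1` itself; whether the build stops then depends on how `patch` treats empty input. For the CVE-2017-2616 line that matters, because the package could be built without the fix and nothing would flag it. With the interpreter now bash, `set -o pipefail` near the top of the script (or an explicit `[ -r "$CWD/shadow.CVE-2017-2616.diff.gz" ] || exit 1` before the pipeline) would make that failure visible. This commit also adds the patches as `.diff` while the script reads `.diff.gz`; presumably a release step compresses them, which is worth stating in a comment.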
diff --git a/source/a/shadow/shadow.login.display.short.hostname.diff b/source/a/shadow/shadow.login.display.short.hostname.diff
new file mode 100644
index 000000000..ad5c3eba6
--- /dev/null
+++ b/source/a/shadow/shadow.login.display.short.hostname.diff
@@ -0,0 +1,18 @@
+--- ./libmisc/loginprompt.c.orig 2014-03-01 12:59:51.000000000 -0600
++++ ./libmisc/loginprompt.c 2017-11-21 18:17:27.492000123 -0600
+@@ -99,6 +99,15 @@
+ }
+ }
+ (void) gethostname (buf, sizeof buf);
++ /* Trim away everything after the first '.': */
++ i = 0;
++ while (buf[i] != '\0' && i < sizeof(buf) - 1) {
++ if (buf[i] == '.') {
++ buf[i] = '\0';
++ break;
++ }
++ i++;
++ }
+ printf (prompt, buf);
+ (void) fflush (stdout);
+ }
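Review bot: The trimming loop added after `gethostname (buf, sizeof buf)` stops at `sizeof(buf) - 1` but never writes a terminator there, and the return value of `gethostname` is still discarded. A truncated or failed lookup can therefore leave `buf` without a NUL before it reaches `printf (prompt, buf)`. POSIX leaves termination unspecified when the name is truncated; adding `buf[sizeof buf - 1] = '\0';` right after the call closes that gap. The declaration of `i` and the rest of the function are outside the hunk, so its type in the `i < sizeof(buf) - 1` comparison could not be checked.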
diff --git a/source/a/shadow/slack-desc b/source/a/shadow/slack-desc
index 57749146e..d8b2266de 100644
--- a/source/a/shadow/slack-desc
+++ b/source/a/shadow/slack-desc
@@ -1,17 +1,17 @@
# HOW TO EDIT THIS FILE:
-# The "handy ruler" below makes it easier to edit a package description. Line
+# The "handy ruler" below makes it easier to edit a package description. Line
# up the first '|' above the ':' following the base package name, and the '|'
-# on the right side marks the last column you can put a character in. You must
-# make exactly 11 lines for the formatting to be correct. It's also
+# on the right side marks the last column you can put a character in. You must
+# make exactly 11 lines for the formatting to be correct. It's also
# customary to leave one space after the ':'.
|-----handy-ruler------------------------------------------------------|
shadow: shadow (shadow password suite)
shadow:
shadow: This set of login related programs utilizes an alternate, non-readable
-shadow: file to contain the actual encrypted passwords. This is presumed to
+shadow: file to contain the actual encrypted passwords. This is presumed to
shadow: increase system security by increasing the difficulty with which
-shadow: system crackers obtain encrypted passwords. It was written by
+shadow: system crackers obtain encrypted passwords. It was written by
shadow: Julianne Frances Haugh and the Linux port is maintained by Tomasz
shadow: Kloczko.
shadow: