shadow: fix CVE-2017-2616

(From OE-Core rev: 94a1e2794df15f0f2cb62ae030cd81e6c0798b1f) Signed-off-by: Andrej Valek <andrej.valek@siemens.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Andrej Valek <andrej.valek@siemens.com> 2018-07-24 13:08:29 +0200
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-07-26 13:16:41 +0100
commit: b22e18b7a0e5979c7f80f8ca0ce1e21c8f04aa3c (patch)
tree: e62c1aa739dbf95ec63bce80b3e0eeda727e3021
parent: 3a6ccf52271e950b54a67862307c29da07ffd7a5 (diff)
download: poky-b22e18b7a0e5979c7f80f8ca0ce1e21c8f04aa3c.tar.gz
2 files changed, 65 insertions, 0 deletions
diff --git a/meta/recipes-extended/shadow/files/CVE-2017-2616.patch b/meta/recipes-extended/shadow/files/CVE-2017-2616.patch
new file mode 100644
index 0000000000..ee728f0952
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/CVE-2017-2616.patch
@@ -0,0 +1,64 @@
+shadow-4.2.1: Fix CVE-2017-2616
+[No upstream tracking] -- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855943
+su: properly clear child PID
+If su is compiled with PAM support, it is possible for any local user
+to send SIGKILL to other processes with root privileges. There are
+only two conditions. First, the user must be able to perform su with
+a successful login. This does NOT have to be the root user, even using
+su with the same id is enough, e.g. "su $(whoami)". Second, SIGKILL
+can only be sent to processes which were executed after the su process.
+It is not possible to send SIGKILL to processes which were already
+running. I consider this as a security vulnerability, because I was
+able to write a proof of concept which unlocked a screen saver of
+another user this way.
+Upstream-Status: Backport [https://github.com/shadow-maint/shadow/commit/08fd4b69e84364677a10e519ccb25b71710ee686]
+CVE: CVE-2017-2616
+bug: 855943
+Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
+diff --git a/src/su.c b/src/su.c
+index 3704217..1efcd61 100644
+--- a/src/su.c
+++ b/src/su.c
+@@ -363,20 +363,35 @@ static void prepare_pam_close_session (void)
+                                /* wake child when resumed */
+                                kill (pid, SIGCONT);
+                                stop = false;
+                       } else {
+                               pid_child = 0;
+                        }
+                } while (!stop);
+        }
+ 
+-       if (0 != caught) {
+       if (0 != caught && 0 != pid_child) {
+                (void) fputs ("\n", stderr);
+                (void) fputs (_("Session terminated, terminating shell..."),
+                              stderr);
+                (void) kill (-pid_child, caught);
+ 
+                (void) signal (SIGALRM, kill_child);
+               (void) signal (SIGCHLD, catch_signals);
+                (void) alarm (2);
+ 
+-               (void) wait (&status);
+               sigemptyset (&ourset);
+               if ((sigaddset (&ourset, SIGALRM) != 0)
+                   || (sigprocmask (SIG_BLOCK, &ourset, NULL) != 0)) {
+                       fprintf (stderr, _("%s: signal masking malfunction\n"), Prog);
+                       kill_child (0);
+               } else {
+                       while (0 == waitpid (pid_child, &status, WNOHANG)) {
+                               sigsuspend (&ourset);
+                       }
+                       pid_child = 0;
+                       (void) sigprocmask (SIG_UNBLOCK, &ourset, NULL);
+               }
+
+                (void) fputs (_(" ...terminated.\n"), stderr);
+        }
+ 
diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc
index 9a08918818..6efe4a9119 100644
--- a/meta/recipes-extended/shadow/shadow.inc
+++ b/meta/recipes-extended/shadow/shadow.inc
@@ -18,6 +18,7 @@ SRC_URI = "https://downloads.yoctoproject.org/mirror/sources/${BP}.tar.xz \
           file://check_size_of_uid_t_and_gid_t_using_AC_CHECK_SIZEOF.patch \
           file://0001-useradd-copy-extended-attributes-of-home.patch \
           file://0001-shadow-CVE-2017-12424 \
+           file://CVE-2017-2616.patch \
           ${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \
           "
author	Andrej Valek <andrej.valek@siemens.com>	2018-07-24 13:08:29 +0200
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2018-07-26 13:16:41 +0100
commit	b22e18b7a0e5979c7f80f8ca0ce1e21c8f04aa3c (patch)
tree	e62c1aa739dbf95ec63bce80b3e0eeda727e3021
parent	3a6ccf52271e950b54a67862307c29da07ffd7a5 (diff)
download	poky-b22e18b7a0e5979c7f80f8ca0ce1e21c8f04aa3c.tar.gz

diff --git a/meta/recipes-extended/shadow/files/CVE-2017-2616.patch b/meta/recipes-extended/shadow/files/CVE-2017-2616.patch new file mode 100644 index 0000000000..ee728f0952 --- /dev/null +++ b/meta/recipes-extended/shadow/files/CVE-2017-2616.patch
@@ -0,0 +1,64 @@
		1	shadow-4.2.1: Fix CVE-2017-2616
		2
		3	[No upstream tracking] -- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855943
		4
		5	su: properly clear child PID
		6
		7	If su is compiled with PAM support, it is possible for any local user
		8	to send SIGKILL to other processes with root privileges. There are
		9	only two conditions. First, the user must be able to perform su with
		10	a successful login. This does NOT have to be the root user, even using
		11	su with the same id is enough, e.g. "su $(whoami)". Second, SIGKILL
		12	can only be sent to processes which were executed after the su process.
		13	It is not possible to send SIGKILL to processes which were already
		14	running. I consider this as a security vulnerability, because I was
		15	able to write a proof of concept which unlocked a screen saver of
		16	another user this way.
		17
		18	Upstream-Status: Backport [https://github.com/shadow-maint/shadow/commit/08fd4b69e84364677a10e519ccb25b71710ee686]
		19	CVE: CVE-2017-2616
		20	bug: 855943
		21	Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
		22
		23	diff --git a/src/su.c b/src/su.c
		24	index 3704217..1efcd61 100644
		25	--- a/src/su.c
		26	+++ b/src/su.c
		27	@@ -363,20 +363,35 @@ static void prepare_pam_close_session (void)
		28	/* wake child when resumed */
		29	kill (pid, SIGCONT);
		30	stop = false;
		31	+ } else {
		32	+ pid_child = 0;
		33	}
		34	} while (!stop);
		35	}
		36
		37	- if (0 != caught) {
		38	+ if (0 != caught && 0 != pid_child) {
		39	(void) fputs ("\n", stderr);
		40	(void) fputs (_("Session terminated, terminating shell..."),
		41	stderr);
		42	(void) kill (-pid_child, caught);
		43
		44	(void) signal (SIGALRM, kill_child);
		45	+ (void) signal (SIGCHLD, catch_signals);
		46	(void) alarm (2);
		47
		48	- (void) wait (&status);
		49	+ sigemptyset (&ourset);
		50	+ if ((sigaddset (&ourset, SIGALRM) != 0)
		51	+ \|\| (sigprocmask (SIG_BLOCK, &ourset, NULL) != 0)) {
		52	+ fprintf (stderr, _("%s: signal masking malfunction\n"), Prog);
		53	+ kill_child (0);
		54	+ } else {
		55	+ while (0 == waitpid (pid_child, &status, WNOHANG)) {
		56	+ sigsuspend (&ourset);
		57	+ }
		58	+ pid_child = 0;
		59	+ (void) sigprocmask (SIG_UNBLOCK, &ourset, NULL);
		60	+ }
		61	+
		62	(void) fputs (_(" ...terminated.\n"), stderr);
		63	}
		64


diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc index 9a08918818..6efe4a9119 100644 --- a/meta/recipes-extended/shadow/shadow.inc +++ b/meta/recipes-extended/shadow/shadow.inc
@@ -18,6 +18,7 @@ SRC_URI = "https://downloads.yoctoproject.org/mirror/sources/${BP}.tar.xz \
18	file://check_size_of_uid_t_and_gid_t_using_AC_CHECK_SIZEOF.patch \	18	file://check_size_of_uid_t_and_gid_t_using_AC_CHECK_SIZEOF.patch \
19	file://0001-useradd-copy-extended-attributes-of-home.patch \	19	file://0001-useradd-copy-extended-attributes-of-home.patch \
20	file://0001-shadow-CVE-2017-12424 \	20	file://0001-shadow-CVE-2017-12424 \
		21	file://CVE-2017-2616.patch \
21	${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \	22	${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \
22	"	23	"
23		24