aboutsummaryrefslogtreecommitdiffstats
path: root/community/shadow/301-CVE-2017-2616-su-properly-clear-child-PID.patch
diff options
context:
space:
mode:
authorNatanael Copa <ncopa@alpinelinux.org>2017-11-29 16:22:49 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2017-11-29 16:25:19 +0000
commitfe20e8da2f8b7fb6f208cccf8f369400d947a6a2 (patch)
tree70741c6972793be929492690674bf786596f43ca /community/shadow/301-CVE-2017-2616-su-properly-clear-child-PID.patch
parentda5ea802a3975665ace500b89e647ebf4007b232 (diff)
downloadaports-fe20e8da2f8b7fb6f208cccf8f369400d947a6a2.tar.gz
aports-fe20e8da2f8b7fb6f208cccf8f369400d947a6a2.tar.bz2
aports-fe20e8da2f8b7fb6f208cccf8f369400d947a6a2.tar.xz
community/shadow: upgrade to 4.5
Diffstat (limited to 'community/shadow/301-CVE-2017-2616-su-properly-clear-child-PID.patch')
-rw-r--r--community/shadow/301-CVE-2017-2616-su-properly-clear-child-PID.patch59
1 files changed, 0 insertions, 59 deletions
diff --git a/community/shadow/301-CVE-2017-2616-su-properly-clear-child-PID.patch b/community/shadow/301-CVE-2017-2616-su-properly-clear-child-PID.patch
deleted file mode 100644
index 8f6f4e92e9..0000000000
--- a/community/shadow/301-CVE-2017-2616-su-properly-clear-child-PID.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From 08fd4b69e84364677a10e519ccb25b71710ee686 Mon Sep 17 00:00:00 2001
-From: Tobias Stoeckmann <tobias@stoeckmann.org>
-Date: Thu, 23 Feb 2017 09:47:29 -0600
-Subject: [PATCH] su: properly clear child PID
-
-If su is compiled with PAM support, it is possible for any local user
-to send SIGKILL to other processes with root privileges. There are
-only two conditions. First, the user must be able to perform su with
-a successful login. This does NOT have to be the root user, even using
-su with the same id is enough, e.g. "su $(whoami)". Second, SIGKILL
-can only be sent to processes which were executed after the su process.
-It is not possible to send SIGKILL to processes which were already
-running. I consider this as a security vulnerability, because I was
-able to write a proof of concept which unlocked a screen saver of
-another user this way.
----
- src/su.c | 19 +++++++++++++++++--
- 1 file changed, 17 insertions(+), 2 deletions(-)
-
---- a/src/su.c
-+++ b/src/su.c
-@@ -363,20 +363,35 @@ static void prepare_pam_close_session (v
- /* wake child when resumed */
- kill (pid, SIGCONT);
- stop = false;
-+ } else {
-+ pid_child = 0;
- }
- } while (!stop);
- }
-
-- if (0 != caught) {
-+ if (0 != caught && 0 != pid_child) {
- (void) fputs ("\n", stderr);
- (void) fputs (_("Session terminated, terminating shell..."),
- stderr);
- (void) kill (-pid_child, caught);
-
- (void) signal (SIGALRM, kill_child);
-+ (void) signal (SIGCHLD, catch_signals);
- (void) alarm (2);
-
-- (void) wait (&status);
-+ sigemptyset (&ourset);
-+ if ((sigaddset (&ourset, SIGALRM) != 0)
-+ || (sigprocmask (SIG_BLOCK, &ourset, NULL) != 0)) {
-+ fprintf (stderr, _("%s: signal masking malfunction\n"), Prog);
-+ kill_child (0);
-+ } else {
-+ while (0 == waitpid (pid_child, &status, WNOHANG)) {
-+ sigsuspend (&ourset);
-+ }
-+ pid_child = 0;
-+ (void) sigprocmask (SIG_UNBLOCK, &ourset, NULL);
-+ }
-+
- (void) fputs (_(" ...terminated.\n"), stderr);
- }
-