diff options
author | Brad Bishop <bradleyb@fuzziesquirrel.com> | 2018-06-14 19:52:03 +0300 |
---|---|---|
committer | Brad Bishop <bradleyb@fuzziesquirrel.com> | 2018-08-28 03:22:11 +0300 |
commit | d5ae7d902a40f26a8c26f4c6d300226689738716 (patch) | |
tree | 85c711404990dd5e37447cd7492c3017815790b7 /poky/meta/recipes-extended/shadow/files | |
parent | 0639c5b2c542e0ed9465cc9d8e5100ac0063038f (diff) | |
download | openbmc-d5ae7d902a40f26a8c26f4c6d300226689738716.tar.xz |
Sumo refresh
Update external subtrees to latest Yocto sumo.
Change-Id: I8364f32bef079841c6e57f1c587f4b1bedf62fef
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
Diffstat (limited to 'poky/meta/recipes-extended/shadow/files')
3 files changed, 68 insertions, 0 deletions
diff --git a/poky/meta/recipes-extended/shadow/files/CVE-2017-2616.patch b/poky/meta/recipes-extended/shadow/files/CVE-2017-2616.patch new file mode 100644 index 000000000..ee728f095 --- /dev/null +++ b/poky/meta/recipes-extended/shadow/files/CVE-2017-2616.patch @@ -0,0 +1,64 @@ +shadow-4.2.1: Fix CVE-2017-2616 + +[No upstream tracking] -- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855943 + +su: properly clear child PID + +If su is compiled with PAM support, it is possible for any local user +to send SIGKILL to other processes with root privileges. There are +only two conditions. First, the user must be able to perform su with +a successful login. This does NOT have to be the root user, even using +su with the same id is enough, e.g. "su $(whoami)". Second, SIGKILL +can only be sent to processes which were executed after the su process. +It is not possible to send SIGKILL to processes which were already +running. I consider this as a security vulnerability, because I was +able to write a proof of concept which unlocked a screen saver of +another user this way. + +Upstream-Status: Backport [https://github.com/shadow-maint/shadow/commit/08fd4b69e84364677a10e519ccb25b71710ee686] +CVE: CVE-2017-2616 +bug: 855943 +Signed-off-by: Andrej Valek <andrej.valek@siemens.com> + +diff --git a/src/su.c b/src/su.c +index 3704217..1efcd61 100644 +--- a/src/su.c ++++ b/src/su.c +@@ -363,20 +363,35 @@ static void prepare_pam_close_session (void) + /* wake child when resumed */ + kill (pid, SIGCONT); + stop = false; ++ } else { ++ pid_child = 0; + } + } while (!stop); + } + +- if (0 != caught) { ++ if (0 != caught && 0 != pid_child) { + (void) fputs ("\n", stderr); + (void) fputs (_("Session terminated, terminating shell..."), + stderr); + (void) kill (-pid_child, caught); + + (void) signal (SIGALRM, kill_child); ++ (void) signal (SIGCHLD, catch_signals); + (void) alarm (2); + +- (void) wait (&status); ++ sigemptyset (&ourset); ++ if ((sigaddset (&ourset, SIGALRM) != 0) ++ || (sigprocmask (SIG_BLOCK, &ourset, NULL) != 0)) { ++ fprintf (stderr, _("%s: signal masking malfunction\n"), Prog); ++ kill_child (0); ++ } else { ++ while (0 == waitpid (pid_child, &status, WNOHANG)) { ++ sigsuspend (&ourset); ++ } ++ pid_child = 0; ++ (void) sigprocmask (SIG_UNBLOCK, &ourset, NULL); ++ } ++ + (void) fputs (_(" ...terminated.\n"), stderr); + } + diff --git a/poky/meta/recipes-extended/shadow/files/pam.d/chpasswd b/poky/meta/recipes-extended/shadow/files/pam.d/chpasswd index 9e3efa68b..b769d92ba 100644 --- a/poky/meta/recipes-extended/shadow/files/pam.d/chpasswd +++ b/poky/meta/recipes-extended/shadow/files/pam.d/chpasswd @@ -1,4 +1,6 @@ # The PAM configuration file for the Shadow 'chpasswd' service # +auth sufficient pam_rootok.so +account required pam_permit.so password include common-password diff --git a/poky/meta/recipes-extended/shadow/files/pam.d/newusers b/poky/meta/recipes-extended/shadow/files/pam.d/newusers index 4aa3dde48..4c59dfa47 100644 --- a/poky/meta/recipes-extended/shadow/files/pam.d/newusers +++ b/poky/meta/recipes-extended/shadow/files/pam.d/newusers @@ -1,4 +1,6 @@ # The PAM configuration file for the Shadow 'newusers' service # +auth sufficient pam_rootok.so +account required pam_permit.so password include common-password |