[Pkg-shadow-devel] [shadow] 02/05: su: properly clear child PID

[Balint Reczey]

This is an automated email from the git hooks/post-receive script.

rbalint pushed a commit to branch jessie
in repository shadow.

commit 1edacbf29a564b64282b09f0a3a37dd654e3a743
Author: Salvatore Bonaccorso <carnil at debian.org>
Date:   Fri Feb 24 00:24:06 2017 +0100

    su: properly clear child PID
    
    Closes: #855943
---
 ...CVE-2017-2616-su-properly-clear-child-PID.patch | 59 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 2 files changed, 60 insertions(+)

diff --git a/debian/patches/301-CVE-2017-2616-su-properly-clear-child-PID.patch b/debian/patches/301-CVE-2017-2616-su-properly-clear-child-PID.patch
new file mode 100644
index 0000000..8f6f4e9
--- /dev/null
+++ b/debian/patches/301-CVE-2017-2616-su-properly-clear-child-PID.patch
@@ -0,0 +1,59 @@
+From 08fd4b69e84364677a10e519ccb25b71710ee686 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias at stoeckmann.org>
+Date: Thu, 23 Feb 2017 09:47:29 -0600
+Subject: [PATCH] su: properly clear child PID
+
+If su is compiled with PAM support, it is possible for any local user
+to send SIGKILL to other processes with root privileges. There are
+only two conditions. First, the user must be able to perform su with
+a successful login. This does NOT have to be the root user, even using
+su with the same id is enough, e.g. "su $(whoami)". Second, SIGKILL
+can only be sent to processes which were executed after the su process.
+It is not possible to send SIGKILL to processes which were already
+running. I consider this as a security vulnerability, because I was
+able to write a proof of concept which unlocked a screen saver of
+another user this way.
+---
+ src/su.c | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+--- a/src/su.c
++++ b/src/su.c
+@@ -363,20 +363,35 @@ static void prepare_pam_close_session (v
+ 				/* wake child when resumed */
+ 				kill (pid, SIGCONT);
+ 				stop = false;
++			} else {
++				pid_child = 0;
+ 			}
+ 		} while (!stop);
+ 	}
+ 
+-	if (0 != caught) {
++	if (0 != caught && 0 != pid_child) {
+ 		(void) fputs ("\n", stderr);
+ 		(void) fputs (_("Session terminated, terminating shell..."),
+ 		              stderr);
+ 		(void) kill (-pid_child, caught);
+ 
+ 		(void) signal (SIGALRM, kill_child);
++		(void) signal (SIGCHLD, catch_signals);
+ 		(void) alarm (2);
+ 
+-		(void) wait (&status);
++		sigemptyset (&ourset);
++		if ((sigaddset (&ourset, SIGALRM) != 0)
++		    || (sigprocmask (SIG_BLOCK, &ourset, NULL) != 0)) {
++			fprintf (stderr, _("%s: signal masking malfunction\n"), Prog);
++			kill_child (0);
++		} else {
++			while (0 == waitpid (pid_child, &status, WNOHANG)) {
++				sigsuspend (&ourset);
++			}
++			pid_child = 0;
++			(void) sigprocmask (SIG_UNBLOCK, &ourset, NULL);
++		}
++
+ 		(void) fputs (_(" ...terminated.\n"), stderr);
+ 	}
+ 
diff --git a/debian/patches/series b/debian/patches/series
index 44a06f3..ceb25e0 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -4,6 +4,7 @@
 
 503_shadowconfig.8
 008_login_log_failure_in_FTMP
+301-CVE-2017-2616-su-properly-clear-child-PID.patch
 429_login_FAILLOG_ENAB
 401_cppw_src.dpatch
 # 402 should be merged in 401, but should be reviewed by SE Linux experts first

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-shadow/shadow.git