Update changelog

su: properly clear child PID (CVE-2017-2616)
Closes: #855943
2017-02-24 01:50:13 +01:00 · 2017-02-24 01:50:09 +01:00 · 2017-01-25 16:43:47 +01:00 · 2017-01-20 20:53:36 +01:00 · 2017-01-20 20:41:49 +01:00 · 2017-01-20 20:11:49 +01:00
6 changed files with 106 additions and 5 deletions
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,21 @@
+shadow (1:4.4-4) unstable; urgency=high
+
+  * su: properly clear child PID (CVE-2017-2616) (Closes: #855943)
+
+ -- Balint Reczey <balint@balintreczey.hu>  Fri, 24 Feb 2017 01:33:25 +0100
+
+shadow (1:4.4-3) unstable; urgency=medium
+
+  [ Balint Reczey ]
+  * Clean up stale locks on boot (Closes: #478771)
+  * Sync motd handling with sshd.
+    Using patch from Ubuntu (Closes: #757148)
+
+  [ Stéphane Graber ]
+  * Add missing /etc/{subgid|subuid} in postinst
+
+ -- Balint Reczey <balint@balintreczey.hu>  Wed, 25 Jan 2017 16:43:09 +0100
+
 shadow (1:4.4-2) unstable; urgency=medium

  [ Balint Reczey ]
--- a/debian/login.pam
+++ b/debian/login.pam
@@ -92,8 +92,10 @@ session    optional   pam_lastlog.so

 # Prints the message of the day upon successful login.
 # (Replaces the `MOTD_FILE' option in login.defs)
-session    optional   pam_exec.so type=open_session stdout /bin/uname -snrvm
-session    optional   pam_motd.so
+# This includes a dynamically generated part from /run/motd.dynamic
+# and a static (admin-editable) part from /etc/motd.
+session    optional   pam_motd.so motd=/run/motd.dynamic
+session    optional   pam_motd.so noupdate

 # Prints the status of the user's mailbox upon successful login
 # (Replaces the `MAIL_CHECK_ENAB' option from login.defs). 
--- a/debian/login.postinst
+++ b/debian/login.postinst
@@ -16,14 +16,26 @@ then
 fi
 rm -f /etc/pam.d/login.pre-upgrade 2>/dev/null

-if [ "$1" = "configure" ] && [ "$2" = "" ]
-then
+if [ "$1" = "configure" ]; then
 	# Install faillog during initial installs only
-	if [ ! -f /var/log/faillog ] ; then
+	if [ "$2" = "" ] && [ ! -f /var/log/faillog ] ; then
 		touch /var/log/faillog
 		chown root:root /var/log/faillog
 		chmod 644 /var/log/faillog
 	fi
+
+	# Create subuid/subgid if missing
+	if [ ! -e /etc/subuid ]; then
+		touch /etc/subuid
+		chown root:root /etc/subuid
+		chmod 644 /etc/subuid
+	fi
+
+	if [ ! -e /etc/subgid ]; then
+		touch /etc/subgid
+		chown root:root /etc/subgid
+		chmod 644 /etc/subgid
+	fi
 fi

        # Create subuid/subgid if missing
--- a/debian/passwd.tmpfile
+++ b/debian/passwd.tmpfile
@@ -0,0 +1,8 @@
+# If a password operation is in progress and we lose power, stale lockfiles
+# can be left behind.  Clear them on boot.
+r! /etc/gshadow.lock
+r! /etc/shadow.lock
+r! /etc/passwd.lock
+r! /etc/group.lock
+r! /etc/subuid.lock
+r! /etc/subgid.lock
--- a/debian/patches/0008-su-properly-clear-child-PID.patch
+++ b/debian/patches/0008-su-properly-clear-child-PID.patch
@@ -0,0 +1,60 @@
+From 08fd4b69e84364677a10e519ccb25b71710ee686 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Thu, 23 Feb 2017 09:47:29 -0600
+Subject: [PATCH] su: properly clear child PID
+
+If su is compiled with PAM support, it is possible for any local user
+to send SIGKILL to other processes with root privileges. There are
+only two conditions. First, the user must be able to perform su with
+a successful login. This does NOT have to be the root user, even using
+su with the same id is enough, e.g. "su $(whoami)". Second, SIGKILL
+can only be sent to processes which were executed after the su process.
+It is not possible to send SIGKILL to processes which were already
+running. I consider this as a security vulnerability, because I was
+able to write a proof of concept which unlocked a screen saver of
+another user this way.
+---
+ src/su.c | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+--- a/src/su.c
+++ b/src/su.c
+@@ -363,11 +363,13 @@
+ 				/* wake child when resumed */
+ 				kill (pid, SIGCONT);
+ 				stop = false;
+			} else {
+				pid_child = 0;
+ 			}
+ 		} while (!stop);
+ 	}
+ 
+-	if (0 != caught) {
+	if (0 != caught && 0 != pid_child) {
+ 		(void) fputs ("\n", stderr);
+ 		(void) fputs (_("Session terminated, terminating shell..."),
+ 		              stderr);
+@@ -377,9 +379,22 @@
+ 		snprintf (wait_msg, 256, _(" ...waiting for child to terminate.\n"));
+ 
+ 		(void) signal (SIGALRM, kill_child);
+		(void) signal (SIGCHLD, catch_signals);
+ 		(void) alarm (2);
+ 
+-		(void) wait (&status);
+		sigemptyset (&ourset);
+		if ((sigaddset (&ourset, SIGALRM) != 0)
+		    || (sigprocmask (SIG_BLOCK, &ourset, NULL) != 0)) {
+			fprintf (stderr, _("%s: signal masking malfunction\n"), Prog);
+			kill_child (0);
+		} else {
+			while (0 == waitpid (pid_child, &status, WNOHANG)) {
+				sigsuspend (&ourset);
+			}
+			pid_child = 0;
+			(void) sigprocmask (SIG_UNBLOCK, &ourset, NULL);
+		}
+
+ 		(void) fputs (_(" ...terminated.\n"), stderr);
+ 	}
+ 
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -5,6 +5,7 @@
 0005-Update-for-German-man-pages.patch
 0006-French-manpage-translation.patch
 0007-Fix-some-spelling-issues-in-the-Norwegian-translatio.patch
+0008-su-properly-clear-child-PID.patch
 # These patches are only for the testsuite:
 #900_testsuite_groupmems
 #901_testsuite_gcov
Author	SHA1	Message	Date
Balint Reczey	f9176c3be3	Update changelog	2017-02-24 01:50:13 +01:00
Balint Reczey	bc6cd09194	su: properly clear child PID (CVE-2017-2616) Closes: #855943	2017-02-24 01:50:09 +01:00
Balint Reczey	b8a7c3ac04	Update changelog	2017-01-25 16:43:47 +01:00
Stéphane Graber	133b10b734	Add missing /etc/{subgid\|subuid} in postinst	2017-01-20 20:53:36 +01:00
Balint Reczey	40146019e6	Sync motd handling with sshd Using patch from Ubuntu Closes: #757148	2017-01-20 20:41:49 +01:00
Balint Reczey	3588f5d2a3	Clean up stale locks on boot Closes: #478771	2017-01-20 20:11:49 +01:00
Balint Reczey	af6b417156	Start working on next upload	2017-01-20 20:08:36 +01:00