Compare commits

...

9 Commits

Author SHA1 Message Date
Adrian Bunk abc4a04e95 Import 1:4.4-4.1+deb9u1 2024-10-27 03:25:11 +02:00
Salvatore Bonaccorso d7f24f954e Import Debian changes 1:4.4-4.1
shadow (1:4.4-4.1) unstable; urgency=high

  * Non-maintainer upload.
  * Reset pid_child only if waitpid was successful.
    This is a regression fix for CVE-2017-2616. If su receives a signal like
    SIGTERM, it is not propagated to the child. (Closes: #862806)
2017-08-10 18:25:45 -04:00
Balint Reczey f9176c3be3 Update changelog 2017-02-24 01:50:13 +01:00
Balint Reczey bc6cd09194 su: properly clear child PID (CVE-2017-2616)
Closes: #855943
2017-02-24 01:50:09 +01:00
Balint Reczey b8a7c3ac04 Update changelog 2017-01-25 16:43:47 +01:00
Stéphane Graber 133b10b734 Add missing /etc/{subgid|subuid} in postinst 2017-01-20 20:53:36 +01:00
Balint Reczey 40146019e6 Sync motd handling with sshd
Using patch from Ubuntu

Closes: #757148
2017-01-20 20:41:49 +01:00
Balint Reczey 3588f5d2a3 Clean up stale locks on boot
Closes: #478771
2017-01-20 20:11:49 +01:00
Balint Reczey af6b417156 Start working on next upload 2017-01-20 20:08:36 +01:00
10 changed files with 211 additions and 10 deletions
+1
View File
@@ -7,6 +7,7 @@ lib*.a
.deps
.libs
*.patch
*.rej
*.orig
+46
View File
@@ -1,3 +1,49 @@
shadow (1:4.4-4.1+deb9u1) stretch-security; urgency=high
* Non-maintainer upload by the LTS Security Team.
* CVE-2017-20002: revert adding pts/0 and pts/1 to securetty.
Adding pts/* defeats the purpose of securetty. Let containers add it
if needed as described in #830255.
(cherry-picked from 1:4.5-1)
See also #877374 (previous proposed update) and #914957
(/etc/securetty will be dropped in bullseye).
* CVE-2017-12424: the newusers tool could be made to manipulate internal
data structures in ways unintended by the authors. Malformed input may
lead to crashes (with a buffer overflow or other memory corruption) or
other unspecified behaviors. This crosses a privilege boundary in, for
example, certain web-hosting environments in which a Control Panel
allows an unprivileged user account to create subaccounts.
(Closes: #756630)
-- Sylvain Beucler <beuc@debian.org> Wed, 17 Mar 2021 10:27:01 +0100
shadow (1:4.4-4.1) unstable; urgency=high
* Non-maintainer upload.
* Reset pid_child only if waitpid was successful.
This is a regression fix for CVE-2017-2616. If su receives a signal like
SIGTERM, it is not propagated to the child. (Closes: #862806)
-- Salvatore Bonaccorso <carnil@debian.org> Wed, 17 May 2017 13:59:59 +0200
shadow (1:4.4-4) unstable; urgency=high
* su: properly clear child PID (CVE-2017-2616) (Closes: #855943)
-- Balint Reczey <balint@balintreczey.hu> Fri, 24 Feb 2017 01:33:25 +0100
shadow (1:4.4-3) unstable; urgency=medium
[ Balint Reczey ]
* Clean up stale locks on boot (Closes: #478771)
* Sync motd handling with sshd.
Using patch from Ubuntu (Closes: #757148)
[ Stéphane Graber ]
* Add missing /etc/{subgid|subuid} in postinst
-- Balint Reczey <balint@balintreczey.hu> Wed, 25 Jan 2017 16:43:09 +0100
shadow (1:4.4-2) unstable; urgency=medium
[ Balint Reczey ]
+4 -2
View File
@@ -92,8 +92,10 @@ session optional pam_lastlog.so
# Prints the message of the day upon successful login.
# (Replaces the `MOTD_FILE' option in login.defs)
session optional pam_exec.so type=open_session stdout /bin/uname -snrvm
session optional pam_motd.so
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate
# Prints the status of the user's mailbox upon successful login
# (Replaces the `MAIL_CHECK_ENAB' option from login.defs).
+15 -3
View File
@@ -16,14 +16,26 @@ then
fi
rm -f /etc/pam.d/login.pre-upgrade 2>/dev/null
if [ "$1" = "configure" ] && [ "$2" = "" ]
then
if [ "$1" = "configure" ]; then
# Install faillog during initial installs only
if [ ! -f /var/log/faillog ] ; then
if [ "$2" = "" ] && [ ! -f /var/log/faillog ] ; then
touch /var/log/faillog
chown root:root /var/log/faillog
chmod 644 /var/log/faillog
fi
# Create subuid/subgid if missing
if [ ! -e /etc/subuid ]; then
touch /etc/subuid
chown root:root /etc/subuid
chmod 644 /etc/subuid
fi
if [ ! -e /etc/subgid ]; then
touch /etc/subgid
chown root:root /etc/subgid
chmod 644 /etc/subgid
fi
fi
# Create subuid/subgid if missing
+8
View File
@@ -0,0 +1,8 @@
# If a password operation is in progress and we lose power, stale lockfiles
# can be left behind. Clear them on boot.
r! /etc/gshadow.lock
r! /etc/shadow.lock
r! /etc/passwd.lock
r! /etc/group.lock
r! /etc/subuid.lock
r! /etc/subgid.lock
+60
View File
@@ -0,0 +1,60 @@
From 08fd4b69e84364677a10e519ccb25b71710ee686 Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann <tobias@stoeckmann.org>
Date: Thu, 23 Feb 2017 09:47:29 -0600
Subject: [PATCH] su: properly clear child PID
If su is compiled with PAM support, it is possible for any local user
to send SIGKILL to other processes with root privileges. There are
only two conditions. First, the user must be able to perform su with
a successful login. This does NOT have to be the root user, even using
su with the same id is enough, e.g. "su $(whoami)". Second, SIGKILL
can only be sent to processes which were executed after the su process.
It is not possible to send SIGKILL to processes which were already
running. I consider this as a security vulnerability, because I was
able to write a proof of concept which unlocked a screen saver of
another user this way.
---
src/su.c | 19 +++++++++++++++++--
1 file changed, 17 insertions(+), 2 deletions(-)
--- a/src/su.c
+++ b/src/su.c
@@ -363,11 +363,13 @@
/* wake child when resumed */
kill (pid, SIGCONT);
stop = false;
+ } else {
+ pid_child = 0;
}
} while (!stop);
}
- if (0 != caught) {
+ if (0 != caught && 0 != pid_child) {
(void) fputs ("\n", stderr);
(void) fputs (_("Session terminated, terminating shell..."),
stderr);
@@ -377,9 +379,22 @@
snprintf (wait_msg, 256, _(" ...waiting for child to terminate.\n"));
(void) signal (SIGALRM, kill_child);
+ (void) signal (SIGCHLD, catch_signals);
(void) alarm (2);
- (void) wait (&status);
+ sigemptyset (&ourset);
+ if ((sigaddset (&ourset, SIGALRM) != 0)
+ || (sigprocmask (SIG_BLOCK, &ourset, NULL) != 0)) {
+ fprintf (stderr, _("%s: signal masking malfunction\n"), Prog);
+ kill_child (0);
+ } else {
+ while (0 == waitpid (pid_child, &status, WNOHANG)) {
+ sigsuspend (&ourset);
+ }
+ pid_child = 0;
+ (void) sigprocmask (SIG_UNBLOCK, &ourset, NULL);
+ }
+
(void) fputs (_(" ...terminated.\n"), stderr);
}
@@ -0,0 +1,29 @@
From 7d82f203eeec881c584b2fa06539b39e82985d97 Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann <tobias@stoeckmann.org>
Date: Sun, 14 May 2017 17:58:10 +0200
Subject: [PATCH] Reset pid_child only if waitpid was successful.
Do not reset the pid_child to 0 if the child process is still
running. This else-condition can be reached with pid being -1,
therefore explicitly test this condition.
This is a regression fix for CVE-2017-2616. If su receives a
signal like SIGTERM, it is not propagated to the child.
Reported-by: Radu Duta <raduduta@gmail.com>
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
---
src/su.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/src/su.c
+++ b/src/su.c
@@ -363,7 +363,7 @@ static void prepare_pam_close_session (v
/* wake child when resumed */
kill (pid, SIGCONT);
stop = false;
- } else {
+ } else if ( (pid_t)-1 != pid) {
pid_child = 0;
}
} while (!stop);
+43
View File
@@ -0,0 +1,43 @@
Origin: https://github.com/shadow-maint/shadow/commit/954e3d2e7113e9ac06632aee3c69b8d818cc8952
Reviewed-by: Sylvain Beucler <beuc@debian.org>
Last-Update: 2021-03-16
From 954e3d2e7113e9ac06632aee3c69b8d818cc8952 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Fri, 31 Mar 2017 16:25:06 +0200
Subject: [PATCH] Fix buffer overflow if NULL line is present in db.
If ptr->line == NULL for an entry, the first cycle will exit,
but the second one will happily write past entries buffer.
We actually do not want to exit the first cycle prematurely
on ptr->line == NULL.
Signed-off-by: Tomas Mraz <tmraz@fedoraproject.org>
---
lib/commonio.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
Index: shadow-4.4/lib/commonio.c
===================================================================
--- shadow-4.4.orig/lib/commonio.c
+++ shadow-4.4/lib/commonio.c
@@ -755,16 +755,16 @@ commonio_sort (struct commonio_db *db, i
for (ptr = db->head;
(NULL != ptr)
#if KEEP_NIS_AT_END
- && (NULL != ptr->line)
- && ( ('+' != ptr->line[0])
- && ('-' != ptr->line[0]))
+ && ((NULL == ptr->line)
+ || (('+' != ptr->line[0])
+ && ('-' != ptr->line[0])))
#endif
;
ptr = ptr->next) {
n++;
}
#if KEEP_NIS_AT_END
- if ((NULL != ptr) && (NULL != ptr->line)) {
+ if (NULL != ptr) {
nis = ptr;
}
#endif
+5
View File
@@ -5,6 +5,9 @@
0005-Update-for-German-man-pages.patch
0006-French-manpage-translation.patch
0007-Fix-some-spelling-issues-in-the-Norwegian-translatio.patch
0008-su-properly-clear-child-PID.patch
301-Reset-pid_child-only-if-waitpid-was-successful.patch
# These patches are only for the testsuite:
#900_testsuite_groupmems
#901_testsuite_gcov
@@ -25,3 +28,5 @@
501_commonio_group_shadow
# does not apply cleanly, please merge at upstream
1010_vietnamese_translation
CVE-2017-12424.patch
-5
View File
@@ -164,11 +164,6 @@ ttyM0
ttyM1
#...
# Unix98 PTY slaves
pts/0
pts/1
#...
# Technology Concepts serial card
ttyT0
ttyT1