Imported Debian patch 1:4.2-3+deb8u2

Closes: #832170

debian/changelog

@@ -1,3 +1,59 @@
+shadow (1:4.2-3+deb8u2) jessie-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * su: properly clear child PID (CVE-2017-2616) (Closes: #855943)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Thu, 23 Feb 2017 17:21:08 +0100
+
+shadow (1:4.2-3+deb8u1) jessie; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix error handling in busy user detection. (Closes: #778287)
+
+ -- Bastian Blank <bastian.blank@credativ.de>  Wed, 18 Nov 2015 08:07:09 +0000
+
+shadow (1:4.2-3) unstable; urgency=low
+
+  * Enforce hardened builds to workaround cdbs sometimes not building
+    with hardening flags as in 1:4.2-2+b1
+    Thanks to Dr. Markus Waldeck for pointing the issue and Simon Ruderich
+    For providing a working patch.
+
+ -- Christian Perrier <bubulle@debian.org>  Wed, 19 Nov 2014 21:59:09 +0100
+
+shadow (1:4.2-2) unstable; urgency=low
+
+  * The "Soumaintrain" release
+  * The "Rigotte de Condrieu" release was 4.2-1
+  * Upload to unstable
+  * Last upload integrates the use of dh_autoreconf which has the same
+    effect then Eric Dorland's patch in 1:4.1.5.1-1.1 NMU to drop the
+    use of automake1.9. Closes: #724434
+
+  [ Samuel Thibault ]
+  * Enable the login package on hurd-any, but without /bin/login, still provided
+    by the hurd package. Closes: #737805.
+    This fix was accidentally forgotten in 1:4.2-1
+
+  [ Josh Triplett ]
+  * use the new pam_exec functionality from pam 1.1.8-1 to implement the
+    dynamic motd, rather than using /run/motd.dynamic from initscripts.
+    This will allow initscripts to drop /etc/init.d/motd.
+    Closes: #741129
+
+  [ Laurent Bigonville ]
+  * Enable libaudit support. Closes: #745774
+
+  [ Trần Ngọc Quân ]
+  * Vietnamese translation update.
+
+  [ Christian Perrier ]
+  * Add a lintian override for newuidmap and newgidmap setuid binaries
+  * Add upstream signing key as debian/upstream-signing-key.asc
+  * Check upstream signing key in debian/watch
+
+ -- Christian Perrier <bubulle@debian.org>  Sun, 04 May 2014 19:39:07 +0200
+
 shadow (1:4.2-1) experimental; urgency=low
 
   [ Nicolas FRANCOIS (Nekral) ]
@@ -59,6 +115,19 @@ shadow (1:4.2-1) experimental; urgency=low
 
  -- Christian Perrier <bubulle@debian.org>  Tue, 22 Apr 2014 09:01:42 +0200
 
+shadow (1:4.1.5.1-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+
+  [ Eric Dorland ]
+  * Switch to automake1.11. (Closes: #724434)
+
+  [ Samuel Thibault ]
+  * Enable the login package on hurd-any, but without /bin/login, still provided
+    by the hurd package. Closes: #737805.
+
+ -- Samuel Thibault <sthibault@debian.org>  Sun, 16 Mar 2014 20:58:24 +0100
+
 shadow (1:4.1.5.1-1) unstable; urgency=low
 
   * The "Gruyère" release.

debian/control

@@ -4,7 +4,8 @@ Priority: required
 Maintainer: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
 Standards-Version: 3.9.5
 Uploaders: Christian Perrier <bubulle@debian.org>, Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net>
-Build-Depends: dh-autoreconf, gettext, libpam0g-dev, debhelper (>= 6.0.7~), quilt, dpkg-dev (>= 1.13.5), xsltproc, docbook-xsl, docbook-xml, libxml2-utils, cdbs, libselinux1-dev [linux-any], libsemanage1-dev [linux-any], gnome-doc-utils (>= 0.4.3), bison
+Build-Depends: dh-autoreconf, gettext, libpam0g-dev, debhelper (>= 6.0.7~), quilt, dpkg-dev (>= 1.13.5), xsltproc, docbook-xsl, docbook-xml, libxml2-utils, cdbs, libselinux1-dev [linux-any], libsemanage1-dev [linux-any], gnome-doc-utils (>= 0.4.3), bison, libaudit-dev [linux-any]
+ ,hardening-wrapper
 Vcs-Git: git://anonscm.debian.org/git/pkg-shadow/shadow.git
 Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-shadow/shadow.git;a=summary
 Homepage: http://pkg-shadow.alioth.debian.org/
@@ -22,9 +23,10 @@ Description: change and administer password and group data
 
 Package: login
 Architecture: any
-Pre-Depends: ${shlibs:Depends}, ${misc:Depends}, libpam-runtime, libpam-modules
+Pre-Depends: ${shlibs:Depends}, ${misc:Depends}, libpam-runtime, libpam-modules (>= 1.1.8-1)
 Conflicts: gnunet (<< 0.7.0c-2), amavisd-new (<<2.3.3-8), python-4suite (<< 0.99cvs20060405-1), backupninja (<< 0.9.3-5), echolot (<< 2.1.8-4)
-Replaces: manpages-de (<< 0.5-3), manpages-tr (<<1.0.5), manpages-zh (<<1.5.1-1)
+Breaks: coreutils (<< 8.21~) [hurd-any], passwd (<< 1:4.1.5.1-2~) [hurd-any], hurd (<< 20140206~) [hurd-any]
+Replaces: manpages-de (<< 0.5-3), manpages-tr (<<1.0.5), manpages-zh (<<1.5.1-1), passwd (<< 1:4.1.5.1-2~) [hurd-any], coreutils (<< 8.21~) [hurd-any], hurd (<< 20140206~) [hurd-any]
 Essential: yes
 Description: system login tools
  These tools are required to be able to login and use your system. The

debian/login.pam

@@ -82,9 +82,7 @@ session    optional   pam_lastlog.so
 
 # Prints the message of the day upon succesful login.
 # (Replaces the `MOTD_FILE' option in login.defs)
-# This includes a dynamically generated part from /run/motd.dynamic
-# and a static (admin-editable) part from /etc/motd.
-session    optional   pam_motd.so  motd=/run/motd.dynamic  noupdate
+session    optional   pam_exec.so type=open_session stdout /bin/uname -snrvm
 session    optional   pam_motd.so
 
 # Prints the status of the user's mailbox upon succesful login

debian/patches/1020_fix_user_busy_errors

@@ -0,0 +1,38 @@
+Description: Fix user_busy to not leave subuid open in case of error.
+Author: William Grant <wgrant@ubuntu.com>
+Bug: https://bugs.launchpad.net/ubuntu/vivid/+source/shadow/+bug/1436937
+
+Index: shadow-4.2/libmisc/user_busy.c
+===================================================================
+--- shadow-4.2.orig/libmisc/user_busy.c
++++ shadow-4.2/libmisc/user_busy.c
+@@ -175,6 +175,9 @@ static int user_busy_processes (const ch
+ 	if (stat ("/", &sbroot) != 0) {
+ 		perror ("stat (\"/\")");
+ 		(void) closedir (proc);
++#ifdef ENABLE_SUBIDS
++		sub_uid_close();
++#endif				/* ENABLE_SUBIDS */
+ 		return 0;
+ 	}
+ 
+@@ -212,6 +215,9 @@ static int user_busy_processes (const ch
+ 
+ 		if (check_status (name, tmp_d_name, uid) != 0) {
+ 			(void) closedir (proc);
++#ifdef ENABLE_SUBIDS
++			sub_uid_close();
++#endif				/* ENABLE_SUBIDS */
+ 			fprintf (stderr,
+ 			         _("%s: user %s is currently used by process %d\n"),
+ 			         Prog, name, pid);
+@@ -232,6 +238,9 @@ static int user_busy_processes (const ch
+ 				}
+ 				if (check_status (name, task_path+6, uid) != 0) {
+ 					(void) closedir (proc);
++#ifdef ENABLE_SUBIDS
++					sub_uid_close();
++#endif				/* ENABLE_SUBIDS */
+ 					fprintf (stderr,
+ 					         _("%s: user %s is currently used by process %d\n"),
+ 					         Prog, name, pid);

debian/patches/301-CVE-2017-2616-su-properly-clear-child-PID.patch

@@ -0,0 +1,59 @@
+From 08fd4b69e84364677a10e519ccb25b71710ee686 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Thu, 23 Feb 2017 09:47:29 -0600
+Subject: [PATCH] su: properly clear child PID
+
+If su is compiled with PAM support, it is possible for any local user
+to send SIGKILL to other processes with root privileges. There are
+only two conditions. First, the user must be able to perform su with
+a successful login. This does NOT have to be the root user, even using
+su with the same id is enough, e.g. "su $(whoami)". Second, SIGKILL
+can only be sent to processes which were executed after the su process.
+It is not possible to send SIGKILL to processes which were already
+running. I consider this as a security vulnerability, because I was
+able to write a proof of concept which unlocked a screen saver of
+another user this way.
+---
+ src/su.c | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+--- a/src/su.c
++++ b/src/su.c
+@@ -363,20 +363,35 @@ static void prepare_pam_close_session (v
+ 				/* wake child when resumed */
+ 				kill (pid, SIGCONT);
+ 				stop = false;
++			} else {
++				pid_child = 0;
+ 			}
+ 		} while (!stop);
+ 	}
+ 
+-	if (0 != caught) {
++	if (0 != caught && 0 != pid_child) {
+ 		(void) fputs ("\n", stderr);
+ 		(void) fputs (_("Session terminated, terminating shell..."),
+ 		              stderr);
+ 		(void) kill (-pid_child, caught);
+ 
+ 		(void) signal (SIGALRM, kill_child);
++		(void) signal (SIGCHLD, catch_signals);
+ 		(void) alarm (2);
+ 
+-		(void) wait (&status);
++		sigemptyset (&ourset);
++		if ((sigaddset (&ourset, SIGALRM) != 0)
++		    || (sigprocmask (SIG_BLOCK, &ourset, NULL) != 0)) {
++			fprintf (stderr, _("%s: signal masking malfunction\n"), Prog);
++			kill_child (0);
++		} else {
++			while (0 == waitpid (pid_child, &status, WNOHANG)) {
++				sigsuspend (&ourset);
++			}
++			pid_child = 0;
++			(void) sigprocmask (SIG_UNBLOCK, &ourset, NULL);
++		}
++
+ 		(void) fputs (_(" ...terminated.\n"), stderr);
+ 	}
+ 

debian/patches/series

@@ -4,6 +4,7 @@
 
 503_shadowconfig.8
 008_login_log_failure_in_FTMP
+301-CVE-2017-2616-su-properly-clear-child-PID.patch
 429_login_FAILLOG_ENAB
 401_cppw_src.dpatch
 # 402 should be merged in 401, but should be reviewed by SE Linux experts first
@@ -33,3 +34,5 @@
 #userns/manpagetypo
 #userns/16_add-argument-sanity-checking.patch
 1000_configure_userns
+1010_vietnamese_translation
+1020_fix_user_busy_errors

debian/rules

@@ -3,10 +3,7 @@
 
 DEB_HOST_ARCH_OS := $(shell dpkg-architecture -qDEB_HOST_ARCH_OS)
 
-ifeq ($(DEB_HOST_ARCH_OS),hurd)
-# Do not build login on The Hurd
-override DEB_ARCH_PACKAGES=passwd
-endif
+export DEB_BUILD_HARDENING=1
 
 # Enable PIE, BINDNOW, and possible future flags.
 export DEB_BUILD_MAINT_OPTIONS = hardening=+all
@@ -24,7 +21,7 @@ DEB_DESTDIR=$(CURDIR)/debian/tmp
 include /usr/share/cdbs/1/class/autotools.mk
 
 # Adds extra options when calling the configure script:
-DEB_CONFIGURE_EXTRA_FLAGS := --disable-shared --without-libcrack --without-audit --mandir=/usr/share/man --with-libpam --enable-shadowgrp --enable-man --disable-account-tools-setuid --with-group-name-max-length=32 --without-acl --without-attr --without-tcb
+DEB_CONFIGURE_EXTRA_FLAGS := --disable-shared --without-libcrack --mandir=/usr/share/man --with-libpam --enable-shadowgrp --enable-man --disable-account-tools-setuid --with-group-name-max-length=32 --without-acl --without-attr --without-tcb
 ifneq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
   DEB_CONFIGURE_EXTRA_FLAGS += --host=$(DEB_HOST_GNU_TYPE)
 endif
@@ -34,6 +31,10 @@ CFLAGS += -DDEFAULT_EDITOR=\\\"sensible-editor\\\"
 
 # Add extras to the install process:
 binary-install/login::
+ifeq ($(DEB_HOST_ARCH_OS),hurd)
+	# /bin/login is provided by the hurd package.
+	rm -f debian/login/bin/login
+endif
 	dh_installpam -p login
 	dh_installpam -p login --name=su
 	install -c -m 444 debian/login.defs debian/login/etc/login.defs
@@ -52,11 +53,6 @@ binary-install/passwd::
 	dh_installpam -p passwd --name=chsh
 	dh_installpam -p passwd --name=chpasswd
 	dh_installpam -p passwd --name=newusers
-ifeq ($(DEB_HOST_ARCH_OS),hurd)
-# login is not built on The Hurd, but some utilities of passwd depends on
-# /etc/login.defs.
-	install -c -m 444 debian/login.defs debian/passwd/etc/login.defs
-endif
 	install -c -m 644 debian/useradd.default debian/passwd/etc/default/useradd
 	install -d debian/passwd/sbin
 	install -c -m 555 debian/shadowconfig.sh debian/passwd/sbin/shadowconfig

debian/uidmap.lintian-overrides

@@ -0,0 +1,2 @@
+uidmap: setuid-binary usr/bin/newgidmap 4755 root/root
+uidmap: setuid-binary usr/bin/newuidmap 4755 root/root

debian/watch

@@ -1,3 +1,3 @@
 version=3
-ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-(.*)\.tar\.gz \
+opts=pgpsigurlmangle=s/$/.sig/ http://pkg-shadow.alioth.debian.org/releases/shadow-(.*)\.tar\.xz \
   debian  uupdate