Imported Debian patch 1:4.2-3+deb8u2

Update changelog
Add myself to uploaders replacing Nicolas FRANCOIS (Nekral)
2017-02-26 11:36:51 +01:00 · 2017-02-24 00:58:22 +01:00 · 2017-02-24 00:57:02 +01:00 · 2017-02-24 00:51:09 +01:00 · 2017-02-24 00:49:51 +01:00 · 2017-02-24 00:41:23 +01:00
4 changed files with 113 additions and 0 deletions
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,17 @@
+shadow (1:4.2-3+deb8u2) jessie-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * su: properly clear child PID (CVE-2017-2616) (Closes: #855943)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Thu, 23 Feb 2017 17:21:08 +0100
+
+shadow (1:4.2-3+deb8u1) jessie; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix error handling in busy user detection. (Closes: #778287)
+
+ -- Bastian Blank <bastian.blank@credativ.de>  Wed, 18 Nov 2015 08:07:09 +0000
+
 shadow (1:4.2-3) unstable; urgency=low

  * Enforce hardened builds to workaround cdbs sometimes not building
--- a/debian/patches/1020_fix_user_busy_errors
+++ b/debian/patches/1020_fix_user_busy_errors
@@ -0,0 +1,38 @@
+Description: Fix user_busy to not leave subuid open in case of error.
+Author: William Grant <wgrant@ubuntu.com>
+Bug: https://bugs.launchpad.net/ubuntu/vivid/+source/shadow/+bug/1436937
+
+Index: shadow-4.2/libmisc/user_busy.c
+===================================================================
+--- shadow-4.2.orig/libmisc/user_busy.c
+++ shadow-4.2/libmisc/user_busy.c
+@@ -175,6 +175,9 @@ static int user_busy_processes (const ch
+ 	if (stat ("/", &sbroot) != 0) {
+ 		perror ("stat (\"/\")");
+ 		(void) closedir (proc);
+#ifdef ENABLE_SUBIDS
+		sub_uid_close();
+#endif				/* ENABLE_SUBIDS */
+ 		return 0;
+ 	}
+ 
+@@ -212,6 +215,9 @@ static int user_busy_processes (const ch
+ 
+ 		if (check_status (name, tmp_d_name, uid) != 0) {
+ 			(void) closedir (proc);
+#ifdef ENABLE_SUBIDS
+			sub_uid_close();
+#endif				/* ENABLE_SUBIDS */
+ 			fprintf (stderr,
+ 			         _("%s: user %s is currently used by process %d\n"),
+ 			         Prog, name, pid);
+@@ -232,6 +238,9 @@ static int user_busy_processes (const ch
+ 				}
+ 				if (check_status (name, task_path+6, uid) != 0) {
+ 					(void) closedir (proc);
+#ifdef ENABLE_SUBIDS
+					sub_uid_close();
+#endif				/* ENABLE_SUBIDS */
+ 					fprintf (stderr,
+ 					         _("%s: user %s is currently used by process %d\n"),
+ 					         Prog, name, pid);
--- a/debian/patches/301-CVE-2017-2616-su-properly-clear-child-PID.patch
+++ b/debian/patches/301-CVE-2017-2616-su-properly-clear-child-PID.patch
@@ -0,0 +1,59 @@
+From 08fd4b69e84364677a10e519ccb25b71710ee686 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Thu, 23 Feb 2017 09:47:29 -0600
+Subject: [PATCH] su: properly clear child PID
+
+If su is compiled with PAM support, it is possible for any local user
+to send SIGKILL to other processes with root privileges. There are
+only two conditions. First, the user must be able to perform su with
+a successful login. This does NOT have to be the root user, even using
+su with the same id is enough, e.g. "su $(whoami)". Second, SIGKILL
+can only be sent to processes which were executed after the su process.
+It is not possible to send SIGKILL to processes which were already
+running. I consider this as a security vulnerability, because I was
+able to write a proof of concept which unlocked a screen saver of
+another user this way.
+---
+ src/su.c | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+--- a/src/su.c
+++ b/src/su.c
+@@ -363,20 +363,35 @@ static void prepare_pam_close_session (v
+ 				/* wake child when resumed */
+ 				kill (pid, SIGCONT);
+ 				stop = false;
+			} else {
+				pid_child = 0;
+ 			}
+ 		} while (!stop);
+ 	}
+ 
+-	if (0 != caught) {
+	if (0 != caught && 0 != pid_child) {
+ 		(void) fputs ("\n", stderr);
+ 		(void) fputs (_("Session terminated, terminating shell..."),
+ 		              stderr);
+ 		(void) kill (-pid_child, caught);
+ 
+ 		(void) signal (SIGALRM, kill_child);
+		(void) signal (SIGCHLD, catch_signals);
+ 		(void) alarm (2);
+ 
+-		(void) wait (&status);
+		sigemptyset (&ourset);
+		if ((sigaddset (&ourset, SIGALRM) != 0)
+		    || (sigprocmask (SIG_BLOCK, &ourset, NULL) != 0)) {
+			fprintf (stderr, _("%s: signal masking malfunction\n"), Prog);
+			kill_child (0);
+		} else {
+			while (0 == waitpid (pid_child, &status, WNOHANG)) {
+				sigsuspend (&ourset);
+			}
+			pid_child = 0;
+			(void) sigprocmask (SIG_UNBLOCK, &ourset, NULL);
+		}
+
+ 		(void) fputs (_(" ...terminated.\n"), stderr);
+ 	}
+ 
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -4,6 +4,7 @@

 503_shadowconfig.8
 008_login_log_failure_in_FTMP
+301-CVE-2017-2616-su-properly-clear-child-PID.patch
 429_login_FAILLOG_ENAB
 401_cppw_src.dpatch
 # 402 should be merged in 401, but should be reviewed by SE Linux experts first
@@ -34,3 +35,4 @@
 #userns/16_add-argument-sanity-checking.patch
 1000_configure_userns
 1010_vietnamese_translation
+1020_fix_user_busy_errors
Author	SHA1	Message	Date
Salvatore Bonaccorso	ba9a0dec9d	Imported Debian patch 1:4.2-3+deb8u2	2017-02-26 11:36:51 +01:00
Balint Reczey	75e2a3b103	Update changelog	2017-02-24 00:58:22 +01:00
Balint Reczey	e5e623f4ca	Add myself to uploaders replacing Nicolas FRANCOIS (Nekral)	2017-02-24 00:57:02 +01:00
Balint Reczey	5fd2757d66	Update changelog	2017-02-24 00:51:09 +01:00
Balint Reczey	bef0d93006	Refresh patches	2017-02-24 00:49:51 +01:00
Balint Reczey	dd729b3572	Fix integer overflow in getulong.c (CVE-2016-6252) Closes: #832170	2017-02-24 00:41:23 +01:00
Salvatore Bonaccorso	1edacbf29a	su: properly clear child PID Closes: #855943	2017-02-24 00:27:53 +01:00
Bastian Blank	a784e094c4	Imported Debian patch 1:4.2-3+deb8u1	2017-02-24 00:16:58 +01:00