
List:       pkg-shadow-devel
Subject:    [Pkg-shadow-devel] Bug#862806: shadow: diff for NMU version 1:4.4-4.1
From:       Salvatore Bonaccorso <carnil () debian ! org>
Date:       2017-05-17 12:15:39
Message-ID: 20170517121539.tyjgizhqptpdz2lb () lorien ! valinor ! li

Control: tags 862806 + pending

Dear shadow maintainer,

I've prepared an NMU for shadow (versioned as 1:4.4-4.1) and uploaded
it to DELAYED/5. Please feel free to tell me if I should delay it
longer or if I should reschedule. I'm fine with either. The RC
severity would be disputable, but since we introduced the issue due to
a previous security fix, we should get this into stretch as well IMHO.

Prepared as well the corresponding regression fix for jessie.

Regards,
Salvatore

["shadow-4.4-4.1-nmu.diff" (text/x-diff)]

diff -Nru shadow-4.4/debian/changelog shadow-4.4/debian/changelog
--- shadow-4.4/debian/changelog	2017-02-24 01:50:13.000000000 +0100
+++ shadow-4.4/debian/changelog	2017-05-17 13:59:59.000000000 +0200
@@ -1,3 +1,12 @@
+shadow (1:4.4-4.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Reset pid_child only if waitpid was successful.
+    This is a regression fix for CVE-2017-2616. If su receives a signal like
+    SIGTERM, it is not propagated to the child. (Closes: #862806)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Wed, 17 May 2017 13:59:59 +0200
+
 shadow (1:4.4-4) unstable; urgency=high
 
   * su: properly clear child PID (CVE-2017-2616) (Closes: #855943)
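
Review bot: the new changelog entry states the symptom in the present tense ("If su receives a signal like SIGTERM, it is not propagated to the child"), so it can be read as describing su's behaviour after this upload. Suggest wording it as the defect being removed, for example "Without this fix, a signal like SIGTERM received by su is not propagated to the child", and pointing at the 1:4.4-4 entry directly below, which carries the CVE-2017-2616 change that this upload corrects.
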
diff -Nru shadow-4.4/debian/patches/301-Reset-pid_child-only-if-waitpid-was-successful.patch \
                shadow-4.4/debian/patches/301-Reset-pid_child-only-if-waitpid-was-successful.patch
                
--- shadow-4.4/debian/patches/301-Reset-pid_child-only-if-waitpid-was-successful.patch	1970-01-01 \
                01:00:00.000000000 +0100
+++ shadow-4.4/debian/patches/301-Reset-pid_child-only-if-waitpid-was-successful.patch	2017-05-17 \
13:59:59.000000000 +0200 @@ -0,0 +1,29 @@
+From 7d82f203eeec881c584b2fa06539b39e82985d97 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Sun, 14 May 2017 17:58:10 +0200
+Subject: [PATCH] Reset pid_child only if waitpid was successful.
+
+Do not reset the pid_child to 0 if the child process is still
+running. This else-condition can be reached with pid being -1,
+therefore explicitly test this condition.
+
+This is a regression fix for CVE-2017-2616. If su receives a
+signal like SIGTERM, it is not propagated to the child.
+
+Reported-by: Radu Duta <raduduta@gmail.com>
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+---
+ src/su.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/src/su.c
++++ b/src/su.c
+@@ -363,7 +363,7 @@ static void prepare_pam_close_session (v
+ 				/* wake child when resumed */
+ 				kill (pid, SIGCONT);
+ 				stop = false;
+-			} else {
++			} else if (   (pid_t)-1 != pid) {
+ 				pid_child = 0;
+ 			}
+ 		} while (!stop);
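
Review bot: in the src/su.c change, the new condition "else if (   (pid_t)-1 != pid)" skips the reset for every failed waitpid call without looking at errno. An interrupted call (EINTR) fits the commit message's case of a child that is still running, but a failure such as ECHILD means there is no child left to wait for, and pid_child then keeps its old value. Consider testing errno so that only the interrupted case preserves pid_child, or add a comment above the condition explaining why all -1 returns are treated alike. The three spaces after the opening parenthesis also stand out against the neighbouring lines and could be dropped.
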
diff -Nru shadow-4.4/debian/patches/series shadow-4.4/debian/patches/series
--- shadow-4.4/debian/patches/series	2017-02-24 01:50:13.000000000 +0100
+++ shadow-4.4/debian/patches/series	2017-05-17 13:59:59.000000000 +0200
@@ -6,6 +6,8 @@
 0006-French-manpage-translation.patch
 0007-Fix-some-spelling-issues-in-the-Norwegian-translatio.patch
 0008-su-properly-clear-child-PID.patch
+301-Reset-pid_child-only-if-waitpid-was-successful.patch
+
 # These patches are only for the testsuite:
 #900_testsuite_groupmems
 #901_testsuite_gcov
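
Review bot: the added series entry "301-Reset-pid_child-only-if-waitpid-was-successful.patch" breaks the four-digit numbering used by the entries above it (0006-, 0007-, 0008-). Naming it with a 0009- prefix would keep it sorted directly after 0008-su-properly-clear-child-PID.patch, the patch it corrects. The blank line added before the testsuite comment is fine as a separator.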


