Bug 610804 - <sys-apps/shadow-4.4-r2: su: user can send SIGKILL with root privileges to other processes (CVE-2017-2616)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: A3 [glsa cve]
Blocks: CVE-2017-2616
Reported: 2017-02-24 12:27 UTC by Thomas Deutschmann (RETIRED)
Modified: 2017-06-06 06:37 UTC (History)
Package list:
=sys-apps/shadow-4.4-r2
Runtime testing required: ---
stable-bot: sanity-check+


Description Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-24 12:27:22 UTC
If su is compiled with PAM support, it is possible for any local user to send SIGKILL to other processes with root privileges. There are only two conditions. First, the user must be able to perform su with a successful login. This does NOT have to be the root user, even using su with the same id is enough, e.g. "su $(whoami)". Second, SIGKILL can only be sent to processes which were executed after the su process. It is not possible to send SIGKILL to processes which were already running. I consider this as a security vulnerability, because I was able to write a proof of concept which unlocked a screen saver of another user this way.

Upstream patch:

https://github.com/shadow-maint/shadow/commit/08fd4b69e84364677a10e519ccb25b71710ee686
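A host-side check for the two facts this report turns on (installed version below 4.4-r2, su built with PAM), added here as an example and not part of the original report or of Portage. It assumes the standard Portage VDB layout under /var/db/pkg with a per-package `USE` file, and handles only dotted numeric versions with an optional `-rN` revision.

```python
import re
from pathlib import Path

FIXED = "4.4-r2"  # first fixed version, from this bug's summary


def parse_version(ver):
    """'4.4-r2' -> ((4, 4), 2). Assumption: dotted numeric version with an
    optional -rN revision only; _rc/_p style suffixes are rejected."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r(\d+))?", ver)
    if not m:
        raise ValueError(f"unsupported version format: {ver!r}")
    return tuple(int(p) for p in m.group(1).split(".")), int(m.group(2) or 0)


def check_shadow(vdb_root="/var/db/pkg"):
    """Return [(version, pam_enabled, status)] for installed sys-apps/shadow."""
    results = []
    for pkgdir in sorted(Path(vdb_root, "sys-apps").glob("shadow-[0-9]*")):
        version = pkgdir.name[len("shadow-"):]
        use_file = pkgdir / "USE"  # enabled USE flags, whitespace separated
        use = use_file.read_text().split() if use_file.is_file() else []
        pam = "pam" in use
        if parse_version(version) >= parse_version(FIXED):
            status = "patched"
        elif pam:
            status = "vulnerable"  # older than the fix and su built with PAM
        else:
            status = "outdated-no-pam"  # the report's PAM condition is not met
        results.append((version, pam, status))
    return results


if __name__ == "__main__":
    for version, pam, status in check_shadow():
        print(f"sys-apps/shadow-{version} pam={pam} -> {status}")
```

An empty result means no sys-apps/shadow entry was found under the given VDB root.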
Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2017-02-24 12:46:38 UTC
commit 8df93785b284c765f254f65922fb699e151d0f6e
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Fri Feb 24 13:42:44 2017

    sys-apps/shadow: Security revbump to fix CVE-2017-2616 (bug #610804).

    Package-Manager: Portage-2.3.3, Repoman-2.3.1



Arches please test and mark stable =sys-apps/shadow-4.4-r2 with target KEYWORDS:

alpha amd64 arm ~arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86
Comment 2 Agostino Sarubbo gentoo-dev 2017-02-24 13:35:41 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2017-02-24 13:38:54 UTC
x86 stable
Comment 4 Agostino Sarubbo gentoo-dev 2017-02-24 13:52:18 UTC
ppc64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2017-02-24 14:10:22 UTC
ppc stable
Comment 6 Agostino Sarubbo gentoo-dev 2017-02-25 10:06:27 UTC
sparc stable
Comment 7 Tobias Klausmann (RETIRED) gentoo-dev 2017-02-28 11:23:39 UTC
Stable on alpha.
Comment 8 Markus Meier gentoo-dev 2017-02-28 17:33:10 UTC
arm stable
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2017-03-05 01:07:44 UTC
Stable for HPPA.

commit 2c4b242d41c2414cb02d6825d5811f57acf2d640
Author: Mike Frysinger <vapier@gentoo.org>
Date:   Wed Mar 1 15:27:11 2017 -0700

    sys-apps/shadow: mark arm64/ia64/m68k/s390/sh stable
Comment 10 Yury German Gentoo Infrastructure gentoo-dev 2017-03-07 23:10:52 UTC
Arches, Thank you for your work.
New GLSA Request filed.

Maintainer(s), please drop the vulnerable version(s).
Comment 11 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2017-03-13 12:38:56 UTC
commit 4d5d0eac6f3ae936d0bdcd291ef01a39bfb8fd03
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Mon Mar 13 13:36:50 2017

    sys-apps/shadow: Security cleanup (bug #610804).

    Package-Manager: Portage-2.3.4, Repoman-2.3.2
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2017-06-06 06:37:27 UTC
This issue was resolved and addressed in GLSA 201706-02 at https://security.gentoo.org/glsa/201706-02 by GLSA coordinator Yury German (BlueKnight).