Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 610804

Summary: <sys-apps/shadow-4.4-r2: su: user can send SIGKILL with root privileges to other processes (CVE-2017-2616)
Product: Gentoo Security Reporter: Thomas Deutschmann (RETIRED) <whissi>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: normal CC: base-system, pam-bugs+disabled
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A3 [glsa cve]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 610802    

Description Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-24 12:27:22 UTC
If su is compiled with PAM support, it is possible for any local user to send SIGKILL to other processes with root privileges. There are only two conditions. First, the user must be able to perform su with a successful login. This does NOT have to be the root user, even using su with the same id is enough, e.g. "su $(whoami)". Second, SIGKILL can only be sent to processes which were executed after the su process. It is not possible to send SIGKILL to processes which were already running. I consider this as a security vulnerability, because I was able to write a proof of concept which unlocked a screen saver of another user this way.

Upstream patch:
Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2017-02-24 12:46:38 UTC
commit 8df93785b284c765f254f65922fb699e151d0f6e
Author: Lars Wendler <>
Date:   Fri Feb 24 13:42:44 2017

    sys-apps/shadow: Security revbump to fix CVE-2017-2616 (bug #610804).

    Package-Manager: Portage-2.3.3, Repoman-2.3.1

Arches please test and mar stable =sys-apps/shadow-4.4-r2 with target KEYWORDS:

alpha amd64 arm ~arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86
Comment 2 Agostino Sarubbo gentoo-dev 2017-02-24 13:35:41 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2017-02-24 13:38:54 UTC
x86 stable
Comment 4 Agostino Sarubbo gentoo-dev 2017-02-24 13:52:18 UTC
ppc64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2017-02-24 14:10:22 UTC
ppc stable
Comment 6 Agostino Sarubbo gentoo-dev 2017-02-25 10:06:27 UTC
sparc stable
Comment 7 Tobias Klausmann (RETIRED) gentoo-dev 2017-02-28 11:23:39 UTC
Stable on alpha.
Comment 8 Markus Meier gentoo-dev 2017-02-28 17:33:10 UTC
arm stable
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2017-03-05 01:07:44 UTC
Stable for HPPA.

commit 2c4b242d41c2414cb02d6825d5811f57acf2d640
Author: Mike Frysinger <>
Date:   Wed Mar 1 15:27:11 2017 -0700

    sys-apps/shadow: mark arm64/ia64/m68k/s390/sh stable
Comment 10 Yury German Gentoo Infrastructure gentoo-dev 2017-03-07 23:10:52 UTC
Arches, Thank you for your work.
New GLSA Request filed.

Maintainer(s), please drop the vulnerable version(s).
Comment 11 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2017-03-13 12:38:56 UTC
commit 4d5d0eac6f3ae936d0bdcd291ef01a39bfb8fd03
Author: Lars Wendler <>
Date:   Mon Mar 13 13:36:50 2017

    sys-apps/shadow: Security cleanup (bug #610804).

    Package-Manager: Portage-2.3.4, Repoman-2.3.2
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2017-06-06 06:37:27 UTC
This issue was resolved and addressed in
 GLSA 201706-02 at
by GLSA coordinator Yury German (BlueKnight).