See: https://www.kernel.org/pub/linux/utils/util-linux/v2.29/v2.29.2-ReleaseNotes It is possible for any local user to send SIGKILL to other processes with root privileges. To exploit this, the user must be able to perform su with a successful login. SIGKILL can only be sent to processes which were executed after the su process. It is not possible to send SIGKILL to processes which were already running. 2.29.2 fixes this.
# qfile -Cv $(which su) sys-apps/shadow-4.4-r1 (/bin/su) We are not using su from util-linux. So I doubt we are affected by this...
Thanks, wasn't aware of that. I'll ask on oss-security if anyone's aware whether the issue also affects the shadow version of su, but I doubt it, their code doesn't look similar.
yes, upstream contacted me before the release and i pointed out we've never used su from util-linux (or coreutils), and have never made it an option.
shadow's su is also affected: https://github.com/shadow-maint/shadow/commit/08fd4b69e84364677a10e519ccb25b71710ee686 (appart from that on oss-security several people pointed out that debian is discussing moving from shadow's su to util-linux's - so it might be that the ecosystem wants to move to a single su implementation and gentoo might want to follow, but that's probably a separate discussion.)
Let's keep this bug report for sys-apps/util-linux so we can keep track that our util-linux package wasn't affected. I am going to create a tracker bug for CVE-2017-2616.
Closing this as invalid because Gentoo never used su from sys-apps/util-linux (see comment #3).
