If su is compiled with PAM support, it is possible for any local user to send SIGKILL to other processes with root privileges. There are only two conditions. First, the user must be able to perform su with a successful login. This does NOT have to be the root user, even using su with the same id is enough, e.g. "su $(whoami)". Second, SIGKILL can only be sent to processes which were executed after the su process. It is not possible to send SIGKILL to processes which were already running. I consider this as a security vulnerability, because I was able to write a proof of concept which unlocked a screen saver of another user this way. Upstream patch: https://github.com/shadow-maint/shadow/commit/08fd4b69e84364677a10e519ccb25b71710ee686
commit 8df93785b284c765f254f65922fb699e151d0f6e Author: Lars Wendler <polynomial-c@gentoo.org> Date: Fri Feb 24 13:42:44 2017 sys-apps/shadow: Security revbump to fix CVE-2017-2616 (bug #610804). Package-Manager: Portage-2.3.3, Repoman-2.3.1 Arches please test and mar stable =sys-apps/shadow-4.4-r2 with target KEYWORDS: alpha amd64 arm ~arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86
amd64 stable
x86 stable
ppc64 stable
ppc stable
sparc stable
Stable on alpha.
arm stable
Stable for HPPA. commit 2c4b242d41c2414cb02d6825d5811f57acf2d640 Author: Mike Frysinger <vapier@gentoo.org> Date: Wed Mar 1 15:27:11 2017 -0700 sys-apps/shadow: mark arm64/ia64/m68k/s390/sh stable
Arches, Thank you for your work. New GLSA Request filed. Maintainer(s), please drop the vulnerable version(s).
commit 4d5d0eac6f3ae936d0bdcd291ef01a39bfb8fd03 Author: Lars Wendler <polynomial-c@gentoo.org> Date: Mon Mar 13 13:36:50 2017 sys-apps/shadow: Security cleanup (bug #610804). Package-Manager: Portage-2.3.4, Repoman-2.3.2
This issue was resolved and addressed in GLSA 201706-02 at https://security.gentoo.org/glsa/201706-02 by GLSA coordinator Yury German (BlueKnight).