Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 610804 - <sys-apps/shadow-4.4-r2: su: user can send SIGKILL with root privileges to other processes (CVE-2017-2616)
Summary: <sys-apps/shadow-4.4-r2: su: user can send SIGKILL with root privileges to ot...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa cve]
Keywords:
Depends on:
Blocks: CVE-2017-2616
  Show dependency tree
 
Reported: 2017-02-24 12:27 UTC by Thomas Deutschmann (RETIRED)
Modified: 2017-06-06 06:37 UTC (History)
2 users (show)

See Also:
Package list:
=sys-apps/shadow-4.4-r2
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-24 12:27:22 UTC
If su is compiled with PAM support, it is possible for any local user to send SIGKILL to other processes with root privileges. There are only two conditions. First, the user must be able to perform su with a successful login. This does NOT have to be the root user, even using su with the same id is enough, e.g. "su $(whoami)". Second, SIGKILL can only be sent to processes which were executed after the su process. It is not possible to send SIGKILL to processes which were already running. I consider this as a security vulnerability, because I was able to write a proof of concept which unlocked a screen saver of another user this way.

Upstream patch:

https://github.com/shadow-maint/shadow/commit/08fd4b69e84364677a10e519ccb25b71710ee686
Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2017-02-24 12:46:38 UTC
commit 8df93785b284c765f254f65922fb699e151d0f6e
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Fri Feb 24 13:42:44 2017

    sys-apps/shadow: Security revbump to fix CVE-2017-2616 (bug #610804).

    Package-Manager: Portage-2.3.3, Repoman-2.3.1



Arches please test and mar stable =sys-apps/shadow-4.4-r2 with target KEYWORDS:

alpha amd64 arm ~arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86
Comment 2 Agostino Sarubbo gentoo-dev 2017-02-24 13:35:41 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2017-02-24 13:38:54 UTC
x86 stable
Comment 4 Agostino Sarubbo gentoo-dev 2017-02-24 13:52:18 UTC
ppc64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2017-02-24 14:10:22 UTC
ppc stable
Comment 6 Agostino Sarubbo gentoo-dev 2017-02-25 10:06:27 UTC
sparc stable
Comment 7 Tobias Klausmann (RETIRED) gentoo-dev 2017-02-28 11:23:39 UTC
Stable on alpha.
Comment 8 Markus Meier gentoo-dev 2017-02-28 17:33:10 UTC
arm stable
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2017-03-05 01:07:44 UTC
Stable for HPPA.

commit 2c4b242d41c2414cb02d6825d5811f57acf2d640
Author: Mike Frysinger <vapier@gentoo.org>
Date:   Wed Mar 1 15:27:11 2017 -0700

    sys-apps/shadow: mark arm64/ia64/m68k/s390/sh stable
Comment 10 Yury German Gentoo Infrastructure gentoo-dev 2017-03-07 23:10:52 UTC
Arches, Thank you for your work.
New GLSA Request filed.

Maintainer(s), please drop the vulnerable version(s).
Comment 11 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2017-03-13 12:38:56 UTC
commit 4d5d0eac6f3ae936d0bdcd291ef01a39bfb8fd03
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Mon Mar 13 13:36:50 2017

    sys-apps/shadow: Security cleanup (bug #610804).

    Package-Manager: Portage-2.3.4, Repoman-2.3.2
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2017-06-06 06:37:27 UTC
This issue was resolved and addressed in
 GLSA 201706-02 at https://security.gentoo.org/glsa/201706-02
by GLSA coordinator Yury German (BlueKnight).