gnu: shadow: Update to 4.5.

This fixes a regression introduced by the fix for CVE-2017-2616.
See <https://github.com/shadow-maint/shadow/pull/72> for more information.

* gnu/packages/admin.scm (shadow): Update to 4.5.
[source]: Remove patches.
* gnu/packages/patches/shadow-4.4-su-snprintf-fix.patch,
gnu/packages/patches/shadow-CVE-2017-2616.patch: Delete files.
* gnu/local.mk (dist_patch_DATA): Remove them.
This commit is contained in:
Leo Famulari 2017-05-17 19:20:11 -04:00
parent 6aa095f10c
commit b193fb2851
No known key found for this signature in database
GPG Key ID: 2646FA30BACA7F08
4 changed files with 2 additions and 109 deletions

View File

@ -967,8 +967,6 @@ dist_patch_DATA = \
%D%/packages/patches/screen-fix-info-syntax-error.patch \ %D%/packages/patches/screen-fix-info-syntax-error.patch \
%D%/packages/patches/sdl-libx11-1.6.patch \ %D%/packages/patches/sdl-libx11-1.6.patch \
%D%/packages/patches/seq24-rename-mutex.patch \ %D%/packages/patches/seq24-rename-mutex.patch \
%D%/packages/patches/shadow-4.4-su-snprintf-fix.patch \
%D%/packages/patches/shadow-CVE-2017-2616.patch \
%D%/packages/patches/slim-session.patch \ %D%/packages/patches/slim-session.patch \
%D%/packages/patches/slim-config.patch \ %D%/packages/patches/slim-config.patch \
%D%/packages/patches/slim-sigusr1.patch \ %D%/packages/patches/slim-sigusr1.patch \

View File

@ -281,17 +281,15 @@ client and server, a telnet client and server, and an rsh client and server.")
(define-public shadow (define-public shadow
(package (package
(name "shadow") (name "shadow")
(version "4.4") (version "4.5")
(source (origin (source (origin
(method url-fetch) (method url-fetch)
(uri (string-append (uri (string-append
"https://github.com/shadow-maint/shadow/releases/" "https://github.com/shadow-maint/shadow/releases/"
"download/" version "/shadow-" version ".tar.xz")) "download/" version "/shadow-" version ".tar.xz"))
(patches (search-patches "shadow-4.4-su-snprintf-fix.patch"
"shadow-CVE-2017-2616.patch"))
(sha256 (sha256
(base32 (base32
"0g7hf55ar2pafg5g3ldx0fwzjk36wf4xb21p4ndanbjm3c2a9ab1")))) "0hdpai78n63l3v3fgr3kkiqzhd0awrpfnnzz4mf7lmxdh61qb37w"))))
(build-system gnu-build-system) (build-system gnu-build-system)
(arguments (arguments
'(;; Assume System V `setpgrp (void)', which is the default on GNU '(;; Assume System V `setpgrp (void)', which is the default on GNU

View File

@ -1,31 +0,0 @@
Patch copied from upstream source repository:
https://github.com/shadow-maint/shadow/commit/67d2bb6e0a5ac124ce1f026dd5723217b1493194
From 67d2bb6e0a5ac124ce1f026dd5723217b1493194 Mon Sep 17 00:00:00 2001
From: Serge Hallyn <serge@hallyn.com>
Date: Sun, 18 Sep 2016 21:31:18 -0500
Subject: [PATCH] su.c: fix missing length argument to snprintf
---
src/su.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/su.c b/src/su.c
index 0c50a9456afd..93ffd2fbe2b4 100644
--- a/src/su.c
+++ b/src/su.c
@@ -373,8 +373,8 @@ static void prepare_pam_close_session (void)
stderr);
(void) kill (-pid_child, caught);
- snprintf (kill_msg, _(" ...killed.\n"));
- snprintf (wait_msg, _(" ...waiting for child to terminate.\n"));
+ snprintf (kill_msg, 256, _(" ...killed.\n"));
+ snprintf (wait_msg, 256, _(" ...waiting for child to terminate.\n"));
(void) signal (SIGALRM, kill_child);
(void) alarm (2);
--
2.11.0.rc2

View File

@ -1,72 +0,0 @@
Fix CVE-2017-2616:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2616
http://seclists.org/oss-sec/2017/q1/490
http://seclists.org/oss-sec/2017/q1/474
Patch copied from upstream source repository:
https://github.com/shadow-maint/shadow/commit/08fd4b69e84364677a10e519ccb25b71710ee686
From 08fd4b69e84364677a10e519ccb25b71710ee686 Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann <tobias@stoeckmann.org>
Date: Thu, 23 Feb 2017 09:47:29 -0600
Subject: [PATCH] su: properly clear child PID
If su is compiled with PAM support, it is possible for any local user
to send SIGKILL to other processes with root privileges. There are
only two conditions. First, the user must be able to perform su with
a successful login. This does NOT have to be the root user, even using
su with the same id is enough, e.g. "su $(whoami)". Second, SIGKILL
can only be sent to processes which were executed after the su process.
It is not possible to send SIGKILL to processes which were already
running. I consider this as a security vulnerability, because I was
able to write a proof of concept which unlocked a screen saver of
another user this way.
---
src/su.c | 19 +++++++++++++++++--
1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/src/su.c b/src/su.c
index f20d230..d86aa86 100644
--- a/src/su.c
+++ b/src/su.c
@@ -379,11 +379,13 @@ static void prepare_pam_close_session (void)
/* wake child when resumed */
kill (pid, SIGCONT);
stop = false;
+ } else {
+ pid_child = 0;
}
} while (!stop);
}
- if (0 != caught) {
+ if (0 != caught && 0 != pid_child) {
(void) fputs ("\n", stderr);
(void) fputs (_("Session terminated, terminating shell..."),
stderr);
@@ -393,9 +395,22 @@ static void prepare_pam_close_session (void)
snprintf (wait_msg, sizeof wait_msg, _(" ...waiting for child to terminate.\n"));
(void) signal (SIGALRM, kill_child);
+ (void) signal (SIGCHLD, catch_signals);
(void) alarm (2);
- (void) wait (&status);
+ sigemptyset (&ourset);
+ if ((sigaddset (&ourset, SIGALRM) != 0)
+ || (sigprocmask (SIG_BLOCK, &ourset, NULL) != 0)) {
+ fprintf (stderr, _("%s: signal masking malfunction\n"), Prog);
+ kill_child (0);
+ } else {
+ while (0 == waitpid (pid_child, &status, WNOHANG)) {
+ sigsuspend (&ourset);
+ }
+ pid_child = 0;
+ (void) sigprocmask (SIG_UNBLOCK, &ourset, NULL);
+ }
+
(void) fputs (_(" ...terminated.\n"), stderr);
}