From b193fb2851eaa64e20cc4c01f7298c0a8a076a8c Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Wed, 17 May 2017 19:20:11 -0400 Subject: gnu: shadow: Update to 4.5. This fixes a regression introduced by the fix for CVE-2017-2616. See for more information. * gnu/packages/admin.scm (shadow): Update to 4.5. [source]: Remove patches. * gnu/packages/patches/shadow-4.4-su-snprintf-fix.patch, gnu/packages/patches/shadow-CVE-2017-2616.patch: Delete files. * gnu/local.mk (dist_patch_DATA): Remove them. --- gnu/packages/admin.scm | 6 +- .../patches/shadow-4.4-su-snprintf-fix.patch | 31 ---------- gnu/packages/patches/shadow-CVE-2017-2616.patch | 72 ---------------------- 3 files changed, 2 insertions(+), 107 deletions(-) delete mode 100644 gnu/packages/patches/shadow-4.4-su-snprintf-fix.patch delete mode 100644 gnu/packages/patches/shadow-CVE-2017-2616.patch (limited to 'gnu/packages') diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm index 1610729c44..aa6ccc0a73 100644 --- a/gnu/packages/admin.scm +++ b/gnu/packages/admin.scm @@ -281,17 +281,15 @@ client and server, a telnet client and server, and an rsh client and server.") (define-public shadow (package (name "shadow") - (version "4.4") + (version "4.5") (source (origin (method url-fetch) (uri (string-append "https://github.com/shadow-maint/shadow/releases/" "download/" version "/shadow-" version ".tar.xz")) - (patches (search-patches "shadow-4.4-su-snprintf-fix.patch" - "shadow-CVE-2017-2616.patch")) (sha256 (base32 - "0g7hf55ar2pafg5g3ldx0fwzjk36wf4xb21p4ndanbjm3c2a9ab1")))) + "0hdpai78n63l3v3fgr3kkiqzhd0awrpfnnzz4mf7lmxdh61qb37w")))) (build-system gnu-build-system) (arguments '(;; Assume System V `setpgrp (void)', which is the default on GNU diff --git a/gnu/packages/patches/shadow-4.4-su-snprintf-fix.patch b/gnu/packages/patches/shadow-4.4-su-snprintf-fix.patch deleted file mode 100644 index 3f357c4924..0000000000 --- a/gnu/packages/patches/shadow-4.4-su-snprintf-fix.patch +++ /dev/null @@ -1,31 +0,0 @@ -Patch copied from upstream source repository: - -https://github.com/shadow-maint/shadow/commit/67d2bb6e0a5ac124ce1f026dd5723217b1493194 - -From 67d2bb6e0a5ac124ce1f026dd5723217b1493194 Mon Sep 17 00:00:00 2001 -From: Serge Hallyn -Date: Sun, 18 Sep 2016 21:31:18 -0500 -Subject: [PATCH] su.c: fix missing length argument to snprintf - ---- - src/su.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/su.c b/src/su.c -index 0c50a9456afd..93ffd2fbe2b4 100644 ---- a/src/su.c -+++ b/src/su.c -@@ -373,8 +373,8 @@ static void prepare_pam_close_session (void) - stderr); - (void) kill (-pid_child, caught); - -- snprintf (kill_msg, _(" ...killed.\n")); -- snprintf (wait_msg, _(" ...waiting for child to terminate.\n")); -+ snprintf (kill_msg, 256, _(" ...killed.\n")); -+ snprintf (wait_msg, 256, _(" ...waiting for child to terminate.\n")); - - (void) signal (SIGALRM, kill_child); - (void) alarm (2); --- -2.11.0.rc2 - diff --git a/gnu/packages/patches/shadow-CVE-2017-2616.patch b/gnu/packages/patches/shadow-CVE-2017-2616.patch deleted file mode 100644 index f88aac40bc..0000000000 --- a/gnu/packages/patches/shadow-CVE-2017-2616.patch +++ /dev/null @@ -1,72 +0,0 @@ -Fix CVE-2017-2616: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2616 -http://seclists.org/oss-sec/2017/q1/490 -http://seclists.org/oss-sec/2017/q1/474 - -Patch copied from upstream source repository: - -https://github.com/shadow-maint/shadow/commit/08fd4b69e84364677a10e519ccb25b71710ee686 - -From 08fd4b69e84364677a10e519ccb25b71710ee686 Mon Sep 17 00:00:00 2001 -From: Tobias Stoeckmann -Date: Thu, 23 Feb 2017 09:47:29 -0600 -Subject: [PATCH] su: properly clear child PID - -If su is compiled with PAM support, it is possible for any local user -to send SIGKILL to other processes with root privileges. There are -only two conditions. First, the user must be able to perform su with -a successful login. This does NOT have to be the root user, even using -su with the same id is enough, e.g. "su $(whoami)". Second, SIGKILL -can only be sent to processes which were executed after the su process. -It is not possible to send SIGKILL to processes which were already -running. I consider this as a security vulnerability, because I was -able to write a proof of concept which unlocked a screen saver of -another user this way. ---- - src/su.c | 19 +++++++++++++++++-- - 1 file changed, 17 insertions(+), 2 deletions(-) - -diff --git a/src/su.c b/src/su.c -index f20d230..d86aa86 100644 ---- a/src/su.c -+++ b/src/su.c -@@ -379,11 +379,13 @@ static void prepare_pam_close_session (void) - /* wake child when resumed */ - kill (pid, SIGCONT); - stop = false; -+ } else { -+ pid_child = 0; - } - } while (!stop); - } - -- if (0 != caught) { -+ if (0 != caught && 0 != pid_child) { - (void) fputs ("\n", stderr); - (void) fputs (_("Session terminated, terminating shell..."), - stderr); -@@ -393,9 +395,22 @@ static void prepare_pam_close_session (void) - snprintf (wait_msg, sizeof wait_msg, _(" ...waiting for child to terminate.\n")); - - (void) signal (SIGALRM, kill_child); -+ (void) signal (SIGCHLD, catch_signals); - (void) alarm (2); - -- (void) wait (&status); -+ sigemptyset (&ourset); -+ if ((sigaddset (&ourset, SIGALRM) != 0) -+ || (sigprocmask (SIG_BLOCK, &ourset, NULL) != 0)) { -+ fprintf (stderr, _("%s: signal masking malfunction\n"), Prog); -+ kill_child (0); -+ } else { -+ while (0 == waitpid (pid_child, &status, WNOHANG)) { -+ sigsuspend (&ourset); -+ } -+ pid_child = 0; -+ (void) sigprocmask (SIG_UNBLOCK, &ourset, NULL); -+ } -+ - (void) fputs (_(" ...terminated.\n"), stderr); - } - -- cgit v1.2.3