gnu: shadow: Update to 4.5.
This fixes a regression introduced by the fix for CVE-2017-2616. See <https://github.com/shadow-maint/shadow/pull/72> for more information. * gnu/packages/admin.scm (shadow): Update to 4.5. [source]: Remove patches. * gnu/packages/patches/shadow-4.4-su-snprintf-fix.patch, gnu/packages/patches/shadow-CVE-2017-2616.patch: Delete files. * gnu/local.mk (dist_patch_DATA): Remove them.master
parent
6aa095f10c
commit
b193fb2851
|
@ -967,8 +967,6 @@ dist_patch_DATA = \
|
||||||
%D%/packages/patches/screen-fix-info-syntax-error.patch \
|
%D%/packages/patches/screen-fix-info-syntax-error.patch \
|
||||||
%D%/packages/patches/sdl-libx11-1.6.patch \
|
%D%/packages/patches/sdl-libx11-1.6.patch \
|
||||||
%D%/packages/patches/seq24-rename-mutex.patch \
|
%D%/packages/patches/seq24-rename-mutex.patch \
|
||||||
%D%/packages/patches/shadow-4.4-su-snprintf-fix.patch \
|
|
||||||
%D%/packages/patches/shadow-CVE-2017-2616.patch \
|
|
||||||
%D%/packages/patches/slim-session.patch \
|
%D%/packages/patches/slim-session.patch \
|
||||||
%D%/packages/patches/slim-config.patch \
|
%D%/packages/patches/slim-config.patch \
|
||||||
%D%/packages/patches/slim-sigusr1.patch \
|
%D%/packages/patches/slim-sigusr1.patch \
|
||||||
|
|
|
@ -281,17 +281,15 @@ client and server, a telnet client and server, and an rsh client and server.")
|
||||||
(define-public shadow
|
(define-public shadow
|
||||||
(package
|
(package
|
||||||
(name "shadow")
|
(name "shadow")
|
||||||
(version "4.4")
|
(version "4.5")
|
||||||
(source (origin
|
(source (origin
|
||||||
(method url-fetch)
|
(method url-fetch)
|
||||||
(uri (string-append
|
(uri (string-append
|
||||||
"https://github.com/shadow-maint/shadow/releases/"
|
"https://github.com/shadow-maint/shadow/releases/"
|
||||||
"download/" version "/shadow-" version ".tar.xz"))
|
"download/" version "/shadow-" version ".tar.xz"))
|
||||||
(patches (search-patches "shadow-4.4-su-snprintf-fix.patch"
|
|
||||||
"shadow-CVE-2017-2616.patch"))
|
|
||||||
(sha256
|
(sha256
|
||||||
(base32
|
(base32
|
||||||
"0g7hf55ar2pafg5g3ldx0fwzjk36wf4xb21p4ndanbjm3c2a9ab1"))))
|
"0hdpai78n63l3v3fgr3kkiqzhd0awrpfnnzz4mf7lmxdh61qb37w"))))
|
||||||
(build-system gnu-build-system)
|
(build-system gnu-build-system)
|
||||||
(arguments
|
(arguments
|
||||||
'(;; Assume System V `setpgrp (void)', which is the default on GNU
|
'(;; Assume System V `setpgrp (void)', which is the default on GNU
|
||||||
|
|
|
@ -1,31 +0,0 @@
|
||||||
Patch copied from upstream source repository:
|
|
||||||
|
|
||||||
https://github.com/shadow-maint/shadow/commit/67d2bb6e0a5ac124ce1f026dd5723217b1493194
|
|
||||||
|
|
||||||
From 67d2bb6e0a5ac124ce1f026dd5723217b1493194 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Serge Hallyn <serge@hallyn.com>
|
|
||||||
Date: Sun, 18 Sep 2016 21:31:18 -0500
|
|
||||||
Subject: [PATCH] su.c: fix missing length argument to snprintf
|
|
||||||
|
|
||||||
---
|
|
||||||
src/su.c | 4 ++--
|
|
||||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/su.c b/src/su.c
|
|
||||||
index 0c50a9456afd..93ffd2fbe2b4 100644
|
|
||||||
--- a/src/su.c
|
|
||||||
+++ b/src/su.c
|
|
||||||
@@ -373,8 +373,8 @@ static void prepare_pam_close_session (void)
|
|
||||||
stderr);
|
|
||||||
(void) kill (-pid_child, caught);
|
|
||||||
|
|
||||||
- snprintf (kill_msg, _(" ...killed.\n"));
|
|
||||||
- snprintf (wait_msg, _(" ...waiting for child to terminate.\n"));
|
|
||||||
+ snprintf (kill_msg, 256, _(" ...killed.\n"));
|
|
||||||
+ snprintf (wait_msg, 256, _(" ...waiting for child to terminate.\n"));
|
|
||||||
|
|
||||||
(void) signal (SIGALRM, kill_child);
|
|
||||||
(void) alarm (2);
|
|
||||||
--
|
|
||||||
2.11.0.rc2
|
|
||||||
|
|
|
@ -1,72 +0,0 @@
|
||||||
Fix CVE-2017-2616:
|
|
||||||
|
|
||||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2616
|
|
||||||
http://seclists.org/oss-sec/2017/q1/490
|
|
||||||
http://seclists.org/oss-sec/2017/q1/474
|
|
||||||
|
|
||||||
Patch copied from upstream source repository:
|
|
||||||
|
|
||||||
https://github.com/shadow-maint/shadow/commit/08fd4b69e84364677a10e519ccb25b71710ee686
|
|
||||||
|
|
||||||
From 08fd4b69e84364677a10e519ccb25b71710ee686 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Tobias Stoeckmann <tobias@stoeckmann.org>
|
|
||||||
Date: Thu, 23 Feb 2017 09:47:29 -0600
|
|
||||||
Subject: [PATCH] su: properly clear child PID
|
|
||||||
|
|
||||||
If su is compiled with PAM support, it is possible for any local user
|
|
||||||
to send SIGKILL to other processes with root privileges. There are
|
|
||||||
only two conditions. First, the user must be able to perform su with
|
|
||||||
a successful login. This does NOT have to be the root user, even using
|
|
||||||
su with the same id is enough, e.g. "su $(whoami)". Second, SIGKILL
|
|
||||||
can only be sent to processes which were executed after the su process.
|
|
||||||
It is not possible to send SIGKILL to processes which were already
|
|
||||||
running. I consider this as a security vulnerability, because I was
|
|
||||||
able to write a proof of concept which unlocked a screen saver of
|
|
||||||
another user this way.
|
|
||||||
---
|
|
||||||
src/su.c | 19 +++++++++++++++++--
|
|
||||||
1 file changed, 17 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/su.c b/src/su.c
|
|
||||||
index f20d230..d86aa86 100644
|
|
||||||
--- a/src/su.c
|
|
||||||
+++ b/src/su.c
|
|
||||||
@@ -379,11 +379,13 @@ static void prepare_pam_close_session (void)
|
|
||||||
/* wake child when resumed */
|
|
||||||
kill (pid, SIGCONT);
|
|
||||||
stop = false;
|
|
||||||
+ } else {
|
|
||||||
+ pid_child = 0;
|
|
||||||
}
|
|
||||||
} while (!stop);
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (0 != caught) {
|
|
||||||
+ if (0 != caught && 0 != pid_child) {
|
|
||||||
(void) fputs ("\n", stderr);
|
|
||||||
(void) fputs (_("Session terminated, terminating shell..."),
|
|
||||||
stderr);
|
|
||||||
@@ -393,9 +395,22 @@ static void prepare_pam_close_session (void)
|
|
||||||
snprintf (wait_msg, sizeof wait_msg, _(" ...waiting for child to terminate.\n"));
|
|
||||||
|
|
||||||
(void) signal (SIGALRM, kill_child);
|
|
||||||
+ (void) signal (SIGCHLD, catch_signals);
|
|
||||||
(void) alarm (2);
|
|
||||||
|
|
||||||
- (void) wait (&status);
|
|
||||||
+ sigemptyset (&ourset);
|
|
||||||
+ if ((sigaddset (&ourset, SIGALRM) != 0)
|
|
||||||
+ || (sigprocmask (SIG_BLOCK, &ourset, NULL) != 0)) {
|
|
||||||
+ fprintf (stderr, _("%s: signal masking malfunction\n"), Prog);
|
|
||||||
+ kill_child (0);
|
|
||||||
+ } else {
|
|
||||||
+ while (0 == waitpid (pid_child, &status, WNOHANG)) {
|
|
||||||
+ sigsuspend (&ourset);
|
|
||||||
+ }
|
|
||||||
+ pid_child = 0;
|
|
||||||
+ (void) sigprocmask (SIG_UNBLOCK, &ourset, NULL);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
(void) fputs (_(" ...terminated.\n"), stderr);
|
|
||||||
}
|
|
||||||
|
|
Reference in New Issue