* CVE-2017-2616 in `su`
@ 2017-02-23 21:04 Leo Famulari
2017-02-24 3:03 ` Maxim Cournoyer
0 siblings, 1 reply; 2+ messages in thread
From: Leo Famulari @ 2017-02-23 21:04 UTC (permalink / raw)
To: guix-devel
[-- Attachment #1: Type: text/plain, Size: 790 bytes --]
In commit 1c851cbe0c562894bd38c0f9f39d12be306b3e59 I added a patch
to the shadow package that fixes CVE-2017-2616 in `su`.
This bug makes it possible for any local user to send SIGKILL to other
processes with root privileges. For example, you could use this bug to
make another user's screen locker exit.
It is recommended to update your GuixSD systems, since shadow provides
`su` on GuixSD.
More information:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2616
http://seclists.org/oss-sec/2017/q1/490
http://seclists.org/oss-sec/2017/q1/474
https://github.com/shadow-maint/shadow/commit/08fd4b69e84364677a10e519ccb25b71710ee686
I also fixed the bug in util-linux by grafting this patch:
https://github.com/karelzak/util-linux/commit/dffab154d29a288aa171ff50263ecc8f2e14a891
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: CVE-2017-2616 in `su`
2017-02-23 21:04 CVE-2017-2616 in `su` Leo Famulari
@ 2017-02-24 3:03 ` Maxim Cournoyer
0 siblings, 0 replies; 2+ messages in thread
From: Maxim Cournoyer @ 2017-02-24 3:03 UTC (permalink / raw)
To: Leo Famulari; +Cc: guix-devel
[-- Attachment #1: Type: text/plain, Size: 927 bytes --]
Thanks, Leo!
Maxim
On Thu, Feb 23, 2017 at 1:04 PM, Leo Famulari <leo@famulari.name> wrote:
> In commit 1c851cbe0c562894bd38c0f9f39d12be306b3e59 I added a patch
> to the shadow package that fixes CVE-2017-2616 in `su`.
>
> This bug makes it possible for any local user to send SIGKILL to other
> processes with root privileges. For example, you could use this bug to
> make another user's screen locker exit.
>
> It is recommended to update your GuixSD systems, since shadow provides
> `su` on GuixSD.
>
> More information:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2616
> http://seclists.org/oss-sec/2017/q1/490
> http://seclists.org/oss-sec/2017/q1/474
> https://github.com/shadow-maint/shadow/commit/
> 08fd4b69e84364677a10e519ccb25b71710ee686
>
> I also fixed the bug in util-linux by grafting this patch:
>
> https://github.com/karelzak/util-linux/commit/
> dffab154d29a288aa171ff50263ecc8f2e14a891
>
[-- Attachment #2: Type: text/html, Size: 1902 bytes --]
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2017-02-24 3:04 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-02-23 21:04 CVE-2017-2616 in `su` Leo Famulari
2017-02-24 3:03 ` Maxim Cournoyer
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).