From mboxrd@z Thu Jan  1 00:00:00 1970
From: Leo Famulari <leo@famulari.name>
Subject: CVE-2017-2616 in `su`
Date: Thu, 23 Feb 2017 16:04:10 -0500
Message-ID: <20170223210410.GA24019@jasmine>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature"; boundary="d6Gm4EdcadzBjdND"
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:55905)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <leo@famulari.name>) id 1ch0Yj-0001KM-U9
	for guix-devel@gnu.org; Thu, 23 Feb 2017 16:04:18 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <leo@famulari.name>) id 1ch0Yg-0003G0-PU
	for guix-devel@gnu.org; Thu, 23 Feb 2017 16:04:17 -0500
Received: from out4-smtp.messagingengine.com ([66.111.4.28]:56898)
	by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
	(Exim 4.71) (envelope-from <leo@famulari.name>) id 1ch0Yg-0003Fp-LD
	for guix-devel@gnu.org; Thu, 23 Feb 2017 16:04:14 -0500
Received: from localhost (c-73-188-17-148.hsd1.pa.comcast.net [73.188.17.148])
	by mail.messagingengine.com (Postfix) with ESMTPA id 7E6947E12B
	for <guix-devel@gnu.org>; Thu, 23 Feb 2017 16:04:12 -0500 (EST)
Content-Disposition: inline
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: guix-devel@gnu.org


--d6Gm4EdcadzBjdND
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

In commit 1c851cbe0c562894bd38c0f9f39d12be306b3e59 I added a patch
to the shadow package that fixes CVE-2017-2616 in `su`.

This bug makes it possible for any local user to send SIGKILL to other
processes with root privileges. For example, you could use this bug to
make another user's screen locker exit.

It is recommended to update your GuixSD systems, since shadow provides
`su` on GuixSD.

More information:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2616
http://seclists.org/oss-sec/2017/q1/490
http://seclists.org/oss-sec/2017/q1/474
https://github.com/shadow-maint/shadow/commit/08fd4b69e84364677a10e519ccb25b71710ee686

I also fixed the bug in util-linux by grafting this patch:

https://github.com/karelzak/util-linux/commit/dffab154d29a288aa171ff50263ecc8f2e14a891

--d6Gm4EdcadzBjdND
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlivTkoACgkQJkb6MLrK
fwjc7BAAt4MY76nNMDJrgiQnm9OEvuTpQTrmZkgZZ1TEjbpGD7sFoF5j/fZym5vU
pUnbCuxcAeGg+OMJbieF8ZNrXiW4IaEUHQFD/MUFSkRFcTRXFw1C1HAjl21dt79U
8vjUNpVf/MVUOQb4hUhMd+yRV60JY6A/fKrpRATgiuNgfKj1UnKQPG9kDlxZt99f
KuItJBatG1+7F2VcCPfBVABguYSxnip7Sre1WJzG7cJeGX/p0iQr5Rh3An6PRKPT
tlRFesfi3YlTXU33OoVPFIU5qYTJWYvgRkeBlhRfZNCv1zCjk1hfFHXdzxswpDb8
FjEqVEh8FnWyUmQWu1R3p3bCXksVvPqAXGEP7IEzzWiBkABksJoc1zXhHnuybse8
c+BTT6rl7Yq7v+y3YAhYa1hpIj6yJ2LxwmcDrJFp9PgME65KjS0BlxRwwskIsiPj
Qss1EKlKFJPUN7tejYOmCeOJxJkjvzjbTVbgT4K59yfhA2Nv8MXhLFGaqigZ8PTZ
EItG+TWXlQBRn0Vdx7NNf0q7/CSP4K+DcdTnOALgQOAJ0swtYLe1ir5+tjgDrMz/
HsgbToh40sv/LvvR46jZaQwUD89HxE1dUcZmQb14lqlN9Zj5hLadiih4hft/DHh0
BAs58eSdAew3gNv4yJcqslC3DagOTVOWpqmjSZuG80TpRtD4Ojg=
=D2Ea
-----END PGP SIGNATURE-----

--d6Gm4EdcadzBjdND--