CVE-2017-2616 in `su`

guix-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

CVE-2017-2616 in `su`

From:	Leo Famulari
Subject:	CVE-2017-2616 in `su`
Date:	Thu, 23 Feb 2017 16:04:10 -0500
User-agent:	Mutt/1.7.2 (2016-11-26)

In commit 1c851cbe0c562894bd38c0f9f39d12be306b3e59 I added a patch
to the shadow package that fixes CVE-2017-2616 in `su`.

This bug makes it possible for any local user to send SIGKILL to other
processes with root privileges. For example, you could use this bug to
make another user's screen locker exit.

It is recommended to update your GuixSD systems, since shadow provides
`su` on GuixSD.

More information:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2616
http://seclists.org/oss-sec/2017/q1/490
http://seclists.org/oss-sec/2017/q1/474
https://github.com/shadow-maint/shadow/commit/08fd4b69e84364677a10e519ccb25b71710ee686

I also fixed the bug in util-linux by grafting this patch:

https://github.com/karelzak/util-linux/commit/dffab154d29a288aa171ff50263ecc8f2e14a891

signature.asc
Description: PGP signature

[Prev in Thread]

Current Thread

[Next in Thread]

CVE-2017-2616 in `su`, Leo Famulari <=
- Re: CVE-2017-2616 in `su`, Maxim Cournoyer, 2017/02/23

Prev by Date: Re: [PATCH] gnu: Add lmms
Next by Date: Re: [PATCH 0/1] improvements to the lightweight desktop example
Previous by thread: [PATCH] gnu: Add lmms
Next by thread: Re: CVE-2017-2616 in `su`
Index(es):
- Date
- Thread