oss-sec mailing list archives
util-linux 2.29.2 fixes CVE-2017-2616
From: Marcus Meissner <meissner () suse de>
Date: Thu, 23 Feb 2017 08:46:30 +0100
Hi, util-linux 2.29.2 fixes CVE-2017-2616, a race condition which allowed local users to kill other processes. https://www.kernel.org/pub/linux/utils/util-linux/v2.29/v2.29.2-ReleaseNotes " It is possible for any local user to send SIGKILL to other processes with root privileges. To exploit this, the user must be able to perform su with a successful login. SIGKILL can only be sent to processes which were executed after the su process. It is not possible to send SIGKILL to processes which were already running. " Root cause of the flaw that a regular exit of the child process and the su ctrl-c kill of the child PID could race and so you would be able to later started process with this specific PID. The fix is here: https://github.com/karelzak/util-linux/commit/dffab154d29a288aa171ff50263ecc8f2e14a891 Ciao, Marcus
Current thread:
- util-linux 2.29.2 fixes CVE-2017-2616 Marcus Meissner (Feb 22)
- Re: util-linux 2.29.2 fixes CVE-2017-2616 Hanno Böck (Feb 23)
- Re: util-linux 2.29.2 fixes CVE-2017-2616 Marcus Meissner (Feb 23)
- Re: util-linux 2.29.2 fixes CVE-2017-2616 Assaf Gordon (Feb 23)
- Re: util-linux 2.29.2 fixes CVE-2017-2616 Hanno Böck (Feb 23)
- Re: util-linux 2.29.2 fixes CVE-2017-2616 Bálint Réczey (Feb 23)
- Re: util-linux 2.29.2 fixes CVE-2017-2616 Emilio Pozuelo Monfort (Feb 23)
- Re: util-linux 2.29.2 fixes CVE-2017-2616 Serge E. Hallyn (Feb 23)
- Re: util-linux 2.29.2 fixes CVE-2017-2616 Leo Famulari (Feb 23)
- Re: util-linux 2.29.2 fixes CVE-2017-2616 Tobias Stöckmann (Feb 23)
- Re: util-linux 2.29.2 fixes CVE-2017-2616 Marcus Meissner (Feb 23)
- Re: util-linux 2.29.2 fixes CVE-2017-2616 Hanno Böck (Feb 23)