Date: Thu, 23 Feb 2017 08:46:30 +0100 From: Marcus Meissner <meissner@...e.de> To: OSS Security List <oss-security@...ts.openwall.com> Subject: util-linux 2.29.2 fixes CVE-2017-2616 Hi, util-linux 2.29.2 fixes CVE-2017-2616, a race condition which allowed local users to kill other processes. https://www.kernel.org/pub/linux/utils/util-linux/v2.29/v2.29.2-ReleaseNotes " It is possible for any local user to send SIGKILL to other processes with root privileges. To exploit this, the user must be able to perform su with a successful login. SIGKILL can only be sent to processes which were executed after the su process. It is not possible to send SIGKILL to processes which were already running. " Root cause of the flaw that a regular exit of the child process and the su ctrl-c kill of the child PID could race and so you would be able to later started process with this specific PID. The fix is here: https://github.com/karelzak/util-linux/commit/dffab154d29a288aa171ff50263ecc8f2e14a891 Ciao, Marcus
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ