Bug 20337 - util-linux new security issue CVE-2017-2616
Summary: util-linux new security issue CVE-2017-2616
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: advisory MGA5-64-OK MGA5-32-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-02-23 12:21 CET by David Walser
Modified: 2017-03-03 11:10 CET
CC: 5 users

See Also:
Source RPM: util-linux-2.25.2-3.4.mga5.src.rpm
CVE:
Status comment:


Description David Walser 2017-02-23 12:21:20 CET
A CVE has been announced for a security issue fixed in util-linux 2.29.2:
http://openwall.com/lists/oss-security/2017/02/23/2

Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated util-linux packages fix security vulnerability:

With the su command from util-linux before 2.29.2, it is possible for any local
user to send SIGKILL to other processes with root privileges.  To exploit this,
the user must be able to perform su with a successful login.  SIGKILL can only
be sent to processes which were executed after the su process.  It is not
possible to send SIGKILL to processes which were already running (CVE-2017-2616).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2616
http://openwall.com/lists/oss-security/2017/02/23/2
========================

Updated packages in core/updates_testing:
========================
util-linux-2.25.2-3.5.mga5
libblkid1-2.25.2-3.5.mga5
libblkid-devel-2.25.2-3.5.mga5
libuuid1-2.25.2-3.5.mga5
libuuid-devel-2.25.2-3.5.mga5
uuidd-2.25.2-3.5.mga5
python-libmount-2.25.2-3.5.mga5
libmount1-2.25.2-3.5.mga5
libmount-devel-2.25.2-3.5.mga5
libsmartcols1-2.25.2-3.5.mga5
libsmartcols-devel-2.25.2-3.5.mga5

from util-linux-2.25.2-3.5.mga5.src.rpm
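The advisory text above states the effect but not the mechanism, so here is an added example (not util-linux source, and not part of the Mageia package or this bug report): a stand-alone C model of the hazard. su saves the PID of the shell it spawns; in the affected versions its cleanup path still used that saved PID to deliver SIGTERM/SIGKILL after waitpid() had already reaped the child, so a process that had since been assigned the same PID number received the signal with root privileges. That is why only processes started after su could be hit, and why triggering it needs PID reuse plus a signal arriving in the right window (the race). The fix pattern is to invalidate the stored PID the moment the child is reaped and to check for that before any kill(). A kill issued from a shell that is already root, as in the test reports below, exercises ordinary root privilege rather than this code path, which is why its outcome does not change with the update. All names here (su_state, record_send, reap_child_unsafe, reap_child_fixed, forward_signal_unsafe, forward_signal_fixed, stale_signal_after_exit, last_recorded_target) are hypothetical, and a recording sender stands in for kill() so the demo never signals a real process.

```c
/* Added example: the stale-child-PID hazard behind CVE-2017-2616, modelled
 * in a small stand-alone program. This is NOT util-linux code; every name
 * below is hypothetical and exists only for this demonstration. */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Parent-side state: the PID of the session child su spawned, plus the
 * signal delivery routine (kill() in real life; a recorder here). */
struct su_state {
    pid_t child_pid;          /* PID of the child, or -1 once it has been reaped */
    int (*send)(pid_t, int);
};

/* Recording sender used instead of kill(): remembers the last target so the
 * test can see which PID would have been signalled. */
static pid_t last_target = 0;
static int   last_signal = 0;

static int record_send(pid_t pid, int sig)
{
    last_target = pid;
    last_signal = sig;
    return 0;                             /* "delivered" */
}

pid_t last_recorded_target(void) { return last_target; }
int   last_recorded_signal(void) { return last_signal; }

/* Vulnerable pattern: the saved PID is trusted even after the child exited.
 * A non-zero check does not help because the reaper never resets the field,
 * so a later kill() lands on whichever process now owns that PID number. */
int forward_signal_unsafe(struct su_state *st, int sig)
{
    if (st->child_pid)
        return st->send(st->child_pid, sig) == 0 ? 1 : 0;
    return 0;
}

void reap_child_unsafe(struct su_state *st, int *status)
{
    waitpid(st->child_pid, status, 0);
    /* child_pid deliberately left as-is: this is the stale value */
}

/* Hardened pattern: invalidate the PID as soon as the child is reaped, with
 * signals blocked across waitpid() and the reset so no handler can observe
 * the window between "child gone" and "field cleared". */
int forward_signal_fixed(struct su_state *st, int sig)
{
    if (st->child_pid != (pid_t)-1)
        return st->send(st->child_pid, sig) == 0 ? 1 : 0;
    return 0;
}

void reap_child_fixed(struct su_state *st, int *status)
{
    sigset_t block, saved;
    sigfillset(&block);
    sigprocmask(SIG_BLOCK, &block, &saved);
    waitpid(st->child_pid, status, 0);
    st->child_pid = (pid_t)-1;
    sigprocmask(SIG_SETMASK, &saved, NULL);
}

/* Spawns a short-lived child, standing in for the shell su would start. */
static pid_t spawn_child(void)
{
    pid_t pid = fork();
    if (pid == 0)
        _exit(0);
    return pid;                           /* -1 if fork() failed */
}

/* Runs one scenario. Returns 1 if a signal would still be forwarded after
 * the child was reaped (a stale PID was targeted), 0 if not, -1 on error. */
int stale_signal_after_exit(int use_fixed)
{
    struct su_state st = { .child_pid = spawn_child(), .send = record_send };
    int status = 0;

    if (st.child_pid < 0)
        return -1;
    last_target = 0;
    last_signal = 0;
    if (use_fixed) {
        reap_child_fixed(&st, &status);
        return forward_signal_fixed(&st, SIGKILL);
    }
    reap_child_unsafe(&st, &status);
    return forward_signal_unsafe(&st, SIGKILL);
}

int main(void)
{
    printf("unsafe: signal forwarded after child exit? %d (target pid %ld)\n",
           stale_signal_after_exit(0), (long)last_recorded_target());
    printf("fixed:  signal forwarded after child exit? %d\n",
           stale_signal_after_exit(1));
    return 0;
}
```

Build with any C99 compiler and run: the unsafe scenario reports 1 together with the PID of a child that no longer exists, i.e. a number the kernel is free to hand to an unrelated process; the fixed scenario reports 0. Blocking signals around waitpid() matters because in su the forwarding decision is driven by a signal handler, and a handler running between the reap and the reset would still see the old PID.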
Comment 1 Len Lawrence 2017-02-23 17:55:43 CET
x86_64 real hardware

Not sure how to interpret this.

1) Started MCC from a panel icon and checked the pids:
$ ps aux | grep drakconf
lcl      13716  0.0  0.1  80552 10876 ?        S    14:51   0:00 /usr/bin/perl /usr/bin/drakconf
root     13721  0.3  1.2 2792956 103684 ?      Sl   14:51   0:00 /usr/bin/perl /usr/libexec/drakconf
$ su
.....
$ strace kill -s SIGKILL 13721
This certainly killed MCC, started before root login.
The trace showed:
kill(13721, SIGKILL)                    = 0

Installed these:

util-linux-2.25.2-3.5.mga5
lib64blkid1-2.25.2-3.5.mga5
lib64blkid-devel-2.25.2-3.5.mga5
lib64uuid1-2.25.2-3.5.mga5
lib64uuid-devel-2.25.2-3.5.mga5
uuidd-2.25.2-3.5.mga5
python-libmount-2.25.2-3.5.mga5
lib64mount1-2.25.2-3.5.mga5
lib64mount-devel-2.25.2-3.5.mga5
lib64smartcols1-2.25.2-3.5.mga5
libsmartcols-devel-2.25.2-3.5.mga5

2) Carried out the same procedure, with the same result.  It made no difference whether the privileged process was started before or after the su login.

Either I have entirely missed the point of this update or it requires a different approach.

CC: (none) => tarazed25

Comment 2 Dave Hodgins 2017-02-23 19:10:22 CET
I can't recreate the bug either.
konsole 1
  su -
  htop
konsole 2
  su -c 'strace htop'
konsole 3
  su -c 'kill $pid-of-strace'

Results in strace stopping, and htop continuing, as I would expect, both
before and after installing the update.

I may also be misunderstanding how the bug can be replicated, or what the
bug is. The fact that it's described as a race condition, indicates to me
that it may only work "if you're lucky".

I don't see how we can test this one.

As such, the update will be accepted as long as util-linux passes basic tests
for functionality (and hope that the fix does work).

Since it seems to be so hard to replicate, and given the number of commands
included in util-linux, let's give this one a day or so of normal usage to
see if any problems are noticed.

CC: (none) => davidwhodgins

Lewis Smith 2017-02-25 08:36:09 CET

CC: (none) => lewyssmith
Whiteboard: (none) => advisory

Comment 3 Lewis Smith 2017-02-27 21:29:28 CET
Trying M5 64-bit

I tried the described fault before the update, and the targeted root process (started after 'su') was always killed.

Updated to:
 lib64blkid1-2.25.2-3.5.mga5
 lib64mount1-2.25.2-3.5.mga5
 lib64smartcols1-2.25.2-3.5.mga5
 lib64uuid1-2.25.2-3.5.mga5
 util-linux-2.25.2-3.5.mga5

and tried more thoroughly:
From a *terminal*,
 $ su
 Password: 
 #
From a *console* logged in as root,
 # top            [hence it keeps running]
From the terminal:
# ps -aux | grep top
root     11285  0.5  0.0  20376  2956 tty2     S+   21:15   0:00 top
# kill -s SIGKILL 11285
and console 'top' process was killed.

So like my predecessors, this update is enigmatic.
I agree with Comment 2: "given the number of commands included in util-linux, let's give this one a day or so of normal usage to see if any problems are noticed".
Comment 4 Herman Viaene 2017-03-02 12:04:34 CET
MGA5-32 on Asus A6000VM Xfce
No installation issues.
No immediate ill effects, so I'll wait and see as suggested above.

CC: (none) => herman.viaene

Comment 5 Dave Hodgins 2017-03-02 19:55:01 CET
Validating the update.

Keywords: (none) => validated_update
Whiteboard: advisory => advisory MGA5-64-OK MGA5-32-OK
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2017-03-03 11:10:27 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0072.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED