Hello community, here is the log from the commit of package coreutils for openSUSE:11.4 checked in at Thu Jun 30 16:39:52 CEST 2011. -------- --- old-versions/11.4/UPDATES/all/coreutils/coreutils.changes 2011-06-07 12:14:47.000000000 +0200 +++ 11.4/coreutils/coreutils.changes 2011-06-08 18:20:59.000000000 +0200 @@ -1,0 +2,5 @@ +Wed Jun 8 15:40:52 CEST 2011 - pth@suse.de + +- Fix vulnerability in su (bnc#697897). + +------------------------------------------------------------------- calling whatdependson for 11.4-i586 New: ---- coreutils-bnc#697897-setsid.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ _service:set_version:coreutils.spec ++++++ --- /var/tmp/diff_new_pack.7Qwv4z/_old 2011-06-30 16:38:49.000000000 +0200 +++ /var/tmp/diff_new_pack.7Qwv4z/_new 2011-06-30 16:38:49.000000000 +0200 @@ -56,8 +56,7 @@ Patch31: coreutils-getaddrinfo.patch Patch32: coreutils-ptr_int_casts.patch Patch33: coreutils-8.9-singlethreaded-sort.patch -# this patch is needed for coreutils 8.0 - 8.10 (openSUSE 11.3 and 11.4) -Patch34: coreutils-cp-al-symlink-timestamp.patch +Patch34: coreutils-bnc#697897-setsid.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build # this will create a cycle, broken up randomly - coreutils is just too core to have other # prerequires @@ -98,7 +97,8 @@ %patch31 %patch32 %patch33 -%patch34 -p1 +%patch34 + cp %{S:4} po/de.po %build ++++++ coreutils.spec ++++++ --- /var/tmp/diff_new_pack.7Qwv4z/_old 2011-06-30 16:38:49.000000000 +0200 +++ /var/tmp/diff_new_pack.7Qwv4z/_new 2011-06-30 16:38:49.000000000 +0200 @@ -24,7 +24,7 @@ License: GFDLv1.2 ; GPLv2+ ; GPLv3+ Group: System/Base Version: 8.9 -Release: 5.<RELEASE7> +Release: 5.<RELEASE9> Provides: fileutils = %{version}, sh-utils = %{version}, stat = %version}, textutils = %{version}, mktemp = %{version} Obsoletes: fileutils < %{version}, sh-utils < %{version}, stat < %version}, textutils < %{version}, mktemp < %{version} Obsoletes: libselinux <= 1.23.11-3 libselinux-32bit = 9 libselinux-64bit = 9 libselinux-x86 = 9 @@ -56,8 +56,7 @@ Patch31: coreutils-getaddrinfo.patch Patch32: coreutils-ptr_int_casts.patch Patch33: coreutils-8.9-singlethreaded-sort.patch -# this patch is needed for coreutils 8.0 - 8.10 (openSUSE 11.3 and 11.4) -Patch34: coreutils-cp-al-symlink-timestamp.patch +Patch34: coreutils-bnc#697897-setsid.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build # this will create a cycle, broken up randomly - coreutils is just too core to have other # prerequires @@ -98,7 +97,8 @@ %patch31 %patch32 %patch33 -%patch34 -p1 +%patch34 + cp %{S:4} po/de.po %build ++++++ coreutils-bnc#697897-setsid.patch ++++++ Index: src/su.c =================================================================== --- src/su.c.orig 2011-06-08 15:44:23.305685113 +0200 +++ src/su.c 2011-06-08 15:47:18.916280506 +0200 @@ -141,6 +141,9 @@ static bool simulate_login; /* If true, change some environment vars to indicate the user su'd to. */ static bool change_environment; +/* If true, then don't call setsid() with a command. */ +int same_session = 0; + #ifdef USE_PAM static bool _pam_session_opened; static bool _pam_cred_established; @@ -149,6 +152,7 @@ static bool _pam_cred_established; static struct option const longopts[] = { {"command", required_argument, NULL, 'c'}, + {"session-command", required_argument, NULL, 'C'}, {"fast", no_argument, NULL, 'f'}, {"login", no_argument, NULL, 'l'}, {"preserve-environment", no_argument, NULL, 'p'}, @@ -323,14 +327,29 @@ create_watching_parent (void) sigemptyset (&action.sa_mask); action.sa_flags = 0; sigemptyset (&ourset); - if (sigaddset (&ourset, SIGTERM) - || sigaddset (&ourset, SIGALRM) - || sigaction (SIGTERM, &action, NULL) - || sigprocmask (SIG_UNBLOCK, &ourset, NULL)) - { + + if (!same_session) + { + if (sigaddset(&ourset, SIGINT) || sigaddset(&ourset, SIGQUIT)) + { + error (0, errno, _("cannot set signal handler")); + caught_signal = true; + } + } + if (!caught_signal && (sigaddset(&ourset, SIGTERM) + || sigaddset(&ourset, SIGALRM) + || sigaction(SIGTERM, &action, NULL) + || sigprocmask(SIG_UNBLOCK, &ourset, NULL))) + { error (0, errno, _("cannot set signal handler")); caught_signal = true; } + if (!caught_signal && !same_session && (sigaction(SIGINT, &action, NULL) + || sigaction(SIGQUIT, &action, NULL))) + { + error (0, errno, _("cannot set signal handler")); + caught_signal = true; + } } if (!caught_signal) { @@ -748,6 +767,8 @@ Change the effective user id and group i \n\ -, -l, --login make the shell a login shell\n\ -c, --command=COMMAND pass a single COMMAND to the shell with -c\n\ + --session-command=COMMAND pass a single COMMAND to the shell with -c\n\ + and do not create a new session\n\ -f, --fast pass -f to the shell (for csh or tcsh)\n\ -m, --preserve-environment do not reset environment variables\n\ -p same as -m\n\ @@ -770,6 +791,7 @@ main (int argc, char **argv) int optc; const char *new_user = DEFAULT_USER; char *command = NULL; + int request_same_session = 0; char *shell = NULL; struct passwd *pw; struct passwd pw_copy; @@ -795,6 +817,11 @@ main (int argc, char **argv) command = optarg; break; + case 'C': + command = optarg; + request_same_session = 1; + break; + case 'f': fast_startup = true; break; @@ -865,6 +892,9 @@ main (int argc, char **argv) } #endif + if (request_same_session || !command || !pw->pw_uid) + same_session = 1; + if (!shell && !change_environment) shell = getenv ("SHELL"); if (shell && getuid () != 0 && restricted_shell (pw->pw_shell)) @@ -886,6 +916,8 @@ main (int argc, char **argv) #endif change_identity (pw); + if (!same_session) + setsid (); /* Set environment after pam_open_session, which may put KRB5CCNAME into the pam_env, etc. */ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org