Hello community,

here is the log from the commit of package coreutils for openSUSE:11.4
checked in at Thu Jun 30 16:39:52 CEST 2011.



--------
--- old-versions/11.4/UPDATES/all/coreutils/coreutils.changes   2011-06-07 
12:14:47.000000000 +0200
+++ 11.4/coreutils/coreutils.changes    2011-06-08 18:20:59.000000000 +0200
@@ -1,0 +2,5 @@
+Wed Jun  8 15:40:52 CEST 2011 - p...@suse.de
+
+- Fix vulnerability in su (bnc#697897).
+
+-------------------------------------------------------------------

calling whatdependson for 11.4-i586


New:
----
  coreutils-bnc#697897-setsid.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ _service:set_version:coreutils.spec ++++++
--- /var/tmp/diff_new_pack.7Qwv4z/_old  2011-06-30 16:38:49.000000000 +0200
+++ /var/tmp/diff_new_pack.7Qwv4z/_new  2011-06-30 16:38:49.000000000 +0200
@@ -56,8 +56,7 @@
 Patch31:        coreutils-getaddrinfo.patch
 Patch32:        coreutils-ptr_int_casts.patch
 Patch33:        coreutils-8.9-singlethreaded-sort.patch
-# this patch is needed for coreutils 8.0 - 8.10 (openSUSE 11.3 and 11.4)
-Patch34:        coreutils-cp-al-symlink-timestamp.patch
+Patch34:        coreutils-bnc#697897-setsid.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 # this will create a cycle, broken up randomly - coreutils is just too core to 
have other
 # prerequires
@@ -98,7 +97,8 @@
 %patch31
 %patch32
 %patch33
-%patch34 -p1
+%patch34
+
 cp %{S:4} po/de.po
 
 %build

++++++ coreutils.spec ++++++
--- /var/tmp/diff_new_pack.7Qwv4z/_old  2011-06-30 16:38:49.000000000 +0200
+++ /var/tmp/diff_new_pack.7Qwv4z/_new  2011-06-30 16:38:49.000000000 +0200
@@ -24,7 +24,7 @@
 License:        GFDLv1.2 ; GPLv2+ ; GPLv3+
 Group:          System/Base
 Version:        8.9
-Release:        5.<RELEASE7>
+Release:        5.<RELEASE9>
 Provides:       fileutils = %{version}, sh-utils = %{version}, stat = 
%version}, textutils = %{version}, mktemp = %{version}
 Obsoletes:      fileutils < %{version}, sh-utils < %{version}, stat < 
%version}, textutils < %{version}, mktemp < %{version}
 Obsoletes:      libselinux <= 1.23.11-3 libselinux-32bit = 9 libselinux-64bit 
= 9 libselinux-x86 = 9
@@ -56,8 +56,7 @@
 Patch31:        coreutils-getaddrinfo.patch
 Patch32:        coreutils-ptr_int_casts.patch
 Patch33:        coreutils-8.9-singlethreaded-sort.patch
-# this patch is needed for coreutils 8.0 - 8.10 (openSUSE 11.3 and 11.4)
-Patch34:        coreutils-cp-al-symlink-timestamp.patch
+Patch34:        coreutils-bnc#697897-setsid.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 # this will create a cycle, broken up randomly - coreutils is just too core to 
have other
 # prerequires
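Review bot: Reusing the `Patch34:` slot drops `coreutils-cp-al-symlink-timestamp.patch`, whose removed comment says it is needed for coreutils 8.0 - 8.10, while this package is still `Version: 8.9`. The changelog entry mentions only the su fix, so the removal looks unintended. The same change appears in the `_service:set_version:coreutils.spec` copy. Unless the timestamp fix is meant to be reverted, keep the old entry and add the new one under a fresh number, for example `Patch35:        coreutils-bnc#697897-setsid.patch` with a matching `%patch35` in `%prep`. If the removal is deliberate, it deserves its own line in `coreutils.changes`.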
@@ -98,7 +97,8 @@
 %patch31
 %patch32
 %patch33
-%patch34 -p1
+%patch34
+
 cp %{S:4} po/de.po
 
 %build


++++++ coreutils-bnc#697897-setsid.patch ++++++
Index: src/su.c
===================================================================
--- src/su.c.orig       2011-06-08 15:44:23.305685113 +0200
+++ src/su.c    2011-06-08 15:47:18.916280506 +0200
@@ -141,6 +141,9 @@ static bool simulate_login;
 /* If true, change some environment vars to indicate the user su'd to.  */
 static bool change_environment;
 
+/* If true, then don't call setsid() with a command. */
+int same_session = 0;
+
 #ifdef USE_PAM
 static bool _pam_session_opened;
 static bool _pam_cred_established;
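Review bot: `int same_session = 0;` is declared with external linkage and as an `int`, while the neighbouring flags in this file (`simulate_login`, `change_environment`) are `static bool`. Nothing in the patch uses it outside su.c, so `static bool same_session;` would keep it out of the global namespace and match the surrounding declarations. The same applies to `int request_same_session = 0;` added in main(). The comment could also state the default more directly, for example `/* If true, keep the caller's session: do not call setsid() before running the command.  */`.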
@@ -149,6 +152,7 @@ static bool _pam_cred_established;
 static struct option const longopts[] =
 {
   {"command", required_argument, NULL, 'c'},
+  {"session-command", required_argument, NULL, 'C'},
   {"fast", no_argument, NULL, 'f'},
   {"login", no_argument, NULL, 'l'},
   {"preserve-environment", no_argument, NULL, 'p'},
@@ -323,14 +327,29 @@ create_watching_parent (void)
       sigemptyset (&action.sa_mask);
       action.sa_flags = 0;
       sigemptyset (&ourset);
-      if (sigaddset (&ourset, SIGTERM)
-         || sigaddset (&ourset, SIGALRM)
-         || sigaction (SIGTERM, &action, NULL)
-         || sigprocmask (SIG_UNBLOCK, &ourset, NULL))
-       {
+
+      if (!same_session)
+        {
+          if (sigaddset(&ourset, SIGINT) || sigaddset(&ourset, SIGQUIT))
+            {
+              error (0, errno, _("cannot set signal handler"));
+              caught_signal = true;
+            }
+        }
+      if (!caught_signal && (sigaddset(&ourset, SIGTERM)
+                      || sigaddset(&ourset, SIGALRM)
+                      || sigaction(SIGTERM, &action, NULL)
+                      || sigprocmask(SIG_UNBLOCK, &ourset, NULL)))
+        {
          error (0, errno, _("cannot set signal handler"));
          caught_signal = true;
        }
+    if (!caught_signal && !same_session && (sigaction(SIGINT, &action, NULL)
+                                     || sigaction(SIGQUIT, &action, NULL)))
+      {
+        error (0, errno, _("cannot set signal handler"));
+        caught_signal = true;
+      }
     }
   if (!caught_signal)
     {
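Review bot: SIGINT and SIGQUIT are unblocked before their handlers are installed. They are added to `ourset` first, `sigprocmask (SIG_UNBLOCK, &ourset, NULL)` then runs in the middle condition, and only the third `if` calls `sigaction` for them. A signal arriving in that window gets whatever disposition was in place before, unlike SIGTERM, whose handler is set ahead of the unblock. If the default action applies, the watching parent could exit without reaching the cleanup that presumably follows; the mask state on entry and the rest of create_watching_parent are outside this hunk. Installing both handlers in the first `!same_session` block fixes the ordering and removes the third block, which is also indented one level too shallow and omits the space before `(` used elsewhere in the file.

```c
      /* … unchanged: action setup and sigemptyset calls … */
      if (!same_session
          && (sigaddset (&ourset, SIGINT)
              || sigaddset (&ourset, SIGQUIT)
              || sigaction (SIGINT, &action, NULL)
              || sigaction (SIGQUIT, &action, NULL)))
        {
          error (0, errno, _("cannot set signal handler"));
          caught_signal = true;
        }
      if (!caught_signal
          && (sigaddset (&ourset, SIGTERM)
              || sigaddset (&ourset, SIGALRM)
              || sigaction (SIGTERM, &action, NULL)
              || sigprocmask (SIG_UNBLOCK, &ourset, NULL)))
        {
          error (0, errno, _("cannot set signal handler"));
          caught_signal = true;
        }
```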
@@ -748,6 +767,8 @@ Change the effective user id and group i
 \n\
   -, -l, --login               make the shell a login shell\n\
   -c, --command=COMMAND        pass a single COMMAND to the shell with -c\n\
+  --session-command=COMMAND    pass a single COMMAND to the shell with -c\n\
+                               and do not create a new session\n\
   -f, --fast                   pass -f to the shell (for csh or tcsh)\n\
   -m, --preserve-environment   do not reset environment variables\n\
   -p                           same as -m\n\
@@ -770,6 +791,7 @@ main (int argc, char **argv)
   int optc;
   const char *new_user = DEFAULT_USER;
   char *command = NULL;
+  int request_same_session = 0;
   char *shell = NULL;
   struct passwd *pw;
   struct passwd pw_copy;
@@ -795,6 +817,11 @@ main (int argc, char **argv)
           command = optarg;
           break;
 
+        case 'C':
+          command = optarg;
+          request_same_session = 1;
+          break;
+
         case 'f':
           fast_startup = true;
           break;
@@ -865,6 +892,9 @@ main (int argc, char **argv)
     }
 #endif
 
+  if (request_same_session || !command || !pw->pw_uid)
+    same_session = 1;
+
   if (!shell && !change_environment)
     shell = getenv ("SHELL");
   if (shell && getuid () != 0 && restricted_shell (pw->pw_shell))
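Review bot: The condition `request_same_session || !command || !pw->pw_uid` decides when the new protection is skipped, and nothing in the code says why each case is exempt. A reader auditing the fix for bnc#697897 has to guess that an interactive shell needs the controlling terminal and that a root target is treated as trusted. A comment above the `if` would record this, for example `/* Keep the caller's session if explicitly requested, when starting an interactive shell (no -c), or when the target user is root.  */`. The help text for `-c` could also mention that it now runs the command in a new session. main() begins and ends outside this hunk.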
@@ -886,6 +916,8 @@ main (int argc, char **argv)
 #endif
 
   change_identity (pw);
+  if (!same_session)
+    setsid ();
 
   /* Set environment after pam_open_session, which may put KRB5CCNAME
      into the pam_env, etc.  */
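Review bot: The return value of `setsid ();` is ignored, so if the call fails the command runs in the caller's session without any indication. `setsid()` fails with EPERM when the calling process is a process group leader. Whether su has already forked at this point depends on code outside the hunk, and a build without USE_PAM may not fork at all. Since this call is the whole point of the fix, the failure should be fatal: `if (!same_session && setsid () < 0)` followed by `error (EXIT_FAILURE, errno, _("cannot create a new session"));`.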

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++



Remember to have fun...
