USN-3276-2: shadow regression

Publication date

17 May 2017

Overview

USN-3276-1 introduced a regression in su.


Packages

Details

USN-3276-1 intended to fix a vulnerability in su. The solution introduced
a regression in su signal handling. This update modifies the security fix.
We apologize for the inconvenience.

Original advisory details:

Sebastian Krahmer discovered integer overflows in shadow utilities.
A local attacker could possibly cause them to crash or potentially
gain privileges via crafted input. (CVE-2016-6252)

Tobias Stöckmann discovered a race condition in su. A local
attacker could cause su to send SIGKILL to other processes with
root privileges. (CVE-2017-2616)

USN-3276-1 intended to fix a vulnerability in su. The solution introduced
a regression in su signal handling. This update modifies the security fix.
We apologize for the inconvenience.

Original advisory details:

Sebastian Krahmer discovered integer overflows in shadow utilities.
A local attacker could possibly cause them to crash or potentially
gain privileges via crafted input. (CVE-2016-6252)

Tobias Stöckmann discovered a race condition in su. A local
attacker could cause su to send SIGKILL to other processes with
root privileges. (CVE-2017-2616)

Update instructions

In general, a standard system update will make all the necessary changes.

Learn more about how to get the fixes.

The problem can be corrected by updating your system to the following package versions:


Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.


Have additional questions?

Talk to a member of the team ›