CVE-2017-2616

A race condition was found in util-linux before 2.32.1 in the way su handled the management of child processes. A local authenticated attacker could use this flaw to kill other processes with root privileges under specific conditions.

Weakness

A particular privilege, role, capability, or right can be used to perform unsafe actions that were not intended, even when it is assigned to the correct entity.

Affected Software

Potential Mitigations

Related Attack Patterns

• https://cwe.mitre.org/data/definitions/58.html
• https://cwe.mitre.org/data/definitions/634.html
• https://cwe.mitre.org/data/definitions/637.html
• https://cwe.mitre.org/data/definitions/643.html
• https://cwe.mitre.org/data/definitions/648.html

References

• http://rhn.redhat.com/errata/RHSA-2017-0654.html
• http://www.securityfocus.com/bid/96404
• http://www.securitytracker.com/id/1038271
• https://access.redhat.com/errata/RHSA-2017:0907
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2616
• https://github.com/karelzak/util-linux/commit/dffab154d29a288aa171ff50263ecc8f2e14a891
• https://security.gentoo.org/glsa/201706-02
• https://www.debian.org/security/2017/dsa-3793
• http://rhn.redhat.com/errata/RHSA-2017-0654.html
• http://www.securityfocus.com/bid/96404
• http://www.securitytracker.com/id/1038271
• https://access.redhat.com/errata/RHSA-2017:0907
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2616
• https://github.com/karelzak/util-linux/commit/dffab154d29a288aa171ff50263ecc8f2e14a891
• https://security.gentoo.org/glsa/201706-02
• https://www.debian.org/security/2017/dsa-3793