CVE-2017-2616

Name	CVE-2017-2616
Description	A race condition was found in util-linux before 2.32.1 in the way su handled the management of child processes. A local authenticated attacker could use this flaw to kill other processes with root privileges under specific conditions.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-838-1, DSA-3793-1
Debian Bugs	855943

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
coreutils (PTS)	bullseye	8.32-4	fixed
	bookworm	9.1-1	fixed
	trixie, sid	9.7-2	fixed
shadow (PTS)	bullseye	1:4.8.1-1	fixed
	bullseye (security)	1:4.8.1-1+deb11u1	fixed
	bookworm	1:4.13+dfsg1-1+deb12u1	fixed
	trixie, sid	1:4.17.4-2	fixed
util-linux (PTS)	bullseye (security), bullseye	2.36.1-8+deb11u2	fixed
	bookworm	2.38.1-5+deb12u3	fixed
	bookworm (security)	2.38.1-5+deb12u1	fixed
	trixie	2.41-4	fixed
	sid	2.41-5	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
coreutils	source	(unstable)	8.20-1	unimportant
shadow	source	wheezy	1:4.1.5.1-1+deb7u1		DLA-838-1
shadow	source	jessie	1:4.2-3+deb8u3		DSA-3793-1
shadow	source	(unstable)	1:4.4-4			855943
util-linux	source	(unstable)	2.29.2-1	unimportant

Notes

https://github.com/shadow-maint/shadow/commit/08fd4b69e84364677a10e519ccb25b71710ee686
https://github.com/karelzak/util-linux/commit/dffab154d29a288aa171ff50263ecc8f2e14a891
Coreutils: Removed from source in https://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=928dd737
and not installed by default since 2007.