author | Anuj Mittal <anuj.mittal@intel.com> | 2021-02-06 15:57:55 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2021-02-11 17:46:12 +0000 |
commit | ac41e4a597da00748823967a653565ac041b11e5 (patch) | |
tree | 6daa67d7acb31d2e691347c30c176e4ebeb7f9af | |
parent | 9df355c5f1dceeba11c4d15aef3b41fb551ae6f3 (diff) | |
download | poky-ac41e4a597da00748823967a653565ac041b11e5.tar.gz |
sudo: fix CVE-2021-3156
(From OE-Core rev: 2f6c7aae835c75a350686b058fba732005e4c923)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
6 files changed, 301 insertions, 0 deletions
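--- /dev/null
+++ b/meta/recipes-extended/sudo/files/CVE-2021-3156-1.patch
@@ -0,0 +1,100 @@
+Upstream-Status: Backport[https://www.sudo.ws/repos/sudo/rev/9b97f1787804]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+CVE: CVE-2021-3156
+
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller@sudo.ws>
+# Date 1611416639 25200
+# Node ID 9b97f1787804aedccaec63c379053b1a91a0e409
+# Parent 90aba6ba6e03f3bc33b4eabf16358396ed83642d
+Reset valid_flags to MODE_NONINTERACTIVE for sudoedit.
+This is consistent with how the -e option is handled.
+Also reject -H and -P flags for sudoedit as was done in sudo 1.7.
+Found by Qualys, this is part of the fix for CVE-2021-3156.
+
+diff -r 90aba6ba6e03 -r 9b97f1787804 src/parse_args.c
+--- a/src/parse_args.c Mon Jan 18 12:30:52 2021 +0100
++++ b/src/parse_args.c Sat Jan 23 08:43:59 2021 -0700
+@@ -117,7 +117,10 @@
+/*
+* Default flags allowed when running a command.
+*/
+-#define DEFAULT_VALID_FLAGS (MODE_BACKGROUND|MODE_PRESERVE_ENV|MODE_RESET_HOME|MODE_LOGIN_SHELL|MODE_NONINTERACTIVE|MODE_SHELL)
++#define DEFAULT_VALID_FLAGS (MODE_BACKGROUND|MODE_PRESERVE_ENV|MODE_RESET_HOME|MODE_LOGIN_SHELL|MODE_NONINTERACTIVE|MODE_PRESERVE_GROUPS|MODE_SHELL)
++#define EDIT_VALID_FLAGS MODE_NONINTERACTIVE
++#define LIST_VALID_FLAGS (MODE_NONINTERACTIVE|MODE_LONG_LIST)
++#define VALIDATE_VALID_FLAGS MODE_NONINTERACTIVE
+
+/* Option number for the --host long option due to ambiguity of the -h flag. */
+#define OPT_HOSTNAME 256
+@@ -262,6 +265,7 @@
+progname = "sudoedit";
+mode = MODE_EDIT;
+sudo_settings[ARG_SUDOEDIT].value = "true";
++ valid_flags = EDIT_VALID_FLAGS;
+}
+
+/* Load local IP addresses and masks. */
+@@ -365,7 +369,7 @@
+usage_excl();
+mode = MODE_EDIT;
+sudo_settings[ARG_SUDOEDIT].value = "true";
+- valid_flags = MODE_NONINTERACTIVE;
++ valid_flags = EDIT_VALID_FLAGS;
+break;
+case 'g':
+assert(optarg != NULL);
+@@ -377,6 +381,7 @@
+break;
+case 'H':
+sudo_settings[ARG_SET_HOME].value = "true";
++ SET(flags, MODE_RESET_HOME);
+break;
+case 'h':
+if (optarg == NULL) {
+@@ -431,7 +436,7 @@
+usage_excl();
+}
+mode = MODE_LIST;
+- valid_flags = MODE_NONINTERACTIVE|MODE_LONG_LIST;
++ valid_flags = LIST_VALID_FLAGS;
+break;
+case 'n':
+SET(flags, MODE_NONINTERACTIVE);
+@@ -439,6 +444,7 @@
+break;
+case 'P':
+sudo_settings[ARG_PRESERVE_GROUPS].value = "true";
++ SET(flags, MODE_PRESERVE_GROUPS);
+break;
+case 'p':
+/* An empty prompt is allowed. */
+@@ -505,7 +511,7 @@
+if (mode && mode != MODE_VALIDATE)
+usage_excl();
+mode = MODE_VALIDATE;
+- valid_flags = MODE_NONINTERACTIVE;
++ valid_flags = VALIDATE_VALID_FLAGS;
+break;
+case 'V':
+if (mode && mode != MODE_VERSION)
+@@ -533,7 +539,7 @@
+if (!mode) {
+/* Defer -k mode setting until we know whether it is a flag or not */
+if (sudo_settings[ARG_IGNORE_TICKET].value != NULL) {
+- if (argc == 0 && !(flags & (MODE_SHELL|MODE_LOGIN_SHELL))) {
++ if (argc == 0 && !ISSET(flags, MODE_SHELL|MODE_LOGIN_SHELL)) {
+mode = MODE_INVALIDATE; /* -k by itself */
+sudo_settings[ARG_IGNORE_TICKET].value = NULL;
+valid_flags = 0;
+@@ -601,7 +607,7 @@
+/*
+* For shell mode we need to rewrite argv
+*/
+- if (ISSET(mode, MODE_RUN) && ISSET(flags, MODE_SHELL)) {
++ if (ISSET(flags, MODE_SHELL|MODE_LOGIN_SHELL) && ISSET(mode, MODE_RUN)) {
+char **av, *cmnd = NULL;
+int ac = 1;
+
+
+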
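Review bot: The `Upstream-Status` header on line 1 of the new patch reads `Backport[https://...]` with no space before the bracket, while CVE-2021-3156-2, -4 and -5 in the same series use the `Backport [URL]` form; CVE-2021-3156-3.patch has the same spacing defect. Suggest `Upstream-Status: Backport [https://www.sudo.ws/repos/sudo/rev/9b97f1787804]` so all five headers are uniform and parse the same way. The hunks at `@@ -377` and `@@ -439` now record -H and -P in `flags`, but the check that rejects bits outside `valid_flags` is not part of this patch, so whether sudoedit actually refuses those options in 1.9.3 depends on code outside the hunk and is worth confirming during the backport. The file also ends with two empty lines (99–100) that are trailing whitespace.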
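--- /dev/null
+++ b/meta/recipes-extended/sudo/files/CVE-2021-3156-2.patch
@@ -0,0 +1,53 @@
+From 03d04069468d6633be0d6ef6c4adff07620488da Mon Sep 17 00:00:00 2001
+From: Anuj Mittal <anuj.mittal@intel.com>
+Date: Sat, 6 Feb 2021 15:57:55 +0800
+Subject: [PATCH] sudo: fix CVE-2021-3156
+
+Upstream-Status: Backport [https://www.sudo.ws/repos/sudo/rev/a97dc92eae6b]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+CVE: CVE-2021-3156
+
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller@sudo.ws>
+# Date 1611416639 25200
+# Node ID a97dc92eae6b60ae285055441341d493c17262ff
+# Parent 9b97f1787804aedccaec63c379053b1a91a0e409
+Add sudoedit flag checks in plugin that are consistent with front-end.
+Don't assume the sudo front-end is sending reasonable mode flags.
+These checks need to be kept consistent between the sudo front-end
+and the sudoers plugin.
+
+---
+plugins/sudoers/policy.c | 9 ++++++++-
+1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/plugins/sudoers/policy.c b/plugins/sudoers/policy.c
+index c4749a6..2f18fe1 100644
+--- a/plugins/sudoers/policy.c
++++ b/plugins/sudoers/policy.c
+@@ -88,10 +88,11 @@ parse_bool(const char *line, int varlen, int *flags, int fval)
+int
+sudoers_policy_deserialize_info(void *v, char **runas_user, char **runas_group)
+{
++ const int edit_mask = MODE_EDIT|MODE_IGNORE_TICKET|MODE_NONINTERACTIVE;
+struct sudoers_open_info *info = v;
+- char * const *cur;
+const char *p, *errstr, *groups = NULL;
+const char *remhost = NULL;
++ char * const *cur;
+int flags = 0;
+debug_decl(sudoers_policy_deserialize_info, SUDOERS_DEBUG_PLUGIN);
+
+@@ -343,6 +344,12 @@ sudoers_policy_deserialize_info(void *v, char **runas_user, char **runas_group)
+#endif
+}
+
++ /* Sudo front-end should restrict mode flags for sudoedit. */
++ if (ISSET(flags, MODE_EDIT) && (flags & edit_mask) != flags) {
++ sudo_warnx(U_("invalid mode flags from sudo front end: 0x%x"), flags);
++ goto bad;
++ }
++
+user_gid = (gid_t)-1;
+user_sid = (pid_t)-1;
+user_uid = (gid_t)-1;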
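Review bot: Lines 1–4 of the new patch carry a `git format-patch` preamble (`From 03d04069…`, `From: Anuj Mittal`, `Subject: [PATCH] sudo: fix CVE-2021-3156`) that attributes the change to the backporter and repeats the OE commit subject, whereas the other four patches in this series start at `Upstream-Status` and keep only the hg header naming Todd C. Miller as author. Suggest dropping the preamble together with the `---`/diffstat lines (20–22) so the file has the same shape as CVE-2021-3156-1/-3/-4/-5, or, if a git header is wanted, setting `From:` and `Subject:` to the upstream author and summary. The code change itself reads correctly: the plugin now rejects `MODE_EDIT` combined with any bit outside `edit_mask`, the defense-in-depth counterpart of the front-end `EDIT_VALID_FLAGS` restriction; the `bad:` label it jumps to is outside the hunk.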
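--- /dev/null
+++ b/meta/recipes-extended/sudo/files/CVE-2021-3156-3.patch
@@ -0,0 +1,73 @@
+Upstream-Status: Backport[https://www.sudo.ws/repos/sudo/rev/049ad90590be]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+CVE: CVE-2021-3156
+
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller@sudo.ws>
+# Date 1611416639 25200
+# Node ID 049ad90590be1e5dfb7df2675d2eb3e37c96ab86
+# Parent a97dc92eae6b60ae285055441341d493c17262ff
+Fix potential buffer overflow when unescaping backslashes in user_args.
+Also, do not try to unescaping backslashes unless in run mode *and*
+we are running the command via a shell.
+Found by Qualys, this fixes CVE-2021-3156.
+
+diff -r a97dc92eae6b -r 049ad90590be plugins/sudoers/sudoers.c
+--- a/plugins/sudoers/sudoers.c Sat Jan 23 08:43:59 2021 -0700
++++ b/plugins/sudoers/sudoers.c Sat Jan 23 08:43:59 2021 -0700
+@@ -547,7 +547,7 @@
+
+/* If run as root with SUDO_USER set, set sudo_user.pw to that user. */
+/* XXX - causes confusion when root is not listed in sudoers */
+- if (sudo_mode & (MODE_RUN | MODE_EDIT) && prev_user != NULL) {
++ if (ISSET(sudo_mode, MODE_RUN|MODE_EDIT) && prev_user != NULL) {
+if (user_uid == 0 && strcmp(prev_user, "root") != 0) {
+struct passwd *pw;
+
+@@ -932,8 +932,8 @@
+if (user_cmnd == NULL)
+user_cmnd = NewArgv[0];
+
+- if (sudo_mode & (MODE_RUN | MODE_EDIT | MODE_CHECK)) {
+- if (ISSET(sudo_mode, MODE_RUN | MODE_CHECK)) {
++ if (ISSET(sudo_mode, MODE_RUN|MODE_EDIT|MODE_CHECK)) {
++ if (!ISSET(sudo_mode, MODE_EDIT)) {
+const char *runchroot = user_runchroot;
+if (runchroot == NULL && def_runchroot != NULL &&
+strcmp(def_runchroot, "*") != 0)
+@@ -961,7 +961,8 @@
+sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+debug_return_int(NOT_FOUND_ERROR);
+}
+- if (ISSET(sudo_mode, MODE_SHELL|MODE_LOGIN_SHELL)) {
++ if (ISSET(sudo_mode, MODE_SHELL|MODE_LOGIN_SHELL) &&
++ ISSET(sudo_mode, MODE_RUN)) {
+/*
+* When running a command via a shell, the sudo front-end
+* escapes potential meta chars. We unescape non-spaces
+@@ -969,10 +970,22 @@
+*/
+for (to = user_args, av = NewArgv + 1; (from = *av); av++) {
+while (*from) {
+- if (from[0] == '\\' && !isspace((unsigned char)from[1]))
++ if (from[0] == '\\' && from[1] != '\0' &&
++ !isspace((unsigned char)from[1])) {
+from++;
++ }
++ if (size - (to - user_args) < 1) {
++ sudo_warnx(U_("internal error, %s overflow"),
++ __func__);
++ debug_return_int(NOT_FOUND_ERROR);
++ }
+*to++ = *from++;
+}
++ if (size - (to - user_args) < 1) {
++ sudo_warnx(U_("internal error, %s overflow"),
++ __func__);
++ debug_return_int(NOT_FOUND_ERROR);
++ }
+*to++ = ' ';
+}
+*--to = '\0';
+
+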
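Review bot: The new bound check `if (size - (to - user_args) < 1)` is duplicated verbatim before the two writes at lines 57–61 and 64–68 of the patch, and its correctness rests on `size` being the allocation size of `user_args`; both the declaration of `size` and the allocation are above the hunk and not visible here, and since the upstream changeset targets a newer tree than 1.9.3 the backport should be checked against the `user_args` allocation in this version's `sudoers.c`. The hunk header `@@ -969,10 +970,22 @@` shows the context applied, but a sentence in the patch header recording that the surrounding allocation was verified would make that explicit for the next maintainer. The essential change is `from[1] != '\0'` on line 53, which stops the unescape from stepping over a backslash that ends the string and then copying past the terminator; the header only says "potential buffer overflow", and naming the trailing-backslash case would help readers map the fix to the advisory.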
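--- /dev/null
+++ b/meta/recipes-extended/sudo/files/CVE-2021-3156-4.patch
@@ -0,0 +1,29 @@
+Upstream-Status: Backport [https://www.sudo.ws/repos/sudo/rev/09f98816fc89]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+CVE: CVE-2021-3156
+
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller@sudo.ws>
+# Date 1611416640 25200
+# Node ID 09f98816fc8978f1d8623a857073d2d5746f0379
+# Parent 049ad90590be1e5dfb7df2675d2eb3e37c96ab86
+Fix the memset offset when converting a v1 timestamp to TS_LOCKEXCL.
+We want to zero the struct starting at flags, not type (which was just set).
+Found by Qualys.
+
+diff -r 049ad90590be -r 09f98816fc89 plugins/sudoers/timestamp.c
+--- a/plugins/sudoers/timestamp.c Sat Jan 23 08:43:59 2021 -0700
++++ b/plugins/sudoers/timestamp.c Sat Jan 23 08:44:00 2021 -0700
+@@ -643,8 +643,8 @@
+if (entry.size == sizeof(struct timestamp_entry_v1)) {
+/* Old sudo record, convert it to TS_LOCKEXCL. */
+entry.type = TS_LOCKEXCL;
+- memset((char *)&entry + offsetof(struct timestamp_entry, type), 0,
+- nread - offsetof(struct timestamp_entry, type));
++ memset((char *)&entry + offsetof(struct timestamp_entry, flags), 0,
++ nread - offsetof(struct timestamp_entry, flags));
+if (ts_write(cookie->fd, cookie->fname, &entry, 0) == -1)
+debug_return_bool(false);
+} else {
+
+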
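--- /dev/null
+++ b/meta/recipes-extended/sudo/files/CVE-2021-3156-5.patch
@@ -0,0 +1,41 @@
+Upstream-Status: Backport [https://www.sudo.ws/repos/sudo/rev/c125fbe68783]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+CVE: CVE-2021-3156
+
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller@sudo.ws>
+# Date 1611416640 25200
+# Node ID c125fbe6878395d10f01d891d3c09b1229ada404
+# Parent 09f98816fc8978f1d8623a857073d2d5746f0379
+Don't assume that argv is allocated as a single flat buffer.
+While this is how the kernel behaves it is not a portable assumption.
+The assumption may also be violated if getopt_long(3) permutes arguments.
+Found by Qualys.
+
+diff -r 09f98816fc89 -r c125fbe68783 src/parse_args.c
+--- a/src/parse_args.c Sat Jan 23 08:44:00 2021 -0700
++++ b/src/parse_args.c Sat Jan 23 08:44:00 2021 -0700
+@@ -614,16 +614,16 @@
+if (argc != 0) {
+/* shell -c "command" */
+char *src, *dst;
+- size_t cmnd_size = (size_t) (argv[argc - 1] - argv[0]) +
+- strlen(argv[argc - 1]) + 1;
++ size_t size = 0;
+
+- cmnd = dst = reallocarray(NULL, cmnd_size, 2);
+- if (cmnd == NULL)
++ for (av = argv; *av != NULL; av++)
++ size += strlen(*av) + 1;
++ if (size == 0 || (cmnd = reallocarray(NULL, size, 2)) == NULL)
+sudo_fatalx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+if (!gc_add(GC_PTR, cmnd))
+exit(EXIT_FAILURE);
+
+- for (av = argv; *av != NULL; av++) {
++ for (dst = cmnd, av = argv; *av != NULL; av++) {
+for (src = *av; *src != '\0'; src++) {
+/* quote potential meta characters */
+if (!isalnum((unsigned char)*src) && *src != '_' && *src != '-' && *src != '$')
+
+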
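Review bot: In the new allocation check `if (size == 0 || (cmnd = reallocarray(NULL, size, 2)) == NULL)` at line 30 of the patch, `size == 0` cannot hold under the enclosing `if (argc != 0)` because every `argv` element adds at least 1 to `size`, so the branch is purely defensive yet reports `"unable to allocate memory"` for something that is not an allocation failure. That is upstream behaviour and acceptable to keep verbatim in a backport, but a comment such as `/* size == 0 is unreachable here; guards against a bogus argv */` would spare the next reader from puzzling over the message. The sizing loop walks `argv` to its NULL terminator rather than to `argc`, so it presumably relies on `argv` already pointing past the parsed options; that setup is outside the hunk and worth confirming against 1.9.3's `parse_args.c`.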
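--- a/meta/recipes-extended/sudo/sudo_1.9.3.bb
+++ b/meta/recipes-extended/sudo/sudo_1.9.3.bb
@@ -5,6 +5,11 @@ SRC_URI = "https://www.sudo.ws/dist/sudo-${PV}.tar.gz \
 file://0001-sudo.conf.in-fix-conflict-with-multilib.patch \
 file://CVE-2021-23239.patch \
 file://CVE-2021-23240.patch \
+file://CVE-2021-3156-1.patch \
+file://CVE-2021-3156-2.patch \
+file://CVE-2021-3156-3.patch \
+file://CVE-2021-3156-4.patch \
+file://CVE-2021-3156-5.patch \
 "
 
 PAM_SRC_URI = "file://sudo.pam"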