sudo: fix CVE-2021-3156

(From OE-Core rev: 2f6c7aae835c75a350686b058fba732005e4c923) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Anuj Mittal <anuj.mittal@intel.com> 2021-02-06 15:57:55 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-02-11 17:46:12 +0000
commit: ac41e4a597da00748823967a653565ac041b11e5 (patch)
tree: 6daa67d7acb31d2e691347c30c176e4ebeb7f9af
parent: 9df355c5f1dceeba11c4d15aef3b41fb551ae6f3 (diff)
download: poky-ac41e4a597da00748823967a653565ac041b11e5.tar.gz
6 files changed, 301 insertions, 0 deletions
diff --git a/meta/recipes-extended/sudo/files/CVE-2021-3156-1.patch b/meta/recipes-extended/sudo/files/CVE-2021-3156-1.patch
new file mode 100644
index 0000000000..83c277575e
--- /dev/null
+++ b/meta/recipes-extended/sudo/files/CVE-2021-3156-1.patch
@@ -0,0 +1,100 @@
+Upstream-Status: Backport[https://www.sudo.ws/repos/sudo/rev/9b97f1787804]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+CVE: CVE-2021-3156
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller@sudo.ws>
+# Date 1611416639 25200
+# Node ID 9b97f1787804aedccaec63c379053b1a91a0e409
+# Parent  90aba6ba6e03f3bc33b4eabf16358396ed83642d
+Reset valid_flags to MODE_NONINTERACTIVE for sudoedit.
+This is consistent with how the -e option is handled.
+Also reject -H and -P flags for sudoedit as was done in sudo 1.7.
+Found by Qualys, this is part of the fix for CVE-2021-3156.
+diff -r 90aba6ba6e03 -r 9b97f1787804 src/parse_args.c
+--- a/src/parse_args.c  Mon Jan 18 12:30:52 2021 +0100
+++ b/src/parse_args.c  Sat Jan 23 08:43:59 2021 -0700
+@@ -117,7 +117,10 @@
+ /*
+  * Default flags allowed when running a command.
+  */
+-#define DEFAULT_VALID_FLAGS    (MODE_BACKGROUND|MODE_PRESERVE_ENV|MODE_RESET_HOME|MODE_LOGIN_SHELL|MODE_NONINTERACTIVE|MODE_SHELL)
+#define DEFAULT_VALID_FLAGS    (MODE_BACKGROUND|MODE_PRESERVE_ENV|MODE_RESET_HOME|MODE_LOGIN_SHELL|MODE_NONINTERACTIVE|MODE_PRESERVE_GROUPS|MODE_SHELL)
+#define EDIT_VALID_FLAGS       MODE_NONINTERACTIVE
+#define LIST_VALID_FLAGS       (MODE_NONINTERACTIVE|MODE_LONG_LIST)
+#define VALIDATE_VALID_FLAGS   MODE_NONINTERACTIVE
+ 
+ /* Option number for the --host long option due to ambiguity of the -h flag. */
+ #define OPT_HOSTNAME   256
+@@ -262,6 +265,7 @@
+        progname = "sudoedit";
+        mode = MODE_EDIT;
+        sudo_settings[ARG_SUDOEDIT].value = "true";
+       valid_flags = EDIT_VALID_FLAGS;
+     }
+ 
+     /* Load local IP addresses and masks. */
+@@ -365,7 +369,7 @@
+                        usage_excl();
+                    mode = MODE_EDIT;
+                    sudo_settings[ARG_SUDOEDIT].value = "true";
+-                   valid_flags = MODE_NONINTERACTIVE;
+                   valid_flags = EDIT_VALID_FLAGS;
+                    break;
+                case 'g':
+                    assert(optarg != NULL);
+@@ -377,6 +381,7 @@
+                    break;
+                case 'H':
+                    sudo_settings[ARG_SET_HOME].value = "true";
+                   SET(flags, MODE_RESET_HOME);
+                    break;
+                case 'h':
+                    if (optarg == NULL) {
+@@ -431,7 +436,7 @@
+                            usage_excl();
+                    }
+                    mode = MODE_LIST;
+-                   valid_flags = MODE_NONINTERACTIVE|MODE_LONG_LIST;
+                   valid_flags = LIST_VALID_FLAGS;
+                    break;
+                case 'n':
+                    SET(flags, MODE_NONINTERACTIVE);
+@@ -439,6 +444,7 @@
+                    break;
+                case 'P':
+                    sudo_settings[ARG_PRESERVE_GROUPS].value = "true";
+                   SET(flags, MODE_PRESERVE_GROUPS);
+                    break;
+                case 'p':
+                    /* An empty prompt is allowed. */
+@@ -505,7 +511,7 @@
+                    if (mode && mode != MODE_VALIDATE)
+                        usage_excl();
+                    mode = MODE_VALIDATE;
+-                   valid_flags = MODE_NONINTERACTIVE;
+                   valid_flags = VALIDATE_VALID_FLAGS;
+                    break;
+                case 'V':
+                    if (mode && mode != MODE_VERSION)
+@@ -533,7 +539,7 @@
+     if (!mode) {
+        /* Defer -k mode setting until we know whether it is a flag or not */
+        if (sudo_settings[ARG_IGNORE_TICKET].value != NULL) {
+-           if (argc == 0 && !(flags & (MODE_SHELL|MODE_LOGIN_SHELL))) {
+           if (argc == 0 && !ISSET(flags, MODE_SHELL|MODE_LOGIN_SHELL)) {
+                mode = MODE_INVALIDATE; /* -k by itself */
+                sudo_settings[ARG_IGNORE_TICKET].value = NULL;
+                valid_flags = 0;
+@@ -601,7 +607,7 @@
+     /*
+      * For shell mode we need to rewrite argv
+      */
+-    if (ISSET(mode, MODE_RUN) && ISSET(flags, MODE_SHELL)) {
+    if (ISSET(flags, MODE_SHELL|MODE_LOGIN_SHELL) && ISSET(mode, MODE_RUN)) {
+        char **av, *cmnd = NULL;
+        int ac = 1;
+ 
diff --git a/meta/recipes-extended/sudo/files/CVE-2021-3156-2.patch b/meta/recipes-extended/sudo/files/CVE-2021-3156-2.patch
new file mode 100644
index 0000000000..6d051252cb
--- /dev/null
+++ b/meta/recipes-extended/sudo/files/CVE-2021-3156-2.patch
@@ -0,0 +1,53 @@
+From 03d04069468d6633be0d6ef6c4adff07620488da Mon Sep 17 00:00:00 2001
+From: Anuj Mittal <anuj.mittal@intel.com>
+Date: Sat, 6 Feb 2021 15:57:55 +0800
+Subject: [PATCH] sudo: fix CVE-2021-3156
+Upstream-Status: Backport [https://www.sudo.ws/repos/sudo/rev/a97dc92eae6b]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+CVE: CVE-2021-3156
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller@sudo.ws>
+# Date 1611416639 25200
+# Node ID a97dc92eae6b60ae285055441341d493c17262ff
+# Parent  9b97f1787804aedccaec63c379053b1a91a0e409
+Add sudoedit flag checks in plugin that are consistent with front-end.
+Don't assume the sudo front-end is sending reasonable mode flags.
+These checks need to be kept consistent between the sudo front-end
+and the sudoers plugin.
+---
+ plugins/sudoers/policy.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+diff --git a/plugins/sudoers/policy.c b/plugins/sudoers/policy.c
+index c4749a6..2f18fe1 100644
+--- a/plugins/sudoers/policy.c
+++ b/plugins/sudoers/policy.c
+@@ -88,10 +88,11 @@ parse_bool(const char *line, int varlen, int *flags, int fval)
+ int
+ sudoers_policy_deserialize_info(void *v, char **runas_user, char **runas_group)
+ {
+    const int edit_mask = MODE_EDIT|MODE_IGNORE_TICKET|MODE_NONINTERACTIVE;
+     struct sudoers_open_info *info = v;
+-    char * const *cur;
+     const char *p, *errstr, *groups = NULL;
+     const char *remhost = NULL;
+    char * const *cur;
+     int flags = 0;
+     debug_decl(sudoers_policy_deserialize_info, SUDOERS_DEBUG_PLUGIN);
+ 
+@@ -343,6 +344,12 @@ sudoers_policy_deserialize_info(void *v, char **runas_user, char **runas_group)
+ #endif
+     }
+ 
+    /* Sudo front-end should restrict mode flags for sudoedit. */
+    if (ISSET(flags, MODE_EDIT) && (flags & edit_mask) != flags) {
+       sudo_warnx(U_("invalid mode flags from sudo front end: 0x%x"), flags);
+       goto bad;
+    }
+
+     user_gid = (gid_t)-1;
+     user_sid = (pid_t)-1;
+     user_uid = (gid_t)-1;
diff --git a/meta/recipes-extended/sudo/files/CVE-2021-3156-3.patch b/meta/recipes-extended/sudo/files/CVE-2021-3156-3.patch
new file mode 100644
index 0000000000..30a574d05c
--- /dev/null
+++ b/meta/recipes-extended/sudo/files/CVE-2021-3156-3.patch
@@ -0,0 +1,73 @@
+Upstream-Status: Backport[https://www.sudo.ws/repos/sudo/rev/049ad90590be]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+CVE: CVE-2021-3156
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller@sudo.ws>
+# Date 1611416639 25200
+# Node ID 049ad90590be1e5dfb7df2675d2eb3e37c96ab86
+# Parent  a97dc92eae6b60ae285055441341d493c17262ff
+Fix potential buffer overflow when unescaping backslashes in user_args.
+Also, do not try to unescaping backslashes unless in run mode *and*
+we are running the command via a shell.
+Found by Qualys, this fixes CVE-2021-3156.
+diff -r a97dc92eae6b -r 049ad90590be plugins/sudoers/sudoers.c
+--- a/plugins/sudoers/sudoers.c Sat Jan 23 08:43:59 2021 -0700
+++ b/plugins/sudoers/sudoers.c Sat Jan 23 08:43:59 2021 -0700
+@@ -547,7 +547,7 @@
+ 
+     /* If run as root with SUDO_USER set, set sudo_user.pw to that user. */
+     /* XXX - causes confusion when root is not listed in sudoers */
+-    if (sudo_mode & (MODE_RUN | MODE_EDIT) && prev_user != NULL) {
+    if (ISSET(sudo_mode, MODE_RUN|MODE_EDIT) && prev_user != NULL) {
+        if (user_uid == 0 && strcmp(prev_user, "root") != 0) {
+            struct passwd *pw;
+ 
+@@ -932,8 +932,8 @@
+     if (user_cmnd == NULL)
+        user_cmnd = NewArgv[0];
+ 
+-    if (sudo_mode & (MODE_RUN | MODE_EDIT | MODE_CHECK)) {
+-       if (ISSET(sudo_mode, MODE_RUN | MODE_CHECK)) {
+    if (ISSET(sudo_mode, MODE_RUN|MODE_EDIT|MODE_CHECK)) {
+       if (!ISSET(sudo_mode, MODE_EDIT)) {
+            const char *runchroot = user_runchroot;
+            if (runchroot == NULL && def_runchroot != NULL &&
+                    strcmp(def_runchroot, "*") != 0)
+@@ -961,7 +961,8 @@
+                sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+                debug_return_int(NOT_FOUND_ERROR);
+            }
+-           if (ISSET(sudo_mode, MODE_SHELL|MODE_LOGIN_SHELL)) {
+           if (ISSET(sudo_mode, MODE_SHELL|MODE_LOGIN_SHELL) &&
+                   ISSET(sudo_mode, MODE_RUN)) {
+                /*
+                 * When running a command via a shell, the sudo front-end
+                 * escapes potential meta chars.  We unescape non-spaces
+@@ -969,10 +970,22 @@
+                 */
+                for (to = user_args, av = NewArgv + 1; (from = *av); av++) {
+                    while (*from) {
+-                       if (from[0] == '\\' && !isspace((unsigned char)from[1]))
+                       if (from[0] == '\\' && from[1] != '\0' &&
+                               !isspace((unsigned char)from[1])) {
+                            from++;
+                       }
+                       if (size - (to - user_args) < 1) {
+                           sudo_warnx(U_("internal error, %s overflow"),
+                               __func__);
+                           debug_return_int(NOT_FOUND_ERROR);
+                       }
+                        *to++ = *from++;
+                    }
+                   if (size - (to - user_args) < 1) {
+                       sudo_warnx(U_("internal error, %s overflow"),
+                           __func__);
+                       debug_return_int(NOT_FOUND_ERROR);
+                   }
+                    *to++ = ' ';
+                }
+                *--to = '\0';
diff --git a/meta/recipes-extended/sudo/files/CVE-2021-3156-4.patch b/meta/recipes-extended/sudo/files/CVE-2021-3156-4.patch
new file mode 100644
index 0000000000..c1b00c740e
--- /dev/null
+++ b/meta/recipes-extended/sudo/files/CVE-2021-3156-4.patch
@@ -0,0 +1,29 @@
+Upstream-Status: Backport [https://www.sudo.ws/repos/sudo/rev/09f98816fc89]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+CVE: CVE-2021-3156
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller@sudo.ws>
+# Date 1611416640 25200
+# Node ID 09f98816fc8978f1d8623a857073d2d5746f0379
+# Parent  049ad90590be1e5dfb7df2675d2eb3e37c96ab86
+Fix the memset offset when converting a v1 timestamp to TS_LOCKEXCL.
+We want to zero the struct starting at flags, not type (which was just set).
+Found by Qualys.
+diff -r 049ad90590be -r 09f98816fc89 plugins/sudoers/timestamp.c
+--- a/plugins/sudoers/timestamp.c       Sat Jan 23 08:43:59 2021 -0700
+++ b/plugins/sudoers/timestamp.c       Sat Jan 23 08:44:00 2021 -0700
+@@ -643,8 +643,8 @@
+        if (entry.size == sizeof(struct timestamp_entry_v1)) {
+            /* Old sudo record, convert it to TS_LOCKEXCL. */
+            entry.type = TS_LOCKEXCL;
+-           memset((char *)&entry + offsetof(struct timestamp_entry, type), 0,
+-               nread - offsetof(struct timestamp_entry, type));
+           memset((char *)&entry + offsetof(struct timestamp_entry, flags), 0,
+               nread - offsetof(struct timestamp_entry, flags));
+            if (ts_write(cookie->fd, cookie->fname, &entry, 0) == -1)
+                debug_return_bool(false);
+        } else {
diff --git a/meta/recipes-extended/sudo/files/CVE-2021-3156-5.patch b/meta/recipes-extended/sudo/files/CVE-2021-3156-5.patch
new file mode 100644
index 0000000000..c04b8e72a6
--- /dev/null
+++ b/meta/recipes-extended/sudo/files/CVE-2021-3156-5.patch
@@ -0,0 +1,41 @@
+Upstream-Status: Backport [https://www.sudo.ws/repos/sudo/rev/c125fbe68783]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+CVE: CVE-2021-3156
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller@sudo.ws>
+# Date 1611416640 25200
+# Node ID c125fbe6878395d10f01d891d3c09b1229ada404
+# Parent  09f98816fc8978f1d8623a857073d2d5746f0379
+Don't assume that argv is allocated as a single flat buffer.
+While this is how the kernel behaves it is not a portable assumption.
+The assumption may also be violated if getopt_long(3) permutes arguments.
+Found by Qualys.
+diff -r 09f98816fc89 -r c125fbe68783 src/parse_args.c
+--- a/src/parse_args.c  Sat Jan 23 08:44:00 2021 -0700
+++ b/src/parse_args.c  Sat Jan 23 08:44:00 2021 -0700
+@@ -614,16 +614,16 @@
+        if (argc != 0) {
+            /* shell -c "command" */
+            char *src, *dst;
+-           size_t cmnd_size = (size_t) (argv[argc - 1] - argv[0]) +
+-               strlen(argv[argc - 1]) + 1;
+           size_t size = 0;
+ 
+-           cmnd = dst = reallocarray(NULL, cmnd_size, 2);
+-           if (cmnd == NULL)
+           for (av = argv; *av != NULL; av++)
+               size += strlen(*av) + 1;
+           if (size == 0 || (cmnd = reallocarray(NULL, size, 2)) == NULL)
+                sudo_fatalx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+            if (!gc_add(GC_PTR, cmnd))
+                exit(EXIT_FAILURE);
+ 
+-           for (av = argv; *av != NULL; av++) {
+           for (dst = cmnd, av = argv; *av != NULL; av++) {
+                for (src = *av; *src != '\0'; src++) {
+                    /* quote potential meta characters */
+                    if (!isalnum((unsigned char)*src) && *src != '_' && *src != '-' && *src != '$')
diff --git a/meta/recipes-extended/sudo/sudo_1.9.3.bb b/meta/recipes-extended/sudo/sudo_1.9.3.bb
index 4edcbfc607..37fd6386dd 100644
--- a/meta/recipes-extended/sudo/sudo_1.9.3.bb
+++ b/meta/recipes-extended/sudo/sudo_1.9.3.bb
@@ -5,6 +5,11 @@ SRC_URI = "https://www.sudo.ws/dist/sudo-${PV}.tar.gz \
           file://0001-sudo.conf.in-fix-conflict-with-multilib.patch \
           file://CVE-2021-23239.patch \
           file://CVE-2021-23240.patch \
+           file://CVE-2021-3156-1.patch \
+           file://CVE-2021-3156-2.patch \
+           file://CVE-2021-3156-3.patch \
+           file://CVE-2021-3156-4.patch \
+           file://CVE-2021-3156-5.patch \
           "
 PAM_SRC_URI = "file://sudo.pam"
author	Anuj Mittal <anuj.mittal@intel.com>	2021-02-06 15:57:55 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-02-11 17:46:12 +0000
commit	ac41e4a597da00748823967a653565ac041b11e5 (patch)
tree	6daa67d7acb31d2e691347c30c176e4ebeb7f9af
parent	9df355c5f1dceeba11c4d15aef3b41fb551ae6f3 (diff)
download	poky-ac41e4a597da00748823967a653565ac041b11e5.tar.gz

diff --git a/meta/recipes-extended/sudo/files/CVE-2021-3156-1.patch b/meta/recipes-extended/sudo/files/CVE-2021-3156-1.patch new file mode 100644 index 0000000000..83c277575e --- /dev/null +++ b/meta/recipes-extended/sudo/files/CVE-2021-3156-1.patch
@@ -0,0 +1,100 @@
		1	Upstream-Status: Backport[https://www.sudo.ws/repos/sudo/rev/9b97f1787804]
		2	Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
		3	CVE: CVE-2021-3156
		4
		5	# HG changeset patch
		6	# User Todd C. Miller <Todd.Miller@sudo.ws>
		7	# Date 1611416639 25200
		8	# Node ID 9b97f1787804aedccaec63c379053b1a91a0e409
		9	# Parent 90aba6ba6e03f3bc33b4eabf16358396ed83642d
		10	Reset valid_flags to MODE_NONINTERACTIVE for sudoedit.
		11	This is consistent with how the -e option is handled.
		12	Also reject -H and -P flags for sudoedit as was done in sudo 1.7.
		13	Found by Qualys, this is part of the fix for CVE-2021-3156.
		14
		15	diff -r 90aba6ba6e03 -r 9b97f1787804 src/parse_args.c
		16	--- a/src/parse_args.c Mon Jan 18 12:30:52 2021 +0100
		17	+++ b/src/parse_args.c Sat Jan 23 08:43:59 2021 -0700
		18	@@ -117,7 +117,10 @@
		19	/*
		20	* Default flags allowed when running a command.
		21	*/
		22	-#define DEFAULT_VALID_FLAGS (MODE_BACKGROUND\|MODE_PRESERVE_ENV\|MODE_RESET_HOME\|MODE_LOGIN_SHELL\|MODE_NONINTERACTIVE\|MODE_SHELL)
		23	+#define DEFAULT_VALID_FLAGS (MODE_BACKGROUND\|MODE_PRESERVE_ENV\|MODE_RESET_HOME\|MODE_LOGIN_SHELL\|MODE_NONINTERACTIVE\|MODE_PRESERVE_GROUPS\|MODE_SHELL)
		24	+#define EDIT_VALID_FLAGS MODE_NONINTERACTIVE
		25	+#define LIST_VALID_FLAGS (MODE_NONINTERACTIVE\|MODE_LONG_LIST)
		26	+#define VALIDATE_VALID_FLAGS MODE_NONINTERACTIVE
		27
		28	/* Option number for the --host long option due to ambiguity of the -h flag. */
		29	#define OPT_HOSTNAME 256
		30	@@ -262,6 +265,7 @@
		31	progname = "sudoedit";
		32	mode = MODE_EDIT;
		33	sudo_settings[ARG_SUDOEDIT].value = "true";
		34	+ valid_flags = EDIT_VALID_FLAGS;
		35	}
		36
		37	/* Load local IP addresses and masks. */
		38	@@ -365,7 +369,7 @@
		39	usage_excl();
		40	mode = MODE_EDIT;
		41	sudo_settings[ARG_SUDOEDIT].value = "true";
		42	- valid_flags = MODE_NONINTERACTIVE;
		43	+ valid_flags = EDIT_VALID_FLAGS;
		44	break;
		45	case 'g':
		46	assert(optarg != NULL);
		47	@@ -377,6 +381,7 @@
		48	break;
		49	case 'H':
		50	sudo_settings[ARG_SET_HOME].value = "true";
		51	+ SET(flags, MODE_RESET_HOME);
		52	break;
		53	case 'h':
		54	if (optarg == NULL) {
		55	@@ -431,7 +436,7 @@
		56	usage_excl();
		57	}
		58	mode = MODE_LIST;
		59	- valid_flags = MODE_NONINTERACTIVE\|MODE_LONG_LIST;
		60	+ valid_flags = LIST_VALID_FLAGS;
		61	break;
		62	case 'n':
		63	SET(flags, MODE_NONINTERACTIVE);
		64	@@ -439,6 +444,7 @@
		65	break;
		66	case 'P':
		67	sudo_settings[ARG_PRESERVE_GROUPS].value = "true";
		68	+ SET(flags, MODE_PRESERVE_GROUPS);
		69	break;
		70	case 'p':
		71	/* An empty prompt is allowed. */
		72	@@ -505,7 +511,7 @@
		73	if (mode && mode != MODE_VALIDATE)
		74	usage_excl();
		75	mode = MODE_VALIDATE;
		76	- valid_flags = MODE_NONINTERACTIVE;
		77	+ valid_flags = VALIDATE_VALID_FLAGS;
		78	break;
		79	case 'V':
		80	if (mode && mode != MODE_VERSION)
		81	@@ -533,7 +539,7 @@
		82	if (!mode) {
		83	/* Defer -k mode setting until we know whether it is a flag or not */
		84	if (sudo_settings[ARG_IGNORE_TICKET].value != NULL) {
		85	- if (argc == 0 && !(flags & (MODE_SHELL\|MODE_LOGIN_SHELL))) {
		86	+ if (argc == 0 && !ISSET(flags, MODE_SHELL\|MODE_LOGIN_SHELL)) {
		87	mode = MODE_INVALIDATE; /* -k by itself */
		88	sudo_settings[ARG_IGNORE_TICKET].value = NULL;
		89	valid_flags = 0;
		90	@@ -601,7 +607,7 @@
		91	/*
		92	* For shell mode we need to rewrite argv
		93	*/
		94	- if (ISSET(mode, MODE_RUN) && ISSET(flags, MODE_SHELL)) {
		95	+ if (ISSET(flags, MODE_SHELL\|MODE_LOGIN_SHELL) && ISSET(mode, MODE_RUN)) {
		96	char *av, cmnd = NULL;
		97	int ac = 1;
		98
		99
		100


diff --git a/meta/recipes-extended/sudo/files/CVE-2021-3156-2.patch b/meta/recipes-extended/sudo/files/CVE-2021-3156-2.patch new file mode 100644 index 0000000000..6d051252cb --- /dev/null +++ b/meta/recipes-extended/sudo/files/CVE-2021-3156-2.patch
@@ -0,0 +1,53 @@
		1	From 03d04069468d6633be0d6ef6c4adff07620488da Mon Sep 17 00:00:00 2001
		2	From: Anuj Mittal <anuj.mittal@intel.com>
		3	Date: Sat, 6 Feb 2021 15:57:55 +0800
		4	Subject: [PATCH] sudo: fix CVE-2021-3156
		5
		6	Upstream-Status: Backport [https://www.sudo.ws/repos/sudo/rev/a97dc92eae6b]
		7	Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
		8	CVE: CVE-2021-3156
		9
		10	# HG changeset patch
		11	# User Todd C. Miller <Todd.Miller@sudo.ws>
		12	# Date 1611416639 25200
		13	# Node ID a97dc92eae6b60ae285055441341d493c17262ff
		14	# Parent 9b97f1787804aedccaec63c379053b1a91a0e409
		15	Add sudoedit flag checks in plugin that are consistent with front-end.
		16	Don't assume the sudo front-end is sending reasonable mode flags.
		17	These checks need to be kept consistent between the sudo front-end
		18	and the sudoers plugin.
		19
		20	---
		21	plugins/sudoers/policy.c \| 9 ++++++++-
		22	1 file changed, 8 insertions(+), 1 deletion(-)
		23
		24	diff --git a/plugins/sudoers/policy.c b/plugins/sudoers/policy.c
		25	index c4749a6..2f18fe1 100644
		26	--- a/plugins/sudoers/policy.c
		27	+++ b/plugins/sudoers/policy.c
		28	@@ -88,10 +88,11 @@ parse_bool(const char line, int varlen, int flags, int fval)
		29	int
		30	sudoers_policy_deserialize_info(void v, char runas_user, char *runas_group)
		31	{
		32	+ const int edit_mask = MODE_EDIT\|MODE_IGNORE_TICKET\|MODE_NONINTERACTIVE;
		33	struct sudoers_open_info *info = v;
		34	- char * const *cur;
		35	const char p, errstr, *groups = NULL;
		36	const char *remhost = NULL;
		37	+ char * const *cur;
		38	int flags = 0;
		39	debug_decl(sudoers_policy_deserialize_info, SUDOERS_DEBUG_PLUGIN);
		40
		41	@@ -343,6 +344,12 @@ sudoers_policy_deserialize_info(void v, char runas_user, char *runas_group)
		42	#endif
		43	}
		44
		45	+ /* Sudo front-end should restrict mode flags for sudoedit. */
		46	+ if (ISSET(flags, MODE_EDIT) && (flags & edit_mask) != flags) {
		47	+ sudo_warnx(U_("invalid mode flags from sudo front end: 0x%x"), flags);
		48	+ goto bad;
		49	+ }
		50	+
		51	user_gid = (gid_t)-1;
		52	user_sid = (pid_t)-1;
		53	user_uid = (gid_t)-1;


diff --git a/meta/recipes-extended/sudo/files/CVE-2021-3156-3.patch b/meta/recipes-extended/sudo/files/CVE-2021-3156-3.patch new file mode 100644 index 0000000000..30a574d05c --- /dev/null +++ b/meta/recipes-extended/sudo/files/CVE-2021-3156-3.patch
@@ -0,0 +1,73 @@
		1	Upstream-Status: Backport[https://www.sudo.ws/repos/sudo/rev/049ad90590be]
		2	Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
		3	CVE: CVE-2021-3156
		4
		5	# HG changeset patch
		6	# User Todd C. Miller <Todd.Miller@sudo.ws>
		7	# Date 1611416639 25200
		8	# Node ID 049ad90590be1e5dfb7df2675d2eb3e37c96ab86
		9	# Parent a97dc92eae6b60ae285055441341d493c17262ff
		10	Fix potential buffer overflow when unescaping backslashes in user_args.
		11	Also, do not try to unescaping backslashes unless in run mode and
		12	we are running the command via a shell.
		13	Found by Qualys, this fixes CVE-2021-3156.
		14
		15	diff -r a97dc92eae6b -r 049ad90590be plugins/sudoers/sudoers.c
		16	--- a/plugins/sudoers/sudoers.c Sat Jan 23 08:43:59 2021 -0700
		17	+++ b/plugins/sudoers/sudoers.c Sat Jan 23 08:43:59 2021 -0700
		18	@@ -547,7 +547,7 @@
		19
		20	/* If run as root with SUDO_USER set, set sudo_user.pw to that user. */
		21	/* XXX - causes confusion when root is not listed in sudoers */
		22	- if (sudo_mode & (MODE_RUN \| MODE_EDIT) && prev_user != NULL) {
		23	+ if (ISSET(sudo_mode, MODE_RUN\|MODE_EDIT) && prev_user != NULL) {
		24	if (user_uid == 0 && strcmp(prev_user, "root") != 0) {
		25	struct passwd *pw;
		26
		27	@@ -932,8 +932,8 @@
		28	if (user_cmnd == NULL)
		29	user_cmnd = NewArgv[0];
		30
		31	- if (sudo_mode & (MODE_RUN \| MODE_EDIT \| MODE_CHECK)) {
		32	- if (ISSET(sudo_mode, MODE_RUN \| MODE_CHECK)) {
		33	+ if (ISSET(sudo_mode, MODE_RUN\|MODE_EDIT\|MODE_CHECK)) {
		34	+ if (!ISSET(sudo_mode, MODE_EDIT)) {
		35	const char *runchroot = user_runchroot;
		36	if (runchroot == NULL && def_runchroot != NULL &&
		37	strcmp(def_runchroot, "*") != 0)
		38	@@ -961,7 +961,8 @@
		39	sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
		40	debug_return_int(NOT_FOUND_ERROR);
		41	}
		42	- if (ISSET(sudo_mode, MODE_SHELL\|MODE_LOGIN_SHELL)) {
		43	+ if (ISSET(sudo_mode, MODE_SHELL\|MODE_LOGIN_SHELL) &&
		44	+ ISSET(sudo_mode, MODE_RUN)) {
		45	/*
		46	* When running a command via a shell, the sudo front-end
		47	* escapes potential meta chars. We unescape non-spaces
		48	@@ -969,10 +970,22 @@
		49	*/
		50	for (to = user_args, av = NewArgv + 1; (from = *av); av++) {
		51	while (*from) {
		52	- if (from[0] == '\\' && !isspace((unsigned char)from[1]))
		53	+ if (from[0] == '\\' && from[1] != '\0' &&
		54	+ !isspace((unsigned char)from[1])) {
		55	from++;
		56	+ }
		57	+ if (size - (to - user_args) < 1) {
		58	+ sudo_warnx(U_("internal error, %s overflow"),
		59	+ __func__);
		60	+ debug_return_int(NOT_FOUND_ERROR);
		61	+ }
		62	to++ = from++;
		63	}
		64	+ if (size - (to - user_args) < 1) {
		65	+ sudo_warnx(U_("internal error, %s overflow"),
		66	+ __func__);
		67	+ debug_return_int(NOT_FOUND_ERROR);
		68	+ }
		69	*to++ = ' ';
		70	}
		71	*--to = '\0';
		72
		73


diff --git a/meta/recipes-extended/sudo/files/CVE-2021-3156-4.patch b/meta/recipes-extended/sudo/files/CVE-2021-3156-4.patch new file mode 100644 index 0000000000..c1b00c740e --- /dev/null +++ b/meta/recipes-extended/sudo/files/CVE-2021-3156-4.patch
@@ -0,0 +1,29 @@
		1	Upstream-Status: Backport [https://www.sudo.ws/repos/sudo/rev/09f98816fc89]
		2	Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
		3	CVE: CVE-2021-3156
		4
		5	# HG changeset patch
		6	# User Todd C. Miller <Todd.Miller@sudo.ws>
		7	# Date 1611416640 25200
		8	# Node ID 09f98816fc8978f1d8623a857073d2d5746f0379
		9	# Parent 049ad90590be1e5dfb7df2675d2eb3e37c96ab86
		10	Fix the memset offset when converting a v1 timestamp to TS_LOCKEXCL.
		11	We want to zero the struct starting at flags, not type (which was just set).
		12	Found by Qualys.
		13
		14	diff -r 049ad90590be -r 09f98816fc89 plugins/sudoers/timestamp.c
		15	--- a/plugins/sudoers/timestamp.c Sat Jan 23 08:43:59 2021 -0700
		16	+++ b/plugins/sudoers/timestamp.c Sat Jan 23 08:44:00 2021 -0700
		17	@@ -643,8 +643,8 @@
		18	if (entry.size == sizeof(struct timestamp_entry_v1)) {
		19	/* Old sudo record, convert it to TS_LOCKEXCL. */
		20	entry.type = TS_LOCKEXCL;
		21	- memset((char *)&entry + offsetof(struct timestamp_entry, type), 0,
		22	- nread - offsetof(struct timestamp_entry, type));
		23	+ memset((char *)&entry + offsetof(struct timestamp_entry, flags), 0,
		24	+ nread - offsetof(struct timestamp_entry, flags));
		25	if (ts_write(cookie->fd, cookie->fname, &entry, 0) == -1)
		26	debug_return_bool(false);
		27	} else {
		28
		29


diff --git a/meta/recipes-extended/sudo/files/CVE-2021-3156-5.patch b/meta/recipes-extended/sudo/files/CVE-2021-3156-5.patch new file mode 100644 index 0000000000..c04b8e72a6 --- /dev/null +++ b/meta/recipes-extended/sudo/files/CVE-2021-3156-5.patch
@@ -0,0 +1,41 @@
		1	Upstream-Status: Backport [https://www.sudo.ws/repos/sudo/rev/c125fbe68783]
		2	Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
		3	CVE: CVE-2021-3156
		4
		5	# HG changeset patch
		6	# User Todd C. Miller <Todd.Miller@sudo.ws>
		7	# Date 1611416640 25200
		8	# Node ID c125fbe6878395d10f01d891d3c09b1229ada404
		9	# Parent 09f98816fc8978f1d8623a857073d2d5746f0379
		10	Don't assume that argv is allocated as a single flat buffer.
		11	While this is how the kernel behaves it is not a portable assumption.
		12	The assumption may also be violated if getopt_long(3) permutes arguments.
		13	Found by Qualys.
		14
		15	diff -r 09f98816fc89 -r c125fbe68783 src/parse_args.c
		16	--- a/src/parse_args.c Sat Jan 23 08:44:00 2021 -0700
		17	+++ b/src/parse_args.c Sat Jan 23 08:44:00 2021 -0700
		18	@@ -614,16 +614,16 @@
		19	if (argc != 0) {
		20	/* shell -c "command" */
		21	char src, dst;
		22	- size_t cmnd_size = (size_t) (argv[argc - 1] - argv[0]) +
		23	- strlen(argv[argc - 1]) + 1;
		24	+ size_t size = 0;
		25
		26	- cmnd = dst = reallocarray(NULL, cmnd_size, 2);
		27	- if (cmnd == NULL)
		28	+ for (av = argv; *av != NULL; av++)
		29	+ size += strlen(*av) + 1;
		30	+ if (size == 0 \|\| (cmnd = reallocarray(NULL, size, 2)) == NULL)
		31	sudo_fatalx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
		32	if (!gc_add(GC_PTR, cmnd))
		33	exit(EXIT_FAILURE);
		34
		35	- for (av = argv; *av != NULL; av++) {
		36	+ for (dst = cmnd, av = argv; *av != NULL; av++) {
		37	for (src = av; src != '\0'; src++) {
		38	/* quote potential meta characters */
		39	if (!isalnum((unsigned char)src) && src != '_' && src != '-' && src != '$')
		40
		41


diff --git a/meta/recipes-extended/sudo/sudo_1.9.3.bb b/meta/recipes-extended/sudo/sudo_1.9.3.bb index 4edcbfc607..37fd6386dd 100644 --- a/meta/recipes-extended/sudo/sudo_1.9.3.bb +++ b/meta/recipes-extended/sudo/sudo_1.9.3.bb
@@ -5,6 +5,11 @@ SRC_URI = "https://www.sudo.ws/dist/sudo-${PV}.tar.gz \
5	file://0001-sudo.conf.in-fix-conflict-with-multilib.patch \	5	file://0001-sudo.conf.in-fix-conflict-with-multilib.patch \
6	file://CVE-2021-23239.patch \	6	file://CVE-2021-23239.patch \
7	file://CVE-2021-23240.patch \	7	file://CVE-2021-23240.patch \
		8	file://CVE-2021-3156-1.patch \
		9	file://CVE-2021-3156-2.patch \
		10	file://CVE-2021-3156-3.patch \
		11	file://CVE-2021-3156-4.patch \
		12	file://CVE-2021-3156-5.patch \
8	"	13	"
9		14
10	PAM_SRC_URI = "file://sudo.pam"	15	PAM_SRC_URI = "file://sudo.pam"