sudo: fix CVE-2021-23239

(From OE-Core rev: ed8e858fc3ca0c5a401f08408a793f8c864ff645) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Anuj Mittal <anuj.mittal@intel.com> 2021-02-01 11:21:38 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-02-05 23:35:18 +0000
commit: cb502e4d643503b6a7f61638e1c6fce5cc11d023 (patch)
tree: eb9089a9793c99b67ae998cecdbddea0a50ee3be
parent: 482b1fc4d96fce1b2e3f0bd5cf763c28f30d8b95 (diff)
download: poky-cb502e4d643503b6a7f61638e1c6fce5cc11d023.tar.gz
2 files changed, 63 insertions, 0 deletions
diff --git a/meta/recipes-extended/sudo/files/CVE-2021-23239.patch b/meta/recipes-extended/sudo/files/CVE-2021-23239.patch
new file mode 100644
index 0000000000..e16baecd5a
--- /dev/null
+++ b/meta/recipes-extended/sudo/files/CVE-2021-23239.patch
@@ -0,0 +1,62 @@
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller@sudo.ws>
+# Date 1609953360 25200
+# Node ID ea19d0073c02951bbbf35342dd63304da83edce8
+# Parent  f1ca39a0d87089d005b78a2556e2b1a2dc17f672
+Fix potential directory existing info leak in sudoedit.
+When creating a new file, sudoedit checks to make sure the parent
+directory exists so it can provide the user with a sensible error
+message.  However, this could be used to test for the existence of
+directories not normally accessible to the user by pointing to them
+with a symbolic link when the parent directory is controlled by the
+user.  Problem reported by Matthias Gerstner of SUSE.
+Upstream-Status: Backport [https://www.sudo.ws/repos/sudo/rev/ea19d0073c02]
+CVE: CVE-2021-23239
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+diff -r f1ca39a0d870 -r ea19d0073c02 src/sudo_edit.c
+--- a/src/sudo_edit.c   Wed Jan 06 10:16:00 2021 -0700
+++ b/src/sudo_edit.c   Wed Jan 06 10:16:00 2021 -0700
+@@ -541,14 +541,33 @@
+            S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH, command_details);
+        if (ofd != -1 || errno == ENOENT) {
+            if (ofd == -1) {
+-               /* New file, verify parent dir exists unless in cwd. */
+               /*
+                * New file, verify parent dir exists unless in cwd.
+                * This fails early so the user knows ahead of time if the
+                * edit won't succeed.  Additional checks are performed
+                * when copying the temporary file back to the origin.
+                */
+                char *slash = strrchr(files[i], '/');
+                if (slash != NULL && slash != files[i]) {
+-                   int serrno = errno;
+                   const int sflags = command_details->flags;
+                   const int serrno = errno;
+                   int dfd;
+
+                   /*
+                    * The parent directory is allowed to be a symbolic
+                    * link as long as *its* parent is not writable.
+                    */
+                    *slash = '\0';
+-                   if (stat(files[i], &sb) == 0 && S_ISDIR(sb.st_mode)) {
+-                       memset(&sb, 0, sizeof(sb));
+-                       rc = 0;
+                   SET(command_details->flags, CD_SUDOEDIT_FOLLOW);
+                   dfd = sudo_edit_open(files[i], DIR_OPEN_FLAGS,
+                       S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH, command_details);
+                   command_details->flags = sflags;
+                   if (dfd != -1) {
+                       if (fstat(dfd, &sb) == 0 && S_ISDIR(sb.st_mode)) {
+                           memset(&sb, 0, sizeof(sb));
+                           rc = 0;
+                       }
+                       close(dfd);
+                    }
+                    *slash = '/';
+                    errno = serrno;
diff --git a/meta/recipes-extended/sudo/sudo_1.9.3.bb b/meta/recipes-extended/sudo/sudo_1.9.3.bb
index 0d0be9ab8b..132d9a8cb9 100644
--- a/meta/recipes-extended/sudo/sudo_1.9.3.bb
+++ b/meta/recipes-extended/sudo/sudo_1.9.3.bb
@@ -3,6 +3,7 @@ require sudo.inc
 SRC_URI = "https://www.sudo.ws/dist/sudo-${PV}.tar.gz \
           ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
           file://0001-sudo.conf.in-fix-conflict-with-multilib.patch \
+           file://CVE-2021-23239.patch \
           "
 PAM_SRC_URI = "file://sudo.pam"
author	Anuj Mittal <anuj.mittal@intel.com>	2021-02-01 11:21:38 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-02-05 23:35:18 +0000
commit	cb502e4d643503b6a7f61638e1c6fce5cc11d023 (patch)
tree	eb9089a9793c99b67ae998cecdbddea0a50ee3be
parent	482b1fc4d96fce1b2e3f0bd5cf763c28f30d8b95 (diff)
download	poky-cb502e4d643503b6a7f61638e1c6fce5cc11d023.tar.gz

diff --git a/meta/recipes-extended/sudo/files/CVE-2021-23239.patch b/meta/recipes-extended/sudo/files/CVE-2021-23239.patch new file mode 100644 index 0000000000..e16baecd5a --- /dev/null +++ b/meta/recipes-extended/sudo/files/CVE-2021-23239.patch
@@ -0,0 +1,62 @@
		1
		2	# HG changeset patch
		3	# User Todd C. Miller <Todd.Miller@sudo.ws>
		4	# Date 1609953360 25200
		5	# Node ID ea19d0073c02951bbbf35342dd63304da83edce8
		6	# Parent f1ca39a0d87089d005b78a2556e2b1a2dc17f672
		7	Fix potential directory existing info leak in sudoedit.
		8	When creating a new file, sudoedit checks to make sure the parent
		9	directory exists so it can provide the user with a sensible error
		10	message. However, this could be used to test for the existence of
		11	directories not normally accessible to the user by pointing to them
		12	with a symbolic link when the parent directory is controlled by the
		13	user. Problem reported by Matthias Gerstner of SUSE.
		14
		15	Upstream-Status: Backport [https://www.sudo.ws/repos/sudo/rev/ea19d0073c02]
		16	CVE: CVE-2021-23239
		17	Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
		18
		19	diff -r f1ca39a0d870 -r ea19d0073c02 src/sudo_edit.c
		20	--- a/src/sudo_edit.c Wed Jan 06 10:16:00 2021 -0700
		21	+++ b/src/sudo_edit.c Wed Jan 06 10:16:00 2021 -0700
		22	@@ -541,14 +541,33 @@
		23	S_IRUSR\|S_IWUSR\|S_IRGRP\|S_IROTH, command_details);
		24	if (ofd != -1 \|\| errno == ENOENT) {
		25	if (ofd == -1) {
		26	- /* New file, verify parent dir exists unless in cwd. */
		27	+ /*
		28	+ * New file, verify parent dir exists unless in cwd.
		29	+ * This fails early so the user knows ahead of time if the
		30	+ * edit won't succeed. Additional checks are performed
		31	+ * when copying the temporary file back to the origin.
		32	+ */
		33	char *slash = strrchr(files[i], '/');
		34	if (slash != NULL && slash != files[i]) {
		35	- int serrno = errno;
		36	+ const int sflags = command_details->flags;
		37	+ const int serrno = errno;
		38	+ int dfd;
		39	+
		40	+ /*
		41	+ * The parent directory is allowed to be a symbolic
		42	+ * link as long as its parent is not writable.
		43	+ */
		44	*slash = '\0';
		45	- if (stat(files[i], &sb) == 0 && S_ISDIR(sb.st_mode)) {
		46	- memset(&sb, 0, sizeof(sb));
		47	- rc = 0;
		48	+ SET(command_details->flags, CD_SUDOEDIT_FOLLOW);
		49	+ dfd = sudo_edit_open(files[i], DIR_OPEN_FLAGS,
		50	+ S_IRUSR\|S_IWUSR\|S_IRGRP\|S_IROTH, command_details);
		51	+ command_details->flags = sflags;
		52	+ if (dfd != -1) {
		53	+ if (fstat(dfd, &sb) == 0 && S_ISDIR(sb.st_mode)) {
		54	+ memset(&sb, 0, sizeof(sb));
		55	+ rc = 0;
		56	+ }
		57	+ close(dfd);
		58	}
		59	*slash = '/';
		60	errno = serrno;
		61
		62


diff --git a/meta/recipes-extended/sudo/sudo_1.9.3.bb b/meta/recipes-extended/sudo/sudo_1.9.3.bb index 0d0be9ab8b..132d9a8cb9 100644 --- a/meta/recipes-extended/sudo/sudo_1.9.3.bb +++ b/meta/recipes-extended/sudo/sudo_1.9.3.bb
@@ -3,6 +3,7 @@ require sudo.inc
3	SRC_URI = "https://www.sudo.ws/dist/sudo-${PV}.tar.gz \	3	SRC_URI = "https://www.sudo.ws/dist/sudo-${PV}.tar.gz \
4	${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \	4	${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
5	file://0001-sudo.conf.in-fix-conflict-with-multilib.patch \	5	file://0001-sudo.conf.in-fix-conflict-with-multilib.patch \
		6	file://CVE-2021-23239.patch \
6	"	7	"
7		8
8	PAM_SRC_URI = "file://sudo.pam"	9	PAM_SRC_URI = "file://sudo.pam"