sudo: Fix CVE-2023-22809

Add CVE-2023-22809.patch to fix CVE-2023-22809. (From OE-Core rev: 186a5ab41927e6be0920e03e743f32ae4477c58e) Signed-off-by: Omkar Patil <omkar.patil@kpit.com> Signed-off-by: pawan <badganchipv@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Omkar Patil <omkar.patil@kpit.com> 2023-02-08 17:18:46 +0530
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2023-02-24 16:41:42 +0000
commit: 50108e218050a2ff0eafd1d9f031f1a980c1b09c (patch)
tree: fd16e81b09acbb62c44b10b514b41f9a54679c08 /meta/recipes-extended
parent: 3c3039aac44a2783a6a5f8906b72e75771b5c879 (diff)
download: poky-50108e218050a2ff0eafd1d9f031f1a980c1b09c.tar.gz
2 files changed, 114 insertions, 0 deletions
diff --git a/meta/recipes-extended/sudo/files/CVE-2023-22809.patch b/meta/recipes-extended/sudo/files/CVE-2023-22809.patch
new file mode 100644
index 0000000000..6c47eb3e44
--- /dev/null
+++ b/meta/recipes-extended/sudo/files/CVE-2023-22809.patch
@@ -0,0 +1,113 @@
+Backport of:
+# HG changeset patch
+# Parent  7275148cad1f8cd3c350026460acc4d6ad349c3a
+sudoedit: do not permit editor arguments to include "--"
+We use "--" to separate the editor and arguments from the files to edit.
+If the editor arguments include "--", sudo can be tricked into allowing
+the user to edit a file not permitted by the security policy.
+Thanks to Matthieu Barjole and Victor Cutillas of Synacktiv
+(https://synacktiv.com) for finding this bug.
+CVE: CVE-2023-22809
+Upstream-Staus: Backport [http://archive.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.8.31-1ubuntu1.4.debian.tar.xz]
+Signed-off-by: Omkar Patil <omkar.patil@kpit.com>
+--- a/plugins/sudoers/editor.c
+++ b/plugins/sudoers/editor.c
+@@ -56,7 +56,7 @@ resolve_editor(const char *ed, size_t ed
+     const char *cp, *ep, *tmp;
+     const char *edend = ed + edlen;
+     struct stat user_editor_sb;
+-    int nargc;
+    int nargc = 0;
+     debug_decl(resolve_editor, SUDOERS_DEBUG_UTIL)
+ 
+     /*
+@@ -102,6 +102,21 @@ resolve_editor(const char *ed, size_t ed
+            free(editor_path);
+            while (nargc--)
+                free(nargv[nargc]);
+           free(nargv);
+           debug_return_str(NULL);
+       }
+
+       /*
+        * We use "--" to separate the editor and arguments from the files
+        * to edit.  The editor arguments themselves may not contain "--".
+        */
+       if (strcmp(nargv[nargc], "--") == 0) {
+           sudo_warnx(U_("ignoring editor: %.*s"), (int)edlen, ed);
+           sudo_warnx("%s", U_("editor arguments may not contain \"--\""));
+           errno = EINVAL;
+           free(editor_path);
+           while (nargc--)
+               free(nargv[nargc]);
+            free(nargv);
+            debug_return_str(NULL);
+        }
+--- a/plugins/sudoers/sudoers.c
+++ b/plugins/sudoers/sudoers.c
+@@ -616,20 +616,31 @@ sudoers_policy_main(int argc, char * con
+ 
+     /* Note: must call audit before uid change. */
+     if (ISSET(sudo_mode, MODE_EDIT)) {
+       const char *env_editor = NULL;
+        int edit_argc;
+-       const char *env_editor;
+ 
+        free(safe_cmnd);
+        safe_cmnd = find_editor(NewArgc - 1, NewArgv + 1, &edit_argc,
+            &edit_argv, NULL, &env_editor, false);
+        if (safe_cmnd == NULL) {
+-           if (errno != ENOENT)
+           switch (errno) {
+           case ENOENT:
+               audit_failure(NewArgc, NewArgv, N_("%s: command not found"),
+                   env_editor ? env_editor : def_editor);
+               sudo_warnx(U_("%s: command not found"),
+                   env_editor ? env_editor : def_editor);
+               goto bad;
+           case EINVAL:
+               if (def_env_editor && env_editor != NULL) {
+                   /* User tried to do something funny with the editor. */
+                   log_warningx(SLOG_NO_STDERR|SLOG_SEND_MAIL,
+                       "invalid user-specified editor: %s", env_editor);
+                   goto bad;
+               }
+               /* FALLTHROUGH */
+           default:
+                goto done;
+-           audit_failure(NewArgc, NewArgv, N_("%s: command not found"),
+-               env_editor ? env_editor : def_editor);
+-           sudo_warnx(U_("%s: command not found"),
+-               env_editor ? env_editor : def_editor);
+-           goto bad;
+           }
+        }
+        if (audit_success(edit_argc, edit_argv) != 0 && !def_ignore_audit_errors)
+            goto done;
+--- a/plugins/sudoers/visudo.c
+++ b/plugins/sudoers/visudo.c
+@@ -308,7 +308,7 @@ static char *
+ get_editor(int *editor_argc, char ***editor_argv)
+ {
+     char *editor_path = NULL, **whitelist = NULL;
+-    const char *env_editor;
+    const char *env_editor = NULL;
+     static char *files[] = { "+1", "sudoers" };
+     unsigned int whitelist_len = 0;
+     debug_decl(get_editor, SUDOERS_DEBUG_UTIL)
+@@ -342,7 +342,11 @@ get_editor(int *editor_argc, char ***edi
+     if (editor_path == NULL) {
+        if (def_env_editor && env_editor != NULL) {
+            /* We are honoring $EDITOR so this is a fatal error. */
+-           sudo_fatalx(U_("specified editor (%s) doesn't exist"), env_editor);
+           if (errno == ENOENT) {
+               sudo_warnx(U_("specified editor (%s) doesn't exist"),
+                   env_editor);
+           }
+           exit(EXIT_FAILURE);
+        }
+        sudo_fatalx(U_("no editor found (editor path = %s)"), def_editor);
+     }
diff --git a/meta/recipes-extended/sudo/sudo_1.8.32.bb b/meta/recipes-extended/sudo/sudo_1.8.32.bb
index 10785beedf..5bc48ec6fa 100644
--- a/meta/recipes-extended/sudo/sudo_1.8.32.bb
+++ b/meta/recipes-extended/sudo/sudo_1.8.32.bb
@@ -5,6 +5,7 @@ SRC_URI = "https://www.sudo.ws/dist/sudo-${PV}.tar.gz \
           file://0001-Include-sys-types.h-for-id_t-definition.patch \
           file://0001-Fix-includes-when-building-with-musl.patch \
           file://CVE-2022-43995.patch \
+           file://CVE-2023-22809.patch \
           "
 PAM_SRC_URI = "file://sudo.pam"
author	Omkar Patil <omkar.patil@kpit.com>	2023-02-08 17:18:46 +0530
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2023-02-24 16:41:42 +0000
commit	50108e218050a2ff0eafd1d9f031f1a980c1b09c (patch)
tree	fd16e81b09acbb62c44b10b514b41f9a54679c08 /meta/recipes-extended
parent	3c3039aac44a2783a6a5f8906b72e75771b5c879 (diff)
download	poky-50108e218050a2ff0eafd1d9f031f1a980c1b09c.tar.gz

diff --git a/meta/recipes-extended/sudo/files/CVE-2023-22809.patch b/meta/recipes-extended/sudo/files/CVE-2023-22809.patch new file mode 100644 index 0000000000..6c47eb3e44 --- /dev/null +++ b/meta/recipes-extended/sudo/files/CVE-2023-22809.patch
@@ -0,0 +1,113 @@
		1	Backport of:
		2
		3	# HG changeset patch
		4	# Parent 7275148cad1f8cd3c350026460acc4d6ad349c3a
		5	sudoedit: do not permit editor arguments to include "--"
		6	We use "--" to separate the editor and arguments from the files to edit.
		7	If the editor arguments include "--", sudo can be tricked into allowing
		8	the user to edit a file not permitted by the security policy.
		9	Thanks to Matthieu Barjole and Victor Cutillas of Synacktiv
		10	(https://synacktiv.com) for finding this bug.
		11
		12	CVE: CVE-2023-22809
		13	Upstream-Staus: Backport [http://archive.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.8.31-1ubuntu1.4.debian.tar.xz]
		14	Signed-off-by: Omkar Patil <omkar.patil@kpit.com>
		15
		16	--- a/plugins/sudoers/editor.c
		17	+++ b/plugins/sudoers/editor.c
		18	@@ -56,7 +56,7 @@ resolve_editor(const char *ed, size_t ed
		19	const char cp, ep, *tmp;
		20	const char *edend = ed + edlen;
		21	struct stat user_editor_sb;
		22	- int nargc;
		23	+ int nargc = 0;
		24	debug_decl(resolve_editor, SUDOERS_DEBUG_UTIL)
		25
		26	/*
		27	@@ -102,6 +102,21 @@ resolve_editor(const char *ed, size_t ed
		28	free(editor_path);
		29	while (nargc--)
		30	free(nargv[nargc]);
		31	+ free(nargv);
		32	+ debug_return_str(NULL);
		33	+ }
		34	+
		35	+ /*
		36	+ * We use "--" to separate the editor and arguments from the files
		37	+ * to edit. The editor arguments themselves may not contain "--".
		38	+ */
		39	+ if (strcmp(nargv[nargc], "--") == 0) {
		40	+ sudo_warnx(U_("ignoring editor: %.*s"), (int)edlen, ed);
		41	+ sudo_warnx("%s", U_("editor arguments may not contain \"--\""));
		42	+ errno = EINVAL;
		43	+ free(editor_path);
		44	+ while (nargc--)
		45	+ free(nargv[nargc]);
		46	free(nargv);
		47	debug_return_str(NULL);
		48	}
		49	--- a/plugins/sudoers/sudoers.c
		50	+++ b/plugins/sudoers/sudoers.c
		51	@@ -616,20 +616,31 @@ sudoers_policy_main(int argc, char * con
		52
		53	/* Note: must call audit before uid change. */
		54	if (ISSET(sudo_mode, MODE_EDIT)) {
		55	+ const char *env_editor = NULL;
		56	int edit_argc;
		57	- const char *env_editor;
		58
		59	free(safe_cmnd);
		60	safe_cmnd = find_editor(NewArgc - 1, NewArgv + 1, &edit_argc,
		61	&edit_argv, NULL, &env_editor, false);
		62	if (safe_cmnd == NULL) {
		63	- if (errno != ENOENT)
		64	+ switch (errno) {
		65	+ case ENOENT:
		66	+ audit_failure(NewArgc, NewArgv, N_("%s: command not found"),
		67	+ env_editor ? env_editor : def_editor);
		68	+ sudo_warnx(U_("%s: command not found"),
		69	+ env_editor ? env_editor : def_editor);
		70	+ goto bad;
		71	+ case EINVAL:
		72	+ if (def_env_editor && env_editor != NULL) {
		73	+ /* User tried to do something funny with the editor. */
		74	+ log_warningx(SLOG_NO_STDERR\|SLOG_SEND_MAIL,
		75	+ "invalid user-specified editor: %s", env_editor);
		76	+ goto bad;
		77	+ }
		78	+ /* FALLTHROUGH */
		79	+ default:
		80	goto done;
		81	- audit_failure(NewArgc, NewArgv, N_("%s: command not found"),
		82	- env_editor ? env_editor : def_editor);
		83	- sudo_warnx(U_("%s: command not found"),
		84	- env_editor ? env_editor : def_editor);
		85	- goto bad;
		86	+ }
		87	}
		88	if (audit_success(edit_argc, edit_argv) != 0 && !def_ignore_audit_errors)
		89	goto done;
		90	--- a/plugins/sudoers/visudo.c
		91	+++ b/plugins/sudoers/visudo.c
		92	@@ -308,7 +308,7 @@ static char *
		93	get_editor(int editor_argc, char **editor_argv)
		94	{
		95	char editor_path = NULL, *whitelist = NULL;
		96	- const char *env_editor;
		97	+ const char *env_editor = NULL;
		98	static char *files[] = { "+1", "sudoers" };
		99	unsigned int whitelist_len = 0;
		100	debug_decl(get_editor, SUDOERS_DEBUG_UTIL)
		101	@@ -342,7 +342,11 @@ get_editor(int editor_argc, char **edi
		102	if (editor_path == NULL) {
		103	if (def_env_editor && env_editor != NULL) {
		104	/* We are honoring $EDITOR so this is a fatal error. */
		105	- sudo_fatalx(U_("specified editor (%s) doesn't exist"), env_editor);
		106	+ if (errno == ENOENT) {
		107	+ sudo_warnx(U_("specified editor (%s) doesn't exist"),
		108	+ env_editor);
		109	+ }
		110	+ exit(EXIT_FAILURE);
		111	}
		112	sudo_fatalx(U_("no editor found (editor path = %s)"), def_editor);
		113	}


diff --git a/meta/recipes-extended/sudo/sudo_1.8.32.bb b/meta/recipes-extended/sudo/sudo_1.8.32.bb index 10785beedf..5bc48ec6fa 100644 --- a/meta/recipes-extended/sudo/sudo_1.8.32.bb +++ b/meta/recipes-extended/sudo/sudo_1.8.32.bb
@@ -5,6 +5,7 @@ SRC_URI = "https://www.sudo.ws/dist/sudo-${PV}.tar.gz \
5	file://0001-Include-sys-types.h-for-id_t-definition.patch \	5	file://0001-Include-sys-types.h-for-id_t-definition.patch \
6	file://0001-Fix-includes-when-building-with-musl.patch \	6	file://0001-Fix-includes-when-building-with-musl.patch \
7	file://CVE-2022-43995.patch \	7	file://CVE-2022-43995.patch \
		8	file://CVE-2023-22809.patch \
8	"	9	"
9		10
10	PAM_SRC_URI = "file://sudo.pam"	11	PAM_SRC_URI = "file://sudo.pam"