sudo: fix CVE-2019-14287

In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID. For example, this allows bypass of !root configuration, and USER= logging, for a "sudo -u \#$((0xffffffff))" command. (From OE-Core rev: b7b6d39565f8fad61f2347a3fe31c9ee77a4da15) Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 4e11cd561f2bdaa6807cf02ee7c9870881826308) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Changqing Li <changqing.li@windriver.com> 2019-10-22 10:47:11 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-10-29 09:08:18 +0000
commit: 645d114f7213a6dfac5bcf30d98c9e80a47199c0 (patch)
tree: a9a375fff385b83a4f3fffa102cf37dae748e069 /meta/recipes-extended
parent: db4b5fd6865defe648a8f190f6e03049d35e1b5a (diff)
download: poky-645d114f7213a6dfac5bcf30d98c9e80a47199c0.tar.gz
3 files changed, 292 insertions, 0 deletions
diff --git a/meta/recipes-extended/sudo/sudo/CVE-2019-14287-1.patch b/meta/recipes-extended/sudo/sudo/CVE-2019-14287-1.patch
new file mode 100644
index 0000000000..2a11e3f7ec
--- /dev/null
+++ b/meta/recipes-extended/sudo/sudo/CVE-2019-14287-1.patch
@@ -0,0 +1,178 @@
+From f752ae5cee163253730ff7cdf293e34a91aa5520 Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller" <Todd.Miller@sudo.ws>
+Date: Thu, 10 Oct 2019 10:04:13 -0600
+Subject: [PATCH] Treat an ID of -1 as invalid since that means "no change".
+ Fixes CVE-2019-14287. Found by Joe Vennix from Apple Information Security.
+Upstream-Status: Backport [https://github.com/sudo-project/sudo/commit/f752ae5cee163253730ff7cdf293e34a91aa5520]
+CVE: CVE-2019-14287
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ lib/util/strtoid.c | 100 ++++++++++++++++++++++++++++-------------------------
+ 1 files changed, 53 insertions(+), 46 deletions(-)
+diff --git a/lib/util/strtoid.c b/lib/util/strtoid.c
+index 2dfce75..6b3916b 100644
+--- a/lib/util/strtoid.c
+++ b/lib/util/strtoid.c
+@@ -49,6 +49,27 @@
+ #include "sudo_util.h"
+ 
+ /*
+ * Make sure that the ID ends with a valid separator char.
+ */
+static bool
+valid_separator(const char *p, const char *ep, const char *sep)
+{
+    bool valid = false;
+    debug_decl(valid_separator, SUDO_DEBUG_UTIL)
+
+    if (ep != p) {
+       /* check for valid separator (including '\0') */
+       if (sep == NULL)
+           sep = "";
+       do {
+           if (*ep == *sep)
+               valid = true;
+       } while (*sep++ != '\0');
+    }
+    debug_return_bool(valid);
+}
+
+/*
+  * Parse a uid/gid in string form.
+  * If sep is non-NULL, it contains valid separator characters (e.g. comma, space)
+  * If endp is non-NULL it is set to the next char after the ID.
+@@ -62,36 +83,33 @@ sudo_strtoid_v1(const char *p, const char *sep, char **endp, const char **errstr
+     char *ep;
+     id_t ret = 0;
+     long long llval;
+-    bool valid = false;
+     debug_decl(sudo_strtoid, SUDO_DEBUG_UTIL)
+ 
+     /* skip leading space so we can pick up the sign, if any */
+     while (isspace((unsigned char)*p))
+        p++;
+-    if (sep == NULL)
+-       sep = "";
+
+    /* While id_t may be 64-bit signed, uid_t and gid_t are 32-bit unsigned. */
+     errno = 0;
+     llval = strtoll(p, &ep, 10);
+-    if (ep != p) {
+-       /* check for valid separator (including '\0') */
+-       do {
+-           if (*ep == *sep)
+-               valid = true;
+-       } while (*sep++ != '\0');
+    if ((errno == ERANGE && llval == LLONG_MAX) || llval > (id_t)UINT_MAX) {
+       errno = ERANGE;
+       if (errstr != NULL)
+           *errstr = N_("value too large");
+       goto done;
+     }
+-    if (!valid) {
+    if ((errno == ERANGE && llval == LLONG_MIN) || llval < INT_MIN) {
+       errno = ERANGE;
+        if (errstr != NULL)
+-           *errstr = N_("invalid value");
+-       errno = EINVAL;
+           *errstr = N_("value too small");
+        goto done;
+     }
+-    if (errno == ERANGE) {
+-       if (errstr != NULL) {
+-           if (llval == LLONG_MAX)
+-               *errstr = N_("value too large");
+-           else
+-               *errstr = N_("value too small");
+-       }
+
+    /* Disallow id -1, which means "no change". */
+    if (!valid_separator(p, ep, sep) || llval == -1 || llval == (id_t)UINT_MAX) {
+       if (errstr != NULL)
+           *errstr = N_("invalid value");
+       errno = EINVAL;
+        goto done;
+     }
+     ret = (id_t)llval;
+@@ -108,30 +126,15 @@ sudo_strtoid_v1(const char *p, const char *sep, char **endp, const char **errstr
+ {
+     char *ep;
+     id_t ret = 0;
+-    bool valid = false;
+     debug_decl(sudo_strtoid, SUDO_DEBUG_UTIL)
+ 
+     /* skip leading space so we can pick up the sign, if any */
+     while (isspace((unsigned char)*p))
+        p++;
+-    if (sep == NULL)
+-       sep = "";
+
+     errno = 0;
+     if (*p == '-') {
+        long lval = strtol(p, &ep, 10);
+-       if (ep != p) {
+-           /* check for valid separator (including '\0') */
+-           do {
+-               if (*ep == *sep)
+-                   valid = true;
+-           } while (*sep++ != '\0');
+-       }
+-       if (!valid) {
+-           if (errstr != NULL)
+-               *errstr = N_("invalid value");
+-           errno = EINVAL;
+-           goto done;
+-       }
+        if ((errno == ERANGE && lval == LONG_MAX) || lval > INT_MAX) {
+            errno = ERANGE;
+            if (errstr != NULL)
+@@ -144,28 +147,31 @@ sudo_strtoid_v1(const char *p, const char *sep, char **endp, const char **errstr
+                *errstr = N_("value too small");
+            goto done;
+        }
+-       ret = (id_t)lval;
+-    } else {
+-       unsigned long ulval = strtoul(p, &ep, 10);
+-       if (ep != p) {
+-           /* check for valid separator (including '\0') */
+-           do {
+-               if (*ep == *sep)
+-                   valid = true;
+-           } while (*sep++ != '\0');
+-       }
+-       if (!valid) {
+
+       /* Disallow id -1, which means "no change". */
+       if (!valid_separator(p, ep, sep) || lval == -1) {
+            if (errstr != NULL)
+                *errstr = N_("invalid value");
+            errno = EINVAL;
+            goto done;
+        }
+       ret = (id_t)lval;
+    } else {
+       unsigned long ulval = strtoul(p, &ep, 10);
+        if ((errno == ERANGE && ulval == ULONG_MAX) || ulval > UINT_MAX) {
+            errno = ERANGE;
+            if (errstr != NULL)
+                *errstr = N_("value too large");
+            goto done;
+        }
+
+       /* Disallow id -1, which means "no change". */
+       if (!valid_separator(p, ep, sep) || ulval == UINT_MAX) {
+           if (errstr != NULL)
+               *errstr = N_("invalid value");
+           errno = EINVAL;
+           goto done;
+       }
+        ret = (id_t)ulval;
+     }
+     if (errstr != NULL)
+-- 
+2.7.4
diff --git a/meta/recipes-extended/sudo/sudo/CVE-2019-14287-2.patch b/meta/recipes-extended/sudo/sudo/CVE-2019-14287-2.patch
new file mode 100644
index 0000000000..453a8b09a4
--- /dev/null
+++ b/meta/recipes-extended/sudo/sudo/CVE-2019-14287-2.patch
@@ -0,0 +1,112 @@
+From 396bc57feff3e360007634f62448b64e0626390c Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller" <Todd.Miller@sudo.ws>
+Date: Thu, 10 Oct 2019 10:04:13 -0600
+Subject: [PATCH] Add sudo_strtoid() tests for -1 and range errors. Also adjust
+ testsudoers/test5 which relied upon gid -1 parsing.
+Upstream-Status: Backport [https://github.com/sudo-project/sudo/commit/396bc57]
+CVE: CVE-2019-14287
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ lib/util/regress/atofoo/atofoo_test.c            | 36 ++++++++++++++++------
+ plugins/sudoers/regress/testsudoers/test5.out.ok |  2 +-
+ plugins/sudoers/regress/testsudoers/test5.sh     |  2 +-
+ 3 files changed, 29 insertions(+), 11 deletions(-)
+diff --git a/lib/util/regress/atofoo/atofoo_test.c b/lib/util/regress/atofoo/atofoo_test.c
+index 031a7ed..fb41c1a 100644
+--- a/lib/util/regress/atofoo/atofoo_test.c
+++ b/lib/util/regress/atofoo/atofoo_test.c
+@@ -26,6 +26,7 @@
+ #else
+ # include "compat/stdbool.h"
+ #endif
+#include <errno.h>
+ 
+ #include "sudo_compat.h"
+ #include "sudo_util.h"
+@@ -80,15 +81,20 @@ static struct strtoid_data {
+     id_t id;
+     const char *sep;
+     const char *ep;
+    int errnum;
+ } strtoid_data[] = {
+-    { "0,1", 0, ",", "," },
+-    { "10", 10, NULL, NULL },
+-    { "-2", -2, NULL, NULL },
+    { "0,1", 0, ",", ",", 0 },
+    { "10", 10, NULL, NULL, 0 },
+    { "-1", 0, NULL, NULL, EINVAL },
+    { "4294967295", 0, NULL, NULL, EINVAL },
+    { "4294967296", 0, NULL, NULL, ERANGE },
+    { "-2147483649", 0, NULL, NULL, ERANGE },
+    { "-2", -2, NULL, NULL, 0 },
+ #if SIZEOF_ID_T != SIZEOF_LONG_LONG
+-    { "-2", (id_t)4294967294U, NULL, NULL },
+    { "-2", (id_t)4294967294U, NULL, NULL, 0 },
+ #endif
+-    { "4294967294", (id_t)4294967294U, NULL, NULL },
+-    { NULL, 0, NULL, NULL }
+    { "4294967294", (id_t)4294967294U, NULL, NULL, 0 },
+    { NULL, 0, NULL, NULL, 0 }
+ };
+ 
+ static int
+@@ -104,11 +110,23 @@ test_strtoid(int *ntests)
+        (*ntests)++;
+        errstr = "some error";
+        value = sudo_strtoid(d->idstr, d->sep, &ep, &errstr);
+-       if (errstr != NULL) {
+-           if (d->id != (id_t)-1) {
+-               sudo_warnx_nodebug("FAIL: %s: %s", d->idstr, errstr);
+       if (d->errnum != 0) {
+           if (errstr == NULL) {
+               sudo_warnx_nodebug("FAIL: %s: missing errstr for errno %d",
+                   d->idstr, d->errnum);
+               errors++;
+           } else if (value != 0) {
+               sudo_warnx_nodebug("FAIL: %s should return 0 on error",
+                   d->idstr);
+               errors++;
+           } else if (errno != d->errnum) {
+               sudo_warnx_nodebug("FAIL: %s: errno mismatch, %d != %d",
+                   d->idstr, errno, d->errnum);
+                errors++;
+            }
+       } else if (errstr != NULL) {
+           sudo_warnx_nodebug("FAIL: %s: %s", d->idstr, errstr);
+           errors++;
+        } else if (value != d->id) {
+            sudo_warnx_nodebug("FAIL: %s != %u", d->idstr, (unsigned int)d->id);
+            errors++;
+diff --git a/plugins/sudoers/regress/testsudoers/test5.out.ok b/plugins/sudoers/regress/testsudoers/test5.out.ok
+index 5e319c9..cecf700 100644
+--- a/plugins/sudoers/regress/testsudoers/test5.out.ok
+++ b/plugins/sudoers/regress/testsudoers/test5.out.ok
+@@ -4,7 +4,7 @@ Parse error in sudoers near line 1.
+ Entries for user root:
+ 
+ Command unmatched
+-testsudoers: test5.inc should be owned by gid 4294967295
+testsudoers: test5.inc should be owned by gid 4294967294
+ Parse error in sudoers near line 1.
+ 
+ Entries for user root:
+diff --git a/plugins/sudoers/regress/testsudoers/test5.sh b/plugins/sudoers/regress/testsudoers/test5.sh
+index 9e690a6..94d585c 100755
+--- a/plugins/sudoers/regress/testsudoers/test5.sh
+++ b/plugins/sudoers/regress/testsudoers/test5.sh
+@@ -24,7 +24,7 @@ EOF
+ 
+ # Test group writable
+ chmod 664 $TESTFILE
+-./testsudoers -U $MYUID -G -1 root id <<EOF
+./testsudoers -U $MYUID -G -2 root id <<EOF
+ #include $TESTFILE
+ EOF
+ 
+-- 
+2.7.4
diff --git a/meta/recipes-extended/sudo/sudo_1.8.27.bb b/meta/recipes-extended/sudo/sudo_1.8.27.bb
index 9d2d6bd429..8b3be55c20 100644
--- a/meta/recipes-extended/sudo/sudo_1.8.27.bb
+++ b/meta/recipes-extended/sudo/sudo_1.8.27.bb
@@ -3,6 +3,8 @@ require sudo.inc
 SRC_URI = "http://www.sudo.ws/sudo/dist/sudo-${PV}.tar.gz \
           ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
           file://0001-Include-sys-types.h-for-id_t-definition.patch \
+           file://CVE-2019-14287-1.patch \
+           file://CVE-2019-14287-2.patch \
           "
 PAM_SRC_URI = "file://sudo.pam"
author	Changqing Li <changqing.li@windriver.com>	2019-10-22 10:47:11 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-10-29 09:08:18 +0000
commit	645d114f7213a6dfac5bcf30d98c9e80a47199c0 (patch)
tree	a9a375fff385b83a4f3fffa102cf37dae748e069 /meta/recipes-extended
parent	db4b5fd6865defe648a8f190f6e03049d35e1b5a (diff)
download	poky-645d114f7213a6dfac5bcf30d98c9e80a47199c0.tar.gz

diff --git a/meta/recipes-extended/sudo/sudo/CVE-2019-14287-1.patch b/meta/recipes-extended/sudo/sudo/CVE-2019-14287-1.patch new file mode 100644 index 0000000000..2a11e3f7ec --- /dev/null +++ b/meta/recipes-extended/sudo/sudo/CVE-2019-14287-1.patch
@@ -0,0 +1,178 @@
		1	From f752ae5cee163253730ff7cdf293e34a91aa5520 Mon Sep 17 00:00:00 2001
		2	From: "Todd C. Miller" <Todd.Miller@sudo.ws>
		3	Date: Thu, 10 Oct 2019 10:04:13 -0600
		4	Subject: [PATCH] Treat an ID of -1 as invalid since that means "no change".
		5	Fixes CVE-2019-14287. Found by Joe Vennix from Apple Information Security.
		6
		7	Upstream-Status: Backport [https://github.com/sudo-project/sudo/commit/f752ae5cee163253730ff7cdf293e34a91aa5520]
		8	CVE: CVE-2019-14287
		9
		10	Signed-off-by: Changqing Li <changqing.li@windriver.com>
		11
		12	---
		13	lib/util/strtoid.c \| 100 ++++++++++++++++++++++++++++-------------------------
		14	1 files changed, 53 insertions(+), 46 deletions(-)
		15
		16	diff --git a/lib/util/strtoid.c b/lib/util/strtoid.c
		17	index 2dfce75..6b3916b 100644
		18	--- a/lib/util/strtoid.c
		19	+++ b/lib/util/strtoid.c
		20	@@ -49,6 +49,27 @@
		21	#include "sudo_util.h"
		22
		23	/*
		24	+ * Make sure that the ID ends with a valid separator char.
		25	+ */
		26	+static bool
		27	+valid_separator(const char p, const char ep, const char *sep)
		28	+{
		29	+ bool valid = false;
		30	+ debug_decl(valid_separator, SUDO_DEBUG_UTIL)
		31	+
		32	+ if (ep != p) {
		33	+ /* check for valid separator (including '\0') */
		34	+ if (sep == NULL)
		35	+ sep = "";
		36	+ do {
		37	+ if (ep == sep)
		38	+ valid = true;
		39	+ } while (*sep++ != '\0');
		40	+ }
		41	+ debug_return_bool(valid);
		42	+}
		43	+
		44	+/*
		45	* Parse a uid/gid in string form.
		46	* If sep is non-NULL, it contains valid separator characters (e.g. comma, space)
		47	* If endp is non-NULL it is set to the next char after the ID.
		48	@@ -62,36 +83,33 @@ sudo_strtoid_v1(const char p, const char sep, char endp, const char errstr
		49	char *ep;
		50	id_t ret = 0;
		51	long long llval;
		52	- bool valid = false;
		53	debug_decl(sudo_strtoid, SUDO_DEBUG_UTIL)
		54
		55	/* skip leading space so we can pick up the sign, if any */
		56	while (isspace((unsigned char)*p))
		57	p++;
		58	- if (sep == NULL)
		59	- sep = "";
		60	+
		61	+ /* While id_t may be 64-bit signed, uid_t and gid_t are 32-bit unsigned. */
		62	errno = 0;
		63	llval = strtoll(p, &ep, 10);
		64	- if (ep != p) {
		65	- /* check for valid separator (including '\0') */
		66	- do {
		67	- if (ep == sep)
		68	- valid = true;
		69	- } while (*sep++ != '\0');
		70	+ if ((errno == ERANGE && llval == LLONG_MAX) \|\| llval > (id_t)UINT_MAX) {
		71	+ errno = ERANGE;
		72	+ if (errstr != NULL)
		73	+ *errstr = N_("value too large");
		74	+ goto done;
		75	}
		76	- if (!valid) {
		77	+ if ((errno == ERANGE && llval == LLONG_MIN) \|\| llval < INT_MIN) {
		78	+ errno = ERANGE;
		79	if (errstr != NULL)
		80	- *errstr = N_("invalid value");
		81	- errno = EINVAL;
		82	+ *errstr = N_("value too small");
		83	goto done;
		84	}
		85	- if (errno == ERANGE) {
		86	- if (errstr != NULL) {
		87	- if (llval == LLONG_MAX)
		88	- *errstr = N_("value too large");
		89	- else
		90	- *errstr = N_("value too small");
		91	- }
		92	+
		93	+ /* Disallow id -1, which means "no change". */
		94	+ if (!valid_separator(p, ep, sep) \|\| llval == -1 \|\| llval == (id_t)UINT_MAX) {
		95	+ if (errstr != NULL)
		96	+ *errstr = N_("invalid value");
		97	+ errno = EINVAL;
		98	goto done;
		99	}
		100	ret = (id_t)llval;
		101	@@ -108,30 +126,15 @@ sudo_strtoid_v1(const char p, const char sep, char endp, const char errstr
		102	{
		103	char *ep;
		104	id_t ret = 0;
		105	- bool valid = false;
		106	debug_decl(sudo_strtoid, SUDO_DEBUG_UTIL)
		107
		108	/* skip leading space so we can pick up the sign, if any */
		109	while (isspace((unsigned char)*p))
		110	p++;
		111	- if (sep == NULL)
		112	- sep = "";
		113	+
		114	errno = 0;
		115	if (*p == '-') {
		116	long lval = strtol(p, &ep, 10);
		117	- if (ep != p) {
		118	- /* check for valid separator (including '\0') */
		119	- do {
		120	- if (ep == sep)
		121	- valid = true;
		122	- } while (*sep++ != '\0');
		123	- }
		124	- if (!valid) {
		125	- if (errstr != NULL)
		126	- *errstr = N_("invalid value");
		127	- errno = EINVAL;
		128	- goto done;
		129	- }
		130	if ((errno == ERANGE && lval == LONG_MAX) \|\| lval > INT_MAX) {
		131	errno = ERANGE;
		132	if (errstr != NULL)
		133	@@ -144,28 +147,31 @@ sudo_strtoid_v1(const char p, const char sep, char endp, const char errstr
		134	*errstr = N_("value too small");
		135	goto done;
		136	}
		137	- ret = (id_t)lval;
		138	- } else {
		139	- unsigned long ulval = strtoul(p, &ep, 10);
		140	- if (ep != p) {
		141	- /* check for valid separator (including '\0') */
		142	- do {
		143	- if (ep == sep)
		144	- valid = true;
		145	- } while (*sep++ != '\0');
		146	- }
		147	- if (!valid) {
		148	+
		149	+ /* Disallow id -1, which means "no change". */
		150	+ if (!valid_separator(p, ep, sep) \|\| lval == -1) {
		151	if (errstr != NULL)
		152	*errstr = N_("invalid value");
		153	errno = EINVAL;
		154	goto done;
		155	}
		156	+ ret = (id_t)lval;
		157	+ } else {
		158	+ unsigned long ulval = strtoul(p, &ep, 10);
		159	if ((errno == ERANGE && ulval == ULONG_MAX) \|\| ulval > UINT_MAX) {
		160	errno = ERANGE;
		161	if (errstr != NULL)
		162	*errstr = N_("value too large");
		163	goto done;
		164	}
		165	+
		166	+ /* Disallow id -1, which means "no change". */
		167	+ if (!valid_separator(p, ep, sep) \|\| ulval == UINT_MAX) {
		168	+ if (errstr != NULL)
		169	+ *errstr = N_("invalid value");
		170	+ errno = EINVAL;
		171	+ goto done;
		172	+ }
		173	ret = (id_t)ulval;
		174	}
		175	if (errstr != NULL)
		176	--
		177	2.7.4
		178


diff --git a/meta/recipes-extended/sudo/sudo/CVE-2019-14287-2.patch b/meta/recipes-extended/sudo/sudo/CVE-2019-14287-2.patch new file mode 100644 index 0000000000..453a8b09a4 --- /dev/null +++ b/meta/recipes-extended/sudo/sudo/CVE-2019-14287-2.patch
@@ -0,0 +1,112 @@
		1	From 396bc57feff3e360007634f62448b64e0626390c Mon Sep 17 00:00:00 2001
		2	From: "Todd C. Miller" <Todd.Miller@sudo.ws>
		3	Date: Thu, 10 Oct 2019 10:04:13 -0600
		4	Subject: [PATCH] Add sudo_strtoid() tests for -1 and range errors. Also adjust
		5	testsudoers/test5 which relied upon gid -1 parsing.
		6
		7	Upstream-Status: Backport [https://github.com/sudo-project/sudo/commit/396bc57]
		8	CVE: CVE-2019-14287
		9
		10	Signed-off-by: Changqing Li <changqing.li@windriver.com>
		11
		12	---
		13	lib/util/regress/atofoo/atofoo_test.c \| 36 ++++++++++++++++------
		14	plugins/sudoers/regress/testsudoers/test5.out.ok \| 2 +-
		15	plugins/sudoers/regress/testsudoers/test5.sh \| 2 +-
		16	3 files changed, 29 insertions(+), 11 deletions(-)
		17
		18	diff --git a/lib/util/regress/atofoo/atofoo_test.c b/lib/util/regress/atofoo/atofoo_test.c
		19	index 031a7ed..fb41c1a 100644
		20	--- a/lib/util/regress/atofoo/atofoo_test.c
		21	+++ b/lib/util/regress/atofoo/atofoo_test.c
		22	@@ -26,6 +26,7 @@
		23	#else
		24	# include "compat/stdbool.h"
		25	#endif
		26	+#include <errno.h>
		27
		28	#include "sudo_compat.h"
		29	#include "sudo_util.h"
		30	@@ -80,15 +81,20 @@ static struct strtoid_data {
		31	id_t id;
		32	const char *sep;
		33	const char *ep;
		34	+ int errnum;
		35	} strtoid_data[] = {
		36	- { "0,1", 0, ",", "," },
		37	- { "10", 10, NULL, NULL },
		38	- { "-2", -2, NULL, NULL },
		39	+ { "0,1", 0, ",", ",", 0 },
		40	+ { "10", 10, NULL, NULL, 0 },
		41	+ { "-1", 0, NULL, NULL, EINVAL },
		42	+ { "4294967295", 0, NULL, NULL, EINVAL },
		43	+ { "4294967296", 0, NULL, NULL, ERANGE },
		44	+ { "-2147483649", 0, NULL, NULL, ERANGE },
		45	+ { "-2", -2, NULL, NULL, 0 },
		46	#if SIZEOF_ID_T != SIZEOF_LONG_LONG
		47	- { "-2", (id_t)4294967294U, NULL, NULL },
		48	+ { "-2", (id_t)4294967294U, NULL, NULL, 0 },
		49	#endif
		50	- { "4294967294", (id_t)4294967294U, NULL, NULL },
		51	- { NULL, 0, NULL, NULL }
		52	+ { "4294967294", (id_t)4294967294U, NULL, NULL, 0 },
		53	+ { NULL, 0, NULL, NULL, 0 }
		54	};
		55
		56	static int
		57	@@ -104,11 +110,23 @@ test_strtoid(int *ntests)
		58	(*ntests)++;
		59	errstr = "some error";
		60	value = sudo_strtoid(d->idstr, d->sep, &ep, &errstr);
		61	- if (errstr != NULL) {
		62	- if (d->id != (id_t)-1) {
		63	- sudo_warnx_nodebug("FAIL: %s: %s", d->idstr, errstr);
		64	+ if (d->errnum != 0) {
		65	+ if (errstr == NULL) {
		66	+ sudo_warnx_nodebug("FAIL: %s: missing errstr for errno %d",
		67	+ d->idstr, d->errnum);
		68	+ errors++;
		69	+ } else if (value != 0) {
		70	+ sudo_warnx_nodebug("FAIL: %s should return 0 on error",
		71	+ d->idstr);
		72	+ errors++;
		73	+ } else if (errno != d->errnum) {
		74	+ sudo_warnx_nodebug("FAIL: %s: errno mismatch, %d != %d",
		75	+ d->idstr, errno, d->errnum);
		76	errors++;
		77	}
		78	+ } else if (errstr != NULL) {
		79	+ sudo_warnx_nodebug("FAIL: %s: %s", d->idstr, errstr);
		80	+ errors++;
		81	} else if (value != d->id) {
		82	sudo_warnx_nodebug("FAIL: %s != %u", d->idstr, (unsigned int)d->id);
		83	errors++;
		84	diff --git a/plugins/sudoers/regress/testsudoers/test5.out.ok b/plugins/sudoers/regress/testsudoers/test5.out.ok
		85	index 5e319c9..cecf700 100644
		86	--- a/plugins/sudoers/regress/testsudoers/test5.out.ok
		87	+++ b/plugins/sudoers/regress/testsudoers/test5.out.ok
		88	@@ -4,7 +4,7 @@ Parse error in sudoers near line 1.
		89	Entries for user root:
		90
		91	Command unmatched
		92	-testsudoers: test5.inc should be owned by gid 4294967295
		93	+testsudoers: test5.inc should be owned by gid 4294967294
		94	Parse error in sudoers near line 1.
		95
		96	Entries for user root:
		97	diff --git a/plugins/sudoers/regress/testsudoers/test5.sh b/plugins/sudoers/regress/testsudoers/test5.sh
		98	index 9e690a6..94d585c 100755
		99	--- a/plugins/sudoers/regress/testsudoers/test5.sh
		100	+++ b/plugins/sudoers/regress/testsudoers/test5.sh
		101	@@ -24,7 +24,7 @@ EOF
		102
		103	# Test group writable
		104	chmod 664 $TESTFILE
		105	-./testsudoers -U $MYUID -G -1 root id <<EOF
		106	+./testsudoers -U $MYUID -G -2 root id <<EOF
		107	#include $TESTFILE
		108	EOF
		109
		110	--
		111	2.7.4
		112


diff --git a/meta/recipes-extended/sudo/sudo_1.8.27.bb b/meta/recipes-extended/sudo/sudo_1.8.27.bb index 9d2d6bd429..8b3be55c20 100644 --- a/meta/recipes-extended/sudo/sudo_1.8.27.bb +++ b/meta/recipes-extended/sudo/sudo_1.8.27.bb
@@ -3,6 +3,8 @@ require sudo.inc
3	SRC_URI = "http://www.sudo.ws/sudo/dist/sudo-${PV}.tar.gz \	3	SRC_URI = "http://www.sudo.ws/sudo/dist/sudo-${PV}.tar.gz \
4	${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \	4	${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
5	file://0001-Include-sys-types.h-for-id_t-definition.patch \	5	file://0001-Include-sys-types.h-for-id_t-definition.patch \
		6	file://CVE-2019-14287-1.patch \
		7	file://CVE-2019-14287-2.patch \
6	"	8	"
7		9
8	PAM_SRC_URI = "file://sudo.pam"	10	PAM_SRC_URI = "file://sudo.pam"