authorSona Sarmadi <sona.sarmadi@enea.com>2016-08-09 13:04:41 +0200
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-09-23 15:27:04 +0100
commit016df260e531c4e8209b3b3a79697c2055f8e0ce (patch)
tree18d558ab592df37ab83cbb31fb6c62862619a5d9 /meta/recipes-extended
parent5d781f41ff29654520d177c7aab7a244751044a2 (diff)
sudo: CVE-2015-8239
Fixes race condition when checking digests in sudoers. Reference: http://seclists.org/oss-sec/2015/q4/327 Reference to upstream fixes: https://www.sudo.ws/repos/sudo/raw-rev/397722cdd7ec https://www.sudo.ws/repos/sudo/raw-rev/0cd3cc8fa195 (From OE-Core rev: 3564999bd987b08188e2e0eead59a49bebbc5e32) Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-extended')
-rw-r--r--meta/recipes-extended/sudo/sudo/CVE-2015-8239-1.patch699
-rw-r--r--meta/recipes-extended/sudo/sudo/CVE-2015-8239-2.patch45
-rw-r--r--meta/recipes-extended/sudo/sudo_1.8.15.bb2
3 files changed, 746 insertions, 0 deletions
diff --git a/meta/recipes-extended/sudo/sudo/CVE-2015-8239-1.patch b/meta/recipes-extended/sudo/sudo/CVE-2015-8239-1.patch
new file mode 100644
index 0000000000..582c0bf638
--- /dev/null
+++ b/meta/recipes-extended/sudo/sudo/CVE-2015-8239-1.patch
@@ -0,0 +1,699 @@
1# HG changeset patch
2# User Todd C. Miller <Todd.Miller@courtesan.com>
3# Date 1451928918 25200
4# Node ID 397722cdd7eceef0aec561909418215e275ccd44
5# Parent 33272418bb10ee780184dbd2d966a4e5c3bc597e
6Add support for using fexecve() if supported on commands that are
7checksummed.
8
9Reference to upstream patch:
10https://www.sudo.ws/repos/sudo/rev/397722cdd7ec
11
12CVE: CVE-2015-8239
13Upstream-Status: Backport
14Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
15---
16diff -ruN a/configure b/configure
17--- a/configure 2015-11-01 00:35:24.000000000 +0100
18+++ b/configure 2016-08-08 12:56:03.441681854 +0200
19@@ -2650,6 +2650,7 @@
20 as_fn_append ac_header_list " sys/select.h"
21 as_fn_append ac_header_list " sys/stropts.h"
22 as_fn_append ac_header_list " sys/sysmacros.h"
23+as_fn_append ac_func_list " fexecve"
24 as_fn_append ac_func_list " killpg"
25 as_fn_append ac_func_list " nl_langinfo"
26 as_fn_append ac_func_list " strftime"
27@@ -18078,6 +18079,8 @@
28
29
30
31+
32+
33 for ac_func in getgrouplist
34 do :
35 ac_fn_c_check_func "$LINENO" "getgrouplist" "ac_cv_func_getgrouplist"
36@@ -19903,8 +19906,8 @@
37 fi
38 done
39
40- # Check for fexecve, posix_spawn, and posix_spawnp
41- for ac_func in fexecve posix_spawn posix_spawnp
42+ # Check for posix_spawn, and posix_spawnp
43+ for ac_func in posix_spawn posix_spawnp
44 do :
45 as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
46 ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
47diff -ruN a/configure.ac b/configure.ac
48--- a/configure.ac 2016-08-08 12:55:08.781888802 +0200
49+++ b/configure.ac 2016-08-08 12:56:03.445681547 +0200
50@@ -1,7 +1,7 @@
51 dnl
52 dnl Use the top-level autogen.sh script to generate configure and config.h.in
53 dnl
54-dnl Copyright (c) 1994-1996,1998-2015 Todd C. Miller <Todd.Miller@courtesan.com>
55+dnl Copyright (c) 1994-1996,1998-2016 Todd C. Miller <Todd.Miller@courtesan.com>
56 dnl
57 AC_PREREQ([2.59])
58 AC_INIT([sudo], [1.8.15], [http://www.sudo.ws/bugs/], [sudo])
59@@ -2384,7 +2384,7 @@
60 dnl Function checks
61 dnl
62 AC_FUNC_GETGROUPS
63-AC_CHECK_FUNCS_ONCE([killpg nl_langinfo strftime pread pwrite openat])
64+AC_CHECK_FUNCS_ONCE([fexecve killpg nl_langinfo strftime pread pwrite openat])
65 AC_CHECK_FUNCS([getgrouplist], [], [
66 case "$host_os" in
67 aix*)
68@@ -2676,8 +2676,8 @@
69 if test X"$with_noexec" != X"no"; then
70 # Check for non-standard exec functions
71 AC_CHECK_FUNCS([exect execvP execvpe])
72- # Check for fexecve, posix_spawn, and posix_spawnp
73- AC_CHECK_FUNCS([fexecve posix_spawn posix_spawnp])
74+ # Check for posix_spawn, and posix_spawnp
75+ AC_CHECK_FUNCS([posix_spawn posix_spawnp])
76 fi
77
78 dnl
79diff -ruN a/doc/sudoers.cat b/doc/sudoers.cat
80--- a/doc/sudoers.cat 2016-08-08 12:55:08.781888802 +0200
81+++ b/doc/sudoers.cat 2016-08-08 12:56:03.445681547 +0200
82@@ -410,6 +410,13 @@
83 $ openssl dgst -binary -sha224 /bin/ls | openssl base64
84 EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ==
85
86+ Warning, if the user has write access to the command itself (directly or
87+ via a sudo command), it may be possible for the user to replace the
88+ command after the digest check has been performed but before the command
89+ is executed. A similar race condition exists on systems that lack the
90+ fexecve(2) system call when the directory in which the command is located
91+ is writable by the user.
92+
93 Command digests are only supported by version 1.8.7 or higher.
94
95 DDeeffaauullttss
96diff -ruN a/doc/sudoers.man.in b/doc/sudoers.man.in
97--- a/doc/sudoers.man.in 2016-08-08 12:55:08.781888802 +0200
98+++ b/doc/sudoers.man.in 2016-08-08 12:56:03.445681547 +0200
99@@ -1,7 +1,7 @@
100 .\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!
101 .\" IT IS GENERATED AUTOMATICALLY FROM sudoers.mdoc.in
102 .\"
103-.\" Copyright (c) 1994-1996, 1998-2005, 2007-2015
104+.\" Copyright (c) 1994-1996, 1998-2005, 2007-2016
105 .\" Todd C. Miller <Todd.Miller@courtesan.com>
106 .\"
107 .\" Permission to use, copy, modify, and distribute this software for any
108@@ -877,6 +877,15 @@
109 .RE
110 .fi
111 .PP
112+Warning, if the user has write access to the command itself (directly or via a
113+ \fBsudo\fR
114+command), it may be possible for the user to replace the command after the
115+digest check has been performed but before the command is executed.
116+A similar race condition exists on systems that lack the
117+fexecve(2)
118+system call when the directory in which the command is located
119+is writable by the user.
120+ .PP
121 Command digests are only supported by version 1.8.7 or higher.
122 .SS "Defaults"
123 Certain configuration options may be changed from their default
124diff -ruN a/doc/sudoers.mdoc.in b/doc/sudoers.mdoc.in
125--- a/doc/sudoers.mdoc.in 2016-08-08 12:55:08.781888802 +0200
126+++ b/doc/sudoers.mdoc.in 2016-08-08 12:56:03.449681239 +0200
127@@ -1,5 +1,5 @@
128 .\"
129-.\" Copyright (c) 1994-1996, 1998-2005, 2007-2015
130+.\" Copyright (c) 1994-1996, 1998-2005, 2007-2016
131 .\" Todd C. Miller <Todd.Miller@courtesan.com>
132 .\"
133 .\" Permission to use, copy, modify, and distribute this software for any
134@@ -834,6 +834,15 @@
135 EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ==
136 .Ed
137 .Pp
138+Warning, if the user has write access to the command itself (directly or via a
139+ .Nm sudo
140+command), it may be possible for the user to replace the command after the
141+digest check has been performed but before the command is executed.
142+A similar race condition exists on systems that lack the
143+.Xr fexecve 2
144+system call when the directory in which the command is located
145+is writable by the user.
146+ .Pp
147 Command digests are only supported by version 1.8.7 or higher.
148 .Ss Defaults
149 Certain configuration options may be changed from their default
150diff -ruN a/doc/sudo_plugin.cat b/doc/sudo_plugin.cat
151--- a/doc/sudo_plugin.cat 2016-08-08 12:55:08.781888802 +0200
152+++ b/doc/sudo_plugin.cat 2016-08-08 12:56:03.449681239 +0200
153@@ -499,6 +499,11 @@
154 This setting has no effect unless I/O logging is
155 enabled or _u_s_e___p_t_y is enabled.
156
157+ execfd=number
158+ If specified, ssuuddoo will use the fexecve(2) system call
159+ to execute the command instead of execve(2). The
160+ specified _n_u_m_b_e_r must refer to an open file descriptor.
161+
162 iolog_compress=bool
163 Set to true if the I/O logging plugins, if any, should
164 compress the log data. This is a hint to the I/O
165@@ -1505,6 +1510,9 @@
166 it supports plugin API version 1.8 or higher to receive a
167 conversation function pointer that supports this argument.
168
169+ Version 1.9 (sudo 1.8.16)
170+ The _e_x_e_c_f_d entry was added to the command_info list.
171+
172 SSEEEE AALLSSOO
173 sudo.conf(4), sudoers(4), sudo(1m)
174
175diff -ruN a/doc/sudo_plugin.man.in b/doc/sudo_plugin.man.in
176--- a/doc/sudo_plugin.man.in 2016-08-08 12:55:08.781888802 +0200
177+++ b/doc/sudo_plugin.man.in 2016-08-08 12:56:03.449681239 +0200
178@@ -1,7 +1,7 @@
179 .\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!
180 .\" IT IS GENERATED AUTOMATICALLY FROM sudo_plugin.mdoc.in
181 .\"
182-.\" Copyright (c) 2009-2015 Todd C. Miller <Todd.Miller@courtesan.com>
183+.\" Copyright (c) 2009-2016 Todd C. Miller <Todd.Miller@courtesan.com>
184 .\"
185 .\" Permission to use, copy, modify, and distribute this software for any
186 .\" purpose with or without fee is hereby granted, provided that the above
187@@ -881,6 +881,17 @@
188 \fIuse_pty\fR
189 is enabled.
190 .TP 6n
191+execfd=number
192+If specified,
193+\fBsudo\fR
194+will use the
195+fexecve(2)
196+system call to execute the command instead of
197+execve(2).
198+The specified
199+\fInumber\fR
200+must refer to an open file descriptor.
201+.TP 6n
202 iolog_compress=bool
203 Set to true if the I/O logging plugins, if any, should compress the
204 log data.
205@@ -2703,6 +2714,13 @@
206 definition has been updated to match.
207 The plugin must specify that it supports plugin API version 1.8 or higher
208 to receive a conversation function pointer that supports this argument.
209+.TP 6n
210+Version 1.9 (sudo 1.8.16)
211+The
212+\fIexecfd\fR
213+entry was added to the
214+\fRcommand_info\fR
215+list.
216 .SH "SEE ALSO"
217 sudo.conf(@mansectform@),
218 sudoers(@mansectform@),
219diff -ruN a/doc/sudo_plugin.mdoc.in b/doc/sudo_plugin.mdoc.in
220--- a/doc/sudo_plugin.mdoc.in 2016-08-08 12:55:08.781888802 +0200
221+++ b/doc/sudo_plugin.mdoc.in 2016-08-08 12:56:03.453680931 +0200
222@@ -1,5 +1,5 @@
223 .\"
224-.\" Copyright (c) 2009-2015 Todd C. Miller <Todd.Miller@courtesan.com>
225+.\" Copyright (c) 2009-2016 Todd C. Miller <Todd.Miller@courtesan.com>
226 .\"
227 .\" Permission to use, copy, modify, and distribute this software for any
228 .\" purpose with or without fee is hereby granted, provided that the above
229@@ -784,6 +784,16 @@
230 This setting has no effect unless I/O logging is enabled or
231 .Em use_pty
232 is enabled.
233+.It execfd=number
234+If specified,
235+.Nm sudo
236+will use the
237+.Xr fexecve 2
238+system call to execute the command instead of
239+.Xr execve 2 .
240+The specified
241+.Em number
242+must refer to an open file descriptor.
243 .It iolog_compress=bool
244 Set to true if the I/O logging plugins, if any, should compress the
245 log data.
246@@ -2367,6 +2377,12 @@
247 definition has been updated to match.
248 The plugin must specify that it supports plugin API version 1.8 or higher
249 to receive a conversation function pointer that supports this argument.
250+.It Version 1.9 (sudo 1.8.16)
251+The
252+.Em execfd
253+entry was added to the
254+.Li command_info
255+list.
256 .El
257 .Sh SEE ALSO
258 .Xr sudo.conf @mansectform@ ,
259diff -ruN a/include/sudo_plugin.h b/include/sudo_plugin.h
260--- a/include/sudo_plugin.h 2016-08-08 12:55:08.781888802 +0200
261+++ b/include/sudo_plugin.h 2016-08-08 12:56:03.453680931 +0200
262@@ -1,5 +1,5 @@
263 /*
264- * Copyright (c) 2009-2015 Todd C. Miller <Todd.Miller@courtesan.com>
265+ * Copyright (c) 2009-2016 Todd C. Miller <Todd.Miller@courtesan.com>
266 *
267 * Permission to use, copy, modify, and distribute this software for any
268 * purpose with or without fee is hereby granted, provided that the above
269@@ -19,7 +19,7 @@
270
271 /* API version major/minor */
272 #define SUDO_API_VERSION_MAJOR 1
273-#define SUDO_API_VERSION_MINOR 8
274+#define SUDO_API_VERSION_MINOR 9
275 #define SUDO_API_MKVERSION(x, y) (((x) << 16) | (y))
276 #define SUDO_API_VERSION SUDO_API_MKVERSION(SUDO_API_VERSION_MAJOR, SUDO_API_VERSION_MINOR)
277
278diff -ruN a/plugins/sudoers/match.c b/plugins/sudoers/match.c
279--- a/plugins/sudoers/match.c 2016-08-08 12:55:08.781888802 +0200
280+++ b/plugins/sudoers/match.c 2016-08-08 12:56:03.453680931 +0200
281@@ -1,5 +1,5 @@
282 /*
283- * Copyright (c) 1996, 1998-2005, 2007-2015
284+ * Copyright (c) 1996, 1998-2005, 2007-2016
285 * Todd C. Miller <Todd.Miller@courtesan.com>
286 *
287 * Permission to use, copy, modify, and distribute this software for any
288@@ -55,6 +55,7 @@
289 # include <netdb.h>
290 #endif /* HAVE_NETGROUP_H */
291 #include <dirent.h>
292+#include <fcntl.h>
293 #include <pwd.h>
294 #include <grp.h>
295 #include <errno.h>
296@@ -583,17 +584,18 @@
297 };
298
299 static bool
300-digest_matches(const char *file, const struct sudo_digest *sd)
301+digest_matches(const char *file, const struct sudo_digest *sd, int *fd)
302 {
303 unsigned char file_digest[SHA512_DIGEST_LENGTH];
304 unsigned char sudoers_digest[SHA512_DIGEST_LENGTH];
305 unsigned char buf[32 * 1024];
306 struct digest_function *func = NULL;
307+ bool first = true;
308+ bool is_script = false;
309 size_t nread;
310 SHA2_CTX ctx;
311 FILE *fp;
312 unsigned int i;
313- int h;
314 debug_decl(digest_matches, SUDOERS_DEBUG_MATCH)
315
316 for (i = 0; digest_functions[i].digest_name != NULL; i++) {
317@@ -609,7 +611,7 @@
318 if (strlen(sd->digest_str) == func->digest_len * 2) {
319 /* Convert the command digest from ascii hex to binary. */
320 for (i = 0; i < func->digest_len; i++) {
321- h = hexchar(&sd->digest_str[i + i]);
322+ const int h = hexchar(&sd->digest_str[i + i]);
323 if (h == -1)
324 goto bad_format;
325 sudoers_digest[i] = (unsigned char)h;
326@@ -633,6 +635,12 @@
327
328 func->init(&ctx);
329 while ((nread = fread(buf, 1, sizeof(buf), fp)) != 0) {
330+ /* Check for #! cookie and set is_script. */
331+ if (first) {
332+ first = false;
333+ if (nread >= 2 && buf[0] == '#' && buf[1] == '!')
334+ is_script = true;
335+ }
336 func->update(&ctx, buf, nread);
337 }
338 if (ferror(fp)) {
339@@ -640,15 +648,36 @@
340 fclose(fp);
341 debug_return_bool(false);
342 }
343- fclose(fp);
344 func->final(file_digest, &ctx);
345
346- if (memcmp(file_digest, sudoers_digest, func->digest_len) == 0)
347- debug_return_bool(true);
348- sudo_debug_printf(SUDO_DEBUG_DIAG|SUDO_DEBUG_LINENO,
349- "%s digest mismatch for %s, expecting %s",
350- func->digest_name, file, sd->digest_str);
351- debug_return_bool(false);
352+ if (memcmp(file_digest, sudoers_digest, func->digest_len) != 0) {
353+ fclose(fp);
354+ sudo_debug_printf(SUDO_DEBUG_DIAG|SUDO_DEBUG_LINENO,
355+ "%s digest mismatch for %s, expecting %s",
356+ func->digest_name, file, sd->digest_str);
357+ debug_return_bool(false);
358+ }
359+
360+#ifdef HAVE_FEXECVE
361+ /*
362+ * On systems with fexecve(2) we can use that to execute the
363+ * matching command even when the directory is writable.
364+ */
365+ if ((*fd = dup(fileno(fp))) == -1) {
366+ sudo_debug_printf(SUDO_DEBUG_INFO, "unable to dup %s: %s",
367+ file, strerror(errno));
368+ fclose(fp);
369+ debug_return_bool(false);
370+ }
371+ /*
372+ * Shell scripts go through namei twice and so we can't set the close
373+ * on exec flag on the fd for fexecve(2).
374+ */
375+ if (!is_script)
376+ fcntl(*fd, F_SETFD, FD_CLOEXEC);
377+#endif /* HAVE_FEXECVE */
378+ fclose(fp);
379+ debug_return_bool(true);
380 bad_format:
381 sudo_warnx(U_("digest for %s (%s) is not in %s form"), file,
382 sd->digest_str, func->digest_name);
383@@ -690,7 +719,11 @@
384 debug_return_bool(false);
385 if (!command_args_match(sudoers_cmnd, sudoers_args))
386 debug_return_bool(false);
387- if (digest != NULL && !digest_matches(sudoers_cmnd, digest)) {
388+ if (cmnd_fd != -1) {
389+ close(cmnd_fd);
390+ cmnd_fd = -1;
391+ }
392+ if (digest != NULL && !digest_matches(sudoers_cmnd, digest, &cmnd_fd)) {
393 /* XXX - log functions not available but we should log very loudly */
394 debug_return_bool(false);
395 }
396diff -ruN a/plugins/sudoers/policy.c b/plugins/sudoers/policy.c
397--- a/plugins/sudoers/policy.c 2016-08-08 12:55:08.781888802 +0200
398+++ b/plugins/sudoers/policy.c 2016-08-08 12:56:03.457680623 +0200
399@@ -1,5 +1,5 @@
400 /*
401- * Copyright (c) 2010-2015 Todd C. Miller <Todd.Miller@courtesan.com>
402+ * Copyright (c) 2010-2016 Todd C. Miller <Todd.Miller@courtesan.com>
403 *
404 * Permission to use, copy, modify, and distribute this software for any
405 * purpose with or without fee is hereby granted, provided that the above
406@@ -371,6 +371,9 @@
407 user_umask = umask(SUDO_UMASK);
408 umask(user_umask);
409
410+ /* Some systems support fexecve() which we use for digest matches. */
411+ cmnd_fd = -1;
412+
413 /* Dump settings and user info (XXX - plugin args) */
414 for (cur = info->settings; *cur != NULL; cur++)
415 sudo_debug_printf(SUDO_DEBUG_INFO, "settings: %s", *cur);
416@@ -545,6 +548,16 @@
417 if (asprintf(&command_info[info_len++], "umask=0%o", (unsigned int)cmnd_umask) == -1)
418 goto oom;
419 }
420+ if (cmnd_fd != -1) {
421+ if (sudo_version < SUDO_API_MKVERSION(1, 9)) {
422+ /* execfd only supported by plugin API 1.9 and higher */
423+ close(cmnd_fd);
424+ cmnd_fd = -1;
425+ } else {
426+ if (asprintf(&command_info[info_len++], "execfd=%d", cmnd_fd) == -1)
427+ goto oom;
428+ }
429+ }
430 #ifdef HAVE_LOGIN_CAP_H
431 if (def_use_loginclass) {
432 if ((command_info[info_len++] = sudo_new_key_val("login_class", login_class)) == NULL)
433diff -ruN a/plugins/sudoers/sudoers.h b/plugins/sudoers/sudoers.h
434--- a/plugins/sudoers/sudoers.h 2016-08-08 12:55:08.781888802 +0200
435+++ b/plugins/sudoers/sudoers.h 2016-08-08 12:56:03.457680623 +0200
436@@ -1,5 +1,5 @@
437 /*
438- * Copyright (c) 1993-1996, 1998-2005, 2007-2015
439+ * Copyright (c) 1993-1996, 1998-2005, 2007-2016
440 * Todd C. Miller <Todd.Miller@courtesan.com>
441 *
442 * Permission to use, copy, modify, and distribute this software for any
443@@ -90,6 +90,7 @@
444 const char *cwd;
445 char *iolog_file;
446 GETGROUPS_T *gids;
447+ int execfd;
448 int ngids;
449 int closefrom;
450 int lines;
451@@ -197,6 +198,7 @@
452 #define user_srunhost (sudo_user.srunhost)
453 #define user_ccname (sudo_user.krb5_ccname)
454 #define safe_cmnd (sudo_user.cmnd_safe)
455+#define cmnd_fd (sudo_user.execfd)
456 #define login_class (sudo_user.class_name)
457 #define runas_pw (sudo_user._runas_pw)
458 #define runas_gr (sudo_user._runas_gr)
459diff -ruN a/src/exec.c b/src/exec.c
460--- a/src/exec.c 2016-08-08 12:55:08.781888802 +0200
461+++ b/src/exec.c 2016-08-08 12:56:03.457680623 +0200
462@@ -1,5 +1,5 @@
463 /*
464- * Copyright (c) 2009-2015 Todd C. Miller <Todd.Miller@courtesan.com>
465+ * Copyright (c) 2009-2016 Todd C. Miller <Todd.Miller@courtesan.com>
466 *
467 * Permission to use, copy, modify, and distribute this software for any
468 * purpose with or without fee is hereby granted, provided that the above
469@@ -176,13 +176,13 @@
470 }
471 #ifdef HAVE_SELINUX
472 if (ISSET(details->flags, CD_RBAC_ENABLED)) {
473- selinux_execve(details->command, details->argv, details->envp,
474- ISSET(details->flags, CD_NOEXEC));
475+ selinux_execve(details->execfd, details->command, details->argv,
476+ details->envp, ISSET(details->flags, CD_NOEXEC));
477 } else
478 #endif
479 {
480- sudo_execve(details->command, details->argv, details->envp,
481- ISSET(details->flags, CD_NOEXEC));
482+ sudo_execve(details->execfd, details->command, details->argv,
483+ details->envp, ISSET(details->flags, CD_NOEXEC));
484 }
485 }
486 cstat->type = CMD_ERRNO;
487diff -ruN a/src/exec_common.c b/src/exec_common.c
488--- a/src/exec_common.c 2016-08-08 12:55:08.781888802 +0200
489+++ b/src/exec_common.c 2016-08-08 12:56:03.457680623 +0200
490@@ -1,5 +1,5 @@
491 /*
492- * Copyright (c) 2009-2015 Todd C. Miller <Todd.Miller@courtesan.com>
493+ * Copyright (c) 2009-2016 Todd C. Miller <Todd.Miller@courtesan.com>
494 *
495 * Permission to use, copy, modify, and distribute this software for any
496 * purpose with or without fee is hereby granted, provided that the above
497@@ -134,14 +134,19 @@
498 * ala execvp(3) if we get ENOEXEC.
499 */
500 int
501-sudo_execve(const char *path, char *const argv[], char *const envp[], bool noexec)
502+sudo_execve(int fd, const char *path, char *const argv[], char *const envp[], bool noexec)
503 {
504 /* Modify the environment as needed to disable further execve(). */
505 if (noexec)
506 envp = disable_execute(envp);
507
508- execve(path, argv, envp);
509- if (errno == ENOEXEC) {
510+#ifdef HAVE_FEXECVE
511+ if (fd != -1)
512+ fexecve(fd, argv, envp);
513+ else
514+#endif
515+ execve(path, argv, envp);
516+ if (fd == -1 && errno == ENOEXEC) {
517 int argc;
518 char **nargv;
519
520diff -ruN a/src/selinux.c b/src/selinux.c
521--- a/src/selinux.c 2016-08-08 12:55:08.781888802 +0200
522+++ b/src/selinux.c 2016-08-08 12:56:03.461680315 +0200
523@@ -1,5 +1,5 @@
524 /*
525- * Copyright (c) 2009-2015 Todd C. Miller <Todd.Miller@courtesan.com>
526+ * Copyright (c) 2009-2016 Todd C. Miller <Todd.Miller@courtesan.com>
527 * Copyright (c) 2008 Dan Walsh <dwalsh@redhat.com>
528 *
529 * Borrowed heavily from newrole source code
530@@ -373,7 +373,7 @@
531 }
532
533 void
534-selinux_execve(const char *path, char *const argv[], char *const envp[],
535+selinux_execve(int fd, const char *path, char *const argv[], char *const envp[],
536 int noexec)
537 {
538 char **nargv;
539@@ -409,6 +409,8 @@
540 */
541 for (argc = 0; argv[argc] != NULL; argc++)
542 continue;
543+ if (fd != -1)
544+ argc++;
545 nargv = reallocarray(NULL, argc + 2, sizeof(char *));
546 if (nargv == NULL) {
547 sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
548@@ -418,11 +420,16 @@
549 nargv[0] = *argv[0] == '-' ? "-sesh-noexec" : "sesh-noexec";
550 else
551 nargv[0] = *argv[0] == '-' ? "-sesh" : "sesh";
552- nargv[1] = (char *)path;
553- memcpy(&nargv[2], &argv[1], argc * sizeof(char *)); /* copies NULL */
554+ argc = 1;
555+ if (fd != -1 && asprintf(&nargv[argc++], "--execfd=%d", fd) == -1) {
556+ sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
557+ debug_return;
558+ }
559+ nargv[argc] = (char *)path;
560+ memcpy(&nargv[argc + 1], &argv[argc], argc * sizeof(char *)); /* copies NULL */
561
562 /* sesh will handle noexec for us. */
563- sudo_execve(sesh, nargv, envp, false);
564+ sudo_execve(-1, sesh, nargv, envp, false);
565 serrno = errno;
566 free(nargv);
567 errno = serrno;
568diff -ruN a/src/sesh.c b/src/sesh.c
569--- a/src/sesh.c 2016-08-08 12:55:08.781888802 +0200
570+++ b/src/sesh.c 2016-08-08 12:56:03.461680315 +0200
571@@ -1,5 +1,5 @@
572 /*
573- * Copyright (c) 2008, 2010-2015 Todd C. Miller <Todd.Miller@courtesan.com>
574+ * Copyright (c) 2008, 2010-2016 Todd C. Miller <Todd.Miller@courtesan.com>
575 *
576 * Permission to use, copy, modify, and distribute this software for any
577 * purpose with or without fee is hereby granted, provided that the above
578@@ -87,6 +87,7 @@
579 } else {
580 bool login_shell, noexec = false;
581 char *cp, *cmnd;
582+ int fd = -1;
583
584 /* If the first char of argv[0] is '-', we are running a login shell. */
585 login_shell = argv[0][0] == '-';
586@@ -95,6 +96,18 @@
587 if ((cp = strrchr(argv[0], '-')) != NULL && cp != argv[0])
588 noexec = strcmp(cp, "-noexec") == 0;
589
590+ /* If argv[1] is --execfd=%d, extract the fd to exec with. */
591+ if (strncmp(argv[1], "--execfd=", 9) == 0) {
592+ const char *errstr;
593+
594+ cp = argv[1] + 9;
595+ fd = strtonum(cp, 0, INT_MAX, &errstr);
596+ if (errstr != NULL)
597+ sudo_fatalx(U_("invalid file descriptor number: %s"), cp);
598+ argv++;
599+ argc--;
600+ }
601+
602 /* Shift argv and make a copy of the command to execute. */
603 argv++;
604 argc--;
605@@ -108,7 +121,7 @@
606 *cp = '-';
607 argv[0] = cp;
608 }
609- sudo_execve(cmnd, argv, envp, noexec);
610+ sudo_execve(fd, cmnd, argv, envp, noexec);
611 sudo_warn(U_("unable to execute %s"), cmnd);
612 ret = SESH_ERR_FAILURE;
613 }
614diff -ruN a/src/sudo.c b/src/sudo.c
615--- a/src/sudo.c 2016-08-08 12:55:08.781888802 +0200
616+++ b/src/sudo.c 2016-08-08 12:56:03.461680315 +0200
617@@ -1,5 +1,5 @@
618 /*
619- * Copyright (c) 2009-2015 Todd C. Miller <Todd.Miller@courtesan.com>
620+ * Copyright (c) 2009-2016 Todd C. Miller <Todd.Miller@courtesan.com>
621 *
622 * Permission to use, copy, modify, and distribute this software for any
623 * purpose with or without fee is hereby granted, provided that the above
624@@ -585,6 +585,7 @@
625
626 memset(details, 0, sizeof(*details));
627 details->closefrom = -1;
628+ details->execfd = -1;
629 TAILQ_INIT(&details->preserved_fds);
630
631 #define SET_STRING(s, n) \
632@@ -615,6 +616,21 @@
633 SET(details->flags, CD_EXEC_BG);
634 break;
635 }
636+ if (strncmp("execfd=", info[i], sizeof("execfd=") - 1) == 0) {
637+ cp = info[i] + sizeof("execfd=") - 1;
638+ details->execfd = strtonum(cp, 0, INT_MAX, &errstr);
639+ if (errstr != NULL)
640+ sudo_fatalx(U_("%s: %s"), info[i], U_(errstr));
641+#ifdef HAVE_FEXECVE
642+ /* Must keep fd open during exec. */
643+ add_preserved_fd(&details->preserved_fds, details->execfd);
644+#else
645+ /* Plugin thinks we support fexecve() but we don't. */
646+ fcntl(details->execfd, F_SETFD, FD_CLOEXEC);
647+ details->execfd = -1;
648+#endif
649+ break;
650+ }
651 break;
652 case 'l':
653 SET_STRING("login_class=", login_class)
654diff -ruN a/src/sudo_exec.h b/src/sudo_exec.h
655--- a/src/sudo_exec.h 2016-08-08 12:55:08.781888802 +0200
656+++ b/src/sudo_exec.h 2016-08-08 13:04:19.127533565 +0200
657@@ -1,5 +1,5 @@
658 /*
659- * Copyright (c) 2010-2013 Todd C. Miller <Todd.Miller@courtesan.com>
660+ * Copyright (c) 2010-2016 Todd C. Miller <Todd.Miller@courtesan.com>
661 *
662 * Permission to use, copy, modify, and distribute this software for any
663 * purpose with or without fee is hereby granted, provided that the above
664@@ -74,7 +74,7 @@
665
666 /* exec.c */
667 struct sudo_event_base;
668-int sudo_execve(const char *path, char *const argv[], char *const envp[], bool noexec);
669+int sudo_execve(int fd, const char *path, char *const argv[], char *const envp[], bool noexec);
670 extern volatile pid_t cmnd_pid;
671
672 /* exec_pty.c */
673diff -ruN a/src/sudo.h b/src/sudo.h
674--- a/src/sudo.h 2016-08-08 12:55:08.781888802 +0200
675+++ b/src/sudo.h 2016-08-08 12:56:03.465680007 +0200
676@@ -1,5 +1,5 @@
677 /*
678- * Copyright (c) 1993-1996, 1998-2005, 2007-2014
679+ * Copyright (c) 1993-1996, 1998-2005, 2007-2016
680 * Todd C. Miller <Todd.Miller@courtesan.com>
681 *
682 * Permission to use, copy, modify, and distribute this software for any
683@@ -149,6 +149,7 @@
684 int ngroups;
685 int closefrom;
686 int flags;
687+ int execfd;
688 struct preserved_fd_list preserved_fds;
689 struct passwd *pw;
690 GETGROUPS_T *groups;
691@@ -221,7 +222,7 @@
692 int selinux_restore_tty(void);
693 int selinux_setup(const char *role, const char *type, const char *ttyn,
694 int ttyfd);
695-void selinux_execve(const char *path, char *const argv[], char *const envp[],
696+void selinux_execve(int fd, const char *path, char *const argv[], char *envp[],
697 int noexec);
698
699 /* solaris.c */
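Review bot: In src/selinux.c, selinux_execve() now reuses `argc` as the index for filling nargv (`argc = 1;` right after the nargv[0] selection), so the final `memcpy(&nargv[argc + 1], &argv[argc], argc * sizeof(char *))` copies only one pointer starting at argv[1] (two starting at argv[2] when `--execfd` is inserted, skipping argv[1]) instead of argv[1] through the terminating NULL; a command with more arguments than that loses them and, because reallocarray() does not zero the array, nargv is left unterminated for the exec. Keep `argc` as the argument count, drop the `if (fd != -1) argc++;` bump in favour of allocating `argc + 3` entries, and fill nargv through a separate `int nargc;` declared next to `char **nargv;`, as in the excerpt below. The asprintf() failure path also returns without `free(nargv)`. The function's local declarations and its tail lie outside these hunks.
```c
    for (argc = 0; argv[argc] != NULL; argc++)
	continue;
    nargv = reallocarray(NULL, argc + 3, sizeof(char *));
    /* … unchanged: allocation failure check and nargv[0] selection … */
    nargc = 1;
    if (fd != -1 && asprintf(&nargv[nargc++], "--execfd=%d", fd) == -1) {
	sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
	free(nargv);
	debug_return;
    }
    nargv[nargc++] = (char *)path;
    memcpy(&nargv[nargc], &argv[1], argc * sizeof(char *)); /* copies NULL */
```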
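--- /dev/null
+++ b/meta/recipes-extended/sudo/sudo/CVE-2015-8239-2.patch
@@ -0,0 +1,45 @@
+
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller@courtesan.com>
+# Date 1452556552 25200
+# Node ID 0cd3cc8fa19565d3f7eb7d960f6ba5da0dec4889
+# Parent 4d2c1761c75245fb88ce397d68bea10afea9c037
+Silence warning in digest_matches() on systems with no fexecve(2).
+
+Reference to upstream patch:
+https://www.sudo.ws/repos/sudo/raw-rev/0cd3cc8fa195
+
+CVE: CVE-2015-8239
+Upstream-Status: Backport
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+diff -r 4d2c1761c752 -r 0cd3cc8fa195 plugins/sudoers/match.c
+--- a/plugins/sudoers/match.c Mon Jan 11 16:52:52 2016 -0700
++++ b/plugins/sudoers/match.c Mon Jan 11 16:55:52 2016 -0700
+@@ -590,8 +590,10 @@
+ unsigned char sudoers_digest[SHA512_DIGEST_LENGTH];
+ unsigned char buf[32 * 1024];
+ struct digest_function *func = NULL;
++#ifdef HAVE_FEXECVE
+ bool first = true;
+ bool is_script = false;
++#endif /* HAVE_FEXECVE */
+ size_t nread;
+ SHA2_CTX ctx;
+ FILE *fp;
+@@ -635,12 +637,14 @@
+
+ func->init(&ctx);
+ while ((nread = fread(buf, 1, sizeof(buf), fp)) != 0) {
++#ifdef HAVE_FEXECVE
+ /* Check for #! cookie and set is_script. */
+ if (first) {
+ first = false;
+ if (nread >= 2 && buf[0] == '#' && buf[1] == '!')
+ is_script = true;
+ }
++#endif /* HAVE_FEXECVE */
+ func->update(&ctx, buf, nread);
+ }
+ if (ferror(fp)) {
+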
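--- a/meta/recipes-extended/sudo/sudo_1.8.15.bb
+++ b/meta/recipes-extended/sudo/sudo_1.8.15.bb
@@ -3,6 +3,8 @@ require sudo.inc
 SRC_URI = "http://ftp.sudo.ws/sudo/dist/sudo-${PV}.tar.gz \
  ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
  file://0001-Include-sys-types.h-for-id_t-definition.patch \
+ file://CVE-2015-8239-1.patch \
+ file://CVE-2015-8239-2.patch \
  "
 
 PAM_SRC_URI = "file://sudo.pam"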