author | Sona Sarmadi <sona.sarmadi@enea.com> | 2016-08-09 13:04:41 +0200 |
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-09-23 15:27:04 +0100 |
commit | 016df260e531c4e8209b3b3a79697c2055f8e0ce (patch) | |
tree | 18d558ab592df37ab83cbb31fb6c62862619a5d9 /meta | |
parent | 5d781f41ff29654520d177c7aab7a244751044a2 (diff) | |
download | poky-016df260e531c4e8209b3b3a79697c2055f8e0ce.tar.gz |
sudo: CVE-2015-8239
Fixes race condition when checking digests in sudoers.
Reference:
http://seclists.org/oss-sec/2015/q4/327
Reference to upstream fixes:
https://www.sudo.ws/repos/sudo/raw-rev/397722cdd7ec
https://www.sudo.ws/repos/sudo/raw-rev/0cd3cc8fa195
(From OE-Core rev: 3564999bd987b08188e2e0eead59a49bebbc5e32)
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-extended/sudo/sudo/CVE-2015-8239-1.patch | 699 | ||||
-rw-r--r-- | meta/recipes-extended/sudo/sudo/CVE-2015-8239-2.patch | 45 | ||||
-rw-r--r-- | meta/recipes-extended/sudo/sudo_1.8.15.bb | 2 |
3 files changed, 746 insertions, 0 deletions
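--- /dev/null
+++ b/meta/recipes-extended/sudo/sudo/CVE-2015-8239-1.patch
@@ -0,0 +1,699 @@
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller@courtesan.com>
+# Date 1451928918 25200
+# Node ID 397722cdd7eceef0aec561909418215e275ccd44
+# Parent 33272418bb10ee780184dbd2d966a4e5c3bc597e
+Add support for using fexecve() if supported on commands that are
+checksummed.
+
+Reference to upstream patch:
+https://www.sudo.ws/repos/sudo/rev/397722cdd7ec
+
+CVE: CVE-2015-8239
+Upstream-Status: Backport
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+diff -ruN a/configure b/configure
+--- a/configure 2015-11-01 00:35:24.000000000 +0100
++++ b/configure 2016-08-08 12:56:03.441681854 +0200
+@@ -2650,6 +2650,7 @@
+as_fn_append ac_header_list " sys/select.h"
+as_fn_append ac_header_list " sys/stropts.h"
+as_fn_append ac_header_list " sys/sysmacros.h"
++as_fn_append ac_func_list " fexecve"
+as_fn_append ac_func_list " killpg"
+as_fn_append ac_func_list " nl_langinfo"
+as_fn_append ac_func_list " strftime"
+@@ -18078,6 +18079,8 @@
+
+
+
++
++
+for ac_func in getgrouplist
+do :
+ac_fn_c_check_func "$LINENO" "getgrouplist" "ac_cv_func_getgrouplist"
+@@ -19903,8 +19906,8 @@
+fi
+done
+
+- # Check for fexecve, posix_spawn, and posix_spawnp
+- for ac_func in fexecve posix_spawn posix_spawnp
++ # Check for posix_spawn, and posix_spawnp
++ for ac_func in posix_spawn posix_spawnp
+do :
+as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
+diff -ruN a/configure.ac b/configure.ac
+--- a/configure.ac 2016-08-08 12:55:08.781888802 +0200
++++ b/configure.ac 2016-08-08 12:56:03.445681547 +0200
+@@ -1,7 +1,7 @@
+dnl
+dnl Use the top-level autogen.sh script to generate configure and config.h.in
+dnl
+-dnl Copyright (c) 1994-1996,1998-2015 Todd C. Miller <Todd.Miller@courtesan.com>
++dnl Copyright (c) 1994-1996,1998-2016 Todd C. Miller <Todd.Miller@courtesan.com>
+dnl
+AC_PREREQ([2.59])
+AC_INIT([sudo], [1.8.15], [http://www.sudo.ws/bugs/], [sudo])
+@@ -2384,7 +2384,7 @@
+dnl Function checks
+dnl
+AC_FUNC_GETGROUPS
+-AC_CHECK_FUNCS_ONCE([killpg nl_langinfo strftime pread pwrite openat])
++AC_CHECK_FUNCS_ONCE([fexecve killpg nl_langinfo strftime pread pwrite openat])
+AC_CHECK_FUNCS([getgrouplist], [], [
+case "$host_os" in
+aix*)
+@@ -2676,8 +2676,8 @@
+if test X"$with_noexec" != X"no"; then
+# Check for non-standard exec functions
+AC_CHECK_FUNCS([exect execvP execvpe])
+- # Check for fexecve, posix_spawn, and posix_spawnp
+- AC_CHECK_FUNCS([fexecve posix_spawn posix_spawnp])
++ # Check for posix_spawn, and posix_spawnp
++ AC_CHECK_FUNCS([posix_spawn posix_spawnp])
+fi
+
+dnl
+diff -ruN a/doc/sudoers.cat b/doc/sudoers.cat
+--- a/doc/sudoers.cat 2016-08-08 12:55:08.781888802 +0200
++++ b/doc/sudoers.cat 2016-08-08 12:56:03.445681547 +0200
+@@ -410,6 +410,13 @@
+$ openssl dgst -binary -sha224 /bin/ls | openssl base64
+EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ==
+
++ Warning, if the user has write access to the command itself (directly or
++ via a sudo command), it may be possible for the user to replace the
++ command after the digest check has been performed but before the command
++ is executed. A similar race condition exists on systems that lack the
++ fexecve(2) system call when the directory in which the command is located
++ is writable by the user.
++
+Command digests are only supported by version 1.8.7 or higher.
+
+DDeeffaauullttss
+diff -ruN a/doc/sudoers.man.in b/doc/sudoers.man.in
+--- a/doc/sudoers.man.in 2016-08-08 12:55:08.781888802 +0200
++++ b/doc/sudoers.man.in 2016-08-08 12:56:03.445681547 +0200
+@@ -1,7 +1,7 @@
+.\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!
+.\" IT IS GENERATED AUTOMATICALLY FROM sudoers.mdoc.in
+.\"
+-.\" Copyright (c) 1994-1996, 1998-2005, 2007-2015
++.\" Copyright (c) 1994-1996, 1998-2005, 2007-2016
+.\" Todd C. Miller <Todd.Miller@courtesan.com>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+@@ -877,6 +877,15 @@
+.RE
+.fi
+.PP
++Warning, if the user has write access to the command itself (directly or via a
++ \fBsudo\fR
++command), it may be possible for the user to replace the command after the
++digest check has been performed but before the command is executed.
++A similar race condition exists on systems that lack the
++fexecve(2)
++system call when the directory in which the command is located
++is writable by the user.
++ .PP
+Command digests are only supported by version 1.8.7 or higher.
+.SS "Defaults"
+Certain configuration options may be changed from their default
+diff -ruN a/doc/sudoers.mdoc.in b/doc/sudoers.mdoc.in
+--- a/doc/sudoers.mdoc.in 2016-08-08 12:55:08.781888802 +0200
++++ b/doc/sudoers.mdoc.in 2016-08-08 12:56:03.449681239 +0200
+@@ -1,5 +1,5 @@
+.\"
+-.\" Copyright (c) 1994-1996, 1998-2005, 2007-2015
++.\" Copyright (c) 1994-1996, 1998-2005, 2007-2016
+.\" Todd C. Miller <Todd.Miller@courtesan.com>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+@@ -834,6 +834,15 @@
+EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ==
+.Ed
+.Pp
++Warning, if the user has write access to the command itself (directly or via a
++ .Nm sudo
++command), it may be possible for the user to replace the command after the
++digest check has been performed but before the command is executed.
++A similar race condition exists on systems that lack the
++.Xr fexecve 2
++system call when the directory in which the command is located
++is writable by the user.
++ .Pp
+Command digests are only supported by version 1.8.7 or higher.
+.Ss Defaults
+Certain configuration options may be changed from their default
+diff -ruN a/doc/sudo_plugin.cat b/doc/sudo_plugin.cat
+--- a/doc/sudo_plugin.cat 2016-08-08 12:55:08.781888802 +0200
++++ b/doc/sudo_plugin.cat 2016-08-08 12:56:03.449681239 +0200
+@@ -499,6 +499,11 @@
+This setting has no effect unless I/O logging is
+enabled or _u_s_e___p_t_y is enabled.
+
++ execfd=number
++ If specified, ssuuddoo will use the fexecve(2) system call
++ to execute the command instead of execve(2). The
++ specified _n_u_m_b_e_r must refer to an open file descriptor.
++
+iolog_compress=bool
+Set to true if the I/O logging plugins, if any, should
+compress the log data. This is a hint to the I/O
+@@ -1505,6 +1510,9 @@
+it supports plugin API version 1.8 or higher to receive a
+conversation function pointer that supports this argument.
+
++ Version 1.9 (sudo 1.8.16)
++ The _e_x_e_c_f_d entry was added to the command_info list.
++
+SSEEEE AALLSSOO
+sudo.conf(4), sudoers(4), sudo(1m)
+
+diff -ruN a/doc/sudo_plugin.man.in b/doc/sudo_plugin.man.in
+--- a/doc/sudo_plugin.man.in 2016-08-08 12:55:08.781888802 +0200
++++ b/doc/sudo_plugin.man.in 2016-08-08 12:56:03.449681239 +0200
+@@ -1,7 +1,7 @@
+.\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!
+.\" IT IS GENERATED AUTOMATICALLY FROM sudo_plugin.mdoc.in
+.\"
+-.\" Copyright (c) 2009-2015 Todd C. Miller <Todd.Miller@courtesan.com>
++.\" Copyright (c) 2009-2016 Todd C. Miller <Todd.Miller@courtesan.com>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+@@ -881,6 +881,17 @@
+\fIuse_pty\fR
+is enabled.
+.TP 6n
++execfd=number
++If specified,
++\fBsudo\fR
++will use the
++fexecve(2)
++system call to execute the command instead of
++execve(2).
++The specified
++\fInumber\fR
++must refer to an open file descriptor.
++.TP 6n
+iolog_compress=bool
+Set to true if the I/O logging plugins, if any, should compress the
+log data.
+@@ -2703,6 +2714,13 @@
+definition has been updated to match.
+The plugin must specify that it supports plugin API version 1.8 or higher
+to receive a conversation function pointer that supports this argument.
++.TP 6n
++Version 1.9 (sudo 1.8.16)
++The
++\fIexecfd\fR
++entry was added to the
++\fRcommand_info\fR
++list.
+.SH "SEE ALSO"
+sudo.conf(@mansectform@),
+sudoers(@mansectform@),
+diff -ruN a/doc/sudo_plugin.mdoc.in b/doc/sudo_plugin.mdoc.in
+--- a/doc/sudo_plugin.mdoc.in 2016-08-08 12:55:08.781888802 +0200
++++ b/doc/sudo_plugin.mdoc.in 2016-08-08 12:56:03.453680931 +0200
+@@ -1,5 +1,5 @@
+.\"
+-.\" Copyright (c) 2009-2015 Todd C. Miller <Todd.Miller@courtesan.com>
++.\" Copyright (c) 2009-2016 Todd C. Miller <Todd.Miller@courtesan.com>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+@@ -784,6 +784,16 @@
+This setting has no effect unless I/O logging is enabled or
+.Em use_pty
+is enabled.
++.It execfd=number
++If specified,
++.Nm sudo
++will use the
++.Xr fexecve 2
++system call to execute the command instead of
++.Xr execve 2 .
++The specified
++.Em number
++must refer to an open file descriptor.
+.It iolog_compress=bool
+Set to true if the I/O logging plugins, if any, should compress the
+log data.
+@@ -2367,6 +2377,12 @@
+definition has been updated to match.
+The plugin must specify that it supports plugin API version 1.8 or higher
+to receive a conversation function pointer that supports this argument.
++.It Version 1.9 (sudo 1.8.16)
++The
++.Em execfd
++entry was added to the
++.Li command_info
++list.
+.El
+.Sh SEE ALSO
+.Xr sudo.conf @mansectform@ ,
+diff -ruN a/include/sudo_plugin.h b/include/sudo_plugin.h
+--- a/include/sudo_plugin.h 2016-08-08 12:55:08.781888802 +0200
++++ b/include/sudo_plugin.h 2016-08-08 12:56:03.453680931 +0200
+@@ -1,5 +1,5 @@
+/*
+- * Copyright (c) 2009-2015 Todd C. Miller <Todd.Miller@courtesan.com>
++ * Copyright (c) 2009-2016 Todd C. Miller <Todd.Miller@courtesan.com>
+*
+* Permission to use, copy, modify, and distribute this software for any
+* purpose with or without fee is hereby granted, provided that the above
+@@ -19,7 +19,7 @@
+
+/* API version major/minor */
+#define SUDO_API_VERSION_MAJOR 1
+-#define SUDO_API_VERSION_MINOR 8
++#define SUDO_API_VERSION_MINOR 9
+#define SUDO_API_MKVERSION(x, y) (((x) << 16) | (y))
+#define SUDO_API_VERSION SUDO_API_MKVERSION(SUDO_API_VERSION_MAJOR, SUDO_API_VERSION_MINOR)
+
+diff -ruN a/plugins/sudoers/match.c b/plugins/sudoers/match.c
+--- a/plugins/sudoers/match.c 2016-08-08 12:55:08.781888802 +0200
++++ b/plugins/sudoers/match.c 2016-08-08 12:56:03.453680931 +0200
+@@ -1,5 +1,5 @@
+/*
+- * Copyright (c) 1996, 1998-2005, 2007-2015
++ * Copyright (c) 1996, 1998-2005, 2007-2016
+* Todd C. Miller <Todd.Miller@courtesan.com>
+*
+* Permission to use, copy, modify, and distribute this software for any
+@@ -55,6 +55,7 @@
+# include <netdb.h>
+#endif /* HAVE_NETGROUP_H */
+#include <dirent.h>
++#include <fcntl.h>
+#include <pwd.h>
+#include <grp.h>
+#include <errno.h>
+@@ -583,17 +584,18 @@
+};
+
+static bool
+-digest_matches(const char *file, const struct sudo_digest *sd)
++digest_matches(const char *file, const struct sudo_digest *sd, int *fd)
+{
+unsigned char file_digest[SHA512_DIGEST_LENGTH];
+unsigned char sudoers_digest[SHA512_DIGEST_LENGTH];
+unsigned char buf[32 * 1024];
+struct digest_function *func = NULL;
++ bool first = true;
++ bool is_script = false;
+size_t nread;
+SHA2_CTX ctx;
+FILE *fp;
+unsigned int i;
+- int h;
+debug_decl(digest_matches, SUDOERS_DEBUG_MATCH)
+
+for (i = 0; digest_functions[i].digest_name != NULL; i++) {
+@@ -609,7 +611,7 @@
+if (strlen(sd->digest_str) == func->digest_len * 2) {
+/* Convert the command digest from ascii hex to binary. */
+for (i = 0; i < func->digest_len; i++) {
+- h = hexchar(&sd->digest_str[i + i]);
++ const int h = hexchar(&sd->digest_str[i + i]);
+if (h == -1)
+goto bad_format;
+sudoers_digest[i] = (unsigned char)h;
+@@ -633,6 +635,12 @@
+
+func->init(&ctx);
+while ((nread = fread(buf, 1, sizeof(buf), fp)) != 0) {
++ /* Check for #! cookie and set is_script. */
++ if (first) {
++ first = false;
++ if (nread >= 2 && buf[0] == '#' && buf[1] == '!')
++ is_script = true;
++ }
+func->update(&ctx, buf, nread);
+}
+if (ferror(fp)) {
+@@ -640,15 +648,36 @@
+fclose(fp);
+debug_return_bool(false);
+}
+- fclose(fp);
+func->final(file_digest, &ctx);
+
+- if (memcmp(file_digest, sudoers_digest, func->digest_len) == 0)
+- debug_return_bool(true);
+- sudo_debug_printf(SUDO_DEBUG_DIAG|SUDO_DEBUG_LINENO,
+- "%s digest mismatch for %s, expecting %s",
+- func->digest_name, file, sd->digest_str);
+- debug_return_bool(false);
++ if (memcmp(file_digest, sudoers_digest, func->digest_len) != 0) {
++ fclose(fp);
++ sudo_debug_printf(SUDO_DEBUG_DIAG|SUDO_DEBUG_LINENO,
++ "%s digest mismatch for %s, expecting %s",
++ func->digest_name, file, sd->digest_str);
++ debug_return_bool(false);
++ }
++
++#ifdef HAVE_FEXECVE
++ /*
++ * On systems with fexecve(2) we can use that to execute the
++ * matching command even when the directory is writable.
++ */
++ if ((*fd = dup(fileno(fp))) == -1) {
++ sudo_debug_printf(SUDO_DEBUG_INFO, "unable to dup %s: %s",
++ file, strerror(errno));
++ fclose(fp);
++ debug_return_bool(false);
++ }
++ /*
++ * Shell scripts go through namei twice and so we can't set the close
++ * on exec flag on the fd for fexecve(2).
++ */
++ if (!is_script)
++ fcntl(*fd, F_SETFD, FD_CLOEXEC);
++#endif /* HAVE_FEXECVE */
++ fclose(fp);
++ debug_return_bool(true);
+bad_format:
+sudo_warnx(U_("digest for %s (%s) is not in %s form"), file,
+sd->digest_str, func->digest_name);
+@@ -690,7 +719,11 @@
+debug_return_bool(false);
+if (!command_args_match(sudoers_cmnd, sudoers_args))
+debug_return_bool(false);
+- if (digest != NULL && !digest_matches(sudoers_cmnd, digest)) {
++ if (cmnd_fd != -1) {
++ close(cmnd_fd);
++ cmnd_fd = -1;
++ }
++ if (digest != NULL && !digest_matches(sudoers_cmnd, digest, &cmnd_fd)) {
+/* XXX - log functions not available but we should log very loudly */
+debug_return_bool(false);
+}
+diff -ruN a/plugins/sudoers/policy.c b/plugins/sudoers/policy.c
+--- a/plugins/sudoers/policy.c 2016-08-08 12:55:08.781888802 +0200
++++ b/plugins/sudoers/policy.c 2016-08-08 12:56:03.457680623 +0200
+@@ -1,5 +1,5 @@
+/*
+- * Copyright (c) 2010-2015 Todd C. Miller <Todd.Miller@courtesan.com>
++ * Copyright (c) 2010-2016 Todd C. Miller <Todd.Miller@courtesan.com>
+*
+* Permission to use, copy, modify, and distribute this software for any
+* purpose with or without fee is hereby granted, provided that the above
+@@ -371,6 +371,9 @@
+user_umask = umask(SUDO_UMASK);
+umask(user_umask);
+
++ /* Some systems support fexecve() which we use for digest matches. */
++ cmnd_fd = -1;
++
+/* Dump settings and user info (XXX - plugin args) */
+for (cur = info->settings; *cur != NULL; cur++)
+sudo_debug_printf(SUDO_DEBUG_INFO, "settings: %s", *cur);
+@@ -545,6 +548,16 @@
+if (asprintf(&command_info[info_len++], "umask=0%o", (unsigned int)cmnd_umask) == -1)
+goto oom;
+}
++ if (cmnd_fd != -1) {
++ if (sudo_version < SUDO_API_MKVERSION(1, 9)) {
++ /* execfd only supported by plugin API 1.9 and higher */
++ close(cmnd_fd);
++ cmnd_fd = -1;
++ } else {
++ if (asprintf(&command_info[info_len++], "execfd=%d", cmnd_fd) == -1)
++ goto oom;
++ }
++ }
+#ifdef HAVE_LOGIN_CAP_H
+if (def_use_loginclass) {
+if ((command_info[info_len++] = sudo_new_key_val("login_class", login_class)) == NULL)
+diff -ruN a/plugins/sudoers/sudoers.h b/plugins/sudoers/sudoers.h
+--- a/plugins/sudoers/sudoers.h 2016-08-08 12:55:08.781888802 +0200
++++ b/plugins/sudoers/sudoers.h 2016-08-08 12:56:03.457680623 +0200
+@@ -1,5 +1,5 @@
+/*
+- * Copyright (c) 1993-1996, 1998-2005, 2007-2015
++ * Copyright (c) 1993-1996, 1998-2005, 2007-2016
+* Todd C. Miller <Todd.Miller@courtesan.com>
+*
+* Permission to use, copy, modify, and distribute this software for any
+@@ -90,6 +90,7 @@
+const char *cwd;
+char *iolog_file;
+GETGROUPS_T *gids;
++ int execfd;
+int ngids;
+int closefrom;
+int lines;
+@@ -197,6 +198,7 @@
+#define user_srunhost (sudo_user.srunhost)
+#define user_ccname (sudo_user.krb5_ccname)
+#define safe_cmnd (sudo_user.cmnd_safe)
++#define cmnd_fd (sudo_user.execfd)
+#define login_class (sudo_user.class_name)
+#define runas_pw (sudo_user._runas_pw)
+#define runas_gr (sudo_user._runas_gr)
+diff -ruN a/src/exec.c b/src/exec.c
+--- a/src/exec.c 2016-08-08 12:55:08.781888802 +0200
++++ b/src/exec.c 2016-08-08 12:56:03.457680623 +0200
+@@ -1,5 +1,5 @@
+/*
+- * Copyright (c) 2009-2015 Todd C. Miller <Todd.Miller@courtesan.com>
++ * Copyright (c) 2009-2016 Todd C. Miller <Todd.Miller@courtesan.com>
+*
+* Permission to use, copy, modify, and distribute this software for any
+* purpose with or without fee is hereby granted, provided that the above
+@@ -176,13 +176,13 @@
+}
+#ifdef HAVE_SELINUX
+if (ISSET(details->flags, CD_RBAC_ENABLED)) {
+- selinux_execve(details->command, details->argv, details->envp,
+- ISSET(details->flags, CD_NOEXEC));
++ selinux_execve(details->execfd, details->command, details->argv,
++ details->envp, ISSET(details->flags, CD_NOEXEC));
+} else
+#endif
+{
+- sudo_execve(details->command, details->argv, details->envp,
+- ISSET(details->flags, CD_NOEXEC));
++ sudo_execve(details->execfd, details->command, details->argv,
++ details->envp, ISSET(details->flags, CD_NOEXEC));
+}
+}
+cstat->type = CMD_ERRNO;
+diff -ruN a/src/exec_common.c b/src/exec_common.c
+--- a/src/exec_common.c 2016-08-08 12:55:08.781888802 +0200
++++ b/src/exec_common.c 2016-08-08 12:56:03.457680623 +0200
+@@ -1,5 +1,5 @@
+/*
+- * Copyright (c) 2009-2015 Todd C. Miller <Todd.Miller@courtesan.com>
++ * Copyright (c) 2009-2016 Todd C. Miller <Todd.Miller@courtesan.com>
+*
+* Permission to use, copy, modify, and distribute this software for any
+* purpose with or without fee is hereby granted, provided that the above
+@@ -134,14 +134,19 @@
+* ala execvp(3) if we get ENOEXEC.
+*/
+int
+-sudo_execve(const char *path, char *const argv[], char *const envp[], bool noexec)
++sudo_execve(int fd, const char *path, char *const argv[], char *const envp[], bool noexec)
+{
+/* Modify the environment as needed to disable further execve(). */
+if (noexec)
+envp = disable_execute(envp);
+
+- execve(path, argv, envp);
+- if (errno == ENOEXEC) {
++#ifdef HAVE_FEXECVE
++ if (fd != -1)
++ fexecve(fd, argv, envp);
++ else
++#endif
++ execve(path, argv, envp);
++ if (fd == -1 && errno == ENOEXEC) {
+int argc;
+char **nargv;
+
+diff -ruN a/src/selinux.c b/src/selinux.c
+--- a/src/selinux.c 2016-08-08 12:55:08.781888802 +0200
++++ b/src/selinux.c 2016-08-08 12:56:03.461680315 +0200
+@@ -1,5 +1,5 @@
+/*
+- * Copyright (c) 2009-2015 Todd C. Miller <Todd.Miller@courtesan.com>
++ * Copyright (c) 2009-2016 Todd C. Miller <Todd.Miller@courtesan.com>
+* Copyright (c) 2008 Dan Walsh <dwalsh@redhat.com>
+*
+* Borrowed heavily from newrole source code
+@@ -373,7 +373,7 @@
+}
+
+void
+-selinux_execve(const char *path, char *const argv[], char *const envp[],
++selinux_execve(int fd, const char *path, char *const argv[], char *const envp[],
+int noexec)
+{
+char **nargv;
+@@ -409,6 +409,8 @@
+*/
+for (argc = 0; argv[argc] != NULL; argc++)
+continue;
++ if (fd != -1)
++ argc++;
+nargv = reallocarray(NULL, argc + 2, sizeof(char *));
+if (nargv == NULL) {
+sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+@@ -418,11 +420,16 @@
+nargv[0] = *argv[0] == '-' ? "-sesh-noexec" : "sesh-noexec";
+else
+nargv[0] = *argv[0] == '-' ? "-sesh" : "sesh";
+- nargv[1] = (char *)path;
+- memcpy(&nargv[2], &argv[1], argc * sizeof(char *)); /* copies NULL */
++ argc = 1;
++ if (fd != -1 && asprintf(&nargv[argc++], "--execfd=%d", fd) == -1) {
++ sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
++ debug_return;
++ }
++ nargv[argc] = (char *)path;
++ memcpy(&nargv[argc + 1], &argv[argc], argc * sizeof(char *)); /* copies NULL */
+
+/* sesh will handle noexec for us. */
+- sudo_execve(sesh, nargv, envp, false);
++ sudo_execve(-1, sesh, nargv, envp, false);
+serrno = errno;
+free(nargv);
+errno = serrno;
+diff -ruN a/src/sesh.c b/src/sesh.c
+--- a/src/sesh.c 2016-08-08 12:55:08.781888802 +0200
++++ b/src/sesh.c 2016-08-08 12:56:03.461680315 +0200
+@@ -1,5 +1,5 @@
+/*
+- * Copyright (c) 2008, 2010-2015 Todd C. Miller <Todd.Miller@courtesan.com>
++ * Copyright (c) 2008, 2010-2016 Todd C. Miller <Todd.Miller@courtesan.com>
+*
+* Permission to use, copy, modify, and distribute this software for any
+* purpose with or without fee is hereby granted, provided that the above
+@@ -87,6 +87,7 @@
+} else {
+bool login_shell, noexec = false;
+char *cp, *cmnd;
++ int fd = -1;
+
+/* If the first char of argv[0] is '-', we are running a login shell. */
+login_shell = argv[0][0] == '-';
+@@ -95,6 +96,18 @@
+if ((cp = strrchr(argv[0], '-')) != NULL && cp != argv[0])
+noexec = strcmp(cp, "-noexec") == 0;
+
++ /* If argv[1] is --execfd=%d, extract the fd to exec with. */
++ if (strncmp(argv[1], "--execfd=", 9) == 0) {
++ const char *errstr;
++
++ cp = argv[1] + 9;
++ fd = strtonum(cp, 0, INT_MAX, &errstr);
++ if (errstr != NULL)
++ sudo_fatalx(U_("invalid file descriptor number: %s"), cp);
++ argv++;
++ argc--;
++ }
++
+/* Shift argv and make a copy of the command to execute. */
+argv++;
+argc--;
+@@ -108,7 +121,7 @@
+*cp = '-';
+argv[0] = cp;
+}
+- sudo_execve(cmnd, argv, envp, noexec);
++ sudo_execve(fd, cmnd, argv, envp, noexec);
+sudo_warn(U_("unable to execute %s"), cmnd);
+ret = SESH_ERR_FAILURE;
+}
+diff -ruN a/src/sudo.c b/src/sudo.c
+--- a/src/sudo.c 2016-08-08 12:55:08.781888802 +0200
++++ b/src/sudo.c 2016-08-08 12:56:03.461680315 +0200
+@@ -1,5 +1,5 @@
+/*
+- * Copyright (c) 2009-2015 Todd C. Miller <Todd.Miller@courtesan.com>
++ * Copyright (c) 2009-2016 Todd C. Miller <Todd.Miller@courtesan.com>
+*
+* Permission to use, copy, modify, and distribute this software for any
+* purpose with or without fee is hereby granted, provided that the above
+@@ -585,6 +585,7 @@
+
+memset(details, 0, sizeof(*details));
+details->closefrom = -1;
++ details->execfd = -1;
+TAILQ_INIT(&details->preserved_fds);
+
+#define SET_STRING(s, n) \
+@@ -615,6 +616,21 @@
+SET(details->flags, CD_EXEC_BG);
+break;
+}
++ if (strncmp("execfd=", info[i], sizeof("execfd=") - 1) == 0) {
++ cp = info[i] + sizeof("execfd=") - 1;
++ details->execfd = strtonum(cp, 0, INT_MAX, &errstr);
++ if (errstr != NULL)
++ sudo_fatalx(U_("%s: %s"), info[i], U_(errstr));
++#ifdef HAVE_FEXECVE
++ /* Must keep fd open during exec. */
++ add_preserved_fd(&details->preserved_fds, details->execfd);
++#else
++ /* Plugin thinks we support fexecve() but we don't. */
++ fcntl(details->execfd, F_SETFD, FD_CLOEXEC);
++ details->execfd = -1;
++#endif
++ break;
++ }
+break;
+case 'l':
+SET_STRING("login_class=", login_class)
+diff -ruN a/src/sudo_exec.h b/src/sudo_exec.h
+--- a/src/sudo_exec.h 2016-08-08 12:55:08.781888802 +0200
++++ b/src/sudo_exec.h 2016-08-08 13:04:19.127533565 +0200
+@@ -1,5 +1,5 @@
+/*
+- * Copyright (c) 2010-2013 Todd C. Miller <Todd.Miller@courtesan.com>
++ * Copyright (c) 2010-2016 Todd C. Miller <Todd.Miller@courtesan.com>
+*
+* Permission to use, copy, modify, and distribute this software for any
+* purpose with or without fee is hereby granted, provided that the above
+@@ -74,7 +74,7 @@
+
+/* exec.c */
+struct sudo_event_base;
+-int sudo_execve(const char *path, char *const argv[], char *const envp[], bool noexec);
++int sudo_execve(int fd, const char *path, char *const argv[], char *const envp[], bool noexec);
+extern volatile pid_t cmnd_pid;
+
+/* exec_pty.c */
+diff -ruN a/src/sudo.h b/src/sudo.h
+--- a/src/sudo.h 2016-08-08 12:55:08.781888802 +0200
++++ b/src/sudo.h 2016-08-08 12:56:03.465680007 +0200
+@@ -1,5 +1,5 @@
+/*
+- * Copyright (c) 1993-1996, 1998-2005, 2007-2014
++ * Copyright (c) 1993-1996, 1998-2005, 2007-2016
+* Todd C. Miller <Todd.Miller@courtesan.com>
+*
+* Permission to use, copy, modify, and distribute this software for any
+@@ -149,6 +149,7 @@
+int ngroups;
+int closefrom;
+int flags;
++ int execfd;
+struct preserved_fd_list preserved_fds;
+struct passwd *pw;
+GETGROUPS_T *groups;
+@@ -221,7 +222,7 @@
+int selinux_restore_tty(void);
+int selinux_setup(const char *role, const char *type, const char *ttyn,
+int ttyfd);
+-void selinux_execve(const char *path, char *const argv[], char *const envp[],
++void selinux_execve(int fd, const char *path, char *const argv[], char *envp[],
+int noexec);
+
+/* solaris.c */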
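Review bot: In the src/selinux.c hunk, `argc = 1;` overwrites the count of the caller's argv before the final `memcpy(&nargv[argc + 1], &argv[argc], argc * sizeof(char *))`, so with argc now 1 or 2 the copy starts at argv[1] or argv[2] (skipping argv[1] whenever --execfd is passed), copies only one or two pointers, does not reliably land the NULL terminator, and for short vectors reads past argv and writes past the nargv allocation. Keep the caller's count in `argc`, index nargv with a separate `nargc`, and size the allocation for the optional --execfd slot instead of the `if (fd != -1) argc++;` bump; `int nargc;` belongs next to the `char **nargv;` declaration, which sits in the earlier hunk. The src/sudo.h hunk also drops `const` from envp (`char *envp[]`) while the src/selinux.c definition keeps `char *const envp[]`, so the two declarations conflict under HAVE_SELINUX; the header line should stay `char *const envp[],` to match.
```c
    /* … unchanged: count argv entries into argc … */
    nargv = reallocarray(NULL, argc + 3, sizeof(char *));
    /* … unchanged: allocation check and sesh / sesh-noexec selection for nargv[0] … */
    nargc = 1;
    if (fd != -1 && asprintf(&nargv[nargc++], "--execfd=%d", fd) == -1) {
        sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
        debug_return;
    }
    nargv[nargc++] = (char *)path;
    /* argc is still the caller's count, so this copies argv[1..] plus the NULL. */
    memcpy(&nargv[nargc], &argv[1], argc * sizeof(char *));
```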
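--- /dev/null
+++ b/meta/recipes-extended/sudo/sudo/CVE-2015-8239-2.patch
@@ -0,0 +1,45 @@
+
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller@courtesan.com>
+# Date 1452556552 25200
+# Node ID 0cd3cc8fa19565d3f7eb7d960f6ba5da0dec4889
+# Parent 4d2c1761c75245fb88ce397d68bea10afea9c037
+Silence warning in digest_matches() on systems with no fexecve(2).
+
+Reference to upstream patch:
+https://www.sudo.ws/repos/sudo/raw-rev/0cd3cc8fa195
+
+CVE: CVE-2015-8239
+Upstream-Status: Backport
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+diff -r 4d2c1761c752 -r 0cd3cc8fa195 plugins/sudoers/match.c
+--- a/plugins/sudoers/match.c Mon Jan 11 16:52:52 2016 -0700
++++ b/plugins/sudoers/match.c Mon Jan 11 16:55:52 2016 -0700
+@@ -590,8 +590,10 @@
+unsigned char sudoers_digest[SHA512_DIGEST_LENGTH];
+unsigned char buf[32 * 1024];
+struct digest_function *func = NULL;
++#ifdef HAVE_FEXECVE
+bool first = true;
+bool is_script = false;
++#endif /* HAVE_FEXECVE */
+size_t nread;
+SHA2_CTX ctx;
+FILE *fp;
+@@ -635,12 +637,14 @@
+
+func->init(&ctx);
+while ((nread = fread(buf, 1, sizeof(buf), fp)) != 0) {
++#ifdef HAVE_FEXECVE
+/* Check for #! cookie and set is_script. */
+if (first) {
+first = false;
+if (nread >= 2 && buf[0] == '#' && buf[1] == '!')
+is_script = true;
+}
++#endif /* HAVE_FEXECVE */
+func->update(&ctx, buf, nread);
+}
+if (ferror(fp)) {
+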
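--- a/meta/recipes-extended/sudo/sudo_1.8.15.bb
+++ b/meta/recipes-extended/sudo/sudo_1.8.15.bb
@@ -3,6 +3,8 @@ require sudo.inc
 SRC_URI = "http://ftp.sudo.ws/sudo/dist/sudo-${PV}.tar.gz \
 ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
 file://0001-Include-sys-types.h-for-id_t-definition.patch \
+file://CVE-2015-8239-1.patch \
+file://CVE-2015-8239-2.patch \
 "
 
 PAM_SRC_URI = "file://sudo.pam"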