diff options
-rw-r--r-- | meta/recipes-extended/sudo/sudo.inc | 22 | ||||
-rw-r--r-- | meta/recipes-extended/sudo/sudo/CVE-2019-14287-1.patch | 178 | ||||
-rw-r--r-- | meta/recipes-extended/sudo/sudo/CVE-2019-14287-2.patch | 112 | ||||
-rw-r--r-- | meta/recipes-extended/sudo/sudo_1.8.29.bb (renamed from meta/recipes-extended/sudo/sudo_1.8.27.bb) | 6 |
4 files changed, 13 insertions, 305 deletions
diff --git a/meta/recipes-extended/sudo/sudo.inc b/meta/recipes-extended/sudo/sudo.inc index 15075bcefd..67815fa858 100644 --- a/meta/recipes-extended/sudo/sudo.inc +++ b/meta/recipes-extended/sudo/sudo.inc | |||
@@ -5,17 +5,17 @@ BUGTRACKER = "http://www.sudo.ws/bugs/" | |||
5 | SECTION = "admin" | 5 | SECTION = "admin" |
6 | LICENSE = "ISC & BSD & Zlib" | 6 | LICENSE = "ISC & BSD & Zlib" |
7 | LIC_FILES_CHKSUM = "file://doc/LICENSE;md5=6c76b73603ac7763ab0516ebfbe67b42 \ | 7 | LIC_FILES_CHKSUM = "file://doc/LICENSE;md5=6c76b73603ac7763ab0516ebfbe67b42 \ |
8 | file://plugins/sudoers/redblack.c;beginline=1;endline=46;md5=4a162fc04b86b03f5632180fe6076cda \ | 8 | file://plugins/sudoers/redblack.c;beginline=1;endline=46;md5=03e35317699ba00b496251e0dfe9f109 \ |
9 | file://lib/util/reallocarray.c;beginline=3;endline=15;md5=b47f1f85a12f05a0744cd8b1b6f41a0d \ | 9 | file://lib/util/reallocarray.c;beginline=3;endline=15;md5=397dd45c7683e90b9f8bf24638cf03bf \ |
10 | file://lib/util/fnmatch.c;beginline=3;endline=27;md5=67f83ee9bd456557397082f8f1be0efd \ | 10 | file://lib/util/fnmatch.c;beginline=3;endline=27;md5=004d7d2866ba1f5b41174906849d2e0f \ |
11 | file://lib/util/getcwd.c;beginline=2;endline=27;md5=09068a19b4f6b6f0a0958655bfe98b63 \ | 11 | file://lib/util/getcwd.c;beginline=2;endline=27;md5=50f8d9667750e18dea4e84a935c12009 \ |
12 | file://lib/util/glob.c;beginline=2;endline=31;md5=1f2f771c35fb0658d567a7824007e56d \ | 12 | file://lib/util/glob.c;beginline=2;endline=31;md5=2852f68687544e3eb8a0a61665506f0e \ |
13 | file://lib/util/snprintf.c;beginline=3;endline=33;md5=63e48e1b992bce749a19dd9b2256e9a0 \ | 13 | file://lib/util/snprintf.c;beginline=3;endline=33;md5=b70df6179969e38fcf68da91b53b8029 \ |
14 | file://include/sudo_queue.h;beginline=2;endline=27;md5=082b138b72ba3e568a13a25c3bf254dc \ | 14 | file://include/sudo_queue.h;beginline=2;endline=27;md5=ad578e9664d17a010b63e4bc0576ee8d \ |
15 | file://lib/util/inet_pton.c;beginline=3;endline=17;md5=3970ab0518ab79cbd0bafb697f10b33a \ | 15 | file://lib/util/inet_pton.c;beginline=3;endline=17;md5=27785c9f5835093eda42aa0816a2d0b4 \ |
16 | file://lib/util/arc4random.c;beginline=3;endline=20;md5=15bdc89c1b003fa4d7353e6296ebfd68 \ | 16 | file://lib/util/arc4random.c;beginline=3;endline=20;md5=ced8636ecefa2ba907cfe390bc3bd964 \ |
17 | file://lib/util/arc4random_uniform.c;beginline=3;endline=17;md5=31e630ac814d692fd0ab7a942659b46f \ | 17 | file://lib/util/arc4random_uniform.c;beginline=3;endline=17;md5=e30c2b777cdc00cfcaf7c445a10b262f \ |
18 | file://lib/util/getentropy.c;beginline=1;endline=19;md5=9f1a275ecd44cc264a2a4d5e06a75292 \ | 18 | file://lib/util/getentropy.c;beginline=1;endline=19;md5=a0f58be3d60b6dcd898ec5fe0866d36f \ |
19 | " | 19 | " |
20 | 20 | ||
21 | inherit autotools | 21 | inherit autotools |
diff --git a/meta/recipes-extended/sudo/sudo/CVE-2019-14287-1.patch b/meta/recipes-extended/sudo/sudo/CVE-2019-14287-1.patch deleted file mode 100644 index 2a11e3f7ec..0000000000 --- a/meta/recipes-extended/sudo/sudo/CVE-2019-14287-1.patch +++ /dev/null | |||
@@ -1,178 +0,0 @@ | |||
1 | From f752ae5cee163253730ff7cdf293e34a91aa5520 Mon Sep 17 00:00:00 2001 | ||
2 | From: "Todd C. Miller" <Todd.Miller@sudo.ws> | ||
3 | Date: Thu, 10 Oct 2019 10:04:13 -0600 | ||
4 | Subject: [PATCH] Treat an ID of -1 as invalid since that means "no change". | ||
5 | Fixes CVE-2019-14287. Found by Joe Vennix from Apple Information Security. | ||
6 | |||
7 | Upstream-Status: Backport [https://github.com/sudo-project/sudo/commit/f752ae5cee163253730ff7cdf293e34a91aa5520] | ||
8 | CVE: CVE-2019-14287 | ||
9 | |||
10 | Signed-off-by: Changqing Li <changqing.li@windriver.com> | ||
11 | |||
12 | --- | ||
13 | lib/util/strtoid.c | 100 ++++++++++++++++++++++++++++------------------------- | ||
14 | 1 files changed, 53 insertions(+), 46 deletions(-) | ||
15 | |||
16 | diff --git a/lib/util/strtoid.c b/lib/util/strtoid.c | ||
17 | index 2dfce75..6b3916b 100644 | ||
18 | --- a/lib/util/strtoid.c | ||
19 | +++ b/lib/util/strtoid.c | ||
20 | @@ -49,6 +49,27 @@ | ||
21 | #include "sudo_util.h" | ||
22 | |||
23 | /* | ||
24 | + * Make sure that the ID ends with a valid separator char. | ||
25 | + */ | ||
26 | +static bool | ||
27 | +valid_separator(const char *p, const char *ep, const char *sep) | ||
28 | +{ | ||
29 | + bool valid = false; | ||
30 | + debug_decl(valid_separator, SUDO_DEBUG_UTIL) | ||
31 | + | ||
32 | + if (ep != p) { | ||
33 | + /* check for valid separator (including '\0') */ | ||
34 | + if (sep == NULL) | ||
35 | + sep = ""; | ||
36 | + do { | ||
37 | + if (*ep == *sep) | ||
38 | + valid = true; | ||
39 | + } while (*sep++ != '\0'); | ||
40 | + } | ||
41 | + debug_return_bool(valid); | ||
42 | +} | ||
43 | + | ||
44 | +/* | ||
45 | * Parse a uid/gid in string form. | ||
46 | * If sep is non-NULL, it contains valid separator characters (e.g. comma, space) | ||
47 | * If endp is non-NULL it is set to the next char after the ID. | ||
48 | @@ -62,36 +83,33 @@ sudo_strtoid_v1(const char *p, const char *sep, char **endp, const char **errstr | ||
49 | char *ep; | ||
50 | id_t ret = 0; | ||
51 | long long llval; | ||
52 | - bool valid = false; | ||
53 | debug_decl(sudo_strtoid, SUDO_DEBUG_UTIL) | ||
54 | |||
55 | /* skip leading space so we can pick up the sign, if any */ | ||
56 | while (isspace((unsigned char)*p)) | ||
57 | p++; | ||
58 | - if (sep == NULL) | ||
59 | - sep = ""; | ||
60 | + | ||
61 | + /* While id_t may be 64-bit signed, uid_t and gid_t are 32-bit unsigned. */ | ||
62 | errno = 0; | ||
63 | llval = strtoll(p, &ep, 10); | ||
64 | - if (ep != p) { | ||
65 | - /* check for valid separator (including '\0') */ | ||
66 | - do { | ||
67 | - if (*ep == *sep) | ||
68 | - valid = true; | ||
69 | - } while (*sep++ != '\0'); | ||
70 | + if ((errno == ERANGE && llval == LLONG_MAX) || llval > (id_t)UINT_MAX) { | ||
71 | + errno = ERANGE; | ||
72 | + if (errstr != NULL) | ||
73 | + *errstr = N_("value too large"); | ||
74 | + goto done; | ||
75 | } | ||
76 | - if (!valid) { | ||
77 | + if ((errno == ERANGE && llval == LLONG_MIN) || llval < INT_MIN) { | ||
78 | + errno = ERANGE; | ||
79 | if (errstr != NULL) | ||
80 | - *errstr = N_("invalid value"); | ||
81 | - errno = EINVAL; | ||
82 | + *errstr = N_("value too small"); | ||
83 | goto done; | ||
84 | } | ||
85 | - if (errno == ERANGE) { | ||
86 | - if (errstr != NULL) { | ||
87 | - if (llval == LLONG_MAX) | ||
88 | - *errstr = N_("value too large"); | ||
89 | - else | ||
90 | - *errstr = N_("value too small"); | ||
91 | - } | ||
92 | + | ||
93 | + /* Disallow id -1, which means "no change". */ | ||
94 | + if (!valid_separator(p, ep, sep) || llval == -1 || llval == (id_t)UINT_MAX) { | ||
95 | + if (errstr != NULL) | ||
96 | + *errstr = N_("invalid value"); | ||
97 | + errno = EINVAL; | ||
98 | goto done; | ||
99 | } | ||
100 | ret = (id_t)llval; | ||
101 | @@ -108,30 +126,15 @@ sudo_strtoid_v1(const char *p, const char *sep, char **endp, const char **errstr | ||
102 | { | ||
103 | char *ep; | ||
104 | id_t ret = 0; | ||
105 | - bool valid = false; | ||
106 | debug_decl(sudo_strtoid, SUDO_DEBUG_UTIL) | ||
107 | |||
108 | /* skip leading space so we can pick up the sign, if any */ | ||
109 | while (isspace((unsigned char)*p)) | ||
110 | p++; | ||
111 | - if (sep == NULL) | ||
112 | - sep = ""; | ||
113 | + | ||
114 | errno = 0; | ||
115 | if (*p == '-') { | ||
116 | long lval = strtol(p, &ep, 10); | ||
117 | - if (ep != p) { | ||
118 | - /* check for valid separator (including '\0') */ | ||
119 | - do { | ||
120 | - if (*ep == *sep) | ||
121 | - valid = true; | ||
122 | - } while (*sep++ != '\0'); | ||
123 | - } | ||
124 | - if (!valid) { | ||
125 | - if (errstr != NULL) | ||
126 | - *errstr = N_("invalid value"); | ||
127 | - errno = EINVAL; | ||
128 | - goto done; | ||
129 | - } | ||
130 | if ((errno == ERANGE && lval == LONG_MAX) || lval > INT_MAX) { | ||
131 | errno = ERANGE; | ||
132 | if (errstr != NULL) | ||
133 | @@ -144,28 +147,31 @@ sudo_strtoid_v1(const char *p, const char *sep, char **endp, const char **errstr | ||
134 | *errstr = N_("value too small"); | ||
135 | goto done; | ||
136 | } | ||
137 | - ret = (id_t)lval; | ||
138 | - } else { | ||
139 | - unsigned long ulval = strtoul(p, &ep, 10); | ||
140 | - if (ep != p) { | ||
141 | - /* check for valid separator (including '\0') */ | ||
142 | - do { | ||
143 | - if (*ep == *sep) | ||
144 | - valid = true; | ||
145 | - } while (*sep++ != '\0'); | ||
146 | - } | ||
147 | - if (!valid) { | ||
148 | + | ||
149 | + /* Disallow id -1, which means "no change". */ | ||
150 | + if (!valid_separator(p, ep, sep) || lval == -1) { | ||
151 | if (errstr != NULL) | ||
152 | *errstr = N_("invalid value"); | ||
153 | errno = EINVAL; | ||
154 | goto done; | ||
155 | } | ||
156 | + ret = (id_t)lval; | ||
157 | + } else { | ||
158 | + unsigned long ulval = strtoul(p, &ep, 10); | ||
159 | if ((errno == ERANGE && ulval == ULONG_MAX) || ulval > UINT_MAX) { | ||
160 | errno = ERANGE; | ||
161 | if (errstr != NULL) | ||
162 | *errstr = N_("value too large"); | ||
163 | goto done; | ||
164 | } | ||
165 | + | ||
166 | + /* Disallow id -1, which means "no change". */ | ||
167 | + if (!valid_separator(p, ep, sep) || ulval == UINT_MAX) { | ||
168 | + if (errstr != NULL) | ||
169 | + *errstr = N_("invalid value"); | ||
170 | + errno = EINVAL; | ||
171 | + goto done; | ||
172 | + } | ||
173 | ret = (id_t)ulval; | ||
174 | } | ||
175 | if (errstr != NULL) | ||
176 | -- | ||
177 | 2.7.4 | ||
178 | |||
diff --git a/meta/recipes-extended/sudo/sudo/CVE-2019-14287-2.patch b/meta/recipes-extended/sudo/sudo/CVE-2019-14287-2.patch deleted file mode 100644 index 453a8b09a4..0000000000 --- a/meta/recipes-extended/sudo/sudo/CVE-2019-14287-2.patch +++ /dev/null | |||
@@ -1,112 +0,0 @@ | |||
1 | From 396bc57feff3e360007634f62448b64e0626390c Mon Sep 17 00:00:00 2001 | ||
2 | From: "Todd C. Miller" <Todd.Miller@sudo.ws> | ||
3 | Date: Thu, 10 Oct 2019 10:04:13 -0600 | ||
4 | Subject: [PATCH] Add sudo_strtoid() tests for -1 and range errors. Also adjust | ||
5 | testsudoers/test5 which relied upon gid -1 parsing. | ||
6 | |||
7 | Upstream-Status: Backport [https://github.com/sudo-project/sudo/commit/396bc57] | ||
8 | CVE: CVE-2019-14287 | ||
9 | |||
10 | Signed-off-by: Changqing Li <changqing.li@windriver.com> | ||
11 | |||
12 | --- | ||
13 | lib/util/regress/atofoo/atofoo_test.c | 36 ++++++++++++++++------ | ||
14 | plugins/sudoers/regress/testsudoers/test5.out.ok | 2 +- | ||
15 | plugins/sudoers/regress/testsudoers/test5.sh | 2 +- | ||
16 | 3 files changed, 29 insertions(+), 11 deletions(-) | ||
17 | |||
18 | diff --git a/lib/util/regress/atofoo/atofoo_test.c b/lib/util/regress/atofoo/atofoo_test.c | ||
19 | index 031a7ed..fb41c1a 100644 | ||
20 | --- a/lib/util/regress/atofoo/atofoo_test.c | ||
21 | +++ b/lib/util/regress/atofoo/atofoo_test.c | ||
22 | @@ -26,6 +26,7 @@ | ||
23 | #else | ||
24 | # include "compat/stdbool.h" | ||
25 | #endif | ||
26 | +#include <errno.h> | ||
27 | |||
28 | #include "sudo_compat.h" | ||
29 | #include "sudo_util.h" | ||
30 | @@ -80,15 +81,20 @@ static struct strtoid_data { | ||
31 | id_t id; | ||
32 | const char *sep; | ||
33 | const char *ep; | ||
34 | + int errnum; | ||
35 | } strtoid_data[] = { | ||
36 | - { "0,1", 0, ",", "," }, | ||
37 | - { "10", 10, NULL, NULL }, | ||
38 | - { "-2", -2, NULL, NULL }, | ||
39 | + { "0,1", 0, ",", ",", 0 }, | ||
40 | + { "10", 10, NULL, NULL, 0 }, | ||
41 | + { "-1", 0, NULL, NULL, EINVAL }, | ||
42 | + { "4294967295", 0, NULL, NULL, EINVAL }, | ||
43 | + { "4294967296", 0, NULL, NULL, ERANGE }, | ||
44 | + { "-2147483649", 0, NULL, NULL, ERANGE }, | ||
45 | + { "-2", -2, NULL, NULL, 0 }, | ||
46 | #if SIZEOF_ID_T != SIZEOF_LONG_LONG | ||
47 | - { "-2", (id_t)4294967294U, NULL, NULL }, | ||
48 | + { "-2", (id_t)4294967294U, NULL, NULL, 0 }, | ||
49 | #endif | ||
50 | - { "4294967294", (id_t)4294967294U, NULL, NULL }, | ||
51 | - { NULL, 0, NULL, NULL } | ||
52 | + { "4294967294", (id_t)4294967294U, NULL, NULL, 0 }, | ||
53 | + { NULL, 0, NULL, NULL, 0 } | ||
54 | }; | ||
55 | |||
56 | static int | ||
57 | @@ -104,11 +110,23 @@ test_strtoid(int *ntests) | ||
58 | (*ntests)++; | ||
59 | errstr = "some error"; | ||
60 | value = sudo_strtoid(d->idstr, d->sep, &ep, &errstr); | ||
61 | - if (errstr != NULL) { | ||
62 | - if (d->id != (id_t)-1) { | ||
63 | - sudo_warnx_nodebug("FAIL: %s: %s", d->idstr, errstr); | ||
64 | + if (d->errnum != 0) { | ||
65 | + if (errstr == NULL) { | ||
66 | + sudo_warnx_nodebug("FAIL: %s: missing errstr for errno %d", | ||
67 | + d->idstr, d->errnum); | ||
68 | + errors++; | ||
69 | + } else if (value != 0) { | ||
70 | + sudo_warnx_nodebug("FAIL: %s should return 0 on error", | ||
71 | + d->idstr); | ||
72 | + errors++; | ||
73 | + } else if (errno != d->errnum) { | ||
74 | + sudo_warnx_nodebug("FAIL: %s: errno mismatch, %d != %d", | ||
75 | + d->idstr, errno, d->errnum); | ||
76 | errors++; | ||
77 | } | ||
78 | + } else if (errstr != NULL) { | ||
79 | + sudo_warnx_nodebug("FAIL: %s: %s", d->idstr, errstr); | ||
80 | + errors++; | ||
81 | } else if (value != d->id) { | ||
82 | sudo_warnx_nodebug("FAIL: %s != %u", d->idstr, (unsigned int)d->id); | ||
83 | errors++; | ||
84 | diff --git a/plugins/sudoers/regress/testsudoers/test5.out.ok b/plugins/sudoers/regress/testsudoers/test5.out.ok | ||
85 | index 5e319c9..cecf700 100644 | ||
86 | --- a/plugins/sudoers/regress/testsudoers/test5.out.ok | ||
87 | +++ b/plugins/sudoers/regress/testsudoers/test5.out.ok | ||
88 | @@ -4,7 +4,7 @@ Parse error in sudoers near line 1. | ||
89 | Entries for user root: | ||
90 | |||
91 | Command unmatched | ||
92 | -testsudoers: test5.inc should be owned by gid 4294967295 | ||
93 | +testsudoers: test5.inc should be owned by gid 4294967294 | ||
94 | Parse error in sudoers near line 1. | ||
95 | |||
96 | Entries for user root: | ||
97 | diff --git a/plugins/sudoers/regress/testsudoers/test5.sh b/plugins/sudoers/regress/testsudoers/test5.sh | ||
98 | index 9e690a6..94d585c 100755 | ||
99 | --- a/plugins/sudoers/regress/testsudoers/test5.sh | ||
100 | +++ b/plugins/sudoers/regress/testsudoers/test5.sh | ||
101 | @@ -24,7 +24,7 @@ EOF | ||
102 | |||
103 | # Test group writable | ||
104 | chmod 664 $TESTFILE | ||
105 | -./testsudoers -U $MYUID -G -1 root id <<EOF | ||
106 | +./testsudoers -U $MYUID -G -2 root id <<EOF | ||
107 | #include $TESTFILE | ||
108 | EOF | ||
109 | |||
110 | -- | ||
111 | 2.7.4 | ||
112 | |||
diff --git a/meta/recipes-extended/sudo/sudo_1.8.27.bb b/meta/recipes-extended/sudo/sudo_1.8.29.bb index 0a11a1b28f..8da2d64631 100644 --- a/meta/recipes-extended/sudo/sudo_1.8.27.bb +++ b/meta/recipes-extended/sudo/sudo_1.8.29.bb | |||
@@ -3,14 +3,12 @@ require sudo.inc | |||
3 | SRC_URI = "https://www.sudo.ws/dist/sudo-${PV}.tar.gz \ | 3 | SRC_URI = "https://www.sudo.ws/dist/sudo-${PV}.tar.gz \ |
4 | ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \ | 4 | ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \ |
5 | file://0001-Include-sys-types.h-for-id_t-definition.patch \ | 5 | file://0001-Include-sys-types.h-for-id_t-definition.patch \ |
6 | file://CVE-2019-14287-1.patch \ | ||
7 | file://CVE-2019-14287-2.patch \ | ||
8 | " | 6 | " |
9 | 7 | ||
10 | PAM_SRC_URI = "file://sudo.pam" | 8 | PAM_SRC_URI = "file://sudo.pam" |
11 | 9 | ||
12 | SRC_URI[md5sum] = "b5c184b13b6b5de32af630af2fd013fd" | 10 | SRC_URI[md5sum] = "b28dabff9c460f115fe74de4d6a6f79d" |
13 | SRC_URI[sha256sum] = "7beb68b94471ef56d8a1036dbcdc09a7b58a949a68ffce48b83f837dd33e2ec0" | 11 | SRC_URI[sha256sum] = "ce53ffac9604e23321334d8ba8ac59ded2bcf624fdb9dbde097ab2049bf29c7c" |
14 | 12 | ||
15 | DEPENDS += " virtual/crypt ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}" | 13 | DEPENDS += " virtual/crypt ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}" |
16 | RDEPENDS_${PN} += " ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-plugin-limits pam-plugin-keyinit', '', d)}" | 14 | RDEPENDS_${PN} += " ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-plugin-limits pam-plugin-keyinit', '', d)}" |