-rw-r--r-- | meta/recipes-extended/sudo/files/CVE-2023-22809.patch | 113 | ||||
-rw-r--r-- | meta/recipes-extended/sudo/sudo_1.8.32.bb | 1 |
2 files changed, 114 insertions, 0 deletions
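--- /dev/null
+++ b/meta/recipes-extended/sudo/files/CVE-2023-22809.patch
@@ -0,0 +1,113 @@
+Backport of:
+
+# HG changeset patch
+# Parent 7275148cad1f8cd3c350026460acc4d6ad349c3a
+sudoedit: do not permit editor arguments to include "--"
+We use "--" to separate the editor and arguments from the files to edit.
+If the editor arguments include "--", sudo can be tricked into allowing
+the user to edit a file not permitted by the security policy.
+Thanks to Matthieu Barjole and Victor Cutillas of Synacktiv
+(https://synacktiv.com) for finding this bug.
+
+CVE: CVE-2023-22809
+Upstream-Staus: Backport [http://archive.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.8.31-1ubuntu1.4.debian.tar.xz]
+Signed-off-by: Omkar Patil <omkar.patil@kpit.com>
+
+--- a/plugins/sudoers/editor.c
++++ b/plugins/sudoers/editor.c
+@@ -56,7 +56,7 @@ resolve_editor(const char *ed, size_t ed
+const char *cp, *ep, *tmp;
+const char *edend = ed + edlen;
+struct stat user_editor_sb;
+- int nargc;
++ int nargc = 0;
+debug_decl(resolve_editor, SUDOERS_DEBUG_UTIL)
+
+/*
+@@ -102,6 +102,21 @@ resolve_editor(const char *ed, size_t ed
+free(editor_path);
+while (nargc--)
+free(nargv[nargc]);
++ free(nargv);
++ debug_return_str(NULL);
++ }
++
++ /*
++ * We use "--" to separate the editor and arguments from the files
++ * to edit. The editor arguments themselves may not contain "--".
++ */
++ if (strcmp(nargv[nargc], "--") == 0) {
++ sudo_warnx(U_("ignoring editor: %.*s"), (int)edlen, ed);
++ sudo_warnx("%s", U_("editor arguments may not contain \"--\""));
++ errno = EINVAL;
++ free(editor_path);
++ while (nargc--)
++ free(nargv[nargc]);
+free(nargv);
+debug_return_str(NULL);
+}
+--- a/plugins/sudoers/sudoers.c
++++ b/plugins/sudoers/sudoers.c
+@@ -616,20 +616,31 @@ sudoers_policy_main(int argc, char * con
+
+/* Note: must call audit before uid change. */
+if (ISSET(sudo_mode, MODE_EDIT)) {
++ const char *env_editor = NULL;
+int edit_argc;
+- const char *env_editor;
+
+free(safe_cmnd);
+safe_cmnd = find_editor(NewArgc - 1, NewArgv + 1, &edit_argc,
+&edit_argv, NULL, &env_editor, false);
+if (safe_cmnd == NULL) {
+- if (errno != ENOENT)
++ switch (errno) {
++ case ENOENT:
++ audit_failure(NewArgc, NewArgv, N_("%s: command not found"),
++ env_editor ? env_editor : def_editor);
++ sudo_warnx(U_("%s: command not found"),
++ env_editor ? env_editor : def_editor);
++ goto bad;
++ case EINVAL:
++ if (def_env_editor && env_editor != NULL) {
++ /* User tried to do something funny with the editor. */
++ log_warningx(SLOG_NO_STDERR|SLOG_SEND_MAIL,
++ "invalid user-specified editor: %s", env_editor);
++ goto bad;
++ }
++ /* FALLTHROUGH */
++ default:
+goto done;
+- audit_failure(NewArgc, NewArgv, N_("%s: command not found"),
+- env_editor ? env_editor : def_editor);
+- sudo_warnx(U_("%s: command not found"),
+- env_editor ? env_editor : def_editor);
+- goto bad;
++ }
+}
+if (audit_success(edit_argc, edit_argv) != 0 && !def_ignore_audit_errors)
+goto done;
+--- a/plugins/sudoers/visudo.c
++++ b/plugins/sudoers/visudo.c
+@@ -308,7 +308,7 @@ static char *
+get_editor(int *editor_argc, char ***editor_argv)
+{
+char *editor_path = NULL, **whitelist = NULL;
+- const char *env_editor;
++ const char *env_editor = NULL;
+static char *files[] = { "+1", "sudoers" };
+unsigned int whitelist_len = 0;
+debug_decl(get_editor, SUDOERS_DEBUG_UTIL)
+@@ -342,7 +342,11 @@ get_editor(int *editor_argc, char ***edi
+if (editor_path == NULL) {
+if (def_env_editor && env_editor != NULL) {
+/* We are honoring $EDITOR so this is a fatal error. */
+- sudo_fatalx(U_("specified editor (%s) doesn't exist"), env_editor);
++ if (errno == ENOENT) {
++ sudo_warnx(U_("specified editor (%s) doesn't exist"),
++ env_editor);
++ }
++ exit(EXIT_FAILURE);
+}
+sudo_fatalx(U_("no editor found (editor path = %s)"), def_editor);
+}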
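Review bot: The `--` argument that triggers the new EINVAL branch in the editor.c hunk is itself leaked: `while (nargc--)` releases only `nargv[0..nargc-1]`, and the string just stored in `nargv[nargc]` (the one `strcmp` matched) is never freed, so the branch should release it first with `free(nargv[nargc]);` placed before the `while`. The enclosing argument loop and the start of resolve_editor lie outside the hunk, so this assumes nargc still indexes the element just allocated, which the adjacent allocation-failure path (where `nargv[nargc]` is NULL and the same loop is correct) suggests. Both callers exit shortly after the NULL return, so this is a tidiness issue on an error path rather than a functional one. Separately, the patch header tag is misspelled `Upstream-Staus:`; OE patch headers use `Upstream-Status:` and tooling keys on that exact spelling, so the line should read `Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.8.31-1ubuntu1.4.debian.tar.xz]`.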
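--- a/meta/recipes-extended/sudo/sudo_1.8.32.bb
+++ b/meta/recipes-extended/sudo/sudo_1.8.32.bb
@@ -5,6 +5,7 @@ SRC_URI = "https://www.sudo.ws/dist/sudo-${PV}.tar.gz \
 file://0001-Include-sys-types.h-for-id_t-definition.patch \
 file://0001-Fix-includes-when-building-with-musl.patch \
 file://CVE-2022-43995.patch \
+file://CVE-2023-22809.patch \
 "
 
 PAM_SRC_URI = "file://sudo.pam"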