1 files changed, 100 insertions, 0 deletions
diff --git a/meta/recipes-extended/sudo/files/CVE-2021-3156-1.patch b/meta/recipes-extended/sudo/files/CVE-2021-3156-1.patch
new file mode 100644
index 0000000000..83c277575e
--- /dev/null
+++ b/meta/recipes-extended/sudo/files/CVE-2021-3156-1.patch
@@ -0,0 +1,100 @@
+Upstream-Status: Backport[https://www.sudo.ws/repos/sudo/rev/9b97f1787804]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+CVE: CVE-2021-3156
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller@sudo.ws>
+# Date 1611416639 25200
+# Node ID 9b97f1787804aedccaec63c379053b1a91a0e409
+# Parent  90aba6ba6e03f3bc33b4eabf16358396ed83642d
+Reset valid_flags to MODE_NONINTERACTIVE for sudoedit.
+This is consistent with how the -e option is handled.
+Also reject -H and -P flags for sudoedit as was done in sudo 1.7.
+Found by Qualys, this is part of the fix for CVE-2021-3156.
+diff -r 90aba6ba6e03 -r 9b97f1787804 src/parse_args.c
+--- a/src/parse_args.c  Mon Jan 18 12:30:52 2021 +0100
+++ b/src/parse_args.c  Sat Jan 23 08:43:59 2021 -0700
+@@ -117,7 +117,10 @@
+ /*
+  * Default flags allowed when running a command.
+  */
+-#define DEFAULT_VALID_FLAGS    (MODE_BACKGROUND|MODE_PRESERVE_ENV|MODE_RESET_HOME|MODE_LOGIN_SHELL|MODE_NONINTERACTIVE|MODE_SHELL)
+#define DEFAULT_VALID_FLAGS    (MODE_BACKGROUND|MODE_PRESERVE_ENV|MODE_RESET_HOME|MODE_LOGIN_SHELL|MODE_NONINTERACTIVE|MODE_PRESERVE_GROUPS|MODE_SHELL)
+#define EDIT_VALID_FLAGS       MODE_NONINTERACTIVE
+#define LIST_VALID_FLAGS       (MODE_NONINTERACTIVE|MODE_LONG_LIST)
+#define VALIDATE_VALID_FLAGS   MODE_NONINTERACTIVE
+ 
+ /* Option number for the --host long option due to ambiguity of the -h flag. */
+ #define OPT_HOSTNAME   256
+@@ -262,6 +265,7 @@
+        progname = "sudoedit";
+        mode = MODE_EDIT;
+        sudo_settings[ARG_SUDOEDIT].value = "true";
+       valid_flags = EDIT_VALID_FLAGS;
+     }
+ 
+     /* Load local IP addresses and masks. */
+@@ -365,7 +369,7 @@
+                        usage_excl();
+                    mode = MODE_EDIT;
+                    sudo_settings[ARG_SUDOEDIT].value = "true";
+-                   valid_flags = MODE_NONINTERACTIVE;
+                   valid_flags = EDIT_VALID_FLAGS;
+                    break;
+                case 'g':
+                    assert(optarg != NULL);
+@@ -377,6 +381,7 @@
+                    break;
+                case 'H':
+                    sudo_settings[ARG_SET_HOME].value = "true";
+                   SET(flags, MODE_RESET_HOME);
+                    break;
+                case 'h':
+                    if (optarg == NULL) {
+@@ -431,7 +436,7 @@
+                            usage_excl();
+                    }
+                    mode = MODE_LIST;
+-                   valid_flags = MODE_NONINTERACTIVE|MODE_LONG_LIST;
+                   valid_flags = LIST_VALID_FLAGS;
+                    break;
+                case 'n':
+                    SET(flags, MODE_NONINTERACTIVE);
+@@ -439,6 +444,7 @@
+                    break;
+                case 'P':
+                    sudo_settings[ARG_PRESERVE_GROUPS].value = "true";
+                   SET(flags, MODE_PRESERVE_GROUPS);
+                    break;
+                case 'p':
+                    /* An empty prompt is allowed. */
+@@ -505,7 +511,7 @@
+                    if (mode && mode != MODE_VALIDATE)
+                        usage_excl();
+                    mode = MODE_VALIDATE;
+-                   valid_flags = MODE_NONINTERACTIVE;
+                   valid_flags = VALIDATE_VALID_FLAGS;
+                    break;
+                case 'V':
+                    if (mode && mode != MODE_VERSION)
+@@ -533,7 +539,7 @@
+     if (!mode) {
+        /* Defer -k mode setting until we know whether it is a flag or not */
+        if (sudo_settings[ARG_IGNORE_TICKET].value != NULL) {
+-           if (argc == 0 && !(flags & (MODE_SHELL|MODE_LOGIN_SHELL))) {
+           if (argc == 0 && !ISSET(flags, MODE_SHELL|MODE_LOGIN_SHELL)) {
+                mode = MODE_INVALIDATE; /* -k by itself */
+                sudo_settings[ARG_IGNORE_TICKET].value = NULL;
+                valid_flags = 0;
+@@ -601,7 +607,7 @@
+     /*
+      * For shell mode we need to rewrite argv
+      */
+-    if (ISSET(mode, MODE_RUN) && ISSET(flags, MODE_SHELL)) {
+    if (ISSET(flags, MODE_SHELL|MODE_LOGIN_SHELL) && ISSET(mode, MODE_RUN)) {
+        char **av, *cmnd = NULL;
+        int ac = 1;
+

diff --git a/meta/recipes-extended/sudo/files/CVE-2021-3156-1.patch b/meta/recipes-extended/sudo/files/CVE-2021-3156-1.patch new file mode 100644 index 0000000000..83c277575e --- /dev/null +++ b/meta/recipes-extended/sudo/files/CVE-2021-3156-1.patch
@@ -0,0 +1,100 @@
	1	Upstream-Status: Backport[https://www.sudo.ws/repos/sudo/rev/9b97f1787804]
	2	Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
	3	CVE: CVE-2021-3156
	4
	5	# HG changeset patch
	6	# User Todd C. Miller <Todd.Miller@sudo.ws>
	7	# Date 1611416639 25200
	8	# Node ID 9b97f1787804aedccaec63c379053b1a91a0e409
	9	# Parent 90aba6ba6e03f3bc33b4eabf16358396ed83642d
	10	Reset valid_flags to MODE_NONINTERACTIVE for sudoedit.
	11	This is consistent with how the -e option is handled.
	12	Also reject -H and -P flags for sudoedit as was done in sudo 1.7.
	13	Found by Qualys, this is part of the fix for CVE-2021-3156.
	14
	15	diff -r 90aba6ba6e03 -r 9b97f1787804 src/parse_args.c
	16	--- a/src/parse_args.c Mon Jan 18 12:30:52 2021 +0100
	17	+++ b/src/parse_args.c Sat Jan 23 08:43:59 2021 -0700
	18	@@ -117,7 +117,10 @@
	19	/*
	20	* Default flags allowed when running a command.
	21	*/
	22	-#define DEFAULT_VALID_FLAGS (MODE_BACKGROUND\|MODE_PRESERVE_ENV\|MODE_RESET_HOME\|MODE_LOGIN_SHELL\|MODE_NONINTERACTIVE\|MODE_SHELL)
	23	+#define DEFAULT_VALID_FLAGS (MODE_BACKGROUND\|MODE_PRESERVE_ENV\|MODE_RESET_HOME\|MODE_LOGIN_SHELL\|MODE_NONINTERACTIVE\|MODE_PRESERVE_GROUPS\|MODE_SHELL)
	24	+#define EDIT_VALID_FLAGS MODE_NONINTERACTIVE
	25	+#define LIST_VALID_FLAGS (MODE_NONINTERACTIVE\|MODE_LONG_LIST)
	26	+#define VALIDATE_VALID_FLAGS MODE_NONINTERACTIVE
	27
	28	/* Option number for the --host long option due to ambiguity of the -h flag. */
	29	#define OPT_HOSTNAME 256
	30	@@ -262,6 +265,7 @@
	31	progname = "sudoedit";
	32	mode = MODE_EDIT;
	33	sudo_settings[ARG_SUDOEDIT].value = "true";
	34	+ valid_flags = EDIT_VALID_FLAGS;
	35	}
	36
	37	/* Load local IP addresses and masks. */
	38	@@ -365,7 +369,7 @@
	39	usage_excl();
	40	mode = MODE_EDIT;
	41	sudo_settings[ARG_SUDOEDIT].value = "true";
	42	- valid_flags = MODE_NONINTERACTIVE;
	43	+ valid_flags = EDIT_VALID_FLAGS;
	44	break;
	45	case 'g':
	46	assert(optarg != NULL);
	47	@@ -377,6 +381,7 @@
	48	break;
	49	case 'H':
	50	sudo_settings[ARG_SET_HOME].value = "true";
	51	+ SET(flags, MODE_RESET_HOME);
	52	break;
	53	case 'h':
	54	if (optarg == NULL) {
	55	@@ -431,7 +436,7 @@
	56	usage_excl();
	57	}
	58	mode = MODE_LIST;
	59	- valid_flags = MODE_NONINTERACTIVE\|MODE_LONG_LIST;
	60	+ valid_flags = LIST_VALID_FLAGS;
	61	break;
	62	case 'n':
	63	SET(flags, MODE_NONINTERACTIVE);
	64	@@ -439,6 +444,7 @@
	65	break;
	66	case 'P':
	67	sudo_settings[ARG_PRESERVE_GROUPS].value = "true";
	68	+ SET(flags, MODE_PRESERVE_GROUPS);
	69	break;
	70	case 'p':
	71	/* An empty prompt is allowed. */
	72	@@ -505,7 +511,7 @@
	73	if (mode && mode != MODE_VALIDATE)
	74	usage_excl();
	75	mode = MODE_VALIDATE;
	76	- valid_flags = MODE_NONINTERACTIVE;
	77	+ valid_flags = VALIDATE_VALID_FLAGS;
	78	break;
	79	case 'V':
	80	if (mode && mode != MODE_VERSION)
	81	@@ -533,7 +539,7 @@
	82	if (!mode) {
	83	/* Defer -k mode setting until we know whether it is a flag or not */
	84	if (sudo_settings[ARG_IGNORE_TICKET].value != NULL) {
	85	- if (argc == 0 && !(flags & (MODE_SHELL\|MODE_LOGIN_SHELL))) {
	86	+ if (argc == 0 && !ISSET(flags, MODE_SHELL\|MODE_LOGIN_SHELL)) {
	87	mode = MODE_INVALIDATE; /* -k by itself */
	88	sudo_settings[ARG_IGNORE_TICKET].value = NULL;
	89	valid_flags = 0;
	90	@@ -601,7 +607,7 @@
	91	/*
	92	* For shell mode we need to rewrite argv
	93	*/
	94	- if (ISSET(mode, MODE_RUN) && ISSET(flags, MODE_SHELL)) {
	95	+ if (ISSET(flags, MODE_SHELL\|MODE_LOGIN_SHELL) && ISSET(mode, MODE_RUN)) {
	96	char *av, cmnd = NULL;
	97	int ac = 1;
	98
	99
	100