diff options
Diffstat (limited to 'meta/recipes-extended/sudo/files/CVE-2021-3156-1.patch')
-rw-r--r-- | meta/recipes-extended/sudo/files/CVE-2021-3156-1.patch | 100 |
1 files changed, 100 insertions, 0 deletions
diff --git a/meta/recipes-extended/sudo/files/CVE-2021-3156-1.patch b/meta/recipes-extended/sudo/files/CVE-2021-3156-1.patch new file mode 100644 index 0000000000..83c277575e --- /dev/null +++ b/meta/recipes-extended/sudo/files/CVE-2021-3156-1.patch | |||
@@ -0,0 +1,100 @@ | |||
1 | Upstream-Status: Backport[https://www.sudo.ws/repos/sudo/rev/9b97f1787804] | ||
2 | Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> | ||
3 | CVE: CVE-2021-3156 | ||
4 | |||
5 | # HG changeset patch | ||
6 | # User Todd C. Miller <Todd.Miller@sudo.ws> | ||
7 | # Date 1611416639 25200 | ||
8 | # Node ID 9b97f1787804aedccaec63c379053b1a91a0e409 | ||
9 | # Parent 90aba6ba6e03f3bc33b4eabf16358396ed83642d | ||
10 | Reset valid_flags to MODE_NONINTERACTIVE for sudoedit. | ||
11 | This is consistent with how the -e option is handled. | ||
12 | Also reject -H and -P flags for sudoedit as was done in sudo 1.7. | ||
13 | Found by Qualys, this is part of the fix for CVE-2021-3156. | ||
14 | |||
15 | diff -r 90aba6ba6e03 -r 9b97f1787804 src/parse_args.c | ||
16 | --- a/src/parse_args.c Mon Jan 18 12:30:52 2021 +0100 | ||
17 | +++ b/src/parse_args.c Sat Jan 23 08:43:59 2021 -0700 | ||
18 | @@ -117,7 +117,10 @@ | ||
19 | /* | ||
20 | * Default flags allowed when running a command. | ||
21 | */ | ||
22 | -#define DEFAULT_VALID_FLAGS (MODE_BACKGROUND|MODE_PRESERVE_ENV|MODE_RESET_HOME|MODE_LOGIN_SHELL|MODE_NONINTERACTIVE|MODE_SHELL) | ||
23 | +#define DEFAULT_VALID_FLAGS (MODE_BACKGROUND|MODE_PRESERVE_ENV|MODE_RESET_HOME|MODE_LOGIN_SHELL|MODE_NONINTERACTIVE|MODE_PRESERVE_GROUPS|MODE_SHELL) | ||
24 | +#define EDIT_VALID_FLAGS MODE_NONINTERACTIVE | ||
25 | +#define LIST_VALID_FLAGS (MODE_NONINTERACTIVE|MODE_LONG_LIST) | ||
26 | +#define VALIDATE_VALID_FLAGS MODE_NONINTERACTIVE | ||
27 | |||
28 | /* Option number for the --host long option due to ambiguity of the -h flag. */ | ||
29 | #define OPT_HOSTNAME 256 | ||
30 | @@ -262,6 +265,7 @@ | ||
31 | progname = "sudoedit"; | ||
32 | mode = MODE_EDIT; | ||
33 | sudo_settings[ARG_SUDOEDIT].value = "true"; | ||
34 | + valid_flags = EDIT_VALID_FLAGS; | ||
35 | } | ||
36 | |||
37 | /* Load local IP addresses and masks. */ | ||
38 | @@ -365,7 +369,7 @@ | ||
39 | usage_excl(); | ||
40 | mode = MODE_EDIT; | ||
41 | sudo_settings[ARG_SUDOEDIT].value = "true"; | ||
42 | - valid_flags = MODE_NONINTERACTIVE; | ||
43 | + valid_flags = EDIT_VALID_FLAGS; | ||
44 | break; | ||
45 | case 'g': | ||
46 | assert(optarg != NULL); | ||
47 | @@ -377,6 +381,7 @@ | ||
48 | break; | ||
49 | case 'H': | ||
50 | sudo_settings[ARG_SET_HOME].value = "true"; | ||
51 | + SET(flags, MODE_RESET_HOME); | ||
52 | break; | ||
53 | case 'h': | ||
54 | if (optarg == NULL) { | ||
55 | @@ -431,7 +436,7 @@ | ||
56 | usage_excl(); | ||
57 | } | ||
58 | mode = MODE_LIST; | ||
59 | - valid_flags = MODE_NONINTERACTIVE|MODE_LONG_LIST; | ||
60 | + valid_flags = LIST_VALID_FLAGS; | ||
61 | break; | ||
62 | case 'n': | ||
63 | SET(flags, MODE_NONINTERACTIVE); | ||
64 | @@ -439,6 +444,7 @@ | ||
65 | break; | ||
66 | case 'P': | ||
67 | sudo_settings[ARG_PRESERVE_GROUPS].value = "true"; | ||
68 | + SET(flags, MODE_PRESERVE_GROUPS); | ||
69 | break; | ||
70 | case 'p': | ||
71 | /* An empty prompt is allowed. */ | ||
72 | @@ -505,7 +511,7 @@ | ||
73 | if (mode && mode != MODE_VALIDATE) | ||
74 | usage_excl(); | ||
75 | mode = MODE_VALIDATE; | ||
76 | - valid_flags = MODE_NONINTERACTIVE; | ||
77 | + valid_flags = VALIDATE_VALID_FLAGS; | ||
78 | break; | ||
79 | case 'V': | ||
80 | if (mode && mode != MODE_VERSION) | ||
81 | @@ -533,7 +539,7 @@ | ||
82 | if (!mode) { | ||
83 | /* Defer -k mode setting until we know whether it is a flag or not */ | ||
84 | if (sudo_settings[ARG_IGNORE_TICKET].value != NULL) { | ||
85 | - if (argc == 0 && !(flags & (MODE_SHELL|MODE_LOGIN_SHELL))) { | ||
86 | + if (argc == 0 && !ISSET(flags, MODE_SHELL|MODE_LOGIN_SHELL)) { | ||
87 | mode = MODE_INVALIDATE; /* -k by itself */ | ||
88 | sudo_settings[ARG_IGNORE_TICKET].value = NULL; | ||
89 | valid_flags = 0; | ||
90 | @@ -601,7 +607,7 @@ | ||
91 | /* | ||
92 | * For shell mode we need to rewrite argv | ||
93 | */ | ||
94 | - if (ISSET(mode, MODE_RUN) && ISSET(flags, MODE_SHELL)) { | ||
95 | + if (ISSET(flags, MODE_SHELL|MODE_LOGIN_SHELL) && ISSET(mode, MODE_RUN)) { | ||
96 | char **av, *cmnd = NULL; | ||
97 | int ac = 1; | ||
98 | |||
99 | |||
100 | |||