1 files changed, 53 insertions, 0 deletions
diff --git a/meta/recipes-extended/sudo/files/CVE-2021-3156-2.patch b/meta/recipes-extended/sudo/files/CVE-2021-3156-2.patch
new file mode 100644
index 0000000000..6d051252cb
--- /dev/null
+++ b/meta/recipes-extended/sudo/files/CVE-2021-3156-2.patch
@@ -0,0 +1,53 @@
+From 03d04069468d6633be0d6ef6c4adff07620488da Mon Sep 17 00:00:00 2001
+From: Anuj Mittal <anuj.mittal@intel.com>
+Date: Sat, 6 Feb 2021 15:57:55 +0800
+Subject: [PATCH] sudo: fix CVE-2021-3156
+Upstream-Status: Backport [https://www.sudo.ws/repos/sudo/rev/a97dc92eae6b]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+CVE: CVE-2021-3156
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller@sudo.ws>
+# Date 1611416639 25200
+# Node ID a97dc92eae6b60ae285055441341d493c17262ff
+# Parent  9b97f1787804aedccaec63c379053b1a91a0e409
+Add sudoedit flag checks in plugin that are consistent with front-end.
+Don't assume the sudo front-end is sending reasonable mode flags.
+These checks need to be kept consistent between the sudo front-end
+and the sudoers plugin.
+---
+ plugins/sudoers/policy.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+diff --git a/plugins/sudoers/policy.c b/plugins/sudoers/policy.c
+index c4749a6..2f18fe1 100644
+--- a/plugins/sudoers/policy.c
+++ b/plugins/sudoers/policy.c
+@@ -88,10 +88,11 @@ parse_bool(const char *line, int varlen, int *flags, int fval)
+ int
+ sudoers_policy_deserialize_info(void *v, char **runas_user, char **runas_group)
+ {
+    const int edit_mask = MODE_EDIT|MODE_IGNORE_TICKET|MODE_NONINTERACTIVE;
+     struct sudoers_open_info *info = v;
+-    char * const *cur;
+     const char *p, *errstr, *groups = NULL;
+     const char *remhost = NULL;
+    char * const *cur;
+     int flags = 0;
+     debug_decl(sudoers_policy_deserialize_info, SUDOERS_DEBUG_PLUGIN);
+ 
+@@ -343,6 +344,12 @@ sudoers_policy_deserialize_info(void *v, char **runas_user, char **runas_group)
+ #endif
+     }
+ 
+    /* Sudo front-end should restrict mode flags for sudoedit. */
+    if (ISSET(flags, MODE_EDIT) && (flags & edit_mask) != flags) {
+       sudo_warnx(U_("invalid mode flags from sudo front end: 0x%x"), flags);
+       goto bad;
+    }
+
+     user_gid = (gid_t)-1;
+     user_sid = (pid_t)-1;
+     user_uid = (gid_t)-1;

diff --git a/meta/recipes-extended/sudo/files/CVE-2021-3156-2.patch b/meta/recipes-extended/sudo/files/CVE-2021-3156-2.patch new file mode 100644 index 0000000000..6d051252cb --- /dev/null +++ b/meta/recipes-extended/sudo/files/CVE-2021-3156-2.patch
@@ -0,0 +1,53 @@
	1	From 03d04069468d6633be0d6ef6c4adff07620488da Mon Sep 17 00:00:00 2001
	2	From: Anuj Mittal <anuj.mittal@intel.com>
	3	Date: Sat, 6 Feb 2021 15:57:55 +0800
	4	Subject: [PATCH] sudo: fix CVE-2021-3156
	5
	6	Upstream-Status: Backport [https://www.sudo.ws/repos/sudo/rev/a97dc92eae6b]
	7	Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
	8	CVE: CVE-2021-3156
	9
	10	# HG changeset patch
	11	# User Todd C. Miller <Todd.Miller@sudo.ws>
	12	# Date 1611416639 25200
	13	# Node ID a97dc92eae6b60ae285055441341d493c17262ff
	14	# Parent 9b97f1787804aedccaec63c379053b1a91a0e409
	15	Add sudoedit flag checks in plugin that are consistent with front-end.
	16	Don't assume the sudo front-end is sending reasonable mode flags.
	17	These checks need to be kept consistent between the sudo front-end
	18	and the sudoers plugin.
	19
	20	---
	21	plugins/sudoers/policy.c \| 9 ++++++++-
	22	1 file changed, 8 insertions(+), 1 deletion(-)
	23
	24	diff --git a/plugins/sudoers/policy.c b/plugins/sudoers/policy.c
	25	index c4749a6..2f18fe1 100644
	26	--- a/plugins/sudoers/policy.c
	27	+++ b/plugins/sudoers/policy.c
	28	@@ -88,10 +88,11 @@ parse_bool(const char line, int varlen, int flags, int fval)
	29	int
	30	sudoers_policy_deserialize_info(void v, char runas_user, char *runas_group)
	31	{
	32	+ const int edit_mask = MODE_EDIT\|MODE_IGNORE_TICKET\|MODE_NONINTERACTIVE;
	33	struct sudoers_open_info *info = v;
	34	- char * const *cur;
	35	const char p, errstr, *groups = NULL;
	36	const char *remhost = NULL;
	37	+ char * const *cur;
	38	int flags = 0;
	39	debug_decl(sudoers_policy_deserialize_info, SUDOERS_DEBUG_PLUGIN);
	40
	41	@@ -343,6 +344,12 @@ sudoers_policy_deserialize_info(void v, char runas_user, char *runas_group)
	42	#endif
	43	}
	44
	45	+ /* Sudo front-end should restrict mode flags for sudoedit. */
	46	+ if (ISSET(flags, MODE_EDIT) && (flags & edit_mask) != flags) {
	47	+ sudo_warnx(U_("invalid mode flags from sudo front end: 0x%x"), flags);
	48	+ goto bad;
	49	+ }
	50	+
	51	user_gid = (gid_t)-1;
	52	user_sid = (pid_t)-1;
	53	user_uid = (gid_t)-1;