diff options
Diffstat (limited to 'meta/recipes-extended/sudo/files/CVE-2021-3156-2.patch')
-rw-r--r-- | meta/recipes-extended/sudo/files/CVE-2021-3156-2.patch | 53 |
1 files changed, 53 insertions, 0 deletions
diff --git a/meta/recipes-extended/sudo/files/CVE-2021-3156-2.patch b/meta/recipes-extended/sudo/files/CVE-2021-3156-2.patch new file mode 100644 index 0000000000..6d051252cb --- /dev/null +++ b/meta/recipes-extended/sudo/files/CVE-2021-3156-2.patch | |||
@@ -0,0 +1,53 @@ | |||
1 | From 03d04069468d6633be0d6ef6c4adff07620488da Mon Sep 17 00:00:00 2001 | ||
2 | From: Anuj Mittal <anuj.mittal@intel.com> | ||
3 | Date: Sat, 6 Feb 2021 15:57:55 +0800 | ||
4 | Subject: [PATCH] sudo: fix CVE-2021-3156 | ||
5 | |||
6 | Upstream-Status: Backport [https://www.sudo.ws/repos/sudo/rev/a97dc92eae6b] | ||
7 | Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> | ||
8 | CVE: CVE-2021-3156 | ||
9 | |||
10 | # HG changeset patch | ||
11 | # User Todd C. Miller <Todd.Miller@sudo.ws> | ||
12 | # Date 1611416639 25200 | ||
13 | # Node ID a97dc92eae6b60ae285055441341d493c17262ff | ||
14 | # Parent 9b97f1787804aedccaec63c379053b1a91a0e409 | ||
15 | Add sudoedit flag checks in plugin that are consistent with front-end. | ||
16 | Don't assume the sudo front-end is sending reasonable mode flags. | ||
17 | These checks need to be kept consistent between the sudo front-end | ||
18 | and the sudoers plugin. | ||
19 | |||
20 | --- | ||
21 | plugins/sudoers/policy.c | 9 ++++++++- | ||
22 | 1 file changed, 8 insertions(+), 1 deletion(-) | ||
23 | |||
24 | diff --git a/plugins/sudoers/policy.c b/plugins/sudoers/policy.c | ||
25 | index c4749a6..2f18fe1 100644 | ||
26 | --- a/plugins/sudoers/policy.c | ||
27 | +++ b/plugins/sudoers/policy.c | ||
28 | @@ -88,10 +88,11 @@ parse_bool(const char *line, int varlen, int *flags, int fval) | ||
29 | int | ||
30 | sudoers_policy_deserialize_info(void *v, char **runas_user, char **runas_group) | ||
31 | { | ||
32 | + const int edit_mask = MODE_EDIT|MODE_IGNORE_TICKET|MODE_NONINTERACTIVE; | ||
33 | struct sudoers_open_info *info = v; | ||
34 | - char * const *cur; | ||
35 | const char *p, *errstr, *groups = NULL; | ||
36 | const char *remhost = NULL; | ||
37 | + char * const *cur; | ||
38 | int flags = 0; | ||
39 | debug_decl(sudoers_policy_deserialize_info, SUDOERS_DEBUG_PLUGIN); | ||
40 | |||
41 | @@ -343,6 +344,12 @@ sudoers_policy_deserialize_info(void *v, char **runas_user, char **runas_group) | ||
42 | #endif | ||
43 | } | ||
44 | |||
45 | + /* Sudo front-end should restrict mode flags for sudoedit. */ | ||
46 | + if (ISSET(flags, MODE_EDIT) && (flags & edit_mask) != flags) { | ||
47 | + sudo_warnx(U_("invalid mode flags from sudo front end: 0x%x"), flags); | ||
48 | + goto bad; | ||
49 | + } | ||
50 | + | ||
51 | user_gid = (gid_t)-1; | ||
52 | user_sid = (pid_t)-1; | ||
53 | user_uid = (gid_t)-1; | ||