1 files changed, 73 insertions, 0 deletions

diff --git a/meta/recipes-extended/sudo/files/CVE-2021-3156-3.patch b/meta/recipes-extended/sudo/files/CVE-2021-3156-3.patch
new file mode 100644
index 0000000000..30a574d05c
--- /dev/null
+++ b/meta/recipes-extended/sudo/files/CVE-2021-3156-3.patch
@@ -0,0 +1,73 @@
+Upstream-Status: Backport[https://www.sudo.ws/repos/sudo/rev/049ad90590be]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+CVE: CVE-2021-3156
+
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller@sudo.ws>
+# Date 1611416639 25200
+# Node ID 049ad90590be1e5dfb7df2675d2eb3e37c96ab86
+# Parent  a97dc92eae6b60ae285055441341d493c17262ff
+Fix potential buffer overflow when unescaping backslashes in user_args.
+Also, do not try to unescaping backslashes unless in run mode *and*
+we are running the command via a shell.
+Found by Qualys, this fixes CVE-2021-3156.
+
+diff -r a97dc92eae6b -r 049ad90590be plugins/sudoers/sudoers.c
+--- a/plugins/sudoers/sudoers.c Sat Jan 23 08:43:59 2021 -0700
++++ b/plugins/sudoers/sudoers.c Sat Jan 23 08:43:59 2021 -0700
+@@ -547,7 +547,7 @@
+ 
+     /* If run as root with SUDO_USER set, set sudo_user.pw to that user. */
+     /* XXX - causes confusion when root is not listed in sudoers */
+-    if (sudo_mode & (MODE_RUN | MODE_EDIT) && prev_user != NULL) {
++    if (ISSET(sudo_mode, MODE_RUN|MODE_EDIT) && prev_user != NULL) {
+        if (user_uid == 0 && strcmp(prev_user, "root") != 0) {
+            struct passwd *pw;
+ 
+@@ -932,8 +932,8 @@
+     if (user_cmnd == NULL)
+        user_cmnd = NewArgv[0];
+ 
+-    if (sudo_mode & (MODE_RUN | MODE_EDIT | MODE_CHECK)) {
+-       if (ISSET(sudo_mode, MODE_RUN | MODE_CHECK)) {
++    if (ISSET(sudo_mode, MODE_RUN|MODE_EDIT|MODE_CHECK)) {
++       if (!ISSET(sudo_mode, MODE_EDIT)) {
+            const char *runchroot = user_runchroot;
+            if (runchroot == NULL && def_runchroot != NULL &&
+                    strcmp(def_runchroot, "*") != 0)
+@@ -961,7 +961,8 @@
+                sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+                debug_return_int(NOT_FOUND_ERROR);
+            }
+-           if (ISSET(sudo_mode, MODE_SHELL|MODE_LOGIN_SHELL)) {
++           if (ISSET(sudo_mode, MODE_SHELL|MODE_LOGIN_SHELL) &&
++                   ISSET(sudo_mode, MODE_RUN)) {
+                /*
+                 * When running a command via a shell, the sudo front-end
+                 * escapes potential meta chars.  We unescape non-spaces
+@@ -969,10 +970,22 @@
+                 */
+                for (to = user_args, av = NewArgv + 1; (from = *av); av++) {
+                    while (*from) {
+-                       if (from[0] == '\\' && !isspace((unsigned char)from[1]))
++                       if (from[0] == '\\' && from[1] != '\0' &&
++                               !isspace((unsigned char)from[1])) {
+                            from++;
++                       }
++                       if (size - (to - user_args) < 1) {
++                           sudo_warnx(U_("internal error, %s overflow"),
++                               __func__);
++                           debug_return_int(NOT_FOUND_ERROR);
++                       }
+                        *to++ = *from++;
+                    }
++                   if (size - (to - user_args) < 1) {
++                       sudo_warnx(U_("internal error, %s overflow"),
++                           __func__);
++                       debug_return_int(NOT_FOUND_ERROR);
++                   }
+                    *to++ = ' ';
+                }
+                *--to = '\0';
+
+