Diffstat (limited to 'meta/recipes-extended/sudo/files/CVE-2021-3156-3.patch')
-rw-r--r-- | meta/recipes-extended/sudo/files/CVE-2021-3156-3.patch | 73 |
1 files changed, 73 insertions, 0 deletions
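--- /dev/null
+++ b/meta/recipes-extended/sudo/files/CVE-2021-3156-3.patch
@@ -0,0 +1,73 @@
+Upstream-Status: Backport[https://www.sudo.ws/repos/sudo/rev/049ad90590be]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+CVE: CVE-2021-3156
+
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller@sudo.ws>
+# Date 1611416639 25200
+# Node ID 049ad90590be1e5dfb7df2675d2eb3e37c96ab86
+# Parent a97dc92eae6b60ae285055441341d493c17262ff
+Fix potential buffer overflow when unescaping backslashes in user_args.
+Also, do not try to unescaping backslashes unless in run mode *and*
+we are running the command via a shell.
+Found by Qualys, this fixes CVE-2021-3156.
+
+diff -r a97dc92eae6b -r 049ad90590be plugins/sudoers/sudoers.c
+--- a/plugins/sudoers/sudoers.c Sat Jan 23 08:43:59 2021 -0700
++++ b/plugins/sudoers/sudoers.c Sat Jan 23 08:43:59 2021 -0700
+@@ -547,7 +547,7 @@
+
+/* If run as root with SUDO_USER set, set sudo_user.pw to that user. */
+/* XXX - causes confusion when root is not listed in sudoers */
+- if (sudo_mode & (MODE_RUN | MODE_EDIT) && prev_user != NULL) {
++ if (ISSET(sudo_mode, MODE_RUN|MODE_EDIT) && prev_user != NULL) {
+if (user_uid == 0 && strcmp(prev_user, "root") != 0) {
+struct passwd *pw;
+
+@@ -932,8 +932,8 @@
+if (user_cmnd == NULL)
+user_cmnd = NewArgv[0];
+
+- if (sudo_mode & (MODE_RUN | MODE_EDIT | MODE_CHECK)) {
+- if (ISSET(sudo_mode, MODE_RUN | MODE_CHECK)) {
++ if (ISSET(sudo_mode, MODE_RUN|MODE_EDIT|MODE_CHECK)) {
++ if (!ISSET(sudo_mode, MODE_EDIT)) {
+const char *runchroot = user_runchroot;
+if (runchroot == NULL && def_runchroot != NULL &&
+strcmp(def_runchroot, "*") != 0)
+@@ -961,7 +961,8 @@
+sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+debug_return_int(NOT_FOUND_ERROR);
+}
+- if (ISSET(sudo_mode, MODE_SHELL|MODE_LOGIN_SHELL)) {
++ if (ISSET(sudo_mode, MODE_SHELL|MODE_LOGIN_SHELL) &&
++ ISSET(sudo_mode, MODE_RUN)) {
+/*
+* When running a command via a shell, the sudo front-end
+* escapes potential meta chars. We unescape non-spaces
+@@ -969,10 +970,22 @@
+*/
+for (to = user_args, av = NewArgv + 1; (from = *av); av++) {
+while (*from) {
+- if (from[0] == '\\' && !isspace((unsigned char)from[1]))
++ if (from[0] == '\\' && from[1] != '\0' &&
++ !isspace((unsigned char)from[1])) {
+from++;
++ }
++ if (size - (to - user_args) < 1) {
++ sudo_warnx(U_("internal error, %s overflow"),
++ __func__);
++ debug_return_int(NOT_FOUND_ERROR);
++ }
+*to++ = *from++;
+}
++ if (size - (to - user_args) < 1) {
++ sudo_warnx(U_("internal error, %s overflow"),
++ __func__);
++ debug_return_int(NOT_FOUND_ERROR);
++ }
+*to++ = ' ';
+}
+*--to = '\0';
+
+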
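Review bot: The `Upstream-Status` tag on the first line of the patch header runs the status and the URL together (`Backport[https://...]`); the conventional form has a space, `Upstream-Status: Backport [https://www.sudo.ws/repos/sudo/rev/049ad90590be]`, and strict patch-status checks are likely to match only that form. The `-3` suffix in the file name and the `# Parent a97dc92eae6b...` line suggest this is one changeset of a series. Because the diffstat shown here is limited to this one file, it is worth confirming that the sibling patches and the recipe's `SRC_URI` entry land with it; otherwise the bounds check in `plugins/sudoers/sudoers.c` would be carried in the tree but not applied to the build. The code hunks themselves should stay identical to upstream changeset 049ad90590be so the backport remains auditable against it.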