diff options
Diffstat (limited to 'meta/recipes-extended/sudo/files/CVE-2021-3156-5.patch')
-rw-r--r-- | meta/recipes-extended/sudo/files/CVE-2021-3156-5.patch | 41 |
1 files changed, 41 insertions, 0 deletions
diff --git a/meta/recipes-extended/sudo/files/CVE-2021-3156-5.patch b/meta/recipes-extended/sudo/files/CVE-2021-3156-5.patch new file mode 100644 index 0000000000..c04b8e72a6 --- /dev/null +++ b/meta/recipes-extended/sudo/files/CVE-2021-3156-5.patch | |||
@@ -0,0 +1,41 @@ | |||
1 | Upstream-Status: Backport [https://www.sudo.ws/repos/sudo/rev/c125fbe68783] | ||
2 | Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> | ||
3 | CVE: CVE-2021-3156 | ||
4 | |||
5 | # HG changeset patch | ||
6 | # User Todd C. Miller <Todd.Miller@sudo.ws> | ||
7 | # Date 1611416640 25200 | ||
8 | # Node ID c125fbe6878395d10f01d891d3c09b1229ada404 | ||
9 | # Parent 09f98816fc8978f1d8623a857073d2d5746f0379 | ||
10 | Don't assume that argv is allocated as a single flat buffer. | ||
11 | While this is how the kernel behaves it is not a portable assumption. | ||
12 | The assumption may also be violated if getopt_long(3) permutes arguments. | ||
13 | Found by Qualys. | ||
14 | |||
15 | diff -r 09f98816fc89 -r c125fbe68783 src/parse_args.c | ||
16 | --- a/src/parse_args.c Sat Jan 23 08:44:00 2021 -0700 | ||
17 | +++ b/src/parse_args.c Sat Jan 23 08:44:00 2021 -0700 | ||
18 | @@ -614,16 +614,16 @@ | ||
19 | if (argc != 0) { | ||
20 | /* shell -c "command" */ | ||
21 | char *src, *dst; | ||
22 | - size_t cmnd_size = (size_t) (argv[argc - 1] - argv[0]) + | ||
23 | - strlen(argv[argc - 1]) + 1; | ||
24 | + size_t size = 0; | ||
25 | |||
26 | - cmnd = dst = reallocarray(NULL, cmnd_size, 2); | ||
27 | - if (cmnd == NULL) | ||
28 | + for (av = argv; *av != NULL; av++) | ||
29 | + size += strlen(*av) + 1; | ||
30 | + if (size == 0 || (cmnd = reallocarray(NULL, size, 2)) == NULL) | ||
31 | sudo_fatalx(U_("%s: %s"), __func__, U_("unable to allocate memory")); | ||
32 | if (!gc_add(GC_PTR, cmnd)) | ||
33 | exit(EXIT_FAILURE); | ||
34 | |||
35 | - for (av = argv; *av != NULL; av++) { | ||
36 | + for (dst = cmnd, av = argv; *av != NULL; av++) { | ||
37 | for (src = *av; *src != '\0'; src++) { | ||
38 | /* quote potential meta characters */ | ||
39 | if (!isalnum((unsigned char)*src) && *src != '_' && *src != '-' && *src != '$') | ||
40 | |||
41 | |||