diff options
Diffstat (limited to 'meta/recipes-extended/sudo/sudo/CVE-2019-14287_p1.patch')
-rw-r--r-- | meta/recipes-extended/sudo/sudo/CVE-2019-14287_p1.patch | 170 |
1 files changed, 170 insertions, 0 deletions
diff --git a/meta/recipes-extended/sudo/sudo/CVE-2019-14287_p1.patch b/meta/recipes-extended/sudo/sudo/CVE-2019-14287_p1.patch new file mode 100644 index 0000000000..f954fac8fc --- /dev/null +++ b/meta/recipes-extended/sudo/sudo/CVE-2019-14287_p1.patch | |||
@@ -0,0 +1,170 @@ | |||
1 | Treat an ID of -1 as invalid since that means "no change". | ||
2 | Fixes CVE-2019-14287. | ||
3 | Found by Joe Vennix from Apple Information Security. | ||
4 | |||
5 | CVE: CVE-2019-14287 | ||
6 | Upstream-Status: Backport | ||
7 | [https://www.sudo.ws/repos/sudo/rev/83db8dba09e7] | ||
8 | |||
9 | Signed-off-by: Dan Tran <dantran@microsoft.com> | ||
10 | |||
11 | Index: sudo-1.8.21p2/lib/util/strtoid.c | ||
12 | =================================================================== | ||
13 | --- sudo-1.8.21p2.orig/lib/util/strtoid.c 2019-10-10 14:31:08.338476078 -0400 | ||
14 | +++ sudo-1.8.21p2/lib/util/strtoid.c 2019-10-10 14:31:08.338476078 -0400 | ||
15 | @@ -42,6 +42,27 @@ | ||
16 | #include "sudo_util.h" | ||
17 | |||
18 | /* | ||
19 | + * Make sure that the ID ends with a valid separator char. | ||
20 | + */ | ||
21 | +static bool | ||
22 | +valid_separator(const char *p, const char *ep, const char *sep) | ||
23 | +{ | ||
24 | + bool valid = false; | ||
25 | + debug_decl(valid_separator, SUDO_DEBUG_UTIL) | ||
26 | + | ||
27 | + if (ep != p) { | ||
28 | + /* check for valid separator (including '\0') */ | ||
29 | + if (sep == NULL) | ||
30 | + sep = ""; | ||
31 | + do { | ||
32 | + if (*ep == *sep) | ||
33 | + valid = true; | ||
34 | + } while (*sep++ != '\0'); | ||
35 | + } | ||
36 | + debug_return_bool(valid); | ||
37 | +} | ||
38 | + | ||
39 | +/* | ||
40 | * Parse a uid/gid in string form. | ||
41 | * If sep is non-NULL, it contains valid separator characters (e.g. comma, space) | ||
42 | * If endp is non-NULL it is set to the next char after the ID. | ||
43 | @@ -55,36 +76,33 @@ sudo_strtoid_v1(const char *p, const cha | ||
44 | char *ep; | ||
45 | id_t ret = 0; | ||
46 | long long llval; | ||
47 | - bool valid = false; | ||
48 | debug_decl(sudo_strtoid, SUDO_DEBUG_UTIL) | ||
49 | |||
50 | /* skip leading space so we can pick up the sign, if any */ | ||
51 | while (isspace((unsigned char)*p)) | ||
52 | p++; | ||
53 | - if (sep == NULL) | ||
54 | - sep = ""; | ||
55 | + | ||
56 | + /* While id_t may be 64-bit signed, uid_t and gid_t are 32-bit unsigned. */ | ||
57 | errno = 0; | ||
58 | llval = strtoll(p, &ep, 10); | ||
59 | - if (ep != p) { | ||
60 | - /* check for valid separator (including '\0') */ | ||
61 | - do { | ||
62 | - if (*ep == *sep) | ||
63 | - valid = true; | ||
64 | - } while (*sep++ != '\0'); | ||
65 | + if ((errno == ERANGE && llval == LLONG_MAX) || llval > (id_t)UINT_MAX) { | ||
66 | + errno = ERANGE; | ||
67 | + if (errstr != NULL) | ||
68 | + *errstr = N_("value too large"); | ||
69 | + goto done; | ||
70 | } | ||
71 | - if (!valid) { | ||
72 | + if ((errno == ERANGE && llval == LLONG_MIN) || llval < INT_MIN) { | ||
73 | + errno = ERANGE; | ||
74 | if (errstr != NULL) | ||
75 | - *errstr = N_("invalid value"); | ||
76 | - errno = EINVAL; | ||
77 | + *errstr = N_("value too small"); | ||
78 | goto done; | ||
79 | } | ||
80 | - if (errno == ERANGE) { | ||
81 | - if (errstr != NULL) { | ||
82 | - if (llval == LLONG_MAX) | ||
83 | - *errstr = N_("value too large"); | ||
84 | - else | ||
85 | - *errstr = N_("value too small"); | ||
86 | - } | ||
87 | + | ||
88 | + /* Disallow id -1, which means "no change". */ | ||
89 | + if (!valid_separator(p, ep, sep) || llval == -1 || llval == (id_t)UINT_MAX) { | ||
90 | + if (errstr != NULL) | ||
91 | + *errstr = N_("invalid value"); | ||
92 | + errno = EINVAL; | ||
93 | goto done; | ||
94 | } | ||
95 | ret = (id_t)llval; | ||
96 | @@ -101,30 +119,15 @@ sudo_strtoid_v1(const char *p, const cha | ||
97 | { | ||
98 | char *ep; | ||
99 | id_t ret = 0; | ||
100 | - bool valid = false; | ||
101 | debug_decl(sudo_strtoid, SUDO_DEBUG_UTIL) | ||
102 | |||
103 | /* skip leading space so we can pick up the sign, if any */ | ||
104 | while (isspace((unsigned char)*p)) | ||
105 | p++; | ||
106 | - if (sep == NULL) | ||
107 | - sep = ""; | ||
108 | + | ||
109 | errno = 0; | ||
110 | if (*p == '-') { | ||
111 | long lval = strtol(p, &ep, 10); | ||
112 | - if (ep != p) { | ||
113 | - /* check for valid separator (including '\0') */ | ||
114 | - do { | ||
115 | - if (*ep == *sep) | ||
116 | - valid = true; | ||
117 | - } while (*sep++ != '\0'); | ||
118 | - } | ||
119 | - if (!valid) { | ||
120 | - if (errstr != NULL) | ||
121 | - *errstr = N_("invalid value"); | ||
122 | - errno = EINVAL; | ||
123 | - goto done; | ||
124 | - } | ||
125 | if ((errno == ERANGE && lval == LONG_MAX) || lval > INT_MAX) { | ||
126 | errno = ERANGE; | ||
127 | if (errstr != NULL) | ||
128 | @@ -137,28 +140,31 @@ sudo_strtoid_v1(const char *p, const cha | ||
129 | *errstr = N_("value too small"); | ||
130 | goto done; | ||
131 | } | ||
132 | - ret = (id_t)lval; | ||
133 | - } else { | ||
134 | - unsigned long ulval = strtoul(p, &ep, 10); | ||
135 | - if (ep != p) { | ||
136 | - /* check for valid separator (including '\0') */ | ||
137 | - do { | ||
138 | - if (*ep == *sep) | ||
139 | - valid = true; | ||
140 | - } while (*sep++ != '\0'); | ||
141 | - } | ||
142 | - if (!valid) { | ||
143 | + | ||
144 | + /* Disallow id -1, which means "no change". */ | ||
145 | + if (!valid_separator(p, ep, sep) || lval == -1) { | ||
146 | if (errstr != NULL) | ||
147 | *errstr = N_("invalid value"); | ||
148 | errno = EINVAL; | ||
149 | goto done; | ||
150 | } | ||
151 | + ret = (id_t)lval; | ||
152 | + } else { | ||
153 | + unsigned long ulval = strtoul(p, &ep, 10); | ||
154 | if ((errno == ERANGE && ulval == ULONG_MAX) || ulval > UINT_MAX) { | ||
155 | errno = ERANGE; | ||
156 | if (errstr != NULL) | ||
157 | *errstr = N_("value too large"); | ||
158 | goto done; | ||
159 | } | ||
160 | + | ||
161 | + /* Disallow id -1, which means "no change". */ | ||
162 | + if (!valid_separator(p, ep, sep) || ulval == UINT_MAX) { | ||
163 | + if (errstr != NULL) | ||
164 | + *errstr = N_("invalid value"); | ||
165 | + errno = EINVAL; | ||
166 | + goto done; | ||
167 | + } | ||
168 | ret = (id_t)ulval; | ||
169 | } | ||
170 | if (errstr != NULL) | ||