Diffstat (limited to 'meta/recipes-extended/sudo')
-rw-r--r-- | meta/recipes-extended/sudo/files/CVE-2021-23239.patch | 62 | ||||
-rw-r--r-- | meta/recipes-extended/sudo/sudo_1.9.3.bb | 1 |
2 files changed, 63 insertions, 0 deletions
diff --git a/meta/recipes-extended/sudo/files/CVE-2021-23239.patch b/meta/recipes-extended/sudo/files/CVE-2021-23239.patch new file mode 100644 index 0000000000..e16baecd5a --- /dev/null +++ b/meta/recipes-extended/sudo/files/CVE-2021-23239.patch | |||
@@ -0,0 +1,62 @@ | |||
1 | |||
2 | # HG changeset patch | ||
3 | # User Todd C. Miller <Todd.Miller@sudo.ws> | ||
4 | # Date 1609953360 25200 | ||
5 | # Node ID ea19d0073c02951bbbf35342dd63304da83edce8 | ||
6 | # Parent f1ca39a0d87089d005b78a2556e2b1a2dc17f672 | ||
7 | Fix potential directory existing info leak in sudoedit. | ||
8 | When creating a new file, sudoedit checks to make sure the parent | ||
9 | directory exists so it can provide the user with a sensible error | ||
10 | message. However, this could be used to test for the existence of | ||
11 | directories not normally accessible to the user by pointing to them | ||
12 | with a symbolic link when the parent directory is controlled by the | ||
13 | user. Problem reported by Matthias Gerstner of SUSE. | ||
14 | |||
15 | Upstream-Status: Backport [https://www.sudo.ws/repos/sudo/rev/ea19d0073c02] | ||
16 | CVE: CVE-2021-23239 | ||
17 | Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> | ||
18 | |||
19 | diff -r f1ca39a0d870 -r ea19d0073c02 src/sudo_edit.c | ||
20 | --- a/src/sudo_edit.c Wed Jan 06 10:16:00 2021 -0700 | ||
21 | +++ b/src/sudo_edit.c Wed Jan 06 10:16:00 2021 -0700 | ||
22 | @@ -541,14 +541,33 @@ | ||
23 | S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH, command_details); | ||
24 | if (ofd != -1 || errno == ENOENT) { | ||
25 | if (ofd == -1) { | ||
26 | - /* New file, verify parent dir exists unless in cwd. */ | ||
27 | + /* | ||
28 | + * New file, verify parent dir exists unless in cwd. | ||
29 | + * This fails early so the user knows ahead of time if the | ||
30 | + * edit won't succeed. Additional checks are performed | ||
31 | + * when copying the temporary file back to the origin. | ||
32 | + */ | ||
33 | char *slash = strrchr(files[i], '/'); | ||
34 | if (slash != NULL && slash != files[i]) { | ||
35 | - int serrno = errno; | ||
36 | + const int sflags = command_details->flags; | ||
37 | + const int serrno = errno; | ||
38 | + int dfd; | ||
39 | + | ||
40 | + /* | ||
41 | + * The parent directory is allowed to be a symbolic | ||
42 | + * link as long as *its* parent is not writable. | ||
43 | + */ | ||
44 | *slash = '\0'; | ||
45 | - if (stat(files[i], &sb) == 0 && S_ISDIR(sb.st_mode)) { | ||
46 | - memset(&sb, 0, sizeof(sb)); | ||
47 | - rc = 0; | ||
48 | + SET(command_details->flags, CD_SUDOEDIT_FOLLOW); | ||
49 | + dfd = sudo_edit_open(files[i], DIR_OPEN_FLAGS, | ||
50 | + S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH, command_details); | ||
51 | + command_details->flags = sflags; | ||
52 | + if (dfd != -1) { | ||
53 | + if (fstat(dfd, &sb) == 0 && S_ISDIR(sb.st_mode)) { | ||
54 | + memset(&sb, 0, sizeof(sb)); | ||
55 | + rc = 0; | ||
56 | + } | ||
57 | + close(dfd); | ||
58 | } | ||
59 | *slash = '/'; | ||
60 | errno = serrno; | ||
61 | |||
62 | |||
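Review bot: The error from the new `sudo_edit_open(files[i], DIR_OPEN_FLAGS, ...)` call on the parent directory is silently discarded, because the pre-existing `errno = serrno;` restores the ENOENT captured at `const int serrno = errno;` (this branch is only entered when the first open failed with ENOENT), and the new comment block above it does not say this is intentional. I would extend the comment that starts `The parent directory is allowed to be a symbolic link` with `Any error from opening the parent is deliberately not reported; the saved ENOENT is restored below.` so the next maintainer does not treat it as a lost error. The mode argument `S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH` is only meaningful if DIR_OPEN_FLAGS includes O_CREAT, which cannot be confirmed from the hunk; if it does not, passing 0 there would make the intent clearer. The enclosing function in src/sudo_edit.c starts and ends outside the hunk, so whether `rc` holds a failure value before this block cannot be checked here.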
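--- a/meta/recipes-extended/sudo/sudo_1.9.3.bb
+++ b/meta/recipes-extended/sudo/sudo_1.9.3.bb
@@ -3,6 +3,7 @@ require sudo.inc
 SRC_URI = "https://www.sudo.ws/dist/sudo-${PV}.tar.gz \
 ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
 file://0001-sudo.conf.in-fix-conflict-with-multilib.patch \
+file://CVE-2021-23239.patch \
 "
 
 PAM_SRC_URI = "file://sudo.pam"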