From cb502e4d643503b6a7f61638e1c6fce5cc11d023 Mon Sep 17 00:00:00 2001
From: Anuj Mittal
Date: Mon, 1 Feb 2021 11:21:38 +0800
Subject: sudo: fix CVE-2021-23239
(From OE-Core rev: ed8e858fc3ca0c5a401f08408a793f8c864ff645)
Signed-off-by: Anuj Mittal
Signed-off-by: Richard Purdie
---
 .../sudo/files/CVE-2021-23239.patch | 62 ++++++++++++++++++++++
 meta/recipes-extended/sudo/sudo_1.9.3.bb | 1 +
 2 files changed, 63 insertions(+)
 create mode 100644 meta/recipes-extended/sudo/files/CVE-2021-23239.patch
diff --git a/meta/recipes-extended/sudo/files/CVE-2021-23239.patch b/meta/recipes-extended/sudo/files/CVE-2021-23239.patch
new file mode 100644
index 0000000000..e16baecd5a
--- /dev/null
+++ b/meta/recipes-extended/sudo/files/CVE-2021-23239.patch
@@ -0,0 +1,62 @@
+
+# HG changeset patch
+# User Todd C. Miller
+# Date 1609953360 25200
+# Node ID ea19d0073c02951bbbf35342dd63304da83edce8
+# Parent f1ca39a0d87089d005b78a2556e2b1a2dc17f672
+Fix potential directory existing info leak in sudoedit.
+When creating a new file, sudoedit checks to make sure the parent
+directory exists so it can provide the user with a sensible error
+message. However, this could be used to test for the existence of
+directories not normally accessible to the user by pointing to them
+with a symbolic link when the parent directory is controlled by the
+user. Problem reported by Matthias Gerstner of SUSE.
+
+Upstream-Status: Backport [https://www.sudo.ws/repos/sudo/rev/ea19d0073c02]
+CVE: CVE-2021-23239
+Signed-off-by: Anuj Mittal
+
+diff -r f1ca39a0d870 -r ea19d0073c02 src/sudo_edit.c
+--- a/src/sudo_edit.c Wed Jan 06 10:16:00 2021 -0700
++++ b/src/sudo_edit.c Wed Jan 06 10:16:00 2021 -0700
+@@ -541,14 +541,33 @@
+ S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH, command_details);
+ if (ofd != -1 || errno == ENOENT) {
+ if (ofd == -1) {
+- /* New file, verify parent dir exists unless in cwd. */
++ /*
++ * New file, verify parent dir exists unless in cwd.
++ * This fails early so the user knows ahead of time if the
++ * edit won't succeed. Additional checks are performed
++ * when copying the temporary file back to the origin.
++ */
+ char *slash = strrchr(files[i], '/');
+ if (slash != NULL && slash != files[i]) {
+- int serrno = errno;
++ const int sflags = command_details->flags;
++ const int serrno = errno;
++ int dfd;
++
++ /*
++ * The parent directory is allowed to be a symbolic
++ * link as long as *its* parent is not writable.
++ */
+ *slash = '\0';
+- if (stat(files[i], &sb) == 0 && S_ISDIR(sb.st_mode)) {
+- memset(&sb, 0, sizeof(sb));
+- rc = 0;
++ SET(command_details->flags, CD_SUDOEDIT_FOLLOW);
++ dfd = sudo_edit_open(files[i], DIR_OPEN_FLAGS,
++ S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH, command_details);
++ command_details->flags = sflags;
++ if (dfd != -1) {
++ if (fstat(dfd, &sb) == 0 && S_ISDIR(sb.st_mode)) {
++ memset(&sb, 0, sizeof(sb));
++ rc = 0;
++ }
++ close(dfd);
+ }
+ *slash = '/';
+ errno = serrno;
+
+
diff --git a/meta/recipes-extended/sudo/sudo_1.9.3.bb b/meta/recipes-extended/sudo/sudo_1.9.3.bb
index 0d0be9ab8b..132d9a8cb9 100644
--- a/meta/recipes-extended/sudo/sudo_1.9.3.bb
+++ b/meta/recipes-extended/sudo/sudo_1.9.3.bb
@@ -3,6 +3,7 @@ require sudo.inc
 SRC_URI = "https://www.sudo.ws/dist/sudo-${PV}.tar.gz \
 ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
 file://0001-sudo.conf.in-fix-conflict-with-multilib.patch \
+ file://CVE-2021-23239.patch \
 "
 PAM_SRC_URI = "file://sudo.pam"
--
cgit v1.2.3-54-g00ecf
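Review bot: The new comment in the backported `src/sudo_edit.c` hunk promises that a symlinked parent is accepted only when *its* parent is not writable, but the probe added after `*slash = '\0';` only sets `CD_SUDOEDIT_FOLLOW` and calls `sudo_edit_open()`, so the whole guarantee rests on that helper, whose body is outside this hunk. If the helper applies its writable-directory check only when the `sudoedit_checkdir` setting is enabled (worth confirming in the 1.9.3 tree this patch is applied to), the fix gives less protection with that setting off, and the comment should say where the check lives, e.g. `/* Writability of the link's parent is enforced inside sudo_edit_open(); see sudoedit_checkdir. */`. The backport should also confirm that `DIR_OPEN_FLAGS` is defined in this version's `src/sudo_edit.c`, since the hunk uses it without defining it. The enclosing function starts and ends outside the hunk.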