# HG changeset patch # User Todd C. Miller # Date 1609953360 25200 # Node ID ea19d0073c02951bbbf35342dd63304da83edce8 # Parent f1ca39a0d87089d005b78a2556e2b1a2dc17f672 Fix potential directory existing info leak in sudoedit. When creating a new file, sudoedit checks to make sure the parent directory exists so it can provide the user with a sensible error message. However, this could be used to test for the existence of directories not normally accessible to the user by pointing to them with a symbolic link when the parent directory is controlled by the user. Problem reported by Matthias Gerstner of SUSE. Upstream-Status: Backport [https://www.sudo.ws/repos/sudo/rev/ea19d0073c02] CVE: CVE-2021-23239 Signed-off-by: Anuj Mittal diff -r f1ca39a0d870 -r ea19d0073c02 src/sudo_edit.c --- a/src/sudo_edit.c Wed Jan 06 10:16:00 2021 -0700 +++ b/src/sudo_edit.c Wed Jan 06 10:16:00 2021 -0700 @@ -541,14 +541,33 @@ S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH, command_details); if (ofd != -1 || errno == ENOENT) { if (ofd == -1) { - /* New file, verify parent dir exists unless in cwd. */ + /* + * New file, verify parent dir exists unless in cwd. + * This fails early so the user knows ahead of time if the + * edit won't succeed. Additional checks are performed + * when copying the temporary file back to the origin. + */ char *slash = strrchr(files[i], '/'); if (slash != NULL && slash != files[i]) { - int serrno = errno; + const int sflags = command_details->flags; + const int serrno = errno; + int dfd; + + /* + * The parent directory is allowed to be a symbolic + * link as long as *its* parent is not writable. + */ *slash = '\0'; - if (stat(files[i], &sb) == 0 && S_ISDIR(sb.st_mode)) { - memset(&sb, 0, sizeof(sb)); - rc = 0; + SET(command_details->flags, CD_SUDOEDIT_FOLLOW); + dfd = sudo_edit_open(files[i], DIR_OPEN_FLAGS, + S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH, command_details); + command_details->flags = sflags; + if (dfd != -1) { + if (fstat(dfd, &sb) == 0 && S_ISDIR(sb.st_mode)) { + memset(&sb, 0, sizeof(sb)); + rc = 0; + } + close(dfd); } *slash = '/'; errno = serrno;