Rebase sudo to 1.9.17p2
- Resolves: RHEL-122752
This commit is contained in:
Alejandro López
parent
80b52f3ac3
commit
02e5985e44
1
.gitignore
vendored
1
.gitignore
vendored
@ -34,3 +34,4 @@
|
||||
/sudo-1.9.14p3.tar.gz
|
||||
/sudo-1.9.15p4.tar.gz
|
||||
/sudo-1.9.15p5.tar.gz
|
||||
/sudo-1.9.17p2.tar.gz
|
||||
|
||||
@ -1,7 +1,8 @@
|
||||
diff -up ./plugins/sudoers/auth/pam.c.fix ./plugins/sudoers/auth/pam.c
|
||||
--- ./plugins/sudoers/auth/pam.c.fix 2024-08-19 06:34:03.914643249 +0200
|
||||
+++ ./plugins/sudoers/auth/pam.c 2024-08-19 06:48:46.136167294 +0200
|
||||
@@ -454,11 +454,6 @@ sudo_pam_begin_session(const struct sudo
|
||||
diff --git a/plugins/sudoers/auth/pam.c b/plugins/sudoers/auth/pam.c
|
||||
index 973d67b..88d6a52 100644
|
||||
--- a/plugins/sudoers/auth/pam.c
|
||||
+++ b/plugins/sudoers/auth/pam.c
|
||||
@@ -465,11 +465,6 @@ sudo_pam_begin_session(const struct sudoers_context *ctx, struct passwd *pw,
|
||||
if (pw == NULL) {
|
||||
if (pamh != NULL) {
|
||||
rc = pam_end(pamh, PAM_SUCCESS | PAM_DATA_SILENT);
|
||||
@ -13,7 +14,7 @@ diff -up ./plugins/sudoers/auth/pam.c.fix ./plugins/sudoers/auth/pam.c
|
||||
pamh = NULL;
|
||||
}
|
||||
goto done;
|
||||
@@ -517,11 +512,6 @@ sudo_pam_begin_session(const struct sudo
|
||||
@@ -528,11 +523,6 @@ sudo_pam_begin_session(const struct sudoers_context *ctx, struct passwd *pw,
|
||||
errstr = sudo_pam_strerror(pamh, rc);
|
||||
log_warningx(ctx, 0, N_("%s: %s"), "pam_open_session", errstr);
|
||||
rc = pam_end(pamh, *pam_status | PAM_DATA_SILENT);
|
||||
@ -25,7 +26,7 @@ diff -up ./plugins/sudoers/auth/pam.c.fix ./plugins/sudoers/auth/pam.c
|
||||
pamh = NULL;
|
||||
status = AUTH_ERROR;
|
||||
goto done;
|
||||
@@ -577,9 +567,6 @@ sudo_pam_end_session(sudo_auth *auth)
|
||||
@@ -588,9 +578,6 @@ sudo_pam_end_session(sudo_auth *auth)
|
||||
}
|
||||
rc = pam_end(pamh, PAM_SUCCESS | PAM_DATA_SILENT);
|
||||
if (rc != PAM_SUCCESS) {
|
||||
@ -1,6 +1,7 @@
|
||||
diff -up ./examples/sudo.conf.in.fix ./examples/sudo.conf.in
|
||||
--- ./examples/sudo.conf.in.fix 2024-08-20 16:32:04.223791138 +0200
|
||||
+++ ./examples/sudo.conf.in 2024-08-20 16:33:02.470003955 +0200
|
||||
diff --git a/examples/sudo.conf.in b/examples/sudo.conf.in
|
||||
index bdd676c..6c514b5 100644
|
||||
--- a/examples/sudo.conf.in
|
||||
+++ b/examples/sudo.conf.in
|
||||
@@ -11,9 +11,9 @@
|
||||
# The plugin_options are optional.
|
||||
#
|
||||
@ -1,109 +0,0 @@
|
||||
# Local Privilege Escalation via host option
|
||||
|
||||
Sudo's host (`-h` or `--host`) option is intended to be used in
|
||||
conjunction with the list option (`-l` or `--list`) to list a user's
|
||||
sudo privileges on a host other than the current one. However, due
|
||||
to a bug it was not restricted to listing privileges and could be
|
||||
used when running a command via `sudo` or editing a file with
|
||||
`sudoedit`. Depending on the rules present in the sudoers file
|
||||
this could allow a local privilege escalation attack.
|
||||
|
||||
## Sudo versions affected:
|
||||
|
||||
Sudo versions 1.8.8 to 1.9.17 inclusive are affected.
|
||||
|
||||
## CVE ID:
|
||||
|
||||
This vulnerability has been assigned
|
||||
[CVE-2025-32462](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32462)
|
||||
in the [Common Vulnerabilities and Exposures](https://cve.mitre.org/) database.
|
||||
|
||||
## Details:
|
||||
|
||||
The intent of sudo's `-h` (`--host`) option is to make it possible
|
||||
to list a user's sudo privileges for a host other than the current
|
||||
one. It was only intended be used with in conjunction with the
|
||||
`-l` (`--list`) option.
|
||||
|
||||
The bug effectively makes the hostname portion of a sudoers rule
|
||||
irrelevant since the user can set the host to be used when evaluating
|
||||
the rules themselves. A user must still be listed in the sudoers
|
||||
file, but they do not needed to have an entry for the current host.
|
||||
|
||||
For example, given the sudoers rule:
|
||||
|
||||
``` plain
|
||||
alice cerebus = ALL
|
||||
```
|
||||
|
||||
user __alice__ would be able to run `sudo -h cerebus id` on any host,
|
||||
not just _cerebus_. For example:
|
||||
|
||||
``` plain
|
||||
alice@hades$ sudo -l
|
||||
Sorry, user alice may not run sudo on hades.
|
||||
|
||||
alice@hades$ sudo -l -h cerebus
|
||||
User alice may run the following commands on cerebus:
|
||||
(root) ALL
|
||||
|
||||
alice@hades$ sudo -h cerebus id
|
||||
uid=0(root) gid=0(root) groups=0(root)
|
||||
```
|
||||
|
||||
## Impact:
|
||||
|
||||
Sudoers files that include rules where the host field is not the
|
||||
current host or _ALL_ are affected. This primarily affects sites
|
||||
that use a common sudoers file that is distributed to multiple
|
||||
machines. Sites that use LDAP-based sudoers (including SSSD) are
|
||||
similarly impacted.
|
||||
|
||||
For example, a sudoers rule such as:
|
||||
|
||||
``` plain
|
||||
bob ALL = ALL
|
||||
```
|
||||
|
||||
is not affected since the host _ALL_ already matches any hosts,
|
||||
but a rule like:
|
||||
|
||||
``` plain
|
||||
alice cerebus = ALL
|
||||
```
|
||||
|
||||
could allow user __alice__ to run any command even if the current
|
||||
host is not _cerebus_.
|
||||
|
||||
## Fix:
|
||||
|
||||
The bug is fixed in sudo 1.9.17p1.
|
||||
|
||||
## Credit:
|
||||
|
||||
Thanks to Rich Mirch from Stratascale Cyber Research Unit (CRU) for
|
||||
reporting and analyzing the bug.
|
||||
|
||||
diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c
|
||||
index 70a0c1a52..ad2fa2f61 100644
|
||||
--- a/plugins/sudoers/sudoers.c
|
||||
+++ b/plugins/sudoers/sudoers.c
|
||||
@@ -350,6 +350,18 @@ sudoers_check_common(struct sudoers_context *ctx, int pwflag)
|
||||
time_t now;
|
||||
debug_decl(sudoers_check_common, SUDOERS_DEBUG_PLUGIN);
|
||||
|
||||
+ /* The user may only specify a host for "sudo -l". */
|
||||
+ if (!ISSET(ctx->mode, MODE_LIST|MODE_CHECK)) {
|
||||
+ if (strcmp(ctx->runas.host, ctx->user.host) != 0) {
|
||||
+ log_warningx(ctx, SLOG_NO_STDERR|SLOG_AUDIT,
|
||||
+ N_("user not allowed to set remote host for command"));
|
||||
+ sudo_warnx("%s",
|
||||
+ U_("a remote host may only be specified when listing privileges."));
|
||||
+ ret = false;
|
||||
+ goto done;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
/* If given the -P option, set the "preserve_groups" flag. */
|
||||
if (ISSET(ctx->mode, MODE_PRESERVE_GROUPS))
|
||||
def_preserve_groups = true;
|
||||
3207
cve-2025-32463.patch
3207
cve-2025-32463.patch
File diff suppressed because it is too large
Load Diff
2
sources
2
sources
@ -1 +1 @@
|
||||
SHA512 (sudo-1.9.15p5.tar.gz) = ebac69719de2fe7bd587924701bdd24149bf376a68b17ec02f69b2b96d4bb6fa5eb8260a073ec5ea046d3ac69bb5b1c0b9d61709fe6a56f1f66e40817a70b15a
|
||||
SHA512 (sudo-1.9.17p2.tar.gz) = c8abd6ca56e54a081c9ef1e9f6579d1db5b93ff857e60d1f58d1f425d7dc23c31c58d40b7819780688f66dfdf87a1f3bbe0a78387b007e2beb1b0e546203ea93
|
||||
|
||||
14
sudo.spec
14
sudo.spec
@ -1,12 +1,12 @@
|
||||
# comment out if no extra version
|
||||
%global extraver p5
|
||||
%global extraver p2
|
||||
|
||||
Summary: Allows restricted root access for specified users
|
||||
Name: sudo
|
||||
Version: 1.9.15
|
||||
# remove -b 3 after rebase !!!
|
||||
Version: 1.9.17
|
||||
# Remove "-b 3" after a rebase !!!
|
||||
# use "-p -e % {?extraver}" when beta
|
||||
# use "-e % {?extraver}"" when patch version
|
||||
# use "-e % {?extraver}" when patch version
|
||||
# use nothing special when normal version
|
||||
Release: %autorelease -e %{?extraver}
|
||||
License: ISC
|
||||
@ -32,10 +32,8 @@ BuildRequires: gettext
|
||||
BuildRequires: zlib-devel
|
||||
|
||||
|
||||
Patch1: coverity.patch
|
||||
Patch2: sudo-conf.patch
|
||||
Patch3: cve-2025-32462.patch
|
||||
Patch4: cve-2025-32463.patch
|
||||
Patch1: 0001-coverity.patch
|
||||
Patch2: 0002-sudo-conf.patch
|
||||
|
||||
%description
|
||||
Sudo (superuser do) allows a system administrator to give certain
|
||||
|
||||
Loading…
Reference in New Issue
Block a user