RHEL 8.10.0.Z ERRATUM
- CVE-2026-35535 - Privilege escalation due to failure in privilege drop calls Resolves: RHEL-166060 Fixes an incomplete patch.
This commit is contained in:
Alejandro López
parent
8a9e65f3e5
commit
252e7306a4
58
sudo-1.9.17-CVE-2026-35535-1.patch
Normal file
58
sudo-1.9.17-CVE-2026-35535-1.patch
Normal file
@ -0,0 +1,58 @@
|
||||
From fc252b5dd06cb0159fd31309bcffef410c724688 Mon Sep 17 00:00:00 2001
|
||||
From: "Todd C. Miller" <Todd.Miller@sudo.ws>
|
||||
Date: Fri, 29 Jan 2021 05:42:34 -0700
|
||||
Subject: [PATCH] Fix NO_ROOT_MAILER, broken by the eventlog refactor in sudo
|
||||
1.9.4. init_eventlog_config() is called immediately after initializing the
|
||||
Defaults settings, which is before struct sudo_user is setup. This adds a
|
||||
call to eventlog_set_mailuid() if NO_ROOT_MAILER is defined after the
|
||||
invoking user is determined. Reported by Roman Fiedler.
|
||||
|
||||
(cherry picked from commit e5ad88488d57dd30a7f08f46b395bccfd3957293)
|
||||
---
|
||||
plugins/sudoers/logging.c | 7 +------
|
||||
plugins/sudoers/policy.c | 4 ++++
|
||||
2 files changed, 5 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/plugins/sudoers/logging.c b/plugins/sudoers/logging.c
|
||||
index 776f881e5..06efbf576 100644
|
||||
--- a/plugins/sudoers/logging.c
|
||||
+++ b/plugins/sudoers/logging.c
|
||||
@@ -786,11 +786,6 @@ void
|
||||
init_eventlog_config(void)
|
||||
{
|
||||
int logtype = 0;
|
||||
-#ifdef NO_ROOT_MAILER
|
||||
- uid_t mailuid = user_uid;
|
||||
-#else
|
||||
- uid_t mailuid = ROOT_UID;
|
||||
-#endif
|
||||
debug_decl(init_eventlog_config, SUDOERS_DEBUG_LOGGING);
|
||||
|
||||
if (def_syslog)
|
||||
@@ -805,7 +800,7 @@ init_eventlog_config(void)
|
||||
eventlog_set_syslog_alertpri(def_syslog_badpri);
|
||||
eventlog_set_syslog_maxlen(def_syslog_maxlen);
|
||||
eventlog_set_file_maxlen(def_loglinelen);
|
||||
- eventlog_set_mailuid(mailuid);
|
||||
+ eventlog_set_mailuid(ROOT_UID);
|
||||
eventlog_set_omit_hostname(!def_log_host);
|
||||
eventlog_set_logpath(def_logfile);
|
||||
eventlog_set_time_fmt(def_log_year ? "%h %e %T %Y" : "%h %e %T");
|
||||
diff --git a/plugins/sudoers/policy.c b/plugins/sudoers/policy.c
|
||||
index d675d2fd4..074c3f0e8 100644
|
||||
--- a/plugins/sudoers/policy.c
|
||||
+++ b/plugins/sudoers/policy.c
|
||||
@@ -518,6 +518,10 @@ sudoers_policy_deserialize_info(void *v)
|
||||
/* Some systems support fexecve() which we use for digest matches. */
|
||||
cmnd_fd = -1;
|
||||
|
||||
+#ifdef NO_ROOT_MAILER
|
||||
+ eventlog_set_mailuid(user_uid);
|
||||
+#endif
|
||||
+
|
||||
/* Dump settings and user info (XXX - plugin args) */
|
||||
for (cur = info->settings; *cur != NULL; cur++)
|
||||
sudo_debug_printf(SUDO_DEBUG_INFO, "settings: %s", *cur);
|
||||
--
|
||||
2.53.0
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
From 3e474c2f201484be83d994ae10a4e20e8c81bb69 Mon Sep 17 00:00:00 2001
|
||||
From 67448bdde671f298ad472e6af6ad4a380f9e3395 Mon Sep 17 00:00:00 2001
|
||||
From: "Todd C. Miller" <Todd.Miller@sudo.ws>
|
||||
Date: Sat, 8 Nov 2025 15:34:02 -0700
|
||||
Subject: [PATCH] exec_mailer: Set group as well as uid when running the mailer
|
||||
@ -7,12 +7,17 @@ Also make a setuid(), setgid() or setgroups() failure fatal.
|
||||
|
||||
Found by the ZeroPath AI Security Engineer <https://zeropath.com>
|
||||
|
||||
Backported to RHEL 8.10 by Alejandro López <allopez@redhat.com> with some
|
||||
help of Claude Code.
|
||||
(cherry picked from commit 3e474c2f201484be83d994ae10a4e20e8c81bb69)
|
||||
---
|
||||
include/sudo_eventlog.h | 3 ++-
|
||||
lib/eventlog/eventlog.c | 21 +++++++++++++++++----
|
||||
lib/eventlog/eventlog_conf.c | 4 +++-
|
||||
plugins/sudoers/logging.c | 2 +-
|
||||
plugins/sudoers/policy.c | 2 +-
|
||||
5 files changed, 24 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/include/sudo_eventlog.h b/include/sudo_eventlog.h
|
||||
index 07ef9dc..cdf27f0 100644
|
||||
index 07ef9dcbe..cdf27f0e8 100644
|
||||
--- a/include/sudo_eventlog.h
|
||||
+++ b/include/sudo_eventlog.h
|
||||
@@ -78,6 +78,7 @@ struct eventlog_config {
|
||||
@ -33,7 +38,7 @@ index 07ef9dc..cdf27f0 100644
|
||||
void eventlog_set_logpath(const char *path);
|
||||
void eventlog_set_time_fmt(const char *fmt);
|
||||
diff --git a/lib/eventlog/eventlog.c b/lib/eventlog/eventlog.c
|
||||
index ca8ca96..1ae1176 100644
|
||||
index 0febe66c1..7d042a0ab 100644
|
||||
--- a/lib/eventlog/eventlog.c
|
||||
+++ b/lib/eventlog/eventlog.c
|
||||
@@ -280,15 +280,13 @@ exec_mailer(int pipein)
|
||||
@ -44,7 +49,7 @@ index ca8ca96..1ae1176 100644
|
||||
- _exit(127);
|
||||
+ goto bad;
|
||||
}
|
||||
|
||||
|
||||
/* Build up an argv based on the mailer path and flags */
|
||||
if ((mflags = strdup(evl_conf->mailerflags)) == NULL) {
|
||||
syslog(LOG_ERR, _("unable to allocate memory")); // -V618
|
||||
@ -54,7 +59,7 @@ index ca8ca96..1ae1176 100644
|
||||
}
|
||||
if ((argv[0] = strrchr(mpath, '/')))
|
||||
argv[0]++;
|
||||
@@ -310,11 +308,23 @@ exec_mailer(int pipein)
|
||||
@@ -310,11 +309,23 @@ exec_mailer(int pipein)
|
||||
if (setuid(ROOT_UID) != 0) {
|
||||
sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to change uid to %u",
|
||||
ROOT_UID);
|
||||
@ -78,7 +83,7 @@ index ca8ca96..1ae1176 100644
|
||||
}
|
||||
}
|
||||
sudo_debug_exit(__func__, __FILE__, __LINE__, sudo_debug_subsys);
|
||||
@@ -326,6 +336,9 @@ exec_mailer(int pipein)
|
||||
@@ -326,6 +335,9 @@ exec_mailer(int pipein)
|
||||
sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to execute %s: %s",
|
||||
mpath, strerror(errno));
|
||||
_exit(127);
|
||||
@ -86,10 +91,10 @@ index ca8ca96..1ae1176 100644
|
||||
+ sudo_debug_exit(__func__, __FILE__, __LINE__, sudo_debug_subsys);
|
||||
+ _exit(127);
|
||||
}
|
||||
|
||||
|
||||
/* Send a message to the mailto user */
|
||||
diff --git a/lib/eventlog/eventlog_conf.c b/lib/eventlog/eventlog_conf.c
|
||||
index 8ad0385..1c1d0a6 100644
|
||||
index 8ad03851f..1c1d0a690 100644
|
||||
--- a/lib/eventlog/eventlog_conf.c
|
||||
+++ b/lib/eventlog/eventlog_conf.c
|
||||
@@ -70,6 +70,7 @@ static struct eventlog_config evl_conf = {
|
||||
@ -102,7 +107,7 @@ index 8ad0385..1c1d0a6 100644
|
||||
"%h %e %T", /* time_fmt */
|
||||
@@ -151,9 +152,10 @@ eventlog_set_file_maxlen(int len)
|
||||
}
|
||||
|
||||
|
||||
void
|
||||
-eventlog_set_mailuid(uid_t uid)
|
||||
+eventlog_set_mailuser(uid_t uid, gid_t gid)
|
||||
@ -110,32 +115,34 @@ index 8ad0385..1c1d0a6 100644
|
||||
evl_conf.mailuid = uid;
|
||||
+ evl_conf.mailgid = gid;
|
||||
}
|
||||
|
||||
|
||||
void
|
||||
diff --git a/plugins/sudoers/logging.c b/plugins/sudoers/logging.c
|
||||
index 776f881..6046783 100644
|
||||
index 06efbf576..da03f3d96 100644
|
||||
--- a/plugins/sudoers/logging.c
|
||||
+++ b/plugins/sudoers/logging.c
|
||||
@@ -788,8 +788,10 @@ init_eventlog_config(void)
|
||||
int logtype = 0;
|
||||
#ifdef NO_ROOT_MAILER
|
||||
uid_t mailuid = user_uid;
|
||||
+ gid_t mailgid = user_gid;
|
||||
#else
|
||||
uid_t mailuid = ROOT_UID;
|
||||
+ gid_t mailgid = ROOT_GID;
|
||||
#endif
|
||||
debug_decl(init_eventlog_config, SUDOERS_DEBUG_LOGGING);
|
||||
|
||||
@@ -805,7 +807,7 @@ init_eventlog_config(void)
|
||||
@@ -800,7 +800,7 @@ init_eventlog_config(void)
|
||||
eventlog_set_syslog_alertpri(def_syslog_badpri);
|
||||
eventlog_set_syslog_maxlen(def_syslog_maxlen);
|
||||
eventlog_set_file_maxlen(def_loglinelen);
|
||||
- eventlog_set_mailuid(mailuid);
|
||||
+ eventlog_set_mailuser(mailuid, mailgid);
|
||||
- eventlog_set_mailuid(ROOT_UID);
|
||||
+ eventlog_set_mailuser(ROOT_UID, ROOT_GID);
|
||||
eventlog_set_omit_hostname(!def_log_host);
|
||||
eventlog_set_logpath(def_logfile);
|
||||
eventlog_set_time_fmt(def_log_year ? "%h %e %T %Y" : "%h %e %T");
|
||||
--
|
||||
diff --git a/plugins/sudoers/policy.c b/plugins/sudoers/policy.c
|
||||
index 074c3f0e8..cb4c9bbdf 100644
|
||||
--- a/plugins/sudoers/policy.c
|
||||
+++ b/plugins/sudoers/policy.c
|
||||
@@ -519,7 +519,7 @@ sudoers_policy_deserialize_info(void *v)
|
||||
cmnd_fd = -1;
|
||||
|
||||
#ifdef NO_ROOT_MAILER
|
||||
- eventlog_set_mailuid(user_uid);
|
||||
+ eventlog_set_mailuser(user_uid, user_gid);
|
||||
#endif
|
||||
|
||||
/* Dump settings and user info (XXX - plugin args) */
|
||||
--
|
||||
2.53.0
|
||||
|
||||
11
sudo.spec
11
sudo.spec
@ -1,7 +1,7 @@
|
||||
Summary: Allows restricted root access for specified users
|
||||
Name: sudo
|
||||
Version: 1.9.5p2
|
||||
Release: 1%{?dist}.4
|
||||
Release: 1%{?dist}.5
|
||||
License: ISC
|
||||
Group: Applications/System
|
||||
URL: https://www.sudo.ws/
|
||||
@ -59,7 +59,8 @@ Patch22: sudo-separator.patch
|
||||
|
||||
Patch23: rebuild_env-Avoid-setting-SHELL-twice-for-sudo-i.patch
|
||||
|
||||
Patch24: sudo-1.9.17-CVE-2026-35535.patch
|
||||
Patch24: sudo-1.9.17-CVE-2026-35535-1.patch
|
||||
Patch25: sudo-1.9.17-CVE-2026-35535-2.patch
|
||||
|
||||
%description
|
||||
Sudo (superuser do) allows a system administrator to give certain
|
||||
@ -108,7 +109,9 @@ plugins that use %{name}.
|
||||
%patch -P 21 -p1 -b .cmnd_no_wait
|
||||
%patch -P 22 -p1 -b .separator
|
||||
%patch -P 23 -p1 -b .double-shell
|
||||
%patch -P 24 -p1 -b .cve-2026-35535
|
||||
%patch -P 24 -p1 -b .cve-2026-35535-1
|
||||
%patch -P 25 -p1 -b .cve-2026-35535-2
|
||||
|
||||
|
||||
%build
|
||||
# Remove bundled copy of zlib
|
||||
@ -284,7 +287,7 @@ rm -rf $RPM_BUILD_ROOT
|
||||
%{_mandir}/man8/sudo_plugin.8*
|
||||
|
||||
%changelog
|
||||
* Thu Apr 16 2026 Alejandro López <allopez@redhat.com> - 1.9.5p2-1.4
|
||||
* Thu Apr 24 2026 Alejandro López <allopez@redhat.com> - 1.9.5p2-1.5
|
||||
RHEL 8.10.0.Z ERRATUM
|
||||
- CVE-2026-35535 - Privilege escalation due to failure in privilege drop calls
|
||||
Resolves: RHEL-166060
|
||||
|
||||
Loading…
Reference in New Issue
Block a user