diff --git a/sudo-1.9.17-CVE-2026-35535-1.patch b/sudo-1.9.17-CVE-2026-35535-1.patch new file mode 100644 index 0000000..cd83f2a --- /dev/null +++ b/sudo-1.9.17-CVE-2026-35535-1.patch @@ -0,0 +1,58 @@ +From fc252b5dd06cb0159fd31309bcffef410c724688 Mon Sep 17 00:00:00 2001 +From: "Todd C. Miller" +Date: Fri, 29 Jan 2021 05:42:34 -0700 +Subject: [PATCH] Fix NO_ROOT_MAILER, broken by the eventlog refactor in sudo + 1.9.4. init_eventlog_config() is called immediately after initializing the + Defaults settings, which is before struct sudo_user is setup. This adds a + call to eventlog_set_mailuid() if NO_ROOT_MAILER is defined after the + invoking user is determined. Reported by Roman Fiedler. + + (cherry picked from commit e5ad88488d57dd30a7f08f46b395bccfd3957293) +--- + plugins/sudoers/logging.c | 7 +------ + plugins/sudoers/policy.c | 4 ++++ + 2 files changed, 5 insertions(+), 6 deletions(-) + +diff --git a/plugins/sudoers/logging.c b/plugins/sudoers/logging.c +index 776f881e5..06efbf576 100644 +--- a/plugins/sudoers/logging.c ++++ b/plugins/sudoers/logging.c +@@ -786,11 +786,6 @@ void + init_eventlog_config(void) + { + int logtype = 0; +-#ifdef NO_ROOT_MAILER +- uid_t mailuid = user_uid; +-#else +- uid_t mailuid = ROOT_UID; +-#endif + debug_decl(init_eventlog_config, SUDOERS_DEBUG_LOGGING); + + if (def_syslog) +@@ -805,7 +800,7 @@ init_eventlog_config(void) + eventlog_set_syslog_alertpri(def_syslog_badpri); + eventlog_set_syslog_maxlen(def_syslog_maxlen); + eventlog_set_file_maxlen(def_loglinelen); +- eventlog_set_mailuid(mailuid); ++ eventlog_set_mailuid(ROOT_UID); + eventlog_set_omit_hostname(!def_log_host); + eventlog_set_logpath(def_logfile); + eventlog_set_time_fmt(def_log_year ? "%h %e %T %Y" : "%h %e %T"); +diff --git a/plugins/sudoers/policy.c b/plugins/sudoers/policy.c +index d675d2fd4..074c3f0e8 100644 +--- a/plugins/sudoers/policy.c ++++ b/plugins/sudoers/policy.c +@@ -518,6 +518,10 @@ sudoers_policy_deserialize_info(void *v) + /* Some systems support fexecve() which we use for digest matches. */ + cmnd_fd = -1; + ++#ifdef NO_ROOT_MAILER ++ eventlog_set_mailuid(user_uid); ++#endif ++ + /* Dump settings and user info (XXX - plugin args) */ + for (cur = info->settings; *cur != NULL; cur++) + sudo_debug_printf(SUDO_DEBUG_INFO, "settings: %s", *cur); +-- +2.53.0 + diff --git a/sudo-1.9.17-CVE-2026-35535.patch b/sudo-1.9.17-CVE-2026-35535-2.patch similarity index 77% rename from sudo-1.9.17-CVE-2026-35535.patch rename to sudo-1.9.17-CVE-2026-35535-2.patch index 38e0d64..1b05625 100644 --- a/sudo-1.9.17-CVE-2026-35535.patch +++ b/sudo-1.9.17-CVE-2026-35535-2.patch @@ -1,4 +1,4 @@ -From 3e474c2f201484be83d994ae10a4e20e8c81bb69 Mon Sep 17 00:00:00 2001 +From 67448bdde671f298ad472e6af6ad4a380f9e3395 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Sat, 8 Nov 2025 15:34:02 -0700 Subject: [PATCH] exec_mailer: Set group as well as uid when running the mailer @@ -7,12 +7,17 @@ Also make a setuid(), setgid() or setgroups() failure fatal. Found by the ZeroPath AI Security Engineer -Backported to RHEL 8.10 by Alejandro López with some -help of Claude Code. +(cherry picked from commit 3e474c2f201484be83d994ae10a4e20e8c81bb69) --- + include/sudo_eventlog.h | 3 ++- + lib/eventlog/eventlog.c | 21 +++++++++++++++++---- + lib/eventlog/eventlog_conf.c | 4 +++- + plugins/sudoers/logging.c | 2 +- + plugins/sudoers/policy.c | 2 +- + 5 files changed, 24 insertions(+), 8 deletions(-) diff --git a/include/sudo_eventlog.h b/include/sudo_eventlog.h -index 07ef9dc..cdf27f0 100644 +index 07ef9dcbe..cdf27f0e8 100644 --- a/include/sudo_eventlog.h +++ b/include/sudo_eventlog.h @@ -78,6 +78,7 @@ struct eventlog_config { @@ -33,7 +38,7 @@ index 07ef9dc..cdf27f0 100644 void eventlog_set_logpath(const char *path); void eventlog_set_time_fmt(const char *fmt); diff --git a/lib/eventlog/eventlog.c b/lib/eventlog/eventlog.c -index ca8ca96..1ae1176 100644 +index 0febe66c1..7d042a0ab 100644 --- a/lib/eventlog/eventlog.c +++ b/lib/eventlog/eventlog.c @@ -280,15 +280,13 @@ exec_mailer(int pipein) @@ -44,7 +49,7 @@ index ca8ca96..1ae1176 100644 - _exit(127); + goto bad; } - + /* Build up an argv based on the mailer path and flags */ if ((mflags = strdup(evl_conf->mailerflags)) == NULL) { syslog(LOG_ERR, _("unable to allocate memory")); // -V618 @@ -54,7 +59,7 @@ index ca8ca96..1ae1176 100644 } if ((argv[0] = strrchr(mpath, '/'))) argv[0]++; -@@ -310,11 +308,23 @@ exec_mailer(int pipein) +@@ -310,11 +309,23 @@ exec_mailer(int pipein) if (setuid(ROOT_UID) != 0) { sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to change uid to %u", ROOT_UID); @@ -78,7 +83,7 @@ index ca8ca96..1ae1176 100644 } } sudo_debug_exit(__func__, __FILE__, __LINE__, sudo_debug_subsys); -@@ -326,6 +336,9 @@ exec_mailer(int pipein) +@@ -326,6 +335,9 @@ exec_mailer(int pipein) sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to execute %s: %s", mpath, strerror(errno)); _exit(127); @@ -86,10 +91,10 @@ index ca8ca96..1ae1176 100644 + sudo_debug_exit(__func__, __FILE__, __LINE__, sudo_debug_subsys); + _exit(127); } - + /* Send a message to the mailto user */ diff --git a/lib/eventlog/eventlog_conf.c b/lib/eventlog/eventlog_conf.c -index 8ad0385..1c1d0a6 100644 +index 8ad03851f..1c1d0a690 100644 --- a/lib/eventlog/eventlog_conf.c +++ b/lib/eventlog/eventlog_conf.c @@ -70,6 +70,7 @@ static struct eventlog_config evl_conf = { @@ -102,7 +107,7 @@ index 8ad0385..1c1d0a6 100644 "%h %e %T", /* time_fmt */ @@ -151,9 +152,10 @@ eventlog_set_file_maxlen(int len) } - + void -eventlog_set_mailuid(uid_t uid) +eventlog_set_mailuser(uid_t uid, gid_t gid) @@ -110,32 +115,34 @@ index 8ad0385..1c1d0a6 100644 evl_conf.mailuid = uid; + evl_conf.mailgid = gid; } - + void diff --git a/plugins/sudoers/logging.c b/plugins/sudoers/logging.c -index 776f881..6046783 100644 +index 06efbf576..da03f3d96 100644 --- a/plugins/sudoers/logging.c +++ b/plugins/sudoers/logging.c -@@ -788,8 +788,10 @@ init_eventlog_config(void) - int logtype = 0; - #ifdef NO_ROOT_MAILER - uid_t mailuid = user_uid; -+ gid_t mailgid = user_gid; - #else - uid_t mailuid = ROOT_UID; -+ gid_t mailgid = ROOT_GID; - #endif - debug_decl(init_eventlog_config, SUDOERS_DEBUG_LOGGING); - -@@ -805,7 +807,7 @@ init_eventlog_config(void) +@@ -800,7 +800,7 @@ init_eventlog_config(void) eventlog_set_syslog_alertpri(def_syslog_badpri); eventlog_set_syslog_maxlen(def_syslog_maxlen); eventlog_set_file_maxlen(def_loglinelen); -- eventlog_set_mailuid(mailuid); -+ eventlog_set_mailuser(mailuid, mailgid); +- eventlog_set_mailuid(ROOT_UID); ++ eventlog_set_mailuser(ROOT_UID, ROOT_GID); eventlog_set_omit_hostname(!def_log_host); eventlog_set_logpath(def_logfile); eventlog_set_time_fmt(def_log_year ? "%h %e %T %Y" : "%h %e %T"); --- +diff --git a/plugins/sudoers/policy.c b/plugins/sudoers/policy.c +index 074c3f0e8..cb4c9bbdf 100644 +--- a/plugins/sudoers/policy.c ++++ b/plugins/sudoers/policy.c +@@ -519,7 +519,7 @@ sudoers_policy_deserialize_info(void *v) + cmnd_fd = -1; + + #ifdef NO_ROOT_MAILER +- eventlog_set_mailuid(user_uid); ++ eventlog_set_mailuser(user_uid, user_gid); + #endif + + /* Dump settings and user info (XXX - plugin args) */ +-- 2.53.0 diff --git a/sudo.spec b/sudo.spec index 6178eae..7644542 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,7 +1,7 @@ Summary: Allows restricted root access for specified users Name: sudo Version: 1.9.5p2 -Release: 1%{?dist}.4 +Release: 1%{?dist}.5 License: ISC Group: Applications/System URL: https://www.sudo.ws/ @@ -59,7 +59,8 @@ Patch22: sudo-separator.patch Patch23: rebuild_env-Avoid-setting-SHELL-twice-for-sudo-i.patch -Patch24: sudo-1.9.17-CVE-2026-35535.patch +Patch24: sudo-1.9.17-CVE-2026-35535-1.patch +Patch25: sudo-1.9.17-CVE-2026-35535-2.patch %description Sudo (superuser do) allows a system administrator to give certain @@ -108,7 +109,9 @@ plugins that use %{name}. %patch -P 21 -p1 -b .cmnd_no_wait %patch -P 22 -p1 -b .separator %patch -P 23 -p1 -b .double-shell -%patch -P 24 -p1 -b .cve-2026-35535 +%patch -P 24 -p1 -b .cve-2026-35535-1 +%patch -P 25 -p1 -b .cve-2026-35535-2 + %build # Remove bundled copy of zlib @@ -284,7 +287,7 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/sudo_plugin.8* %changelog -* Thu Apr 16 2026 Alejandro López - 1.9.5p2-1.4 +* Thu Apr 24 2026 Alejandro López - 1.9.5p2-1.5 RHEL 8.10.0.Z ERRATUM - CVE-2026-35535 - Privilege escalation due to failure in privilege drop calls Resolves: RHEL-166060