From 3bc44be4ca7524849af1c6a378440a13b0ed3118 Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Mon, 30 Jun 2025 21:42:35 +0000
Subject: [PATCH] import UBI sudo-1.9.5p2-10.el9_6.1
---
 SOURCES/sudo-1.9.17-CVE-2025-32462.patch | 22 ++++++++++++++++++++++
 SPECS/sudo.spec | 9 ++++++++-
 2 files changed, 30 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/sudo-1.9.17-CVE-2025-32462.patch
diff --git a/SOURCES/sudo-1.9.17-CVE-2025-32462.patch b/SOURCES/sudo-1.9.17-CVE-2025-32462.patch
new file mode 100644
index 0000000..42117c6
--- /dev/null
+++ b/SOURCES/sudo-1.9.17-CVE-2025-32462.patch
@@ -0,0 +1,22 @@
+diff -up ./plugins/sudoers/sudoers.c.cve-host ./plugins/sudoers/sudoers.c
+--- ./plugins/sudoers/sudoers.c.cve-host 2025-06-25 14:10:11.369219892 +0200
++++ ./plugins/sudoers/sudoers.c 2025-06-25 14:11:48.395137626 +0200
+@@ -393,6 +393,18 @@ sudoers_policy_main(int argc, char * con
+ }
+ }
++ /* The user may only specify a host for "sudo -l". */
++ if (!ISSET(sudo_mode, MODE_LIST|MODE_CHECK)) {
++ if (strcmp(user_runhost, user_host) != 0) {
++ log_warningx(SLOG_NO_STDERR|SLOG_AUDIT,
++ N_("user not allowed to set remote host for command"));
++ sudo_warnx("%s",
++ U_("a remote host may only be specified when listing privileges."));
++ ret = false;
++ goto done;
++ }
++ }
++
+ /* If given the -P option, set the "preserve_groups" flag. */
+ if (ISSET(sudo_mode, MODE_PRESERVE_GROUPS))
+ def_preserve_groups = true;
diff --git a/SPECS/sudo.spec b/SPECS/sudo.spec
index 857e95f..c3f0dea 100644
--- a/SPECS/sudo.spec
+++ b/SPECS/sudo.spec
@@ -1,7 +1,7 @@
 Summary: Allows restricted root access for specified users
 Name: sudo
 Version: 1.9.5p2
-Release: 10%{?dist}
+Release: 10%{?dist}.1
 License: ISC
 URL: https://www.sudo.ws
@@ -47,6 +47,7 @@ Patch17: sudo-1.9.13-CVE-2023-28486-7-9.patch
 Patch18: linker.patch
 Patch19: sudo-1.9.15-CVE-2023-42465.patch
+Patch20: sudo-1.9.17-CVE-2025-32462.patch
 %description
 Sudo (superuser do) allows a system administrator to give certain 
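Review bot: The new patch file SOURCES/sudo-1.9.17-CVE-2025-32462.patch carries no header naming the upstream change it was lifted from, so only the filename ties it to the fix; a free-text line before the first `diff -up` line, such as `Backport of the upstream sudo 1.9.17 fix for CVE-2025-32462 (a remote host via -h/--host is only accepted together with list/check mode); applied as Patch20 with -b .cve-host.`, would record provenance without affecting how the patch applies. Because the hunk comes from 1.9.17 sources but lands in a 1.9.5p2 tree, it is worth confirming that `MODE_CHECK` and `user_runhost` exist with the same meaning in this tree's sudoers.c, which is not visible here. As far as the hunk shows, the guard itself is sound: it runs before the -P handling, rejects the command path only when the resolved run host differs from the local host, and leaves list/check behaviour unchanged while auditing the refusal via SLOG_AUDIT. sudoers_policy_main starts and ends outside the hunk.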
@@ -100,6 +101,7 @@ BuildRequires: python3-devel
 %patch -P 18 -p1 -b .linker
 %patch -P 19 -p1 -b .rowhammer
+%patch -P 20 -p1 -b .cve-host
 %build
@@ -275,6 +277,11 @@ EOF
 %attr(0644,root,root) %{_libexecdir}/sudo/python_plugin.so
 %changelog
+* Wed Jun 25 2025 Radovan Sroka - 1.9.5p2-10.1
+RHEL 9.6.0.Z ERRATUM
+- CVE-2025-32462 sudo: LPE via host option
+Resolves: RHEL-100016
+
 * Mon Jan 22 2024 Radovan Sroka - 1.9.5p2-10
 RHEL 9.3.0.Z ERRATUM
 - CVE-2023-28487 sudo: Sudo does not escape control characters in sudoreplay output