import CS git sudo-1.9.5p2-1.el8_10.5

2026-04-29 04:41:28 -04:00 · 2026-04-29 04:41:28 -04:00 · 4cd0cb1991
commit 4cd0cb1991
parent cb134d45c4
3 changed files with 218 additions and 1 deletions
--- a/SOURCES/sudo-1.9.17-CVE-2026-35535-1.patch
+++ b/SOURCES/sudo-1.9.17-CVE-2026-35535-1.patch
@ -0,0 +1,58 @@
+From fc252b5dd06cb0159fd31309bcffef410c724688 Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller" <Todd.Miller@sudo.ws>
+Date: Fri, 29 Jan 2021 05:42:34 -0700
+Subject: [PATCH] Fix NO_ROOT_MAILER, broken by the eventlog refactor in sudo
+ 1.9.4. init_eventlog_config() is called immediately after initializing the
+ Defaults settings, which is before struct sudo_user is setup.  This adds a
+ call to eventlog_set_mailuid() if NO_ROOT_MAILER is defined after the
+ invoking user is determined.  Reported by Roman Fiedler.
+
+ (cherry picked from commit e5ad88488d57dd30a7f08f46b395bccfd3957293)
+---
+ plugins/sudoers/logging.c | 7 +------
+ plugins/sudoers/policy.c  | 4 ++++
+ 2 files changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/plugins/sudoers/logging.c b/plugins/sudoers/logging.c
+index 776f881e5..06efbf576 100644
+--- a/plugins/sudoers/logging.c
+++ b/plugins/sudoers/logging.c
+@@ -786,11 +786,6 @@ void
+ init_eventlog_config(void)
+ {
+     int logtype = 0;
+-#ifdef NO_ROOT_MAILER
+-    uid_t mailuid = user_uid;
+-#else
+-    uid_t mailuid = ROOT_UID;
+-#endif
+     debug_decl(init_eventlog_config, SUDOERS_DEBUG_LOGGING);
+ 
+     if (def_syslog)
+@@ -805,7 +800,7 @@ init_eventlog_config(void)
+     eventlog_set_syslog_alertpri(def_syslog_badpri);
+     eventlog_set_syslog_maxlen(def_syslog_maxlen);
+     eventlog_set_file_maxlen(def_loglinelen);
+-    eventlog_set_mailuid(mailuid);
+    eventlog_set_mailuid(ROOT_UID);
+     eventlog_set_omit_hostname(!def_log_host);
+     eventlog_set_logpath(def_logfile);
+     eventlog_set_time_fmt(def_log_year ? "%h %e %T %Y" : "%h %e %T");
+diff --git a/plugins/sudoers/policy.c b/plugins/sudoers/policy.c
+index d675d2fd4..074c3f0e8 100644
+--- a/plugins/sudoers/policy.c
+++ b/plugins/sudoers/policy.c
+@@ -518,6 +518,10 @@ sudoers_policy_deserialize_info(void *v)
+     /* Some systems support fexecve() which we use for digest matches. */
+     cmnd_fd = -1;
+ 
+#ifdef NO_ROOT_MAILER
+    eventlog_set_mailuid(user_uid);
+#endif
+
+     /* Dump settings and user info (XXX - plugin args) */
+     for (cur = info->settings; *cur != NULL; cur++)
+ 	sudo_debug_printf(SUDO_DEBUG_INFO, "settings: %s", *cur);
+-- 
+2.53.0
+
--- a/SOURCES/sudo-1.9.17-CVE-2026-35535-2.patch
+++ b/SOURCES/sudo-1.9.17-CVE-2026-35535-2.patch
@ -0,0 +1,148 @@
+From 67448bdde671f298ad472e6af6ad4a380f9e3395 Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller" <Todd.Miller@sudo.ws>
+Date: Sat, 8 Nov 2025 15:34:02 -0700
+Subject: [PATCH] exec_mailer: Set group as well as uid when running the mailer
+
+Also make a setuid(), setgid() or setgroups() failure fatal.
+
+Found by the ZeroPath AI Security Engineer <https://zeropath.com>
+
+(cherry picked from commit 3e474c2f201484be83d994ae10a4e20e8c81bb69)
+---
+ include/sudo_eventlog.h      |  3 ++-
+ lib/eventlog/eventlog.c      | 21 +++++++++++++++++----
+ lib/eventlog/eventlog_conf.c |  4 +++-
+ plugins/sudoers/logging.c    |  2 +-
+ plugins/sudoers/policy.c     |  2 +-
+ 5 files changed, 24 insertions(+), 8 deletions(-)
+
+diff --git a/include/sudo_eventlog.h b/include/sudo_eventlog.h
+index 07ef9dcbe..cdf27f0e8 100644
+--- a/include/sudo_eventlog.h
+++ b/include/sudo_eventlog.h
+@@ -78,6 +78,7 @@ struct eventlog_config {
+     int syslog_maxlen;
+     int file_maxlen;
+     uid_t mailuid;
+    gid_t mailgid;
+     bool omit_hostname;
+     const char *logpath;
+     const char *time_fmt;
+@@ -136,7 +137,7 @@ void eventlog_set_syslog_rejectpri(int pri);
+ void eventlog_set_syslog_alertpri(int pri);
+ void eventlog_set_syslog_maxlen(int len);
+ void eventlog_set_file_maxlen(int len);
+-void eventlog_set_mailuid(uid_t uid);
+void eventlog_set_mailuser(uid_t uid, gid_t gid);
+ void eventlog_set_omit_hostname(bool omit_hostname);
+ void eventlog_set_logpath(const char *path);
+ void eventlog_set_time_fmt(const char *fmt);
+diff --git a/lib/eventlog/eventlog.c b/lib/eventlog/eventlog.c
+index 0febe66c1..7d042a0ab 100644
+--- a/lib/eventlog/eventlog.c
+++ b/lib/eventlog/eventlog.c
+@@ -280,15 +280,13 @@ exec_mailer(int pipein)
+ 	syslog(LOG_ERR, _("unable to dup stdin: %m")); // -V618
+ 	sudo_debug_printf(SUDO_DEBUG_ERROR,
+ 	    "unable to dup stdin: %s", strerror(errno));
+-	sudo_debug_exit(__func__, __FILE__, __LINE__, sudo_debug_subsys);
+-	_exit(127);
+	goto bad;
+     }
+ 
+     /* Build up an argv based on the mailer path and flags */
+     if ((mflags = strdup(evl_conf->mailerflags)) == NULL) {
+ 	syslog(LOG_ERR, _("unable to allocate memory")); // -V618
+-	sudo_debug_exit(__func__, __FILE__, __LINE__, sudo_debug_subsys);
+-	_exit(127);
+	goto bad;
+     }
+     if ((argv[0] = strrchr(mpath, '/')))
+ 	argv[0]++;
+@@ -310,11 +309,23 @@ exec_mailer(int pipein)
+     if (setuid(ROOT_UID) != 0) {
+ 	sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to change uid to %u",
+ 	    ROOT_UID);
+	goto bad;
+    }
+    if (setgid(evl_conf->mailgid) != 0) {
+	sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to change gid to %u",
+	    (unsigned int)evl_conf->mailgid);
+	goto bad;
+    }
+    if (setgroups(1, &evl_conf->mailgid) != 0) {
+	sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to set groups to %u",
+	    (unsigned int)evl_conf->mailgid);
+	goto bad;
+     }
+     if (evl_conf->mailuid != ROOT_UID) {
+ 	if (setuid(evl_conf->mailuid) != 0) {
+ 	    sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to change uid to %u",
+ 		(unsigned int)evl_conf->mailuid);
+	    goto bad;
+ 	}
+     }
+     sudo_debug_exit(__func__, __FILE__, __LINE__, sudo_debug_subsys);
+@@ -326,6 +335,9 @@ exec_mailer(int pipein)
+     sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to execute %s: %s",
+ 	mpath, strerror(errno));
+     _exit(127);
+bad:
+    sudo_debug_exit(__func__, __FILE__, __LINE__, sudo_debug_subsys);
+    _exit(127);
+ }
+ 
+ /* Send a message to the mailto user */
+diff --git a/lib/eventlog/eventlog_conf.c b/lib/eventlog/eventlog_conf.c
+index 8ad03851f..1c1d0a690 100644
+--- a/lib/eventlog/eventlog_conf.c
+++ b/lib/eventlog/eventlog_conf.c
+@@ -70,6 +70,7 @@ static struct eventlog_config evl_conf = {
+     MAXSYSLOGLEN,		/* syslog_maxlen */
+     0,				/* file_maxlen */
+     ROOT_UID,			/* mailuid */
+    ROOT_GID,			/* mailgid */
+     false,			/* omit_hostname */
+     _PATH_SUDO_LOGFILE,		/* logpath */
+     "%h %e %T",			/* time_fmt */
+@@ -151,9 +152,10 @@ eventlog_set_file_maxlen(int len)
+ }
+ 
+ void
+-eventlog_set_mailuid(uid_t uid)
+eventlog_set_mailuser(uid_t uid, gid_t gid)
+ {
+     evl_conf.mailuid = uid;
+    evl_conf.mailgid = gid;
+ }
+ 
+ void
+diff --git a/plugins/sudoers/logging.c b/plugins/sudoers/logging.c
+index 06efbf576..da03f3d96 100644
+--- a/plugins/sudoers/logging.c
+++ b/plugins/sudoers/logging.c
+@@ -800,7 +800,7 @@ init_eventlog_config(void)
+     eventlog_set_syslog_alertpri(def_syslog_badpri);
+     eventlog_set_syslog_maxlen(def_syslog_maxlen);
+     eventlog_set_file_maxlen(def_loglinelen);
+-    eventlog_set_mailuid(ROOT_UID);
+    eventlog_set_mailuser(ROOT_UID, ROOT_GID);
+     eventlog_set_omit_hostname(!def_log_host);
+     eventlog_set_logpath(def_logfile);
+     eventlog_set_time_fmt(def_log_year ? "%h %e %T %Y" : "%h %e %T");
+diff --git a/plugins/sudoers/policy.c b/plugins/sudoers/policy.c
+index 074c3f0e8..cb4c9bbdf 100644
+--- a/plugins/sudoers/policy.c
+++ b/plugins/sudoers/policy.c
+@@ -519,7 +519,7 @@ sudoers_policy_deserialize_info(void *v)
+     cmnd_fd = -1;
+ 
+ #ifdef NO_ROOT_MAILER
+-    eventlog_set_mailuid(user_uid);
+    eventlog_set_mailuser(user_uid, user_gid);
+ #endif
+ 
+     /* Dump settings and user info (XXX - plugin args) */
+-- 
+2.53.0
+
--- a/SPECS/sudo.spec
+++ b/SPECS/sudo.spec
@ -1,7 +1,7 @@
 Summary: Allows restricted root access for specified users
 Name: sudo
 Version: 1.9.5p2
-Release: 1%{?dist}.3
+Release: 1%{?dist}.5
 License: ISC
 Group: Applications/System
 URL: https://www.sudo.ws/
@ -59,6 +59,9 @@ Patch22: sudo-separator.patch

 Patch23: rebuild_env-Avoid-setting-SHELL-twice-for-sudo-i.patch

+Patch24: sudo-1.9.17-CVE-2026-35535-1.patch
+Patch25: sudo-1.9.17-CVE-2026-35535-2.patch
+
 %description
 Sudo (superuser do) allows a system administrator to give certain
 users (or groups of users) the ability to run some (or all) commands
@ -106,6 +109,9 @@ plugins that use %{name}.
 %patch -P 21 -p1 -b .cmnd_no_wait
 %patch -P 22 -p1 -b .separator
 %patch -P 23 -p1 -b .double-shell
+%patch -P 24 -p1 -b .cve-2026-35535-1
+%patch -P 25 -p1 -b .cve-2026-35535-2
+

 %build
 # Remove bundled copy of zlib
@ -281,6 +287,11 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man8/sudo_plugin.8*

 %changelog
+* Thu Apr 24 2026 Alejandro López <allopez@redhat.com> - 1.9.5p2-1.5
+RHEL 8.10.0.Z ERRATUM
+- CVE-2026-35535 - Privilege escalation due to failure in privilege drop calls
+Resolves: RHEL-166060
+
 * Mon Nov 17 2025 Alejandro López <allopez@redhat.com> - 1.9.5p2-1.3
 RHEL 8.10.0.Z ERRATUM
 - sudo passes SHELL environment variable twice to the shell being executed [rhel-8]