import sudo-1.8.29-10.el8

2023-03-28 09:11:15 +00:00 · 2023-03-28 09:11:15 +00:00 · 665f7b5ae8
parent af7ca0a14d
commit 665f7b5ae8
5 changed files with 396 additions and 1 deletions
--- a/SOURCES/sha-digest-calc.patch
+++ b/SOURCES/sha-digest-calc.patch
@ -0,0 +1,26 @@
 From e4f08157b6693b956fe9c7c987bc3eeac1abb2cc Mon Sep 17 00:00:00 2001
 From: Tim Shearer <timtimminz@gmail.com>
 Date: Tue, 2 Aug 2022 08:48:32 -0400
 Subject: [PATCH] Fix incorrect SHA384/512 digest calculation.
 Resolves an issue where certain message sizes result in an incorrect
 checksum. Specifically, when:
 (n*8) mod 1024 == 896
 where n is the file size in bytes.
 ---
 lib/util/sha2.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/lib/util/sha2.c b/lib/util/sha2.c
 index b7a28cca8..f769f77f2 100644
 --- a/lib/util/sha2.c
 +++ b/lib/util/sha2.c
@@ -490,7 +490,7 @@ SHA512Pad(SHA2_CTX *ctx)
 	SHA512Update(ctx, (uint8_t *)"\200", 1);
 	/* Pad message such that the resulting length modulo 1024 is 896. */
 -	while ((ctx->count[0] & 1008) != 896)
 +	while ((ctx->count[0] & 1016) != 896)
 		SHA512Update(ctx, (uint8_t *)"\0", 1);
 	/* Append length of message in bits and do final SHA512Transform(). */
--- a/SOURCES/sudo-1.9.12-CVE-2023-22809-backports.patch
+++ b/SOURCES/sudo-1.9.12-CVE-2023-22809-backports.patch
@ -0,0 +1,171 @@
 diff -up ./plugins/sudoers/editor.c.other ./plugins/sudoers/editor.c
 --- ./plugins/sudoers/editor.c.other	2023-01-16 17:37:04.659967300 +0100
 +++ ./plugins/sudoers/editor.c	2023-01-16 17:40:35.944400376 +0100
@@ -39,6 +39,82 @@
 #include "sudoers.h"
 /*
 + * Non-destructive word-split that handles single and double quotes and
 + * escaped white space.  Quotes are only recognized at the start of a word.
 + * They are treated as normal characters inside a word.
 + */
 +static const char *
 +wordsplit(const char *str, const char *endstr, const char **last)
 +{
 +    const char *cp;
 +    debug_decl(wordsplit, SUDO_DEBUG_UTIL);
 +
 +    /* If no str specified, use last ptr (if any). */
 +    if (str == NULL) {
 +	str = *last;
 +	/* Consume end quote if present. */
 +	if (*str == '"' || *str == '\'')
 +	    str++;
 +    }
 +
 +    /* Skip leading white space characters. */
 +    while (str < endstr && (*str == ' ' || *str == '\t'))
 +	str++;
 +
 +    /* Empty string? */
 +    if (str >= endstr) {
 +	*last = endstr;
 +	debug_return_ptr(NULL);
 +    }
 +
 +    /* If word is quoted, skip to end quote and return. */
 +    if (*str == '"' || *str == '\'') {
 +	const char *endquote = memchr(str + 1, *str, endstr - str);
 +	if (endquote != NULL) {
 +	    *last = endquote;
 +	    debug_return_const_ptr(str + 1);
 +	}
 +    }
 +
 +    /* Scan str until we encounter white space. */
 +    for (cp = str; cp < endstr; cp++) {
 +	if (*cp == '\\') {
 +	    /* quoted char, do not interpret */
 +	    cp++;
 +	    continue;
 +	}
 +	if (*cp == ' ' || *cp == '\t') {
 +	    /* end of word */
 +	    break;
 +	}
 +    }
 +    *last = cp;
 +    debug_return_const_ptr(str);
 +}
 +
 +/* Copy len chars from string, collapsing chars escaped with a backslash. */
 +static char *
 +copy_arg(const char *src, size_t len)
 +{
 +    const char *src_end = src + len;
 +    char *copy, *dst;
 +    debug_decl(copy_arg, SUDOERS_DEBUG_UTIL);
 +
 +    if ((copy = malloc(len + 1)) != NULL) {
 +	for (dst = copy; src < src_end; ) {
 +	    if (*src == '\\') {
 +		src++;
 +		continue;
 +	    }
 +	    *dst++ = *src++;
 +	}
 +	*dst = '\0';
 +    }
 +
 +    debug_return_ptr(copy);
 +}
 +
 +/*
  * Search for the specified editor in the user's PATH, checking
  * the result against allowlist if non-NULL.  An argument vector
  * suitable for execve() is allocated and stored in argv_out.
@@ -52,7 +128,7 @@ static char *
 resolve_editor(const char *ed, size_t edlen, int nfiles, char **files,
     int *argc_out, char ***argv_out, char * const *allowlist)
 {
 -    char **nargv, *editor, *editor_path = NULL;
 +    char **nargv = NULL, *editor = NULL, *editor_path = NULL;
     const char *cp, *ep, *tmp;
     const char *edend = ed + edlen;
     struct stat user_editor_sb;
@@ -64,14 +140,12 @@ resolve_editor(const char *ed, size_t ed
      * The EDITOR and VISUAL environment variables may contain command
      * line args so look for those and alloc space for them too.
      */
 -    cp = sudo_strsplit(ed, edend, " \t", &ep);
 +    cp = wordsplit(ed, edend, &ep);
     if (cp == NULL)
 	debug_return_str(NULL);
 -    editor = strndup(cp, (size_t)(ep - cp));
 -    if (editor == NULL) {
 -	sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
 -	debug_return_str(NULL);
 -    }
 +    editor = copy_arg(cp, ep - cp);
 +    if (editor == NULL)
 +        goto oom;
     /* If we can't find the editor in the user's PATH, give up. */
     if (find_path(editor, &editor_path, &user_editor_sb, getenv("PATH"), 0, allowlist) != FOUND) {
@@ -81,30 +155,22 @@ resolve_editor(const char *ed, size_t ed
     }
     /* Count rest of arguments and allocate editor argv. */
 -    for (nargc = 1, tmp = ep; sudo_strsplit(NULL, edend, " \t", &tmp) != NULL; )
 +    for (nargc = 1, tmp = ep; wordsplit(NULL, edend, &tmp) != NULL; )
 	nargc++;
     if (nfiles != 0)
 	nargc += nfiles + 1;
     nargv = reallocarray(NULL, nargc + 1, sizeof(char *));
 -    if (nargv == NULL) {
 -	sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
 -	free(editor);
 -	free(editor_path);
 -	debug_return_str(NULL);
 -    }
 +    if (nargv == NULL)
 +	goto oom;
     /* Fill in editor argv (assumes files[] is NULL-terminated). */
     nargv[0] = editor;
 -    for (nargc = 1; (cp = sudo_strsplit(NULL, edend, " \t", &ep)) != NULL; nargc++) {
 -	nargv[nargc] = strndup(cp, (size_t)(ep - cp));
 -	if (nargv[nargc] == NULL) {
 -	    sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
 -	    free(editor_path);
 -	    while (nargc--)
 -		free(nargv[nargc]);
 -	    free(nargv);
 -	    debug_return_str(NULL);
 -	}
 +    editor = NULL;
 +    for (nargc = 1; (cp = wordsplit(NULL, edend, &ep)) != NULL; nargc++) {
 +	/* Copy string, collapsing chars escaped with a backslash. */
 +	nargv[nargc] = copy_arg(cp, ep - cp);
 +	if (nargv[nargc] == NULL)
 +	    goto oom;
     }
     if (nfiles != 0) {
 	nargv[nargc++] = "--";
@@ -116,6 +182,16 @@ resolve_editor(const char *ed, size_t ed
     *argc_out = nargc;
     *argv_out = nargv;
     debug_return_str(editor_path);
 +oom:
 +    sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
 +    free(editor);
 +    free(editor_path);
 +    if (nargv != NULL) {
 +	while (nargc--)
 +	    free(nargv[nargc]);
 +	free(nargv);
 +    }
 +    debug_return_str(NULL);
 }
 /*
--- a/SOURCES/sudo-1.9.12-CVE-2023-22809-whitelist.patch
+++ b/SOURCES/sudo-1.9.12-CVE-2023-22809-whitelist.patch
@ -0,0 +1,57 @@
 diff -up ./plugins/sudoers/editor.c.whitelist ./plugins/sudoers/editor.c
 --- ./plugins/sudoers/editor.c.whitelist	2023-01-16 17:31:58.108335076 +0100
 +++ ./plugins/sudoers/editor.c	2023-01-16 17:33:37.375547672 +0100
@@ -40,7 +40,7 @@
 /*
  * Search for the specified editor in the user's PATH, checking
 - * the result against whitelist if non-NULL.  An argument vector
 + * the result against allowlist if non-NULL.  An argument vector
  * suitable for execve() is allocated and stored in argv_out.
  * If nfiles is non-zero, files[] is added to the end of argv_out.
  *
@@ -50,7 +50,7 @@
  */
 static char *
 resolve_editor(const char *ed, size_t edlen, int nfiles, char **files,
 -    int *argc_out, char ***argv_out, char * const *whitelist)
 +    int *argc_out, char ***argv_out, char * const *allowlist)
 {
     char **nargv, *editor, *editor_path = NULL;
     const char *cp, *ep, *tmp;
@@ -74,7 +74,7 @@ resolve_editor(const char *ed, size_t ed
     }
     /* If we can't find the editor in the user's PATH, give up. */
 -    if (find_path(editor, &editor_path, &user_editor_sb, getenv("PATH"), 0, whitelist) != FOUND) {
 +    if (find_path(editor, &editor_path, &user_editor_sb, getenv("PATH"), 0, allowlist) != FOUND) {
 	free(editor);
 	errno = ENOENT;
 	debug_return_str(NULL);
@@ -130,7 +130,7 @@ resolve_editor(const char *ed, size_t ed
  */
 char *
 find_editor(int nfiles, char **files, int *argc_out, char ***argv_out,
 -     char * const *whitelist, const char **env_editor, bool env_error)
 +     char * const *allowlist, const char **env_editor, bool env_error)
 {
     char *ev[3], *editor_path = NULL;
     unsigned int i;
@@ -149,7 +149,7 @@ find_editor(int nfiles, char **files, in
 	if (editor != NULL && *editor != '\0') {
 	    *env_editor = editor;
 	    editor_path = resolve_editor(editor, strlen(editor),
 -		nfiles, files, argc_out, argv_out, whitelist);
 +		nfiles, files, argc_out, argv_out, allowlist);
 	    if (editor_path != NULL)
 		break;
 	    if (errno != ENOENT)
@@ -169,7 +169,7 @@ find_editor(int nfiles, char **files, in
 	for (cp = sudo_strsplit(def_editor, def_editor_end, ":", &ep);
 	    cp != NULL; cp = sudo_strsplit(NULL, def_editor_end, ":", &ep)) {
 	    editor_path = resolve_editor(cp, (size_t)(ep - cp), nfiles,
 -		files, argc_out, argv_out, whitelist);
 +		files, argc_out, argv_out, allowlist);
 	    if (editor_path != NULL)
 		break;
 	    if (errno != ENOENT)
--- a/SOURCES/sudo-1.9.12-CVE-2023-22809.patch
+++ b/SOURCES/sudo-1.9.12-CVE-2023-22809.patch
@ -0,0 +1,122 @@
 diff -up ./plugins/sudoers/editor.c.cve ./plugins/sudoers/editor.c
 --- ./plugins/sudoers/editor.c.cve	2023-01-16 17:52:37.074066664 +0100
 +++ ./plugins/sudoers/editor.c	2023-01-16 17:58:06.603774304 +0100
@@ -132,7 +132,7 @@ resolve_editor(const char *ed, size_t ed
     const char *cp, *ep, *tmp;
     const char *edend = ed + edlen;
     struct stat user_editor_sb;
 -    int nargc;
 +    int nargc = 0;
     debug_decl(resolve_editor, SUDOERS_DEBUG_UTIL)
     /*
@@ -149,9 +149,7 @@ resolve_editor(const char *ed, size_t ed
     /* If we can't find the editor in the user's PATH, give up. */
     if (find_path(editor, &editor_path, &user_editor_sb, getenv("PATH"), 0, allowlist) != FOUND) {
 -	free(editor);
 -	errno = ENOENT;
 -	debug_return_str(NULL);
 +        goto bad;
     }
     /* Count rest of arguments and allocate editor argv. */
@@ -171,7 +169,19 @@ resolve_editor(const char *ed, size_t ed
 	nargv[nargc] = copy_arg(cp, ep - cp);
 	if (nargv[nargc] == NULL)
 	    goto oom;
 +
 +	/*
 +	 * We use "--" to separate the editor and arguments from the files
 +	 * to edit.  The editor arguments themselves may not contain "--".
 +	 */
 +	if (strcmp(nargv[nargc], "--") == 0) {
 +	    sudo_warnx(U_("ignoring editor: %.*s"), (int)edlen, ed);
 +	    sudo_warnx("%s", U_("editor arguments may not contain \"--\""));
 +	    errno = EINVAL;
 +	    goto bad;
 +	}
     }
 +
     if (nfiles != 0) {
 	nargv[nargc++] = "--";
 	while (nfiles--)
@@ -184,6 +194,7 @@ resolve_editor(const char *ed, size_t ed
     debug_return_str(editor_path);
 oom:
     sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
 +bad:
     free(editor);
     free(editor_path);
     if (nargv != NULL) {
 diff -up ./plugins/sudoers/sudoers.c.cve ./plugins/sudoers/sudoers.c
 --- ./plugins/sudoers/sudoers.c.cve	2023-01-16 17:52:37.074066664 +0100
 +++ ./plugins/sudoers/sudoers.c	2023-01-16 18:02:43.928307505 +0100
@@ -634,21 +634,32 @@ sudoers_policy_main(int argc, char * con
     /* Note: must call audit before uid change. */
     if (ISSET(sudo_mode, MODE_EDIT)) {
 -	int edit_argc;
 -	const char *env_editor;
 +        const char *env_editor = NULL;
 +        int edit_argc;
 	free(safe_cmnd);
 	safe_cmnd = find_editor(NewArgc - 1, NewArgv + 1, &edit_argc,
 	    &edit_argv, NULL, &env_editor, false);
 	if (safe_cmnd == NULL) {
 -	    if (errno != ENOENT)
 -		goto done;
 -	    audit_failure(NewArgc, NewArgv, N_("%s: command not found"),
 -		env_editor ? env_editor : def_editor);
 -	    sudo_warnx(U_("%s: command not found"),
 -		env_editor ? env_editor : def_editor);
 -	    goto bad;
 -	}
 +        switch (errno) {
 +            case ENOENT:
 +                audit_failure(NewArgc, NewArgv, N_("%s: command not found"),
 +                              env_editor ? env_editor : def_editor);
 +                sudo_warnx(U_("%s: command not found"),
 +                           env_editor ? env_editor : def_editor);
 +                goto bad;
 +            case EINVAL:
 +                if (def_env_editor && env_editor != NULL) {
 +                    /* User tried to do something funny with the editor. */
 +                    log_warningx(SLOG_NO_STDERR|SLOG_SEND_MAIL,
 +                                 "invalid user-specified editor: %s", env_editor);
 +                    goto bad;
 +                }
 +            default:
 +                goto done;
 +        }
 +    }
 +
 	if (audit_success(edit_argc, edit_argv) != 0 && !def_ignore_audit_errors)
 	    goto done;
 diff -up ./plugins/sudoers/visudo.c.cve ./plugins/sudoers/visudo.c
 --- ./plugins/sudoers/visudo.c.cve	2019-10-28 13:28:54.000000000 +0100
 +++ ./plugins/sudoers/visudo.c	2023-01-16 18:03:48.713975354 +0100
@@ -308,7 +308,7 @@ static char *
 get_editor(int *editor_argc, char ***editor_argv)
 {
     char *editor_path = NULL, **whitelist = NULL;
 -    const char *env_editor;
 +    const char *env_editor = NULL;
     static char *files[] = { "+1", "sudoers" };
     unsigned int whitelist_len = 0;
     debug_decl(get_editor, SUDOERS_DEBUG_UTIL)
@@ -342,7 +342,11 @@ get_editor(int *editor_argc, char ***edi
     if (editor_path == NULL) {
 	if (def_env_editor && env_editor != NULL) {
 	    /* We are honoring $EDITOR so this is a fatal error. */
 -	    sudo_fatalx(U_("specified editor (%s) doesn't exist"), env_editor);
 +	    if (errno == ENOENT) {
 +		sudo_warnx(U_("specified editor (%s) doesn't exist"),
 +		    env_editor);
 +	    }
 +	    exit(EXIT_FAILURE);
 	}
 	sudo_fatalx(U_("no editor found (editor path = %s)"), def_editor);
     }
--- a/SPECS/sudo.spec
+++ b/SPECS/sudo.spec
@ -1,7 +1,7 @@
 Summary: Allows restricted root access for specified users
 Name: sudo
 Version: 1.8.29
-Release: 8%{?dist}
+Release: 10%{?dist}
 License: ISC
 Group: Applications/System
 URL: https://www.sudo.ws/
@ -76,6 +76,13 @@ Patch21: sudo-1.9.7-krb5ccname.patch
 # 1986572 - utmp resource leak in sudo
 Patch22: sudo-1.9.7-utmp-leak.patch
 # 2114576 - sudo digest check fails incorrectly for certain file sizes (SHA512/SHA384)
 Patch23: sha-digest-calc.patch
 # 2161221 - EMBARGOED CVE-2023-22809 sudo: arbitrary file write with privileges of the RunAs user [rhel-8.8.0]
 Patch24: sudo-1.9.12-CVE-2023-22809-whitelist.patch
 Patch25: sudo-1.9.12-CVE-2023-22809-backports.patch
 Patch26: sudo-1.9.12-CVE-2023-22809.patch
 %description
 Sudo (superuser do) allows a system administrator to give certain
 users (or groups of users) the ability to run some (or all) commands
@ -128,6 +135,11 @@ plugins that use %{name}.
 %patch21 -p1 -b .krb5ccname
 %patch22 -p1 -b .utmp-leak
 %patch23 -p1 -b .sha-digest
 %patch24 -p1 -b .whitelist
 %patch25 -p1 -b .backports
 %patch26 -p1 -b .cve
 %build
 # Remove bundled copy of zlib
 rm -rf zlib/
@ -286,6 +298,13 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man8/sudo_plugin.8*
 %changelog
 * Wed Jan 11 2023 Radovan Sroka <rsroka@redhat.com> - 1.8.29.9
 RHEL 8.8.0 ERRATUM
 - CVE-2023-22809 sudo: arbitrary file write with privileges of the RunAs user
 Resolves: rhbz#2161221
 - sudo digest check fails incorrectly for certain file sizes (SHA512/SHA384)
 Resolves: rhbz#2114576
 * Mon Dec 06 2021 Radovan Sroka <rsroka@redhat.com> - 1.8.29-8
 RHEL 8.6.0 ERRATUM
 - sudoedit does not work with selinux args