import sudo-1.8.29-6.el8_3.1

2021-01-26 13:54:50 -05:00 · 2021-01-26 13:54:50 -05:00 · 777d690e00
parent 830d1fc442
commit 777d690e00
2 changed files with 217 additions and 1 deletions
--- a/SOURCES/sudo-1.8.31-CVE-2021-3156.patch
+++ b/SOURCES/sudo-1.8.31-CVE-2021-3156.patch
@ -0,0 +1,206 @@
 diff -up ./plugins/sudoers/policy.c.heap-buffer ./plugins/sudoers/policy.c
 --- ./plugins/sudoers/policy.c.heap-buffer	2019-10-28 13:28:52.000000000 +0100
 +++ ./plugins/sudoers/policy.c	2021-01-20 11:38:06.481807015 +0100
@@ -100,10 +100,11 @@ parse_bool(const char *line, int varlen,
 int
 sudoers_policy_deserialize_info(void *v, char **runas_user, char **runas_group)
 {
 +    const int edit_mask = MODE_EDIT|MODE_IGNORE_TICKET|MODE_NONINTERACTIVE;
     struct sudoers_policy_open_info *info = v;
 -    char * const *cur;
     const char *p, *errstr, *groups = NULL;
     const char *remhost = NULL;
 +    char * const *cur;
     int flags = 0;
     debug_decl(sudoers_policy_deserialize_info, SUDOERS_DEBUG_PLUGIN)
@@ -332,6 +333,12 @@ sudoers_policy_deserialize_info(void *v,
 #endif
     }
 +    /* Sudo front-end should restrict mode flags for sudoedit. */
 +    if (ISSET(flags, MODE_EDIT) && (flags & edit_mask) != flags) {
 +	sudo_warnx(U_("invalid mode flags from sudo front end: 0x%x"), flags);
 +	goto bad;
 +    }
 +
     user_gid = (gid_t)-1;
     user_sid = (pid_t)-1;
     user_uid = (gid_t)-1;
 diff -up ./plugins/sudoers/sudoers.c.heap-buffer ./plugins/sudoers/sudoers.c
 --- ./plugins/sudoers/sudoers.c.heap-buffer	2021-01-20 11:34:57.523317977 +0100
 +++ ./plugins/sudoers/sudoers.c	2021-01-20 12:08:01.331553520 +0100
@@ -451,7 +451,7 @@ sudoers_policy_main(int argc, char * con
     /* If run as root with SUDO_USER set, set sudo_user.pw to that user. */
     /* XXX - causes confusion when root is not listed in sudoers */
 -    if (sudo_mode & (MODE_RUN | MODE_EDIT) && prev_user != NULL) {
 +    if (ISSET(sudo_mode, MODE_RUN|MODE_EDIT) && prev_user != NULL) {
 	if (user_uid == 0 && strcmp(prev_user, "root") != 0) {
 	    struct passwd *pw;
@@ -834,8 +834,8 @@ set_cmnd(void)
     if (user_cmnd == NULL)
 	user_cmnd = NewArgv[0];
 -    if (sudo_mode & (MODE_RUN | MODE_EDIT | MODE_CHECK)) {
 -	if (ISSET(sudo_mode, MODE_RUN | MODE_CHECK)) {
 +    if (ISSET(sudo_mode, MODE_RUN|MODE_EDIT|MODE_CHECK)) {
 +	if (!ISSET(sudo_mode, MODE_EDIT)) {
 	    if (def_secure_path && !user_is_exempt())
 		path = def_secure_path;
 	    if (!set_perms(PERM_RUNAS))
@@ -873,7 +873,8 @@ set_cmnd(void)
 		sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
 		debug_return_int(-1);
 	    }
 -	    if (ISSET(sudo_mode, MODE_SHELL|MODE_LOGIN_SHELL)) {
 +	    if (ISSET(sudo_mode, MODE_SHELL|MODE_LOGIN_SHELL) &&
 +            ISSET(sudo_mode, MODE_RUN)) {
 		/*
 		 * When running a command via a shell, the sudo front-end
 		 * escapes potential meta chars.  We unescape non-spaces
@@ -881,10 +882,22 @@ set_cmnd(void)
 		 */
 		for (to = user_args, av = NewArgv + 1; (from = *av); av++) {
 		    while (*from) {
 -			if (from[0] == '\\' && !isspace((unsigned char)from[1]))
 +			if (from[0] == '\\' && from[1] != '\0' &&
 +				!isspace((unsigned char)from[1])) {
 			    from++;
 +			}
 +			if (size - (to - user_args) < 1) {
 +			    sudo_warnx(U_("internal error, %s overflow"),
 +				__func__);
 +			    debug_return_int(NOT_FOUND_ERROR);
 +			}
 			*to++ = *from++;
 		    }
 +		    if (size - (to - user_args) < 1) {
 +			sudo_warnx(U_("internal error, %s overflow"),
 +			    __func__);
 +			debug_return_int(NOT_FOUND_ERROR);
 +		    }
 		    *to++ = ' ';
 		}
 		*--to = '\0';
 diff -up ./plugins/sudoers/timestamp.c.heap-buffer ./plugins/sudoers/timestamp.c
 --- ./plugins/sudoers/timestamp.c.heap-buffer	2021-01-20 12:11:28.218774128 +0100
 +++ ./plugins/sudoers/timestamp.c	2021-01-20 12:20:41.772324808 +0100
@@ -652,8 +652,8 @@ timestamp_lock(void *vcookie, struct pas
     } else if (entry.type != TS_LOCKEXCL) {
 	/* Old sudo record, convert it to TS_LOCKEXCL. */
 	entry.type = TS_LOCKEXCL;
 -	memset((char *)&entry + offsetof(struct timestamp_entry, type), 0,
 -	    nread - offsetof(struct timestamp_entry, type));
 +	memset((char *)&entry + offsetof(struct timestamp_entry, flags), 0,
 +	    nread - offsetof(struct timestamp_entry, flags));
 	if (ts_write(cookie->fd, cookie->fname, &entry, 0) == -1)
 	    debug_return_bool(false);
     }
 diff -up ./src/parse_args.c.heap-buffer ./src/parse_args.c
 --- ./src/parse_args.c.heap-buffer	2021-01-20 11:35:18.231043445 +0100
 +++ ./src/parse_args.c	2021-01-20 12:26:31.290591673 +0100
@@ -124,7 +124,10 @@ struct environment {
 /*
  * Default flags allowed when running a command.
  */
 -#define DEFAULT_VALID_FLAGS	(MODE_BACKGROUND|MODE_PRESERVE_ENV|MODE_RESET_HOME|MODE_LOGIN_SHELL|MODE_NONINTERACTIVE|MODE_SHELL)
 +#define DEFAULT_VALID_FLAGS	(MODE_BACKGROUND|MODE_PRESERVE_ENV|MODE_RESET_HOME|MODE_LOGIN_SHELL|MODE_NONINTERACTIVE|MODE_PRESERVE_GROUPS|MODE_SHELL)
 +#define EDIT_VALID_FLAGS	MODE_NONINTERACTIVE
 +#define LIST_VALID_FLAGS	(MODE_NONINTERACTIVE|MODE_LONG_LIST)
 +#define VALIDATE_VALID_FLAGS	MODE_NONINTERACTIVE
 /* Option number for the --host long option due to ambiguity of the -h flag. */
 #define OPT_HOSTNAME	256
@@ -269,6 +272,7 @@ parse_args(int argc, char **argv, int *n
 	progname = "sudoedit";
 	mode = MODE_EDIT;
 	sudo_settings[ARG_SUDOEDIT].value = "true";
 +	valid_flags = EDIT_VALID_FLAGS;
     }
     /* Load local IP addresses and masks. */
@@ -360,7 +364,7 @@ parse_args(int argc, char **argv, int *n
 			usage_excl(1);
 		    mode = MODE_EDIT;
 		    sudo_settings[ARG_SUDOEDIT].value = "true";
 -		    valid_flags = MODE_NONINTERACTIVE;
 +		    valid_flags = EDIT_VALID_FLAGS;
 		    break;
 		case 'g':
 		    assert(optarg != NULL);
@@ -371,6 +375,7 @@ parse_args(int argc, char **argv, int *n
 		    break;
 		case 'H':
 		    sudo_settings[ARG_SET_HOME].value = "true";
 +		    SET(flags, MODE_RESET_HOME);
 		    break;
 		case 'h':
 		    if (optarg == NULL) {
@@ -421,7 +426,7 @@ parse_args(int argc, char **argv, int *n
 			    usage_excl(1);
 		    }
 		    mode = MODE_LIST;
 -		    valid_flags = MODE_NONINTERACTIVE|MODE_LONG_LIST;
 +		    valid_flags = LIST_VALID_FLAGS;
 		    break;
 		case 'n':
 		    SET(flags, MODE_NONINTERACTIVE);
@@ -429,6 +434,7 @@ parse_args(int argc, char **argv, int *n
 		    break;
 		case 'P':
 		    sudo_settings[ARG_PRESERVE_GROUPS].value = "true";
 +		    SET(flags, MODE_PRESERVE_GROUPS);
 		    break;
 		case 'p':
 		    /* An empty prompt is allowed. */
@@ -478,7 +484,7 @@ parse_args(int argc, char **argv, int *n
 		    if (mode && mode != MODE_VALIDATE)
 			usage_excl(1);
 		    mode = MODE_VALIDATE;
 -		    valid_flags = MODE_NONINTERACTIVE;
 +		    valid_flags = VALIDATE_VALID_FLAGS;
 		    break;
 		case 'V':
 		    if (mode && mode != MODE_VERSION)
@@ -505,7 +511,7 @@ parse_args(int argc, char **argv, int *n
     if (!mode) {
 	/* Defer -k mode setting until we know whether it is a flag or not */
 	if (sudo_settings[ARG_IGNORE_TICKET].value != NULL) {
 -	    if (argc == 0 && !(flags & (MODE_SHELL|MODE_LOGIN_SHELL))) {
 +	    if (argc == 0 && !ISSET(flags, MODE_SHELL|MODE_LOGIN_SHELL)) {
 		mode = MODE_INVALIDATE;	/* -k by itself */
 		sudo_settings[ARG_IGNORE_TICKET].value = NULL;
 		valid_flags = 0;
@@ -568,23 +574,24 @@ parse_args(int argc, char **argv, int *n
     /*
      * For shell mode we need to rewrite argv
      */
 -    if (ISSET(mode, MODE_RUN) && ISSET(flags, MODE_SHELL)) {
 +    if (ISSET(flags, MODE_SHELL|MODE_LOGIN_SHELL) && ISSET(mode, MODE_RUN)) {
 	char **av, *cmnd = NULL;
 	int ac = 1;
 	if (argc != 0) {
 	    /* shell -c "command" */
 	    char *src, *dst;
 -	    size_t cmnd_size = (size_t) (argv[argc - 1] - argv[0]) +
 -		strlen(argv[argc - 1]) + 1;
 +        size_t size = 0;
 -	    cmnd = dst = reallocarray(NULL, cmnd_size, 2);
 -	    if (cmnd == NULL)
 +        for (av = argv; *av != NULL; av++)
 +            size += strlen(*av) + 1;
 +
 +        if (size == 0 || (cmnd = reallocarray(NULL, size, 2)) == NULL)
 		sudo_fatalx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
 	    if (!gc_add(GC_PTR, cmnd))
 		exit(1);
 -	    for (av = argv; *av != NULL; av++) {
 +        for (dst = cmnd, av = argv; *av != NULL; av++) {
 		for (src = *av; *src != '\0'; src++) {
 		    /* quote potential meta characters */
 		    if (!isalnum((unsigned char)*src) && *src != '_' && *src != '-' && *src != '$')
--- a/SPECS/sudo.spec
+++ b/SPECS/sudo.spec
@ -1,7 +1,7 @@
 Summary: Allows restricted root access for specified users
 Name: sudo
 Version: 1.8.29
-Release: 6%{?dist}
+Release: 6%{?dist}.1
 License: ISC
 Group: Applications/System
 URL: http://www.courtesan.com/sudo/
@ -56,6 +56,9 @@ Patch9: sudo-1.8.29-CVE-2019-18634.patch
 Patch10: sudo-1.8.29-expired-password-part1.patch
 Patch11: sudo-1.8.29-expired-password-part2.patch
 # 1917732 - EMBARGOED CVE-2021-3156 sudo: Heap-buffer overflow in argument parsing [rhel-8.3.0.z]
 Patch12: sudo-1.8.31-CVE-2021-3156.patch
 %description
 Sudo (superuser do) allows a system administrator to give certain
 users (or groups of users) the ability to run some (or all) commands
@ -92,6 +95,8 @@ plugins that use %{name}.
 %patch10 -p1 -b .expired1
 %patch11 -p1 -b .expired2
 %patch12 -p1 -b .heap-buffer
 %build
 # Remove bundled copy of zlib
 rm -rf zlib/
@ -250,6 +255,11 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man8/sudo_plugin.8*
 %changelog
 * Wed Jan 20 2021 Radovan Sroka <rsroka@redhat.com> - 1.8.29-6.1
 - RHEL 8.3.Z ERRATUM
 - CVE-2021-3156
 Resolves: rhbz#1917732
 * Tue Apr 28 2020 Radovan Sroka <rsroka@redhat.com> - 1.8.29-6
 - RHEL 8.3 ERRATUM
 - sudo allows privilege escalation with expire password