RHEL 10.1 ERRATUM

- CVE-2025-32462 sudo: LPE via host option
Resolves: RHEL-100009
- CVE-2025-32463 sudo: LPE via chroot option
Resolves: RHEL-100022

cve-2025-32462.patch

@@ -0,0 +1,109 @@
+# Local Privilege Escalation via host option
+
+Sudo's host (`-h` or `--host`) option is intended to be used in
+conjunction with the list option (`-l` or `--list`) to list a user's
+sudo privileges on a host other than the current one.  However, due
+to a bug it was not restricted to listing privileges and could be
+used when running a command via `sudo` or editing a file with
+`sudoedit`.  Depending on the rules present in the sudoers file
+this could allow a local privilege escalation attack.
+
+## Sudo versions affected:
+
+Sudo versions 1.8.8 to 1.9.17 inclusive are affected.
+
+## CVE ID:
+
+This vulnerability has been assigned
+[CVE-2025-32462](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32462)
+in the [Common Vulnerabilities and Exposures](https://cve.mitre.org/) database.
+
+## Details:
+
+The intent of sudo's `-h` (`--host`) option is to make it possible
+to list a user's sudo privileges for a host other than the current
+one.  It was only intended be used with in conjunction with the
+`-l` (`--list`) option.
+
+The bug effectively makes the hostname portion of a sudoers rule
+irrelevant since the user can set the host to be used when evaluating
+the rules themselves.  A user must still be listed in the sudoers
+file, but they do not needed to have an entry for the current host.
+
+For example, given the sudoers rule:
+
+``` plain
+alice cerebus = ALL
+```
+
+user __alice__ would be able to run `sudo -h cerebus id` on any host,
+not just _cerebus_.  For example:
+
+``` plain
+alice@hades$ sudo -l
+Sorry, user alice may not run sudo on hades.
+
+alice@hades$ sudo -l -h cerebus
+User alice may run the following commands on cerebus:
+    (root) ALL
+
+alice@hades$ sudo -h cerebus id
+uid=0(root) gid=0(root) groups=0(root)
+```
+
+## Impact:
+
+Sudoers files that include rules where the host field is not the
+current host or _ALL_ are affected.  This primarily affects sites
+that use a common sudoers file that is distributed to multiple
+machines.  Sites that use LDAP-based sudoers (including SSSD) are
+similarly impacted.
+
+For example, a sudoers rule such as:
+
+``` plain
+bob ALL = ALL
+```
+
+is not affected since the host _ALL_ already matches any hosts,
+but a rule like:
+
+``` plain
+alice cerebus = ALL
+```
+
+could allow user __alice__ to run any command even if the current
+host is not _cerebus_.
+
+## Fix:
+
+The bug is fixed in sudo 1.9.17p1.
+
+## Credit:
+
+Thanks to Rich Mirch from Stratascale Cyber Research Unit (CRU) for
+reporting and analyzing the bug.
+
+diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c
+index 70a0c1a52..ad2fa2f61 100644
+--- a/plugins/sudoers/sudoers.c
++++ b/plugins/sudoers/sudoers.c
+@@ -350,6 +350,18 @@ sudoers_check_common(struct sudoers_context *ctx, int pwflag)
+     time_t now;
+     debug_decl(sudoers_check_common, SUDOERS_DEBUG_PLUGIN);
+ 
++    /* The user may only specify a host for "sudo -l". */
++    if (!ISSET(ctx->mode, MODE_LIST|MODE_CHECK)) {
++	if (strcmp(ctx->runas.host, ctx->user.host) != 0) {
++	    log_warningx(ctx, SLOG_NO_STDERR|SLOG_AUDIT,
++		N_("user not allowed to set remote host for command"));
++	    sudo_warnx("%s",
++		U_("a remote host may only be specified when listing privileges."));
++	    ret = false;
++	    goto done;
++	}
++    }
++
+     /* If given the -P option, set the "preserve_groups" flag. */
+     if (ISSET(ctx->mode, MODE_PRESERVE_GROUPS))
+ 	def_preserve_groups = true;

sudo.spec

@@ -34,6 +34,8 @@ BuildRequires: zlib-devel
 
 Patch1: coverity.patch
 Patch2: sudo-conf.patch
+Patch3: cve-2025-32462.patch
+Patch4: cve-2025-32463.patch
 
 %description
 Sudo (superuser do) allows a system administrator to give certain