import sudo-1.8.29-6.el8

2020-11-03 06:47:08 -05:00 · 2020-11-03 06:47:08 -05:00 · 830d1fc442
commit 830d1fc442
parent d3ad6b3add
3 changed files with 196 additions and 1 deletions
--- a/SOURCES/sudo-1.8.29-expired-password-part1.patch
+++ b/SOURCES/sudo-1.8.29-expired-password-part1.patch
@ -0,0 +1,154 @@
 From 4b6de608c25a6ffbdb507be958e12f814b43077c Mon Sep 17 00:00:00 2001
 From: "Todd C. Miller" <Todd.Miller@sudo.ws>
 Date: Wed, 4 Dec 2019 12:38:22 -0700
 Subject: [PATCH] Only update the time stamp entry after the approval function
 has succeeded. Bug #910
 ---
 plugins/sudoers/check.c | 59 +++++++++++++++++++----------------------
 1 file changed, 27 insertions(+), 32 deletions(-)
 diff --git a/plugins/sudoers/check.c b/plugins/sudoers/check.c
 index db8e05161..ea1d89085 100644
 --- a/plugins/sudoers/check.c
 +++ b/plugins/sudoers/check.c
@@ -51,6 +51,7 @@ static bool display_lecture(int);
 static struct passwd *get_authpw(int);
 struct getpass_closure {
 +    int tstat;
     void *cookie;
     struct passwd *auth_pw;
 };
@@ -89,27 +90,20 @@ getpass_resume(int signo, void *vclosure)
  * or -1 on fatal error.
  */
 static int
 -check_user_interactive(int validated, int mode, struct passwd *auth_pw)
 +check_user_interactive(int validated, int mode, struct getpass_closure *closure)
 {
     struct sudo_conv_callback cb, *callback = NULL;
 -    struct getpass_closure closure;
 -    int status = TS_ERROR;
     int ret = -1;
     char *prompt;
     bool lectured;
     debug_decl(check_user_interactive, SUDOERS_DEBUG_AUTH)
 -    /* Setup closure for getpass_{suspend,resume} */
 -    closure.auth_pw = auth_pw;
 -    closure.cookie = NULL;
 -    sudo_pw_addref(closure.auth_pw);
 -
     /* Open, lock and read time stamp file if we are using it. */
     if (!ISSET(mode, MODE_IGNORE_TICKET)) {
 	/* Open time stamp file and check its status. */
 -	closure.cookie = timestamp_open(user_name, user_sid);
 -	if (timestamp_lock(closure.cookie, closure.auth_pw))
 -	    status = timestamp_status(closure.cookie, closure.auth_pw);
 +	closure->cookie = timestamp_open(user_name, user_sid);
 +	if (timestamp_lock(closure->cookie, closure->auth_pw))
 +	    closure->tstat = timestamp_status(closure->cookie, closure->auth_pw);
 	/* Construct callback for getpass function. */
 	memset(&cb, 0, sizeof(cb));
@@ -120,7 +114,7 @@ check_user_interactive(int validated, int mode, struct passwd *auth_pw)
 	callback = &cb;
     }
 -    switch (status) {
 +    switch (closure->tstat) {
     case TS_FATAL:
 	/* Fatal error (usually setuid failure), unsafe to proceed. */
 	goto done;
@@ -144,32 +138,22 @@ check_user_interactive(int validated, int mode, struct passwd *auth_pw)
 	}
 	/* XXX - should not lecture if askpass helper is being used. */
 -	lectured = display_lecture(status);
 +	lectured = display_lecture(closure->tstat);
 	/* Expand any escapes in the prompt. */
 	prompt = expand_prompt(user_prompt ? user_prompt : def_passprompt,
 -	    closure.auth_pw->pw_name);
 +	    closure->auth_pw->pw_name);
 	if (prompt == NULL)
 	    goto done;
 -	ret = verify_user(closure.auth_pw, prompt, validated, callback);
 +	ret = verify_user(closure->auth_pw, prompt, validated, callback);
 	if (ret == true && lectured)
 	    (void)set_lectured();	/* lecture error not fatal */
 	free(prompt);
 	break;
     }
 -    /*
 -     * Only update time stamp if user was validated.
 -     * Failure to update the time stamp is not a fatal error.
 -     */
 -    if (ret == true && ISSET(validated, VALIDATE_SUCCESS) && status != TS_ERROR)
 -	(void)timestamp_update(closure.cookie, closure.auth_pw);
 done:
 -    if (closure.cookie != NULL)
 -	timestamp_close(closure.cookie);
 -    sudo_pw_delref(closure.auth_pw);
 -
     debug_return_int(ret);
 }
@@ -180,7 +164,7 @@ done:
 int
 check_user(int validated, int mode)
 {
 -    struct passwd *auth_pw;
 +    struct getpass_closure closure = { TS_ERROR };
     int ret = -1;
     bool exempt = false;
     debug_decl(check_user, SUDOERS_DEBUG_AUTH)
@@ -189,9 +173,9 @@ check_user(int validated, int mode)
      * Init authentication system regardless of whether we need a password.
      * Required for proper PAM session support.
      */
 -    if ((auth_pw = get_authpw(mode)) == NULL)
 +    if ((closure.auth_pw = get_authpw(mode)) == NULL)
 	goto done;
 -    if (sudo_auth_init(auth_pw) == -1)
 +    if (sudo_auth_init(closure.auth_pw) == -1)
 	goto done;
     /*
@@ -222,15 +206,26 @@ check_user(int validated, int mode)
 	}
     }
 -    ret = check_user_interactive(validated, mode, auth_pw);
 +    ret = check_user_interactive(validated, mode, &closure);
 done:
     if (ret == true) {
 	/* The approval function may disallow a user post-authentication. */
 -	ret = sudo_auth_approval(auth_pw, validated, exempt);
 +	ret = sudo_auth_approval(closure.auth_pw, validated, exempt);
 +
 +	/*
 +	 * Only update time stamp if user validated and was approved.
 +	 * Failure to update the time stamp is not a fatal error.
 +	 */
 +	if (ret == true && closure.tstat != TS_ERROR) {
 +	    if (ISSET(validated, VALIDATE_SUCCESS))
 +		(void)timestamp_update(closure.cookie, closure.auth_pw);
 +	}
     }
 -    sudo_auth_cleanup(auth_pw);
 -    sudo_pw_delref(auth_pw);
 +    timestamp_close(closure.cookie);
 +    sudo_auth_cleanup(closure.auth_pw);
 +    if (closure.auth_pw != NULL)
 +	sudo_pw_delref(closure.auth_pw);
     debug_return_int(ret);
 }
 -- 
 2.25.1
--- a/SOURCES/sudo-1.8.29-expired-password-part2.patch
+++ b/SOURCES/sudo-1.8.29-expired-password-part2.patch
@ -0,0 +1,29 @@
 From 5472b1751645f750e42a0ba6daac667983b1a56c Mon Sep 17 00:00:00 2001
 From: "Todd C. Miller" <Todd.Miller@sudo.ws>
 Date: Fri, 24 Jan 2020 11:13:55 -0700
 Subject: [PATCH] Fix crash in sudo 1.8.30 when suspending sudo at the password
 prompt. The closure pointer in sudo_conv_callback was being filled in with a
 struct getpass_closure ** instead of a struct getpass_closure *. The bug was
 introduced in the fix for Bug #910; previously the closure variable was a
 struct getpass_closure, not a pointer. Fix from Michael Norton; Bug #914.
 ---
 plugins/sudoers/check.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/plugins/sudoers/check.c b/plugins/sudoers/check.c
 index 72e87eef6..9b03c7a05 100644
 --- a/plugins/sudoers/check.c
 +++ b/plugins/sudoers/check.c
@@ -108,7 +108,7 @@ check_user_interactive(int validated, int mode, struct getpass_closure *closure)
 	/* Construct callback for getpass function. */
 	memset(&cb, 0, sizeof(cb));
 	cb.version = SUDO_CONV_CALLBACK_VERSION;
 -	cb.closure = &closure;
 +	cb.closure = closure;
 	cb.on_suspend = getpass_suspend;
 	cb.on_resume = getpass_resume;
 	callback = &cb;
 -- 
 2.25.1
--- a/SPECS/sudo.spec
+++ b/SPECS/sudo.spec
@ -1,7 +1,7 @@
 Summary: Allows restricted root access for specified users
 Name: sudo
 Version: 1.8.29
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: ISC
 Group: Applications/System
 URL: http://www.courtesan.com/sudo/
@ -52,6 +52,10 @@ Patch8: sudo-1.8.29-CVE-2019-19234.patch
 # 1798093 - CVE-2019-18634 sudo: Stack based buffer overflow in when pwfeedback is enabled [rhel-8.2.0]
 Patch9: sudo-1.8.29-CVE-2019-18634.patch
 # 1815164 - sudo allows privilege escalation with expire password
 Patch10: sudo-1.8.29-expired-password-part1.patch
 Patch11: sudo-1.8.29-expired-password-part2.patch
 %description
 Sudo (superuser do) allows a system administrator to give certain
 users (or groups of users) the ability to run some (or all) commands
@ -85,6 +89,9 @@ plugins that use %{name}.
 %patch8 -p1 -b .target-shell
 %patch9 -p1 -b .CVE-2019-18634
 %patch10 -p1 -b .expired1
 %patch11 -p1 -b .expired2
 %build
 # Remove bundled copy of zlib
 rm -rf zlib/
@ -243,6 +250,11 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man8/sudo_plugin.8*
 %changelog
 * Tue Apr 28 2020 Radovan Sroka <rsroka@redhat.com> - 1.8.29-6
 - RHEL 8.3 ERRATUM
 - sudo allows privilege escalation with expire password
 Resolves: rhbz#1815164
 * Wed Feb 05 2020 Radovan Sroka <rsroka@redhat.com> - 1.8.29-5
 - RHEL 8.2 ERRATUM
 - CVE-2019-18634