import sudo-1.9.5p2-7.el9_1.1

This commit is contained in:
CentOS Sources 2023-01-23 03:23:22 -05:00 committed by Stepan Oksanichenko
parent 2c9dcd5f01
commit 89851ca7bd
2 changed files with 134 additions and 1 deletions


@ -0,0 +1,121 @@
diff -up ./plugins/sudoers/editor.c.cve ./plugins/sudoers/editor.c
--- ./plugins/sudoers/editor.c.cve 2021-01-09 21:12:16.000000000 +0100
+++ ./plugins/sudoers/editor.c 2023-01-17 13:57:05.598949058 +0100
@@ -126,7 +126,7 @@ resolve_editor(const char *ed, size_t ed
const char *tmp, *cp, *ep = NULL;
const char *edend = ed + edlen;
struct stat user_editor_sb;
- int nargc;
+ int nargc = 0;
debug_decl(resolve_editor, SUDOERS_DEBUG_UTIL);
/*
@@ -144,9 +144,7 @@ resolve_editor(const char *ed, size_t ed
/* If we can't find the editor in the user's PATH, give up. */
if (find_path(editor, &editor_path, &user_editor_sb, getenv("PATH"), NULL,
0, allowlist) != FOUND) {
- free(editor);
- errno = ENOENT;
- debug_return_str(NULL);
+ goto bad;
}
/* Count rest of arguments and allocate editor argv. */
@@ -166,6 +164,18 @@ resolve_editor(const char *ed, size_t ed
nargv[nargc] = copy_arg(cp, ep - cp);
if (nargv[nargc] == NULL)
goto oom;
+
+ /*
+ * We use "--" to separate the editor and arguments from the files
+ * to edit. The editor arguments themselves may not contain "--".
+ */
+ if (strcmp(nargv[nargc], "--") == 0) {
+ sudo_warnx(U_("ignoring editor: %.*s"), (int)edlen, ed);
+ sudo_warnx("%s", U_("editor arguments may not contain \"--\""));
+ errno = EINVAL;
+ goto bad;
+ }
+
}
if (nfiles != 0) {
nargv[nargc++] = "--";
@@ -179,6 +189,7 @@ resolve_editor(const char *ed, size_t ed
debug_return_str(editor_path);
oom:
sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+bad:
free(editor);
free(editor_path);
if (nargv != NULL) {
diff -up ./plugins/sudoers/sudoers.c.cve ./plugins/sudoers/sudoers.c
--- ./plugins/sudoers/sudoers.c.cve 2023-01-17 13:50:33.718255775 +0100
+++ ./plugins/sudoers/sudoers.c 2023-01-17 14:00:53.049710094 +0100
@@ -724,21 +724,34 @@ sudoers_policy_main(int argc, char * con
/* Note: must call audit before uid change. */
if (ISSET(sudo_mode, MODE_EDIT)) {
+ const char *env_editor = NULL;
char **edit_argv;
int edit_argc;
- const char *env_editor;
+
free(safe_cmnd);
safe_cmnd = find_editor(NewArgc - 1, NewArgv + 1, &edit_argc,
&edit_argv, NULL, &env_editor, false);
if (safe_cmnd == NULL) {
- if (errno != ENOENT)
- goto done;
- audit_failure(NewArgv, N_("%s: command not found"),
- env_editor ? env_editor : def_editor);
- sudo_warnx(U_("%s: command not found"),
- env_editor ? env_editor : def_editor);
- goto bad;
+
+ switch (errno) {
+ case ENOENT:
+ audit_failure(NewArgv, N_("%s: command not found"),
+ env_editor ? env_editor : def_editor);
+ sudo_warnx(U_("%s: command not found"),
+ env_editor ? env_editor : def_editor);
+ goto bad;
+ case EINVAL:
+ if (def_env_editor && env_editor != NULL) {
+ /* User tried to do something funny with the editor. */
+ log_warningx(SLOG_NO_STDERR|SLOG_AUDIT|SLOG_SEND_MAIL,
+ "invalid user-specified editor: %s", env_editor);
+ goto bad;
+ }
+ FALLTHROUGH;
+ default:
+ goto done;
+ }
}
sudoers_gc_add(GC_VECTOR, edit_argv);
NewArgv = edit_argv;
diff -up ./plugins/sudoers/visudo.c.cve ./plugins/sudoers/visudo.c
--- ./plugins/sudoers/visudo.c.cve 2021-01-09 21:12:16.000000000 +0100
+++ ./plugins/sudoers/visudo.c 2023-01-17 14:02:01.393135129 +0100
@@ -303,7 +303,7 @@ static char *
get_editor(int *editor_argc, char ***editor_argv)
{
char *editor_path = NULL, **allowlist = NULL;
- const char *env_editor;
+ const char *env_editor = NULL;
static char *files[] = { "+1", "sudoers" };
unsigned int allowlist_len = 0;
debug_decl(get_editor, SUDOERS_DEBUG_UTIL);
@@ -337,7 +337,11 @@ get_editor(int *editor_argc, char ***edi
if (editor_path == NULL) {
if (def_env_editor && env_editor != NULL) {
/* We are honoring $EDITOR so this is a fatal error. */
- sudo_fatalx(U_("specified editor (%s) doesn't exist"), env_editor);
+ if (errno == ENOENT) {
+ sudo_warnx(U_("specified editor (%s) doesn't exist"),
+ env_editor);
+ }
+ exit(EXIT_FAILURE);
}
sudo_fatalx(U_("no editor found (editor path = %s)"), def_editor);
}
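Review bot: In the editor.c hunk, the string copied into `nargv[nargc]` by copy_arg() is neither freed nor accounted for before the new `goto bad` in the `"--"` check: nargc is not incremented for that slot, so the cleanup under `if (nargv != NULL)` at the `bad:` label, whose body lies outside the hunk, can only release it if that loop walks past `nargc` entries; if it frees exactly `nargc` entries, the rejected `"--"` argument leaks on every EINVAL exit. The safe form is to release the slot explicitly before jumping, `free(nargv[nargc]); nargv[nargc] = NULL; goto bad;`, which is also what the upstream fix does. The same cleanup is reached from the find_path() failure via the new `goto bad`, where `nargc` is still 0 thanks to the added initialiser, so that path is fine. resolve_editor() starts and ends outside the hunk.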


@ -1,7 +1,7 @@
Summary: Allows restricted root access for specified users Summary: Allows restricted root access for specified users
Name: sudo Name: sudo
Version: 1.9.5p2 Version: 1.9.5p2
Release: 7%{?dist} Release: 7%{?dist}.1
License: ISC License: ISC
URL: https://www.sudo.ws URL: https://www.sudo.ws
@ -25,6 +25,7 @@ BuildRequires: sendmail
BuildRequires: gettext BuildRequires: gettext
BuildRequires: zlib-devel BuildRequires: zlib-devel
Patch1: sudo-conf.patch Patch1: sudo-conf.patch
Patch2: sudo-1.9.5-undefined-symbol.patch Patch2: sudo-1.9.5-undefined-symbol.patch
Patch3: sudo-1.9.5-selinux-t.patch Patch3: sudo-1.9.5-selinux-t.patch
@ -32,6 +33,10 @@ Patch4: sudo-1.9.5-sesh-bad-condition.patch
Patch5: sudo-1.9.5-utmp-leak.patch Patch5: sudo-1.9.5-utmp-leak.patch
Patch6: covscan.patch Patch6: covscan.patch
# 2161224 - EMBARGOED CVE-2023-22809 sudo: arbitrary file write with privileges of the RunAs user [rhel-9.1.0]
Patch7: sudo-1.9.12-CVE-2023-22809.patch
%description %description
Sudo (superuser do) allows a system administrator to give certain Sudo (superuser do) allows a system administrator to give certain
users (or groups of users) the ability to run some (or all) commands users (or groups of users) the ability to run some (or all) commands
@ -70,6 +75,8 @@ BuildRequires: python3-devel
%patch5 -p1 -b .utmp-leak %patch5 -p1 -b .utmp-leak
%patch6 -p1 -b .covscan %patch6 -p1 -b .covscan
%patch7 -p1 -b .cve
%build %build
# Remove bundled copy of zlib # Remove bundled copy of zlib
rm -rf zlib/ rm -rf zlib/
@ -243,6 +250,11 @@ EOF
%attr(0644,root,root) %{_libexecdir}/sudo/python_plugin.so %attr(0644,root,root) %{_libexecdir}/sudo/python_plugin.so
%changelog %changelog
* Tue Jan 17 2023 Radovan Sroka <rsroka@redhat.com> - 1.9.5p2-7.1
RHEL 9.1.0.Z ERRATUM
- CVE-2023-22809 sudo: arbitrary file write with privileges of the RunAs user
Resolves: rhbz#2161224
* Fri Aug 20 2021 Radovan Sroka <rsroka@redhat.com> - 1.9.5p2-7 * Fri Aug 20 2021 Radovan Sroka <rsroka@redhat.com> - 1.9.5p2-7
- utmp resource leak in sudo - utmp resource leak in sudo
Resolves: rhbz#1986579 Resolves: rhbz#1986579