rpms/sudo
7
0
Fork 0
Code Issues Pull Requests Releases Activity

RHEL 8.10.0.Z ERRATUM

Browse Source 
- CVE-2026-35535 - Privilege escalation due to failure in privilege drop calls
Resolves: RHEL-166060
This commit is contained in:
Alejandro López 2026-04-21 12:22:00 +02:00
parent eb31d4d8a0
commit 8a9e65f3e5
2 changed files with 150 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

141
sudo-1.9.17-CVE-2026-35535.patch Normal file
View File

@ -0,0 +1,141 @@
From 3e474c2f201484be83d994ae10a4e20e8c81bb69 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller" <Todd.Miller@sudo.ws>
Date: Sat, 8 Nov 2025 15:34:02 -0700
Subject: [PATCH] exec_mailer: Set group as well as uid when running the mailer
Also make a setuid(), setgid() or setgroups() failure fatal.
Found by the ZeroPath AI Security Engineer <https://zeropath.com>
Backported to RHEL 8.10 by Alejandro López <allopez@redhat.com> with some
help of Claude Code.
---
diff --git a/include/sudo_eventlog.h b/include/sudo_eventlog.h
index 07ef9dc..cdf27f0 100644
--- a/include/sudo_eventlog.h
+++ b/include/sudo_eventlog.h
@@ -78,6 +78,7 @@ struct eventlog_config {
int syslog_maxlen;
int file_maxlen;
uid_t mailuid;
+ gid_t mailgid;
bool omit_hostname;
const char *logpath;
const char *time_fmt;
@@ -136,7 +137,7 @@ void eventlog_set_syslog_rejectpri(int pri);
void eventlog_set_syslog_alertpri(int pri);
void eventlog_set_syslog_maxlen(int len);
void eventlog_set_file_maxlen(int len);
-void eventlog_set_mailuid(uid_t uid);
+void eventlog_set_mailuser(uid_t uid, gid_t gid);
void eventlog_set_omit_hostname(bool omit_hostname);
void eventlog_set_logpath(const char *path);
void eventlog_set_time_fmt(const char *fmt);
diff --git a/lib/eventlog/eventlog.c b/lib/eventlog/eventlog.c
index ca8ca96..1ae1176 100644
--- a/lib/eventlog/eventlog.c
+++ b/lib/eventlog/eventlog.c
@@ -280,15 +280,13 @@ exec_mailer(int pipein)
syslog(LOG_ERR, _("unable to dup stdin: %m")); // -V618
sudo_debug_printf(SUDO_DEBUG_ERROR,
"unable to dup stdin: %s", strerror(errno));
- sudo_debug_exit(__func__, __FILE__, __LINE__, sudo_debug_subsys);
- _exit(127);
+ goto bad;
}
/* Build up an argv based on the mailer path and flags */
if ((mflags = strdup(evl_conf->mailerflags)) == NULL) {
syslog(LOG_ERR, _("unable to allocate memory")); // -V618
- sudo_debug_exit(__func__, __FILE__, __LINE__, sudo_debug_subsys);
- _exit(127);
+ goto bad;
}
if ((argv[0] = strrchr(mpath, '/')))
argv[0]++;
@@ -310,11 +308,23 @@ exec_mailer(int pipein)
if (setuid(ROOT_UID) != 0) {
sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to change uid to %u",
ROOT_UID);
+ goto bad;
+ }
+ if (setgid(evl_conf->mailgid) != 0) {
+ sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to change gid to %u",
+ (unsigned int)evl_conf->mailgid);
+ goto bad;
+ }
+ if (setgroups(1, &evl_conf->mailgid) != 0) {
+ sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to set groups to %u",
+ (unsigned int)evl_conf->mailgid);
+ goto bad;
}
if (evl_conf->mailuid != ROOT_UID) {
if (setuid(evl_conf->mailuid) != 0) {
sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to change uid to %u",
(unsigned int)evl_conf->mailuid);
+ goto bad;
}
}
sudo_debug_exit(__func__, __FILE__, __LINE__, sudo_debug_subsys);
@@ -326,6 +336,9 @@ exec_mailer(int pipein)
sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to execute %s: %s",
mpath, strerror(errno));
_exit(127);
+bad:
+ sudo_debug_exit(__func__, __FILE__, __LINE__, sudo_debug_subsys);
+ _exit(127);
}
/* Send a message to the mailto user */
diff --git a/lib/eventlog/eventlog_conf.c b/lib/eventlog/eventlog_conf.c
index 8ad0385..1c1d0a6 100644
--- a/lib/eventlog/eventlog_conf.c
+++ b/lib/eventlog/eventlog_conf.c
@@ -70,6 +70,7 @@ static struct eventlog_config evl_conf = {
MAXSYSLOGLEN, /* syslog_maxlen */
0, /* file_maxlen */
ROOT_UID, /* mailuid */
+ ROOT_GID, /* mailgid */
false, /* omit_hostname */
_PATH_SUDO_LOGFILE, /* logpath */
"%h %e %T", /* time_fmt */
@@ -151,9 +152,10 @@ eventlog_set_file_maxlen(int len)
}
void
-eventlog_set_mailuid(uid_t uid)
+eventlog_set_mailuser(uid_t uid, gid_t gid)
{
evl_conf.mailuid = uid;
+ evl_conf.mailgid = gid;
}
void
diff --git a/plugins/sudoers/logging.c b/plugins/sudoers/logging.c
index 776f881..6046783 100644
--- a/plugins/sudoers/logging.c
+++ b/plugins/sudoers/logging.c
@@ -788,8 +788,10 @@ init_eventlog_config(void)
int logtype = 0;
#ifdef NO_ROOT_MAILER
uid_t mailuid = user_uid;
+ gid_t mailgid = user_gid;
#else
uid_t mailuid = ROOT_UID;
+ gid_t mailgid = ROOT_GID;
#endif
debug_decl(init_eventlog_config, SUDOERS_DEBUG_LOGGING);
@@ -805,7 +807,7 @@ init_eventlog_config(void)
eventlog_set_syslog_alertpri(def_syslog_badpri);
eventlog_set_syslog_maxlen(def_syslog_maxlen);
eventlog_set_file_maxlen(def_loglinelen);
- eventlog_set_mailuid(mailuid);
+ eventlog_set_mailuser(mailuid, mailgid);
eventlog_set_omit_hostname(!def_log_host);
eventlog_set_logpath(def_logfile);
eventlog_set_time_fmt(def_log_year ? "%h %e %T %Y" : "%h %e %T");
--
2.53.0

10
sudo.spec
View File

@ -1,7 +1,7 @@
Summary: Allows restricted root access for specified users
Name: sudo
Version: 1.9.5p2
Release: 1%{?dist}.3
Release: 1%{?dist}.4
License: ISC
Group: Applications/System
URL: https://www.sudo.ws/
@ -59,6 +59,8 @@ Patch22: sudo-separator.patch
Patch23: rebuild_env-Avoid-setting-SHELL-twice-for-sudo-i.patch
Patch24: sudo-1.9.17-CVE-2026-35535.patch
%description
Sudo (superuser do) allows a system administrator to give certain
users (or groups of users) the ability to run some (or all) commands
@ -106,6 +108,7 @@ plugins that use %{name}.
%patch -P 21 -p1 -b .cmnd_no_wait
%patch -P 22 -p1 -b .separator
%patch -P 23 -p1 -b .double-shell
%patch -P 24 -p1 -b .cve-2026-35535
%build
# Remove bundled copy of zlib
@ -281,6 +284,11 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man8/sudo_plugin.8*
%changelog
* Thu Apr 16 2026 Alejandro López <allopez@redhat.com> - 1.9.5p2-1.4
RHEL 8.10.0.Z ERRATUM
- CVE-2026-35535 - Privilege escalation due to failure in privilege drop calls
Resolves: RHEL-166060
* Mon Nov 17 2025 Alejandro López <allopez@redhat.com> - 1.9.5p2-1.3
RHEL 8.10.0.Z ERRATUM
- sudo passes SHELL environment variable twice to the shell being executed [rhel-8]