diff --git a/sudo-1.9.17-CVE-2026-35535.patch b/sudo-1.9.17-CVE-2026-35535.patch new file mode 100644 index 0000000..38e0d64 --- /dev/null +++ b/sudo-1.9.17-CVE-2026-35535.patch @@ -0,0 +1,141 @@ +From 3e474c2f201484be83d994ae10a4e20e8c81bb69 Mon Sep 17 00:00:00 2001 +From: "Todd C. Miller" +Date: Sat, 8 Nov 2025 15:34:02 -0700 +Subject: [PATCH] exec_mailer: Set group as well as uid when running the mailer + +Also make a setuid(), setgid() or setgroups() failure fatal. + +Found by the ZeroPath AI Security Engineer + +Backported to RHEL 8.10 by Alejandro López with some +help of Claude Code. +--- + +diff --git a/include/sudo_eventlog.h b/include/sudo_eventlog.h +index 07ef9dc..cdf27f0 100644 +--- a/include/sudo_eventlog.h ++++ b/include/sudo_eventlog.h +@@ -78,6 +78,7 @@ struct eventlog_config { + int syslog_maxlen; + int file_maxlen; + uid_t mailuid; ++ gid_t mailgid; + bool omit_hostname; + const char *logpath; + const char *time_fmt; +@@ -136,7 +137,7 @@ void eventlog_set_syslog_rejectpri(int pri); + void eventlog_set_syslog_alertpri(int pri); + void eventlog_set_syslog_maxlen(int len); + void eventlog_set_file_maxlen(int len); +-void eventlog_set_mailuid(uid_t uid); ++void eventlog_set_mailuser(uid_t uid, gid_t gid); + void eventlog_set_omit_hostname(bool omit_hostname); + void eventlog_set_logpath(const char *path); + void eventlog_set_time_fmt(const char *fmt); +diff --git a/lib/eventlog/eventlog.c b/lib/eventlog/eventlog.c +index ca8ca96..1ae1176 100644 +--- a/lib/eventlog/eventlog.c ++++ b/lib/eventlog/eventlog.c +@@ -280,15 +280,13 @@ exec_mailer(int pipein) + syslog(LOG_ERR, _("unable to dup stdin: %m")); // -V618 + sudo_debug_printf(SUDO_DEBUG_ERROR, + "unable to dup stdin: %s", strerror(errno)); +- sudo_debug_exit(__func__, __FILE__, __LINE__, sudo_debug_subsys); +- _exit(127); ++ goto bad; + } + + /* Build up an argv based on the mailer path and flags */ + if ((mflags = strdup(evl_conf->mailerflags)) == NULL) { + syslog(LOG_ERR, _("unable to allocate memory")); // -V618 +- sudo_debug_exit(__func__, __FILE__, __LINE__, sudo_debug_subsys); +- _exit(127); ++ goto bad; + } + if ((argv[0] = strrchr(mpath, '/'))) + argv[0]++; +@@ -310,11 +308,23 @@ exec_mailer(int pipein) + if (setuid(ROOT_UID) != 0) { + sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to change uid to %u", + ROOT_UID); ++ goto bad; ++ } ++ if (setgid(evl_conf->mailgid) != 0) { ++ sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to change gid to %u", ++ (unsigned int)evl_conf->mailgid); ++ goto bad; ++ } ++ if (setgroups(1, &evl_conf->mailgid) != 0) { ++ sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to set groups to %u", ++ (unsigned int)evl_conf->mailgid); ++ goto bad; + } + if (evl_conf->mailuid != ROOT_UID) { + if (setuid(evl_conf->mailuid) != 0) { + sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to change uid to %u", + (unsigned int)evl_conf->mailuid); ++ goto bad; + } + } + sudo_debug_exit(__func__, __FILE__, __LINE__, sudo_debug_subsys); +@@ -326,6 +336,9 @@ exec_mailer(int pipein) + sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to execute %s: %s", + mpath, strerror(errno)); + _exit(127); ++bad: ++ sudo_debug_exit(__func__, __FILE__, __LINE__, sudo_debug_subsys); ++ _exit(127); + } + + /* Send a message to the mailto user */ +diff --git a/lib/eventlog/eventlog_conf.c b/lib/eventlog/eventlog_conf.c +index 8ad0385..1c1d0a6 100644 +--- a/lib/eventlog/eventlog_conf.c ++++ b/lib/eventlog/eventlog_conf.c +@@ -70,6 +70,7 @@ static struct eventlog_config evl_conf = { + MAXSYSLOGLEN, /* syslog_maxlen */ + 0, /* file_maxlen */ + ROOT_UID, /* mailuid */ ++ ROOT_GID, /* mailgid */ + false, /* omit_hostname */ + _PATH_SUDO_LOGFILE, /* logpath */ + "%h %e %T", /* time_fmt */ +@@ -151,9 +152,10 @@ eventlog_set_file_maxlen(int len) + } + + void +-eventlog_set_mailuid(uid_t uid) ++eventlog_set_mailuser(uid_t uid, gid_t gid) + { + evl_conf.mailuid = uid; ++ evl_conf.mailgid = gid; + } + + void +diff --git a/plugins/sudoers/logging.c b/plugins/sudoers/logging.c +index 776f881..6046783 100644 +--- a/plugins/sudoers/logging.c ++++ b/plugins/sudoers/logging.c +@@ -788,8 +788,10 @@ init_eventlog_config(void) + int logtype = 0; + #ifdef NO_ROOT_MAILER + uid_t mailuid = user_uid; ++ gid_t mailgid = user_gid; + #else + uid_t mailuid = ROOT_UID; ++ gid_t mailgid = ROOT_GID; + #endif + debug_decl(init_eventlog_config, SUDOERS_DEBUG_LOGGING); + +@@ -805,7 +807,7 @@ init_eventlog_config(void) + eventlog_set_syslog_alertpri(def_syslog_badpri); + eventlog_set_syslog_maxlen(def_syslog_maxlen); + eventlog_set_file_maxlen(def_loglinelen); +- eventlog_set_mailuid(mailuid); ++ eventlog_set_mailuser(mailuid, mailgid); + eventlog_set_omit_hostname(!def_log_host); + eventlog_set_logpath(def_logfile); + eventlog_set_time_fmt(def_log_year ? "%h %e %T %Y" : "%h %e %T"); +-- +2.53.0 + diff --git a/sudo.spec b/sudo.spec index edc33c1..6178eae 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,7 +1,7 @@ Summary: Allows restricted root access for specified users Name: sudo Version: 1.9.5p2 -Release: 1%{?dist}.3 +Release: 1%{?dist}.4 License: ISC Group: Applications/System URL: https://www.sudo.ws/ @@ -59,6 +59,8 @@ Patch22: sudo-separator.patch Patch23: rebuild_env-Avoid-setting-SHELL-twice-for-sudo-i.patch +Patch24: sudo-1.9.17-CVE-2026-35535.patch + %description Sudo (superuser do) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands @@ -106,6 +108,7 @@ plugins that use %{name}. %patch -P 21 -p1 -b .cmnd_no_wait %patch -P 22 -p1 -b .separator %patch -P 23 -p1 -b .double-shell +%patch -P 24 -p1 -b .cve-2026-35535 %build # Remove bundled copy of zlib @@ -281,6 +284,11 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/sudo_plugin.8* %changelog +* Thu Apr 16 2026 Alejandro López - 1.9.5p2-1.4 +RHEL 8.10.0.Z ERRATUM +- CVE-2026-35535 - Privilege escalation due to failure in privilege drop calls +Resolves: RHEL-166060 + * Mon Nov 17 2025 Alejandro López - 1.9.5p2-1.3 RHEL 8.10.0.Z ERRATUM - sudo passes SHELL environment variable twice to the shell being executed [rhel-8]