rpms/sudo
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import UBI sudo-1.9.15-10.p5.el10_1

Browse Source
This commit is contained in:
AlmaLinux RelEng Bot 2026-04-27 11:42:04 -04:00
parent ed0c9ad054
commit b31d4ee84a
2 changed files with 149 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

142
cve-2026-35535.patch Normal file
View File

@ -0,0 +1,142 @@
From 3e474c2f201484be83d994ae10a4e20e8c81bb69 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller" <Todd.Miller@sudo.ws>
Date: Sat, 8 Nov 2025 15:34:02 -0700
Subject: [PATCH] exec_mailer: Set group as well as uid when running the mailer
Also make a setuid(), setgid() or setgroups() failure fatal.
Found by the ZeroPath AI Security Engineer <https://zeropath.com>
Backported to RHEL 10.1.z by Alejandro López <allopez@redhat.com>
---
diff --git a/include/sudo_eventlog.h b/include/sudo_eventlog.h
index eb9f4f4a8..485d2593e 100644
--- a/include/sudo_eventlog.h
+++ b/include/sudo_eventlog.h
@@ -79,6 +79,7 @@ struct eventlog_config {
int syslog_rejectpri;
int syslog_alertpri;
uid_t mailuid;
+ gid_t mailgid;
bool omit_hostname;
const char *logpath;
const char *time_fmt;
@@ -150,7 +151,7 @@ void eventlog_set_syslog_rejectpri(int pri);
void eventlog_set_syslog_alertpri(int pri);
void eventlog_set_syslog_maxlen(size_t len);
void eventlog_set_file_maxlen(size_t len);
-void eventlog_set_mailuid(uid_t uid);
+void eventlog_set_mailuser(uid_t uid, gid_t gid);
void eventlog_set_omit_hostname(bool omit_hostname);
void eventlog_set_logpath(const char *path);
void eventlog_set_time_fmt(const char *fmt);
diff --git a/lib/eventlog/eventlog.c b/lib/eventlog/eventlog.c
index f4a9f330d..2db2f251c 100644
--- a/lib/eventlog/eventlog.c
+++ b/lib/eventlog/eventlog.c
@@ -304,15 +304,13 @@ exec_mailer(int pipein)
syslog(LOG_ERR, _("unable to dup stdin: %m")); // -V618
sudo_debug_printf(SUDO_DEBUG_ERROR,
"unable to dup stdin: %s", strerror(errno));
- sudo_debug_exit(__func__, __FILE__, __LINE__, sudo_debug_subsys);
- _exit(127);
+ goto bad;
}
/* Build up an argv based on the mailer path and flags */
if ((mflags = strdup(evl_conf->mailerflags)) == NULL) {
syslog(LOG_ERR, _("unable to allocate memory")); // -V618
- sudo_debug_exit(__func__, __FILE__, __LINE__, sudo_debug_subsys);
- _exit(127);
+ goto bad;
}
argv[0] = sudo_basename(mpath);
@@ -331,11 +329,23 @@ exec_mailer(int pipein)
if (setuid(ROOT_UID) != 0) {
sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to change uid to %u",
ROOT_UID);
+ goto bad;
+ }
+ if (setgid(evl_conf->mailgid) != 0) {
+ sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to change gid to %u",
+ (unsigned int)evl_conf->mailgid);
+ goto bad;
+ }
+ if (setgroups(1, &evl_conf->mailgid) != 0) {
+ sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to set groups to %u",
+ (unsigned int)evl_conf->mailgid);
+ goto bad;
}
if (evl_conf->mailuid != ROOT_UID) {
if (setuid(evl_conf->mailuid) != 0) {
sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to change uid to %u",
(unsigned int)evl_conf->mailuid);
+ goto bad;
}
}
sudo_debug_exit(__func__, __FILE__, __LINE__, sudo_debug_subsys);
@@ -347,6 +357,9 @@ exec_mailer(int pipein)
sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to execute %s: %s",
mpath, strerror(errno));
_exit(127);
+bad:
+ sudo_debug_exit(__func__, __FILE__, __LINE__, sudo_debug_subsys);
+ _exit(127);
}
/* Send a message to the mailto user */
diff --git a/lib/eventlog/eventlog_conf.c b/lib/eventlog/eventlog_conf.c
index bbc3daaac..3d37b632c 100644
--- a/lib/eventlog/eventlog_conf.c
+++ b/lib/eventlog/eventlog_conf.c
@@ -70,6 +70,7 @@ static struct eventlog_config evl_conf = {
MAXSYSLOGLEN, /* syslog_maxlen */
0, /* file_maxlen */
ROOT_UID, /* mailuid */
+ ROOT_GID, /* mailgid */
false, /* omit_hostname */
_PATH_SUDO_LOGFILE, /* logpath */
"%h %e %T", /* time_fmt */
@@ -151,9 +152,10 @@ eventlog_set_file_maxlen(size_t len)
}
void
-eventlog_set_mailuid(uid_t uid)
+eventlog_set_mailuser(uid_t uid, gid_t gid)
{
evl_conf.mailuid = uid;
+ evl_conf.mailgid = gid;
}
void
diff --git a/plugins/sudoers/logging.c b/plugins/sudoers/logging.c
index ec092d14e..1626a28cb 100644
--- a/plugins/sudoers/logging.c
+++ b/plugins/sudoers/logging.c
@@ -1142,7 +1142,7 @@ init_eventlog_config(void)
eventlog_set_syslog_alertpri(def_syslog_badpri);
eventlog_set_syslog_maxlen(def_syslog_maxlen);
eventlog_set_file_maxlen(def_loglinelen);
- eventlog_set_mailuid(ROOT_UID);
+ eventlog_set_mailuser(ROOT_UID, ROOT_GID);
eventlog_set_omit_hostname(!def_log_host);
eventlog_set_logpath(def_logfile);
eventlog_set_time_fmt(def_log_year ? "%h %e %T %Y" : "%h %e %T");
diff --git a/plugins/sudoers/policy.c b/plugins/sudoers/policy.c
index af3210dda..706c492b7 100644
--- a/plugins/sudoers/policy.c
+++ b/plugins/sudoers/policy.c
@@ -628,7 +628,7 @@ sudoers_policy_deserialize_info(struct sudoers_context *ctx, void *v,
}
#ifdef NO_ROOT_MAILER
- eventlog_set_mailuid(ctx->user.uid);
+ eventlog_set_mailuser(ctx->user.uid, ctx->user.gid);
#endif
/* Dump settings and user info (XXX - plugin args) */
--
2.53.0

9
sudo.spec
View File

@ -1,8 +1,8 @@
## START: Set by rpmautospec
## (rpmautospec version 0.6.5)
## (rpmautospec version 0.8.3)
## RPMAUTOSPEC: autorelease, autochangelog
%define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
release_number = 9;
release_number = 10;
base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
print(release_number + base_release_number - 1);
}%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
@ -46,6 +46,7 @@ Patch1: coverity.patch
Patch2: sudo-conf.patch
Patch3: cve-2025-32462.patch
Patch4: cve-2025-32463.patch
Patch5: cve-2026-35535.patch
%description
Sudo (superuser do) allows a system administrator to give certain
@ -248,6 +249,10 @@ EOF
%changelog
## START: Generated by rpmautospec
* Wed Apr 08 2026 Alejandro López <allopez@redhat.com> - 1.9.15-10.p5
- Resolves: RHEL-164619 - CVE-2026-35535 sudo: Sudo: Privilege escalation
due to failure in privilege drop calls
* Tue Jul 08 2025 Alejandro López <allopez@redhat.com> - 1.9.15-9.p5
- RHEL 10.1 ERRATUM
- CVE-2025-32462 sudo: LPE via host option Resolves: RHEL-100009