From f89d04e69e15dbb54c8999e14fef9a5d24091d88 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alejandro=20L=C3=B3pez?=
Date: Wed, 16 Jul 2025 11:29:12 +0200
Subject: [PATCH] RHEL 8.10.0.Z ERRATUM - Reintroduce cmnd_no_wait

Resolves: RHEL-51956
---
 sudo-reintroduce-cmnd_no_wait.patch | 78 +++++++++++++++++++++++++++++
 sudo.spec | 10 +++-
 2 files changed, 87 insertions(+), 1 deletion(-)
 create mode 100644 sudo-reintroduce-cmnd_no_wait.patch

diff --git a/sudo-reintroduce-cmnd_no_wait.patch b/sudo-reintroduce-cmnd_no_wait.patch
new file mode 100644
index 0000000..135b452
--- /dev/null
+++ b/sudo-reintroduce-cmnd_no_wait.patch
@@ -0,0 +1,78 @@
+From 59cd3a7330a402b289641f7d605ce3ae6671a64f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Alejandro=20L=C3=B3pez?=
+Date: Wed, 16 Jul 2025 17:02:45 +0200
+Subject: [PATCH] Reintroduce cmnd_no_wait
+
+---
+ plugins/sudoers/def_data.c | 4 ++++
+ plugins/sudoers/def_data.h | 2 ++
+ plugins/sudoers/def_data.in | 3 +++
+ plugins/sudoers/sudoers.c | 13 +++++++++++++
+ 4 files changed, 22 insertions(+)
+
+diff --git a/plugins/sudoers/def_data.c b/plugins/sudoers/def_data.c
+index 56cd224..19188a6 100644
+--- a/plugins/sudoers/def_data.c
++++ b/plugins/sudoers/def_data.c
+@@ -573,6 +573,10 @@ struct sudo_defs_types sudo_defs_table[] = {
+ "selinux", T_FLAG,
+ N_("Enable SELinux RBAC support"),
+ NULL,
++ }, {
++ "cmnd_no_wait", T_FLAG,
++ N_("Don't fork and wait for the command to finish, just exec it"),
++ NULL,
+ }, {
+ NULL, 0, NULL
+ }
+diff --git a/plugins/sudoers/def_data.h b/plugins/sudoers/def_data.h
+index 5c712b8..86b0886 100644
+--- a/plugins/sudoers/def_data.h
++++ b/plugins/sudoers/def_data.h
+@@ -264,6 +264,8 @@
+ #define def_log_format (sudo_defs_table[I_LOG_FORMAT].sd_un.tuple)
+ #define I_SELINUX 131
+ #define def_selinux (sudo_defs_table[I_SELINUX].sd_un.flag)
++#define I_CMND_NO_WAIT 132
++#define def_cmnd_no_wait (sudo_defs_table[I_CMND_NO_WAIT].sd_un.flag)
+ 
+ enum def_tuple {
+ never,
+diff --git a/plugins/sudoers/def_data.in b/plugins/sudoers/def_data.in
+index e8162e8..b0027c4 100644
+--- a/plugins/sudoers/def_data.in
++++ b/plugins/sudoers/def_data.in
+@@ -412,3 +412,6 @@ log_format
+ selinux
+ T_FLAG
+ "Enable SELinux RBAC support"
++cmnd_no_wait
++ T_FLAG
++ "Don't fork and wait for the command to finish, just exec it"
+diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c
+index 80a7089..4a972df 100644
+--- a/plugins/sudoers/sudoers.c
++++ b/plugins/sudoers/sudoers.c
+@@ -221,6 +221,19 @@ sudoers_init(void *info, char * const envp[])
+ if (set_loginclass(runas_pw ? runas_pw : sudo_user.pw))
+ ret = true;
+ 
++ /*
++ * Emulate cmnd_no_wait option by disabling PAM session, PTY allocation
++ * and I/O logging. This will cause sudo to execute the given command
++ * directly instead of forking a separate process for it.
++ */
++ if (def_cmnd_no_wait) {
++ def_pam_setcred = false;
++ def_pam_session = false;
++ def_use_pty = false;
++ def_log_input = false;
++ def_log_output = false;
++ }
++ 
+ cleanup:
+ if (!restore_perms())
+ ret = -1;
+-- 
+2.50.1
+
diff --git a/sudo.spec b/sudo.spec
index 6ebea47..46261dc 100644
--- a/sudo.spec
+++ b/sudo.spec
@@ -1,7 +1,7 @@
 Summary: Allows restricted root access for specified users
 Name: sudo
 Version: 1.9.5p2
-Release: 1%{?dist}.1
+Release: 1%{?dist}.2
 License: ISC
 Group: Applications/System
 URL: https://www.sudo.ws/
@@ -54,6 +54,8 @@ Patch18: linker.patch
 Patch19: sudo-1.9.15-CVE-2023-42465.patch
 Patch20: sudo-1.9.17-CVE-2025-32462.patch
+Patch21: sudo-reintroduce-cmnd_no_wait.patch
+
 
 %description
 Sudo (superuser do) allows a system administrator to give certain
 users (or groups of users) the ability to run some (or all) commands
@@ -98,6 +100,7 @@ plugins that use %{name}.
 %patch -P 18 -p1 -b .linker
 %patch -P 19 -p1 -b .rowhammer
 %patch -P 20 -p1 -b .cve-host
+%patch -P 21 -p1 -b .cmnd_no_wait
 
 %build
 # Remove bundled copy of zlib
@@ -273,6 +276,11 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man8/sudo_plugin.8*
 
 %changelog
+* Wed Jul 16 2025 Alejandro López - 1.9.5p2-10.2
+RHEL 8.10.0.Z ERRATUM
+- Reintroduce cmnd_no_wait
+Resolves: RHEL-51956
+
 * Wed Jun 25 2025 Radovan Sroka - 1.9.5p2-10.1
 RHEL 8.10.0.Z ERRATUM
 - CVE-2025-32462 sudo: LPE via host option
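Review bot: In the sudoers.c hunk of the new patch file, the `if (def_cmnd_no_wait)` block clears `def_log_input`, `def_log_output`, `def_pam_session`, `def_pam_setcred` and `def_use_pty` unconditionally and silently, so a sudoers file that also enables I/O logging produces no logs and gives the administrator no indication why; `sudoers_init` begins and ends outside the hunk. I would at least emit a warning through the logging helper sudoers.c already uses when one of those flags was explicitly on before being cleared, so the loss of the audit trail is visible in the logs rather than discovered later. The option is described only by the def_data.in string and no manual page is touched, so its side effects are undocumented; a minimal fix is `"Don't fork and wait for the command to finish, just exec it (disables use_pty, I/O logging and PAM session)"` in def_data.in/def_data.c plus a matching sudoers(5) entry. Two things the patch does not show and that should be confirmed: whether Defaults bound to a command or runas user are applied after `sudoers_init` (in which case a `Defaults!` or `Defaults>` cmnd_no_wait would be set too late for this block to see it), and whether the front end actually takes its direct-exec path once these flags are cleared, since the comment asserts that but nothing here changes the fork decision.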