f8883a97a0
- Rebase to 1.9.5p2 - CVE-2023-28486 sudo: Sudo does not escape control characters in log messages Resolves: RHEL-21825 - CVE-2023-28487 sudo: Sudo does not escape control characters in sudoreplay output Resolves: RHEL-21831 - CVE-2023-42465 sudo: Targeted Corruption of Register and Stack Variables Resolves: RHEL-21820 Signed-off-by: Radovan Sroka <rsroka@redhat.com>
122 lines
4.1 KiB
Diff
122 lines
4.1 KiB
Diff
diff -up ./plugins/sudoers/editor.c.cve ./plugins/sudoers/editor.c
|
|
--- ./plugins/sudoers/editor.c.cve 2021-01-09 21:12:16.000000000 +0100
|
|
+++ ./plugins/sudoers/editor.c 2023-01-17 13:57:05.598949058 +0100
|
|
@@ -126,7 +126,7 @@ resolve_editor(const char *ed, size_t ed
|
|
const char *tmp, *cp, *ep = NULL;
|
|
const char *edend = ed + edlen;
|
|
struct stat user_editor_sb;
|
|
- int nargc;
|
|
+ int nargc = 0;
|
|
debug_decl(resolve_editor, SUDOERS_DEBUG_UTIL);
|
|
|
|
/*
|
|
@@ -144,9 +144,7 @@ resolve_editor(const char *ed, size_t ed
|
|
/* If we can't find the editor in the user's PATH, give up. */
|
|
if (find_path(editor, &editor_path, &user_editor_sb, getenv("PATH"), NULL,
|
|
0, allowlist) != FOUND) {
|
|
- free(editor);
|
|
- errno = ENOENT;
|
|
- debug_return_str(NULL);
|
|
+ goto bad;
|
|
}
|
|
|
|
/* Count rest of arguments and allocate editor argv. */
|
|
@@ -166,6 +164,18 @@ resolve_editor(const char *ed, size_t ed
|
|
nargv[nargc] = copy_arg(cp, ep - cp);
|
|
if (nargv[nargc] == NULL)
|
|
goto oom;
|
|
+
|
|
+ /*
|
|
+ * We use "--" to separate the editor and arguments from the files
|
|
+ * to edit. The editor arguments themselves may not contain "--".
|
|
+ */
|
|
+ if (strcmp(nargv[nargc], "--") == 0) {
|
|
+ sudo_warnx(U_("ignoring editor: %.*s"), (int)edlen, ed);
|
|
+ sudo_warnx("%s", U_("editor arguments may not contain \"--\""));
|
|
+ errno = EINVAL;
|
|
+ goto bad;
|
|
+ }
|
|
+
|
|
}
|
|
if (nfiles != 0) {
|
|
nargv[nargc++] = "--";
|
|
@@ -179,6 +189,7 @@ resolve_editor(const char *ed, size_t ed
|
|
debug_return_str(editor_path);
|
|
oom:
|
|
sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
|
|
+bad:
|
|
free(editor);
|
|
free(editor_path);
|
|
if (nargv != NULL) {
|
|
diff -up ./plugins/sudoers/sudoers.c.cve ./plugins/sudoers/sudoers.c
|
|
--- ./plugins/sudoers/sudoers.c.cve 2023-01-17 13:50:33.718255775 +0100
|
|
+++ ./plugins/sudoers/sudoers.c 2023-01-17 14:00:53.049710094 +0100
|
|
@@ -724,21 +724,34 @@ sudoers_policy_main(int argc, char * con
|
|
|
|
/* Note: must call audit before uid change. */
|
|
if (ISSET(sudo_mode, MODE_EDIT)) {
|
|
+ const char *env_editor = NULL;
|
|
char **edit_argv;
|
|
int edit_argc;
|
|
- const char *env_editor;
|
|
+
|
|
|
|
free(safe_cmnd);
|
|
safe_cmnd = find_editor(NewArgc - 1, NewArgv + 1, &edit_argc,
|
|
&edit_argv, NULL, &env_editor, false);
|
|
if (safe_cmnd == NULL) {
|
|
- if (errno != ENOENT)
|
|
- goto done;
|
|
- audit_failure(NewArgv, N_("%s: command not found"),
|
|
- env_editor ? env_editor : def_editor);
|
|
- sudo_warnx(U_("%s: command not found"),
|
|
- env_editor ? env_editor : def_editor);
|
|
- goto bad;
|
|
+
|
|
+ switch (errno) {
|
|
+ case ENOENT:
|
|
+ audit_failure(NewArgv, N_("%s: command not found"),
|
|
+ env_editor ? env_editor : def_editor);
|
|
+ sudo_warnx(U_("%s: command not found"),
|
|
+ env_editor ? env_editor : def_editor);
|
|
+ goto bad;
|
|
+ case EINVAL:
|
|
+ if (def_env_editor && env_editor != NULL) {
|
|
+ /* User tried to do something funny with the editor. */
|
|
+ log_warningx(SLOG_NO_STDERR|SLOG_AUDIT|SLOG_SEND_MAIL,
|
|
+ "invalid user-specified editor: %s", env_editor);
|
|
+ goto bad;
|
|
+ }
|
|
+ FALLTHROUGH;
|
|
+ default:
|
|
+ goto done;
|
|
+ }
|
|
}
|
|
sudoers_gc_add(GC_VECTOR, edit_argv);
|
|
NewArgv = edit_argv;
|
|
diff -up ./plugins/sudoers/visudo.c.cve ./plugins/sudoers/visudo.c
|
|
--- ./plugins/sudoers/visudo.c.cve 2021-01-09 21:12:16.000000000 +0100
|
|
+++ ./plugins/sudoers/visudo.c 2023-01-17 14:02:01.393135129 +0100
|
|
@@ -303,7 +303,7 @@ static char *
|
|
get_editor(int *editor_argc, char ***editor_argv)
|
|
{
|
|
char *editor_path = NULL, **allowlist = NULL;
|
|
- const char *env_editor;
|
|
+ const char *env_editor = NULL;
|
|
static char *files[] = { "+1", "sudoers" };
|
|
unsigned int allowlist_len = 0;
|
|
debug_decl(get_editor, SUDOERS_DEBUG_UTIL);
|
|
@@ -337,7 +337,11 @@ get_editor(int *editor_argc, char ***edi
|
|
if (editor_path == NULL) {
|
|
if (def_env_editor && env_editor != NULL) {
|
|
/* We are honoring $EDITOR so this is a fatal error. */
|
|
- sudo_fatalx(U_("specified editor (%s) doesn't exist"), env_editor);
|
|
+ if (errno == ENOENT) {
|
|
+ sudo_warnx(U_("specified editor (%s) doesn't exist"),
|
|
+ env_editor);
|
|
+ }
|
|
+ exit(EXIT_FAILURE);
|
|
}
|
|
sudo_fatalx(U_("no editor found (editor path = %s)"), def_editor);
|
|
}
|