From 40ee4d9fc5093390e610a8bc1c5a6d8235b8a346b74bbaca196f568863414be4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?V=C3=ADt=C4=9Bzslav=20=C4=8C=C3=AD=C5=BEek?=
Date: Thu, 1 Jun 2017 13:59:33 +0000
Subject: [PATCH] Accepting request 500303 from home:stroeder:branches:Base:System

update to 1.8.20p2

OBS-URL: https://build.opensuse.org/request/show/500303
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=120
---
sudo-1.8.19p2-CVE-2017-1000367.patch | 246 ---------------------
sudo-1.8.19p2-decrement_env_len.patch | 21 --
sudo-1.8.19p2-dont_overwrite_ret_val.patch | 57 -----
sudo-1.8.19p2.tar.gz | 3 -
sudo-1.8.19p2.tar.gz.sig | Bin 72 -> 0 bytes
sudo-1.8.20p2.tar.gz | 3 +
sudo-1.8.20p2.tar.gz.sig | Bin 0 -> 72 bytes
sudo.changes | 87 ++++++++
sudo.spec | 9 +-
9 files changed, 92 insertions(+), 334 deletions(-)
delete mode 100644 sudo-1.8.19p2-CVE-2017-1000367.patch
delete mode 100644 sudo-1.8.19p2-decrement_env_len.patch
delete mode 100644 sudo-1.8.19p2-dont_overwrite_ret_val.patch
delete mode 100644 sudo-1.8.19p2.tar.gz
delete mode 100644 sudo-1.8.19p2.tar.gz.sig
create mode 100644 sudo-1.8.20p2.tar.gz
create mode 100644 sudo-1.8.20p2.tar.gz.sig
diff --git a/sudo-1.8.19p2-CVE-2017-1000367.patch b/sudo-1.8.19p2-CVE-2017-1000367.patch
deleted file mode 100644
index 39e9d0a..0000000
--- a/sudo-1.8.19p2-CVE-2017-1000367.patch
+++ /dev/null
@@ -1,246 +0,0 @@
-Index: sudo-1.8.19p2/src/ttyname.c
-===================================================================
---- sudo-1.8.19p2.orig/src/ttyname.c
-+++ sudo-1.8.19p2/src/ttyname.c
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2012-2016 Todd C. Miller
-+ * Copyright (c) 2012-2017 Todd C. Miller
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
-@@ -145,20 +145,22 @@ sudo_ttyname_dev(dev_t tdev, char *name,
- }
- #elif defined(HAVE_STRUCT_PSINFO_PR_TTYDEV) || defined(HAVE_PSTAT_GETPROC) || defined(__linux__)
- /*
-- * Devices to search before doing a breadth-first scan.
-+ * Device nodes and directories to search before searching all of /dev
- */
- static char *search_devs[] = {
- "/dev/console",
-- "/dev/wscons",
-- "/dev/pts/",
-- "/dev/vt/",
-- "/dev/term/",
-- "/dev/zcons/",
-+ "/dev/pts/", /* POSIX pty */
-+ "/dev/vt/", /* Solaris virtual console */
-+ "/dev/term/", /* Solaris serial ports */
-+ "/dev/zcons/", /* Solaris zone console */
-+ "/dev/pty/", /* HP-UX old-style pty */
- NULL
- };
-
-+/*
-+ * Device nodes to ignore when searching all of /dev
-+ */
- static char *ignore_devs[] = {
-- "/dev/fd/",
- "/dev/stdin",
- "/dev/stdout",
- "/dev/stderr",
-@@ -166,16 +168,18 @@ static char *ignore_devs[] = {
- };
-
- /*
-- * Do a breadth-first scan of dir looking for the specified device.
-+ * Do a scan of a directory looking for the specified device.
-+ * Does not descend into subdirectories.
- * Returns name on success and NULL on failure, setting errno.
- */
- static char *
--sudo_ttyname_scan(const char *dir, dev_t rdev, bool builtin, char *name, size_t namelen)
-+sudo_ttyname_scan(const char *dir, dev_t rdev, char *name, size_t namelen)
- {
-- size_t sdlen, num_subdirs = 0, max_subdirs = 0;
-- char pathbuf[PATH_MAX], **subdirs = NULL;
-+ size_t sdlen;
-+ char pathbuf[PATH_MAX];
- char *ret = NULL;
- struct dirent *dp;
-+ struct stat sb;
- unsigned int i;
- DIR *d = NULL;
- debug_decl(sudo_ttyname_scan, SUDO_DEBUG_UTIL)
-@@ -183,6 +187,18 @@ sudo_ttyname_scan(const char *dir, dev_t
- if (dir[0] == '\0' || (d = opendir(dir)) == NULL)
- goto done;
-
-+ if (fstat(dirfd(d), &sb) == -1) {
-+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
-+ "unable to fstat %s", dir);
-+ goto done;
-+ }
-+ if ((sb.st_mode & S_IWOTH) != 0) {
-+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
-+ "ignoring world-writable directory %s", dir);
-+ errno = ENOENT;
-+ goto done;
-+ }
-+
- sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
- "scanning for dev %u in %s", (unsigned int)rdev, dir);
-
-@@ -220,18 +236,6 @@ sudo_ttyname_scan(const char *dir, dev_t
- }
- if (ignore_devs[i] != NULL)
- continue;
-- if (!builtin) {
-- /* Skip entries in search_devs; we already checked them. */
-- for (i = 0; search_devs[i] != NULL; i++) {
-- len = strlen(search_devs[i]);
-- if (search_devs[i][len - 1] == '/')
-- len--;
-- if (d_len == len && strncmp(pathbuf, search_devs[i], len) == 0)
-- break;
-- }
-- if (search_devs[i] != NULL)
-- continue;
-- }
- # if defined(HAVE_STRUCT_DIRENT_D_TYPE) && defined(DTTOIF)
- /*
- * Avoid excessive stat() calls by checking dp->d_type.
-@@ -244,39 +248,14 @@ sudo_ttyname_scan(const char *dir, dev_t
- if (stat(pathbuf, &sb) == -1)
- continue;
- break;
-- case DT_DIR:
-- /* Directory, no need to stat() it. */
-- sb.st_mode = DTTOIF(dp->d_type);
-- sb.st_rdev = 0; /* quiet ccc-analyzer false positive */
-- break;
- default:
-- /* Not a character device, link or directory, skip it. */
-+ /* Not a character device or link, skip it. */
- continue;
- }
- # else
- if (stat(pathbuf, &sb) == -1)
- continue;
- # endif
-- if (S_ISDIR(sb.st_mode)) {
-- if (!builtin) {
-- /* Add to list of subdirs to search. */
-- if (num_subdirs + 1 > max_subdirs) {
-- char **new_subdirs;
--
-- new_subdirs = reallocarray(subdirs, max_subdirs + 64,
-- sizeof(char *));
-- if (new_subdirs == NULL)
-- goto done;
-- subdirs = new_subdirs;
-- max_subdirs += 64;
-- }
-- subdirs[num_subdirs] = strdup(pathbuf);
-- if (subdirs[num_subdirs] == NULL)
-- goto done;
-- num_subdirs++;
-- }
-- continue;
-- }
- if (S_ISCHR(sb.st_mode) && sb.st_rdev == rdev) {
- sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
- "resolved dev %u as %s", (unsigned int)rdev, pathbuf);
-@@ -292,16 +271,9 @@ sudo_ttyname_scan(const char *dir, dev_t
- }
- }
-
-- /* Search subdirs if we didn't find it in the root level. */
-- for (i = 0; ret == NULL && i < num_subdirs; i++)
-- ret = sudo_ttyname_scan(subdirs[i], rdev, false, name, namelen);
--
- done:
- if (d != NULL)
- closedir(d);
-- for (i = 0; i < num_subdirs; i++)
-- free(subdirs[i]);
-- free(subdirs);
- debug_return_str(ret);
- }
-
-@@ -320,7 +292,7 @@ sudo_ttyname_dev(dev_t rdev, char *name,
- debug_decl(sudo_ttyname_dev, SUDO_DEBUG_UTIL)
-
- /*
-- * First check search_devs for common tty devices.
-+ * First check search_devs[] for common tty devices.
- */
- for (sd = search_devs; (devname = *sd) != NULL; sd++) {
- len = strlen(devname);
-@@ -345,7 +317,7 @@ sudo_ttyname_dev(dev_t rdev, char *name,
- "comparing dev %u to %s: no", (unsigned int)rdev, buf);
- } else {
- /* Traverse directory */
-- ret = sudo_ttyname_scan(devname, rdev, true, name, namelen);
-+ ret = sudo_ttyname_scan(devname, rdev, name, namelen);
- if (ret != NULL || errno == ENOMEM)
- goto done;
- }
-@@ -363,9 +335,9 @@ sudo_ttyname_dev(dev_t rdev, char *name,
- }
-
- /*
-- * Not found? Do a breadth-first traversal of /dev/.
-+ * Not found? Check all device nodes in /dev.
- */
-- ret = sudo_ttyname_scan(_PATH_DEV, rdev, false, name, namelen);
-+ ret = sudo_ttyname_scan(_PATH_DEV, rdev, name, namelen);
-
- done:
- debug_return_str(ret);
-@@ -489,28 +461,35 @@ get_process_ttyname(char *name, size_t n
- len = getline(&line, &linesize, fp);
- fclose(fp);
- if (len != -1) {
-- /* Field 7 is the tty dev (0 if no tty) */
-- char *cp = line;
-- char *ep = line;
-- const char *errstr;
-- int field = 0;
-- while (*++ep != '\0') {
-- if (*ep == ' ') {
-- *ep = '\0';
-- if (++field == 7) {
-- dev_t tdev = strtonum(cp, INT_MIN, INT_MAX, &errstr);
-- if (errstr) {
-- sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
-- "%s: tty device %s: %s", path, cp, errstr);
-- }
-- if (tdev > 0) {
-- errno = serrno;
-- ret = sudo_ttyname_dev(tdev, name, namelen);
-- goto done;
-+ /*
-+ * Field 7 is the tty dev (0 if no tty).
-+ * Since the process name at field 2 "(comm)" may include spaces,
-+ * start at the last ')' found.
-+ */
-+ char *cp = strrchr(line, ')');
-+ if (cp != NULL) {
-+ char *ep = cp;
-+ const char *errstr;
-+ int field = 1;
-+
-+ while (*++ep != '\0') {
-+ if (*ep == ' ') {
-+ *ep = '\0';
-+ if (++field == 7) {
-+ dev_t tdev = strtonum(cp, INT_MIN, INT_MAX, &errstr);
-+ if (errstr) {
-+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
-+ "%s: tty device %s: %s", path, cp, errstr);
-+ }
-+ if (tdev > 0) {
-+ errno = serrno;
-+ ret = sudo_ttyname_dev(tdev, name, namelen);
-+ goto done;
-+ }
-+ break;
- }
-- break;
-+ cp = ep + 1;
- }
-- cp = ep + 1;
- }
- }
- }
diff --git a/sudo-1.8.19p2-decrement_env_len.patch b/sudo-1.8.19p2-decrement_env_len.patch
deleted file mode 100644
index 8cddbfd..0000000
--- a/sudo-1.8.19p2-decrement_env_len.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-# HG changeset patch
-# User Todd C. Miller
-# Date 1484590376 25200
-# Node ID 3d87a008671c73ff8c058ce8576cc791d50086cc
-# Parent 5323dfcfb009a2436bf7bd867e4d308e0935356b
-In sudo_unsetenv_nodebug(), decrement envp.env_len after removing
-the variable. From Paul Zirnik of SUSE.
-
-diff -r 5323dfcfb009 -r 3d87a008671c plugins/sudoers/env.c
---- a/plugins/sudoers/env.c Sun Jan 15 19:13:26 2017 -0700
-+++ b/plugins/sudoers/env.c Mon Jan 16 11:12:56 2017 -0700
-@@ -497,6 +497,7 @@
- char **cur = ep;
- while ((*cur = *(cur + 1)) != NULL)
- cur++;
-+ env.env_len--;
- /* Keep going, could be multiple instances of the var. */
- } else {
- ep++;
-
-
diff --git a/sudo-1.8.19p2-dont_overwrite_ret_val.patch b/sudo-1.8.19p2-dont_overwrite_ret_val.patch
deleted file mode 100644
index 6cfd2f5..0000000
--- a/sudo-1.8.19p2-dont_overwrite_ret_val.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-# HG changeset patch
-# User Todd C. Miller
-# Date 1484590826 25200
-# Node ID 448baff2b586d8b777d9e5c01ce8e58d61d62b9a
-# Parent 3d87a008671c73ff8c058ce8576cc791d50086cc
-Don't overwrite the return value of ldap_sasl_interactive_bind_s()
-by the subsequent call to sudo_set_krb5_ccache_name(). From Paul
-Zirnik of SUSE.
-
-diff -r 3d87a008671c -r 448baff2b586 plugins/sudoers/ldap.c
---- a/plugins/sudoers/ldap.c Mon Jan 16 11:12:56 2017 -0700
-+++ b/plugins/sudoers/ldap.c Mon Jan 16 11:20:26 2017 -0700
-@@ -3002,7 +3002,7 @@
- static int
- sudo_ldap_bind_s(LDAP *ld)
- {
-- int ret;
-+ int rc, ret;
- debug_decl(sudo_ldap_bind_s, SUDOERS_DEBUG_LDAP)
-
- #ifdef HAVE_LDAP_SASL_INTERACTIVE_BIND_S
-@@ -3025,27 +3025,27 @@
- }
-
- if (new_ccname != NULL) {
-- ret = sudo_set_krb5_ccache_name(new_ccname, &old_ccname);
-- if (ret == 0) {
-+ rc = sudo_set_krb5_ccache_name(new_ccname, &old_ccname);
-+ if (rc == 0) {
- sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
- "set ccache name %s -> %s",
- old_ccname ? old_ccname : "(none)", new_ccname);
- } else {
- sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO,
-- "sudo_set_krb5_ccache_name() failed: %d", ret);
-+ "sudo_set_krb5_ccache_name() failed: %d", rc);
- }
- }
- ret = ldap_sasl_interactive_bind_s(ld, ldap_conf.binddn, "GSSAPI",
- NULL, NULL, LDAP_SASL_QUIET, sudo_ldap_sasl_interact, auth_id);
- if (new_ccname != NULL) {
-- ret = sudo_set_krb5_ccache_name(old_ccname ? old_ccname : "", NULL);
-- if (ret == 0) {
-+ rc = sudo_set_krb5_ccache_name(old_ccname ? old_ccname : "", NULL);
-+ if (rc == 0) {
- sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
- "restore ccache name %s -> %s", new_ccname,
- old_ccname ? old_ccname : "(none)");
- } else {
- sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO,
-- "sudo_set_krb5_ccache_name() failed: %d", ret);
-+ "sudo_set_krb5_ccache_name() failed: %d", rc);
- }
- /* Remove temporary copy of user's credential cache. */
- if (tmp_ccname != NULL)
-
-
diff --git a/sudo-1.8.19p2.tar.gz b/sudo-1.8.19p2.tar.gz
deleted file mode 100644
index 0d7dfde..0000000
--- a/sudo-1.8.19p2.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:237e18e67c2ad59ecacfa4b7707198b09fcf84914621585a9bc670dcc31a52e0
-size 2861855
diff --git a/sudo-1.8.19p2.tar.gz.sig b/sudo-1.8.19p2.tar.gz.sig
deleted file mode 100644
index be61a9571be51eee1c8ee02b509920ed1d9c0b9cd71dda5d03aba28537052ba2..0000000000000000000000000000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 72
zcmV-O0Jr~$Mg#y60ssaD0$6#ewEzkU5L$`fqJHFX#BK!upIU&^l&8bX)NPqgJ&{Z2
e*@xsmL;#<7(2-Y(v1kNb)%yh`qnd&V11}Na(H)Bb

diff --git a/sudo-1.8.20p2.tar.gz b/sudo-1.8.20p2.tar.gz
new file mode 100644
index 0000000..7d8852f
--- /dev/null
+++ b/sudo-1.8.20p2.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bd42ae1059e935f795c69ea97b3de09fe9410a58a74b5d5e6836eb5067a445d9
+size 2930769
diff --git a/sudo-1.8.20p2.tar.gz.sig b/sudo-1.8.20p2.tar.gz.sig
new file mode 100644
index 0000000000000000000000000000000000000000000000000000000000000000..44e069049adf085a21a5704c96db1a6e9f8c18b5d3934b9877a17ad4287a60ce
GIT binary patch
literal 72
zcmV-O0Jr~$Mg#y60ssaD0$DEJy8sFa5L$`fqJHFX#P|3Bpx#OEAu0e?WFg~Uoe9fG
e1n5rVS^%G39(L}rL1fQqAIufKP{0ySFd|61gB(Es

literal 0
HcmV?d00001

diff --git a/sudo.changes b/sudo.changes
index ad2a841..145bc79 100644
--- a/sudo.changes
+++ b/sudo.changes
@@ -1,3 +1,90 @@
+-------------------------------------------------------------------
+Thu Jun 1 07:04:16 UTC 2017 - michael@stroeder.com
+
+- update to 1.8.20p2 which obsoletes patches:
+ * sudo-1.8.19p2-CVE-2017-1000367.patch
+ * sudo-1.8.19p2-decrement_env_len.patch
+ * sudo-1.8.19p2-dont_overwrite_ret_val.patch
+
+Major changes between sudo 1.8.20p2 and 1.8.20p1:
+
+ * Fixed a bug parsing /proc/pid/stat on Linux when the process
+ name contains newlines. This is not exploitable due to the /dev
+ traversal changes in sudo 1.8.20p1.
+
+Major changes between sudo 1.8.20p1 and 1.8.20:
+
+ * Fixed "make check" when using OpenSSL or GNU crypt.
+ Bug #787.
+ * Fixed CVE-2017-1000367, a bug parsing /proc/pid/stat on Linux
+ when the process name contains spaces. Since the user has control
+ over the command name, this could potentially be used by a user
+ with sudo access to overwrite an arbitrary file on systems with
+ SELinux enabled. Also stop performing a breadth-first traversal
+ of /dev when looking for the device; only a hard-coded list of
+ directories are checked,
+
+Major changes between sudo 1.8.20 and 1.8.19p2:
+
+ * Added support for SASL_MECH in ldap.conf. Bug #764
+ * Added support for digest matching when the command is a glob-style
+ pattern or a directory. Previously, only explicit path matches
+ supported digest checks.
+ * New "fdexec" Defaults option to control whether a command
+ is executed by path or by open file descriptor.
+ * The embedded copy of zlib has been upgraded to version 1.2.11.
+ * Fixed a bug that prevented sudoers include files with a relative
+ path starting with the letter 'i' from being opened. Bug #776.
+ * Added support for command timeouts in sudoers. The command will
+ be terminated if the timeout expires.
+ * The SELinux role and type are now displayed in the "sudo -l"
+ output for the LDAP and SSSD backends, just as they are in the
+ sudoers backend.
+ * A new command line option, -T, can be used to specify a command
+ timeout as long as the user-specified timeout is not longer than
+ the timeout specified in sudoers. This option may only be
+ used when the "user_command_timeouts" flag is enabled in sudoers.
+ * Added NOTBEFORE and NOTAFTER command options to the sudoers
+ backend similar to what is already available in the LDAP backend.
+ * Sudo can now optionally use the SHA2 functions in OpenSSL or GNU
+ crypt instead of the SHA2 implementation bundled with sudo.
+ * Fixed a compilation error on systems without the stdbool.h header
+ file. Bug #778.
+ * Fixed a compilation error in the standalone Kerberos V authentication
+ module. Bug #777.
+ * Added the iolog_flush flag to sudoers which causes I/O log data
+ to be written immediately to disk instead of being buffered.
+ * I/O log files are now created with group ID 0 by default unless
+ the "iolog_user" or "iolog_group" options are set in sudoers.
+ * It is now possible to store I/O log files on an NFS-mounted
+ file system where uid 0 is remapped to an unprivileged user.
+ The "iolog_user" option must be set to a non-root user and the
+ top-level I/O log directory must exist and be owned by that user.
+ * Added the restricted_env_file setting to sudoers which is similar
+ to env_file but its contents are subject to the same restrictions
+ as variables in the invoking user's environment.
+ * Fixed a use after free bug in the SSSD backend when the fqdn
+ sudoOption is enabled and no hostname value is present in
+ /etc/sssd/sssd.conf.
+ * Fixed a typo that resulted in a compilation error on systems
+ where the killpg() function is not found by configure.
+
+ * Fixed a compilation error with the included version of zlib
+ when sudo was built outside the source tree.
+ * Fixed the exit value of sudo when the command is terminated by
+ a signal other than SIGINT. This was broken in sudo 1.8.15 by
+ the fix for Bug #722. Bug #784.
+ * Fixed a regression introduced in sudo 1.8.18 where the "lecture"
+ option could not be used in a positive boolean context, only
+ a negative one.
+ * Fixed an issue where sudo would consume stdin if it was not
+ connected to a tty even if log_input is not enabled in sudoers.
+ Bug #786.
+ * Clarify in the sudoers manual that the #includedir directive
+ diverts control to the files in the specified directory and,
+ when parsing of those files is complete, returns control to the
+ original file. Bug #775.
+
-------------------------------------------------------------------
Tue May 30 19:11:42 UTC 2017 - sflees@suse.de
diff --git a/sudo.spec b/sudo.spec
index d6396da..f6ae328 100644
--- a/sudo.spec
+++ b/sudo.spec
@@ -17,7 +17,7 @@ Name: sudo
-Version: 1.8.19p2
+Version: 1.8.20p2
Release: 0
Summary: Execute some commands as root
License: ISC
@@ -33,9 +33,6 @@ Source6: %{name}.keyring
Patch0: sudoers2ldif-env.patch
# PATCH-OPENSUSE: the "SUSE" branding of the default sudo config
Patch1: sudo-sudoers.patch
-Patch2: sudo-1.8.19p2-decrement_env_len.patch
-Patch3: sudo-1.8.19p2-dont_overwrite_ret_val.patch
-Patch4: sudo-1.8.19p2-CVE-2017-1000367.patch
BuildRequires: audit-devel
BuildRequires: cyrus-sasl-devel
BuildRequires: groff
@@ -77,9 +74,6 @@ Tests for fate#313276
%setup -q
%patch0 -p1
%patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch4 -p1
%build
%ifarch s390 s390x %sparc
@@ -162,6 +156,7 @@ chmod 0440 %{_sysconfdir}/sudoers
%{_mandir}/man8/visudo.8*
%config(noreplace) %attr(0440,root,root) %{_sysconfdir}/sudoers
+%config %attr(0440,root,root) /etc/sudoers.dist
%dir %{_sysconfdir}/sudoers.d
%config %{_sysconfdir}/pam.d/sudo
%attr(4755,root,root) %{_bindir}/sudo
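Review bot: The added file-list entry in the last sudo.spec hunk hard-codes `/etc/sudoers.dist` while every neighbouring entry, including `%{_sysconfdir}/sudoers` on the line above, goes through the macro; write it as `%config %attr(0440,root,root) %{_sysconfdir}/sudoers.dist`. Nothing in the visible hunks installs that file into the buildroot, so unless an existing %install line or the sudo-sudoers.patch already creates it (not determinable from this diff), rpmbuild will stop with a missing-file error for the new %files entry, which is worth confirming before accepting. Keeping the live sudoers as `%config(noreplace)` while the `.dist` template is plain `%config` is the right split, since the template may be refreshed on upgrade without touching the administrator's policy, and 0440 root:root keeps the template as unreadable to unprivileged users as the live file.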