pool/sudo
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 500408 from Base:System

Browse Source 
1

OBS-URL: https://build.opensuse.org/request/show/500408
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sudo?expand=0&rev=87
This commit is contained in:
Dominique Leuenberger 2017-06-03 23:48:57 +00:00 committed by Git OBS Bridge
commit a94f80e226
9 changed files with 92 additions and 334 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

246
sudo-1.8.19p2-CVE-2017-1000367.patch
View File

@ -1,246 +0,0 @@
Index: sudo-1.8.19p2/src/ttyname.c
===================================================================
--- sudo-1.8.19p2.orig/src/ttyname.c
+++ sudo-1.8.19p2/src/ttyname.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2012-2016 Todd C. Miller <Todd.Miller@courtesan.com>
+ * Copyright (c) 2012-2017 Todd C. Miller <Todd.Miller@courtesan.com>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -145,20 +145,22 @@ sudo_ttyname_dev(dev_t tdev, char *name,
}
#elif defined(HAVE_STRUCT_PSINFO_PR_TTYDEV) || defined(HAVE_PSTAT_GETPROC) || defined(__linux__)
/*
- * Devices to search before doing a breadth-first scan.
+ * Device nodes and directories to search before searching all of /dev
*/
static char *search_devs[] = {
"/dev/console",
- "/dev/wscons",
- "/dev/pts/",
- "/dev/vt/",
- "/dev/term/",
- "/dev/zcons/",
+ "/dev/pts/", /* POSIX pty */
+ "/dev/vt/", /* Solaris virtual console */
+ "/dev/term/", /* Solaris serial ports */
+ "/dev/zcons/", /* Solaris zone console */
+ "/dev/pty/", /* HP-UX old-style pty */
NULL
};
+/*
+ * Device nodes to ignore when searching all of /dev
+ */
static char *ignore_devs[] = {
- "/dev/fd/",
"/dev/stdin",
"/dev/stdout",
"/dev/stderr",
@@ -166,16 +168,18 @@ static char *ignore_devs[] = {
};
/*
- * Do a breadth-first scan of dir looking for the specified device.
+ * Do a scan of a directory looking for the specified device.
+ * Does not descend into subdirectories.
* Returns name on success and NULL on failure, setting errno.
*/
static char *
-sudo_ttyname_scan(const char *dir, dev_t rdev, bool builtin, char *name, size_t namelen)
+sudo_ttyname_scan(const char *dir, dev_t rdev, char *name, size_t namelen)
{
- size_t sdlen, num_subdirs = 0, max_subdirs = 0;
- char pathbuf[PATH_MAX], **subdirs = NULL;
+ size_t sdlen;
+ char pathbuf[PATH_MAX];
char *ret = NULL;
struct dirent *dp;
+ struct stat sb;
unsigned int i;
DIR *d = NULL;
debug_decl(sudo_ttyname_scan, SUDO_DEBUG_UTIL)
@@ -183,6 +187,18 @@ sudo_ttyname_scan(const char *dir, dev_t
if (dir[0] == '\0' || (d = opendir(dir)) == NULL)
goto done;
+ if (fstat(dirfd(d), &sb) == -1) {
+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
+ "unable to fstat %s", dir);
+ goto done;
+ }
+ if ((sb.st_mode & S_IWOTH) != 0) {
+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
+ "ignoring world-writable directory %s", dir);
+ errno = ENOENT;
+ goto done;
+ }
+
sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
"scanning for dev %u in %s", (unsigned int)rdev, dir);
@@ -220,18 +236,6 @@ sudo_ttyname_scan(const char *dir, dev_t
}
if (ignore_devs[i] != NULL)
continue;
- if (!builtin) {
- /* Skip entries in search_devs; we already checked them. */
- for (i = 0; search_devs[i] != NULL; i++) {
- len = strlen(search_devs[i]);
- if (search_devs[i][len - 1] == '/')
- len--;
- if (d_len == len && strncmp(pathbuf, search_devs[i], len) == 0)
- break;
- }
- if (search_devs[i] != NULL)
- continue;
- }
# if defined(HAVE_STRUCT_DIRENT_D_TYPE) && defined(DTTOIF)
/*
* Avoid excessive stat() calls by checking dp->d_type.
@@ -244,39 +248,14 @@ sudo_ttyname_scan(const char *dir, dev_t
if (stat(pathbuf, &sb) == -1)
continue;
break;
- case DT_DIR:
- /* Directory, no need to stat() it. */
- sb.st_mode = DTTOIF(dp->d_type);
- sb.st_rdev = 0; /* quiet ccc-analyzer false positive */
- break;
default:
- /* Not a character device, link or directory, skip it. */
+ /* Not a character device or link, skip it. */
continue;
}
# else
if (stat(pathbuf, &sb) == -1)
continue;
# endif
- if (S_ISDIR(sb.st_mode)) {
- if (!builtin) {
- /* Add to list of subdirs to search. */
- if (num_subdirs + 1 > max_subdirs) {
- char **new_subdirs;
-
- new_subdirs = reallocarray(subdirs, max_subdirs + 64,
- sizeof(char *));
- if (new_subdirs == NULL)
- goto done;
- subdirs = new_subdirs;
- max_subdirs += 64;
- }
- subdirs[num_subdirs] = strdup(pathbuf);
- if (subdirs[num_subdirs] == NULL)
- goto done;
- num_subdirs++;
- }
- continue;
- }
if (S_ISCHR(sb.st_mode) && sb.st_rdev == rdev) {
sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
"resolved dev %u as %s", (unsigned int)rdev, pathbuf);
@@ -292,16 +271,9 @@ sudo_ttyname_scan(const char *dir, dev_t
}
}
- /* Search subdirs if we didn't find it in the root level. */
- for (i = 0; ret == NULL && i < num_subdirs; i++)
- ret = sudo_ttyname_scan(subdirs[i], rdev, false, name, namelen);
-
done:
if (d != NULL)
closedir(d);
- for (i = 0; i < num_subdirs; i++)
- free(subdirs[i]);
- free(subdirs);
debug_return_str(ret);
}
@@ -320,7 +292,7 @@ sudo_ttyname_dev(dev_t rdev, char *name,
debug_decl(sudo_ttyname_dev, SUDO_DEBUG_UTIL)
/*
- * First check search_devs for common tty devices.
+ * First check search_devs[] for common tty devices.
*/
for (sd = search_devs; (devname = *sd) != NULL; sd++) {
len = strlen(devname);
@@ -345,7 +317,7 @@ sudo_ttyname_dev(dev_t rdev, char *name,
"comparing dev %u to %s: no", (unsigned int)rdev, buf);
} else {
/* Traverse directory */
- ret = sudo_ttyname_scan(devname, rdev, true, name, namelen);
+ ret = sudo_ttyname_scan(devname, rdev, name, namelen);
if (ret != NULL || errno == ENOMEM)
goto done;
}
@@ -363,9 +335,9 @@ sudo_ttyname_dev(dev_t rdev, char *name,
}
/*
- * Not found? Do a breadth-first traversal of /dev/.
+ * Not found? Check all device nodes in /dev.
*/
- ret = sudo_ttyname_scan(_PATH_DEV, rdev, false, name, namelen);
+ ret = sudo_ttyname_scan(_PATH_DEV, rdev, name, namelen);
done:
debug_return_str(ret);
@@ -489,28 +461,35 @@ get_process_ttyname(char *name, size_t n
len = getline(&line, &linesize, fp);
fclose(fp);
if (len != -1) {
- /* Field 7 is the tty dev (0 if no tty) */
- char *cp = line;
- char *ep = line;
- const char *errstr;
- int field = 0;
- while (*++ep != '\0') {
- if (*ep == ' ') {
- *ep = '\0';
- if (++field == 7) {
- dev_t tdev = strtonum(cp, INT_MIN, INT_MAX, &errstr);
- if (errstr) {
- sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
- "%s: tty device %s: %s", path, cp, errstr);
- }
- if (tdev > 0) {
- errno = serrno;
- ret = sudo_ttyname_dev(tdev, name, namelen);
- goto done;
+ /*
+ * Field 7 is the tty dev (0 if no tty).
+ * Since the process name at field 2 "(comm)" may include spaces,
+ * start at the last ')' found.
+ */
+ char *cp = strrchr(line, ')');
+ if (cp != NULL) {
+ char *ep = cp;
+ const char *errstr;
+ int field = 1;
+
+ while (*++ep != '\0') {
+ if (*ep == ' ') {
+ *ep = '\0';
+ if (++field == 7) {
+ dev_t tdev = strtonum(cp, INT_MIN, INT_MAX, &errstr);
+ if (errstr) {
+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
+ "%s: tty device %s: %s", path, cp, errstr);
+ }
+ if (tdev > 0) {
+ errno = serrno;
+ ret = sudo_ttyname_dev(tdev, name, namelen);
+ goto done;
+ }
+ break;
}
- break;
+ cp = ep + 1;
}
- cp = ep + 1;
}
}
}

21
sudo-1.8.19p2-decrement_env_len.patch
View File

@ -1,21 +0,0 @@
# HG changeset patch
# User Todd C. Miller <Todd.Miller@courtesan.com>
# Date 1484590376 25200
# Node ID 3d87a008671c73ff8c058ce8576cc791d50086cc
# Parent 5323dfcfb009a2436bf7bd867e4d308e0935356b
In sudo_unsetenv_nodebug(), decrement envp.env_len after removing
the variable. From Paul Zirnik of SUSE.
diff -r 5323dfcfb009 -r 3d87a008671c plugins/sudoers/env.c
--- a/plugins/sudoers/env.c Sun Jan 15 19:13:26 2017 -0700
+++ b/plugins/sudoers/env.c Mon Jan 16 11:12:56 2017 -0700
@@ -497,6 +497,7 @@
char **cur = ep;
while ((*cur = *(cur + 1)) != NULL)
cur++;
+ env.env_len--;
/* Keep going, could be multiple instances of the var. */
} else {
ep++;

57
sudo-1.8.19p2-dont_overwrite_ret_val.patch
View File

@ -1,57 +0,0 @@
# HG changeset patch
# User Todd C. Miller <Todd.Miller@courtesan.com>
# Date 1484590826 25200
# Node ID 448baff2b586d8b777d9e5c01ce8e58d61d62b9a
# Parent 3d87a008671c73ff8c058ce8576cc791d50086cc
Don't overwrite the return value of ldap_sasl_interactive_bind_s()
by the subsequent call to sudo_set_krb5_ccache_name(). From Paul
Zirnik of SUSE.
diff -r 3d87a008671c -r 448baff2b586 plugins/sudoers/ldap.c
--- a/plugins/sudoers/ldap.c Mon Jan 16 11:12:56 2017 -0700
+++ b/plugins/sudoers/ldap.c Mon Jan 16 11:20:26 2017 -0700
@@ -3002,7 +3002,7 @@
static int
sudo_ldap_bind_s(LDAP *ld)
{
- int ret;
+ int rc, ret;
debug_decl(sudo_ldap_bind_s, SUDOERS_DEBUG_LDAP)
#ifdef HAVE_LDAP_SASL_INTERACTIVE_BIND_S
@@ -3025,27 +3025,27 @@
}
if (new_ccname != NULL) {
- ret = sudo_set_krb5_ccache_name(new_ccname, &old_ccname);
- if (ret == 0) {
+ rc = sudo_set_krb5_ccache_name(new_ccname, &old_ccname);
+ if (rc == 0) {
sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
"set ccache name %s -> %s",
old_ccname ? old_ccname : "(none)", new_ccname);
} else {
sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO,
- "sudo_set_krb5_ccache_name() failed: %d", ret);
+ "sudo_set_krb5_ccache_name() failed: %d", rc);
}
}
ret = ldap_sasl_interactive_bind_s(ld, ldap_conf.binddn, "GSSAPI",
NULL, NULL, LDAP_SASL_QUIET, sudo_ldap_sasl_interact, auth_id);
if (new_ccname != NULL) {
- ret = sudo_set_krb5_ccache_name(old_ccname ? old_ccname : "", NULL);
- if (ret == 0) {
+ rc = sudo_set_krb5_ccache_name(old_ccname ? old_ccname : "", NULL);
+ if (rc == 0) {
sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
"restore ccache name %s -> %s", new_ccname,
old_ccname ? old_ccname : "(none)");
} else {
sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO,
- "sudo_set_krb5_ccache_name() failed: %d", ret);
+ "sudo_set_krb5_ccache_name() failed: %d", rc);
}
/* Remove temporary copy of user's credential cache. */
if (tmp_ccname != NULL)

3
sudo-1.8.19p2.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:237e18e67c2ad59ecacfa4b7707198b09fcf84914621585a9bc670dcc31a52e0
size 2861855

BIN
sudo-1.8.19p2.tar.gz.sig
View File

Binary file not shown.

3
sudo-1.8.20p2.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:bd42ae1059e935f795c69ea97b3de09fe9410a58a74b5d5e6836eb5067a445d9
size 2930769

BIN
sudo-1.8.20p2.tar.gz.sig Normal file
View File

Binary file not shown.

87
sudo.changes
View File

@ -1,3 +1,90 @@
-------------------------------------------------------------------
Thu Jun 1 07:04:16 UTC 2017 - michael@stroeder.com
- update to 1.8.20p2 which obsoletes patches:
* sudo-1.8.19p2-CVE-2017-1000367.patch
* sudo-1.8.19p2-decrement_env_len.patch
* sudo-1.8.19p2-dont_overwrite_ret_val.patch
Major changes between sudo 1.8.20p2 and 1.8.20p1:
* Fixed a bug parsing /proc/pid/stat on Linux when the process
name contains newlines. This is not exploitable due to the /dev
traversal changes in sudo 1.8.20p1.
Major changes between sudo 1.8.20p1 and 1.8.20:
* Fixed "make check" when using OpenSSL or GNU crypt.
Bug #787.
* Fixed CVE-2017-1000367, a bug parsing /proc/pid/stat on Linux
when the process name contains spaces. Since the user has control
over the command name, this could potentially be used by a user
with sudo access to overwrite an arbitrary file on systems with
SELinux enabled. Also stop performing a breadth-first traversal
of /dev when looking for the device; only a hard-coded list of
directories are checked,
Major changes between sudo 1.8.20 and 1.8.19p2:
* Added support for SASL_MECH in ldap.conf. Bug #764
* Added support for digest matching when the command is a glob-style
pattern or a directory. Previously, only explicit path matches
supported digest checks.
* New "fdexec" Defaults option to control whether a command
is executed by path or by open file descriptor.
* The embedded copy of zlib has been upgraded to version 1.2.11.
* Fixed a bug that prevented sudoers include files with a relative
path starting with the letter 'i' from being opened. Bug #776.
* Added support for command timeouts in sudoers. The command will
be terminated if the timeout expires.
* The SELinux role and type are now displayed in the "sudo -l"
output for the LDAP and SSSD backends, just as they are in the
sudoers backend.
* A new command line option, -T, can be used to specify a command
timeout as long as the user-specified timeout is not longer than
the timeout specified in sudoers. This option may only be
used when the "user_command_timeouts" flag is enabled in sudoers.
* Added NOTBEFORE and NOTAFTER command options to the sudoers
backend similar to what is already available in the LDAP backend.
* Sudo can now optionally use the SHA2 functions in OpenSSL or GNU
crypt instead of the SHA2 implementation bundled with sudo.
* Fixed a compilation error on systems without the stdbool.h header
file. Bug #778.
* Fixed a compilation error in the standalone Kerberos V authentication
module. Bug #777.
* Added the iolog_flush flag to sudoers which causes I/O log data
to be written immediately to disk instead of being buffered.
* I/O log files are now created with group ID 0 by default unless
the "iolog_user" or "iolog_group" options are set in sudoers.
* It is now possible to store I/O log files on an NFS-mounted
file system where uid 0 is remapped to an unprivileged user.
The "iolog_user" option must be set to a non-root user and the
top-level I/O log directory must exist and be owned by that user.
* Added the restricted_env_file setting to sudoers which is similar
to env_file but its contents are subject to the same restrictions
as variables in the invoking user's environment.
* Fixed a use after free bug in the SSSD backend when the fqdn
sudoOption is enabled and no hostname value is present in
/etc/sssd/sssd.conf.
* Fixed a typo that resulted in a compilation error on systems
where the killpg() function is not found by configure.
* Fixed a compilation error with the included version of zlib
when sudo was built outside the source tree.
* Fixed the exit value of sudo when the command is terminated by
a signal other than SIGINT. This was broken in sudo 1.8.15 by
the fix for Bug #722. Bug #784.
* Fixed a regression introduced in sudo 1.8.18 where the "lecture"
option could not be used in a positive boolean context, only
a negative one.
* Fixed an issue where sudo would consume stdin if it was not
connected to a tty even if log_input is not enabled in sudoers.
Bug #786.
* Clarify in the sudoers manual that the #includedir directive
diverts control to the files in the specified directory and,
when parsing of those files is complete, returns control to the
original file. Bug #775.
-------------------------------------------------------------------
Tue May 30 19:11:42 UTC 2017 - sflees@suse.de

9
sudo.spec
View File

@ -17,7 +17,7 @@
Name: sudo
Version: 1.8.19p2
Version: 1.8.20p2
Release: 0
Summary: Execute some commands as root
License: ISC
@ -33,9 +33,6 @@ Source6: %{name}.keyring
Patch0: sudoers2ldif-env.patch
# PATCH-OPENSUSE: the "SUSE" branding of the default sudo config
Patch1: sudo-sudoers.patch
Patch2: sudo-1.8.19p2-decrement_env_len.patch
Patch3: sudo-1.8.19p2-dont_overwrite_ret_val.patch
Patch4: sudo-1.8.19p2-CVE-2017-1000367.patch
BuildRequires: audit-devel
BuildRequires: cyrus-sasl-devel
BuildRequires: groff
@ -77,9 +74,6 @@ Tests for fate#313276
%setup -q
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%build
%ifarch s390 s390x %sparc
@ -162,6 +156,7 @@ chmod 0440 %{_sysconfdir}/sudoers
%{_mandir}/man8/visudo.8*
%config(noreplace) %attr(0440,root,root) %{_sysconfdir}/sudoers
%config %attr(0440,root,root) /etc/sudoers.dist
%dir %{_sysconfdir}/sudoers.d
%config %{_sysconfdir}/pam.d/sudo
%attr(4755,root,root) %{_bindir}/sudo