Accepting request 156978 from Base:System

- added two security fixes: * CVE-2013-1775 (bnc#806919) + sudo-1.8.6p3-CVE-2013-1775.patch * CVE-2013-1776 (bnc#806921) + sudo-1.8.6p3-CVE-2013-1776.patch (forwarded request 156969 from vitezslav_cizek) OBS-URL: https://build.opensuse.org/request/show/156978 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sudo?expand=0&rev=54
2013-03-01 19:45:08 +00:00 · 2013-03-01 19:45:08 +00:00 · 04df74a6bc
commit 04df74a6bc
parent 65a75b053a c942c5ab82
4 changed files with 153 additions and 1 deletions
--- a/sudo-1.8.6p3-CVE-2013-1775.patch
+++ b/sudo-1.8.6p3-CVE-2013-1775.patch
@ -0,0 +1,68 @@
+63210a2b8f2f199b521f6c8213bb29775c09375c
+ plugins/sudoers/check.c |   53 +++++++++++++++++++++++++----------------------
+ 1 file changed, 28 insertions(+), 25 deletions(-)
+
+Index: sudo-1.8.6p3/plugins/sudoers/check.c
+===================================================================
+--- sudo-1.8.6p3.orig/plugins/sudoers/check.c	2012-09-18 15:56:29.000000000 +0200
+++ sudo-1.8.6p3/plugins/sudoers/check.c	2013-03-01 12:10:34.285863069 +0100
+@@ -627,31 +627,34 @@ timestamp_status(char *timestampdir, cha
+      */
+     if (status == TS_OLD && !ISSET(flags, TS_REMOVE)) {
+ 	mtim_get(&sb, &mtime);
+-	/* Negative timeouts only expire manually (sudo -k). */
+-	if (def_timestamp_timeout < 0 && mtime.tv_sec != 0)
+-	    status = TS_CURRENT;
+-	else {
+-	    now = time(NULL);
+-	    if (def_timestamp_timeout &&
+-		now - mtime.tv_sec < 60 * def_timestamp_timeout) {
+-		/*
+-		 * Check for bogus time on the stampfile.  The clock may
+-		 * have been set back or someone could be trying to spoof us.
+-		 */
+-		if (mtime.tv_sec > now + 60 * def_timestamp_timeout * 2) {
+-		    time_t tv_sec = (time_t)mtime.tv_sec;
+-		    log_error(0,
+-			_("timestamp too far in the future: %20.20s"),
+-			4 + ctime(&tv_sec));
+-		    if (timestampfile)
+-			(void) unlink(timestampfile);
+-		    else
+-			(void) rmdir(timestampdir);
+-		    status = TS_MISSING;
+-		} else if (get_boottime(&boottime) && timevalcmp(&mtime, &boottime, <)) {
+-		    status = TS_OLD;
+-		} else {
+-		    status = TS_CURRENT;
+	if (timevalisset(&mtime)) {
+	    /* Negative timeouts only expire manually (sudo -k). */
+	    if (def_timestamp_timeout < 0) {
+		status = TS_CURRENT;
+	    } else {
+		now = time(NULL);
+		if (def_timestamp_timeout &&
+		    now - mtime.tv_sec < 60 * def_timestamp_timeout) {
+		    /*
+		     * Check for bogus time on the stampfile.  The clock may
+		     * have been set back or user could be trying to spoof us.
+		     */
+		    if (mtime.tv_sec > now + 60 * def_timestamp_timeout * 2) {
+			time_t tv_sec = (time_t)mtime.tv_sec;
+			log_error(0,
+			    _("timestamp too far in the future: %20.20s"),
+			    4 + ctime(&tv_sec));
+			if (timestampfile)
+			    (void) unlink(timestampfile);
+			else
+			    (void) rmdir(timestampdir);
+			status = TS_MISSING;
+		    } else if (get_boottime(&boottime) &&
+			timevalcmp(&mtime, &boottime, <)) {
+			status = TS_OLD;
+		    } else {
+			status = TS_CURRENT;
+		    }
+ 		}
+ 	    }
+ 	}
--- a/sudo-1.8.6p3-CVE-2013-1776.patch
+++ b/sudo-1.8.6p3-CVE-2013-1776.patch
@ -0,0 +1,71 @@
+2b18d55589975e70dd98f24bca5b0aaabc56a9b5
+ plugins/sudoers/check.c   |    4 +++-
+ plugins/sudoers/sudoers.c |    4 ++++
+ plugins/sudoers/sudoers.h |    3 ++-
+ 3 files changed, 9 insertions(+), 2 deletions(-)
+
+Index: sudo-1.8.6p3/plugins/sudoers/check.c
+===================================================================
+--- sudo-1.8.6p3.orig/plugins/sudoers/check.c	2013-03-01 12:10:18.668403327 +0100
+++ sudo-1.8.6p3/plugins/sudoers/check.c	2013-03-01 12:10:18.684403798 +0100
+@@ -82,6 +82,7 @@ static struct tty_info {
+     dev_t rdev;			/* tty device ID */
+     ino_t ino;			/* tty inode number */
+     struct timeval ctime;	/* tty inode change time */
+    pid_t sid;			/* ID of session with controlling tty */
+ } tty_info;
+ 
+ static int   build_timestamp(char **, char **);
+@@ -138,13 +139,14 @@ check_user(int validated, int mode)
+     if (ISSET(mode, MODE_IGNORE_TICKET))
+ 	SET(validated, FLAG_CHECK_USER);
+ 
+-    /* Stash the tty's ctime for tty ticket comparison. */
+    /* Stash the tty's device, session ID and ctime for ticket comparison. */
+     if (def_tty_tickets && user_ttypath && stat(user_ttypath, &sb) == 0) {
+ 	tty_info.dev = sb.st_dev;
+ 	tty_info.ino = sb.st_ino;
+ 	tty_info.rdev = sb.st_rdev;
+ 	if (tty_is_devpts(user_ttypath))
+ 	    ctim_get(&sb, &tty_info.ctime);
+	tty_info.sid = user_sid;
+     }
+ 
+     if (build_timestamp(&timestampdir, &timestampfile) == -1) {
+Index: sudo-1.8.6p3/plugins/sudoers/sudoers.c
+===================================================================
+--- sudo-1.8.6p3.orig/plugins/sudoers/sudoers.c	2012-09-18 15:56:30.000000000 +0200
+++ sudo-1.8.6p3/plugins/sudoers/sudoers.c	2013-03-01 12:10:18.685403827 +0100
+@@ -1410,6 +1410,10 @@ deserialize_info(char * const args[], ch
+ 	    sudo_user.cols = atoi(*cur + sizeof("cols=") - 1);
+ 	    continue;
+ 	}
+	if (MATCHES(*cur, "sid=")) {
+	    sudo_user.sid = atoi(*cur + sizeof("sid=") - 1);
+	    continue;
+	}
+     }
+     if (user_cwd == NULL)
+ 	user_cwd = "unknown";
+Index: sudo-1.8.6p3/plugins/sudoers/sudoers.h
+===================================================================
+--- sudo-1.8.6p3.orig/plugins/sudoers/sudoers.h	2012-09-18 15:57:43.000000000 +0200
+++ sudo-1.8.6p3/plugins/sudoers/sudoers.h	2013-03-01 12:10:18.685403827 +0100
+@@ -95,6 +95,7 @@ struct sudo_user {
+     int   flags;
+     uid_t uid;
+     uid_t gid;
+    pid_t sid;
+ };
+ 
+ /*
+@@ -171,8 +172,8 @@ struct sudo_user {
+ #define user_name		(sudo_user.name)
+ #define user_uid		(sudo_user.uid)
+ #define user_gid		(sudo_user.gid)
+#define user_sid		(sudo_user.sid)
+ #define user_passwd		(sudo_user.pw->pw_passwd)
+-#define user_uuid		(sudo_user.uuid)
+ #define user_dir		(sudo_user.pw->pw_dir)
+ #define user_gids		(sudo_user.gids)
+ #define user_ngids		(sudo_user.ngids)
--- a/sudo.changes
+++ b/sudo.changes
@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Fri Mar  1 11:12:28 UTC 2013 - vcizek@suse.com
+
+- added two security fixes:
+  * CVE-2013-1775 (bnc#806919)
+    + sudo-1.8.6p3-CVE-2013-1775.patch
+  * CVE-2013-1776 (bnc#806921)
+    + sudo-1.8.6p3-CVE-2013-1776.patch
+
 -------------------------------------------------------------------
 Mon Dec  3 10:58:10 UTC 2012 - cfarrell@suse.com

--- a/sudo.spec
+++ b/sudo.spec
@ -1,7 +1,7 @@
 #
 # spec file for package sudo
 #
-# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -28,6 +28,8 @@ Source1:        sudo.pamd
 Source2:        README.SUSE
 Patch0:         sudoers2ldif-env.patch
 Patch1:         sudo-sudoers.patch
+Patch2:         sudo-1.8.6p3-CVE-2013-1775.patch
+Patch3:         sudo-1.8.6p3-CVE-2013-1776.patch
 BuildRequires:  audit-devel
 BuildRequires:  groff
 BuildRequires:  libselinux-devel
@ -57,6 +59,8 @@ These header files are needed for building of sudo plugins.
 %setup -q
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
+%patch3 -p1

 %build
 %ifarch s390 s390x %sparc