File sudo-CVE-2021-3156.patch of Package sudo.27028
# HG changeset patch
# Parent 2dbbab94d4b60ae05cb2aebf5bad1b9e18cdbb11
Reset valid_flags to MODE_NONINTERACTIVE for sudoedit.
This is consistent with how the -e option is handled.
Also reject -H and -P flags for sudoedit as was done in sudo 1.7.
Found by Qualys.
Index: sudo-1.8.10p3/src/parse_args.c
===================================================================
--- sudo-1.8.10p3.orig/src/parse_args.c
+++ sudo-1.8.10p3/src/parse_args.c
@@ -122,6 +122,9 @@ static struct sudo_settings {
* Default flags allowed when running a command.
*/
#define DEFAULT_VALID_FLAGS (MODE_BACKGROUND|MODE_PRESERVE_ENV|MODE_RESET_HOME|MODE_LOGIN_SHELL|MODE_NONINTERACTIVE|MODE_SHELL)
+#define EDIT_VALID_FLAGS MODE_NONINTERACTIVE
+#define LIST_VALID_FLAGS (MODE_NONINTERACTIVE|MODE_LONG_LIST)
+#define VALIDATE_VALID_FLAGS MODE_NONINTERACTIVE
/* Option number for the --host long option due to ambiguity of the -h flag. */
#define OPT_HOSTNAME 256
@@ -192,6 +195,7 @@ parse_args(int argc, char **argv, int *n
if (strcmp(getprogname(), "sudoedit") == 0) {
mode = MODE_EDIT;
sudo_settings[ARG_SUDOEDIT].value = "true";
+ valid_flags = EDIT_VALID_FLAGS;
}
/* Load local IP addresses and masks. */
@@ -264,7 +268,7 @@ parse_args(int argc, char **argv, int *n
usage_excl(1);
mode = MODE_EDIT;
sudo_settings[ARG_SUDOEDIT].value = "true";
- valid_flags = MODE_NONINTERACTIVE;
+ valid_flags = EDIT_VALID_FLAGS;
break;
case 'g':
runas_group = optarg;
@@ -272,6 +276,7 @@ parse_args(int argc, char **argv, int *n
break;
case 'H':
sudo_settings[ARG_SET_HOME].value = "true";
+ SET(flags, MODE_RESET_HOME);
break;
case 'h':
if (optarg == NULL) {
@@ -319,7 +324,7 @@ parse_args(int argc, char **argv, int *n
usage_excl(1);
}
mode = MODE_LIST;
- valid_flags = MODE_NONINTERACTIVE|MODE_LONG_LIST;
+ valid_flags = LIST_VALID_FLAGS;
break;
case 'n':
SET(flags, MODE_NONINTERACTIVE);
@@ -327,6 +332,7 @@ parse_args(int argc, char **argv, int *n
break;
case 'P':
sudo_settings[ARG_PRESERVE_GROUPS].value = "true";
+ SET(flags, MODE_PRESERVE_GROUPS);
break;
case 'p':
sudo_settings[ARG_PROMPT].value = optarg;
@@ -357,7 +363,7 @@ parse_args(int argc, char **argv, int *n
if (mode && mode != MODE_VALIDATE)
usage_excl(1);
mode = MODE_VALIDATE;
- valid_flags = MODE_NONINTERACTIVE;
+ valid_flags = VALIDATE_VALID_FLAGS;
break;
case 'V':
if (mode && mode != MODE_VERSION)
@@ -390,7 +396,7 @@ parse_args(int argc, char **argv, int *n
if (!mode) {
/* Defer -k mode setting until we know whether it is a flag or not */
if (sudo_settings[ARG_IGNORE_TICKET].value != NULL) {
- if (argc == 0 && !(flags & (MODE_SHELL|MODE_LOGIN_SHELL))) {
+ if (argc == 0 && !ISSET(flags, MODE_SHELL|MODE_LOGIN_SHELL)) {
mode = MODE_INVALIDATE; /* -k by itself */
sudo_settings[ARG_IGNORE_TICKET].value = NULL;
valid_flags = 0;
Index: sudo-1.8.10p3/plugins/sudoers/policy.c
===================================================================
--- sudo-1.8.10p3.orig/plugins/sudoers/policy.c
+++ sudo-1.8.10p3/plugins/sudoers/policy.c
@@ -85,6 +85,7 @@ extern char *login_style;
int
sudoers_policy_deserialize_info(void *v, char **runas_user, char **runas_group)
{
+ const int edit_mask = MODE_EDIT|MODE_IGNORE_TICKET|MODE_NONINTERACTIVE;
struct sudoers_policy_open_info *info = v;
char * const *cur;
const char *p, *errstr, *groups = NULL;
@@ -265,6 +266,12 @@ sudoers_policy_deserialize_info(void *v,
}
}
+ /* Sudo front-end should restrict mode flags for sudoedit. */
+ if (ISSET(flags, MODE_EDIT) && (flags & edit_mask) != flags) {
+ warningx(U_("invalid mode flags from sudo front end: 0x%x"), flags);
+ goto bad;
+ }
+
for (cur = info->user_info; *cur != NULL; cur++) {
if (MATCHES(*cur, "user=")) {
user_name = estrdup(*cur + sizeof("user=") - 1);
@@ -356,6 +363,9 @@ sudoers_policy_deserialize_info(void *v,
#undef MATCHES
debug_return_int(flags);
+
+bad:
+ debug_return_int(MODE_ERROR);
}
/*
Index: sudo-1.8.10p3/plugins/sudoers/sudoers.c
===================================================================
--- sudo-1.8.10p3.orig/plugins/sudoers/sudoers.c
+++ sudo-1.8.10p3/plugins/sudoers/sudoers.c
@@ -137,6 +137,8 @@ sudoers_policy_init(void *info, char * c
/* Parse info from front-end. */
sudo_mode = sudoers_policy_deserialize_info(info, &runas_user, &runas_group);
+ if (ISSET(sudo_mode, MODE_ERROR))
+ debug_return_int(-1);
init_vars(envp); /* XXX - move this later? */
@@ -351,7 +353,7 @@ sudoers_policy_main(int argc, char * con
/* If run as root with SUDO_USER set, set sudo_user.pw to that user. */
/* XXX - causes confusion when root is not listed in sudoers */
- if (sudo_mode & (MODE_RUN | MODE_EDIT) && prev_user != NULL) {
+ if (ISSET(sudo_mode, MODE_RUN|MODE_EDIT) && prev_user != NULL) {
if (user_uid == 0 && strcmp(prev_user, "root") != 0) {
struct passwd *pw;
@@ -608,8 +610,8 @@ set_cmnd(void)
if (user_cmnd == NULL)
user_cmnd = NewArgv[0];
- if (sudo_mode & (MODE_RUN | MODE_EDIT | MODE_CHECK)) {
- if (ISSET(sudo_mode, MODE_RUN | MODE_CHECK)) {
+ if (ISSET(sudo_mode, MODE_RUN|MODE_EDIT|MODE_CHECK)) {
+ if (!ISSET(sudo_mode, MODE_EDIT)) {
if (def_secure_path && !user_is_exempt())
path = def_secure_path;
set_perms(PERM_RUNAS);
@@ -634,18 +636,30 @@ set_cmnd(void)
for (size = 0, av = NewArgv + 1; *av; av++)
size += strlen(*av) + 1;
user_args = emalloc(size);
- if (ISSET(sudo_mode, MODE_SHELL|MODE_LOGIN_SHELL)) {
- /*
+ if (ISSET(sudo_mode, MODE_SHELL|MODE_LOGIN_SHELL) &&
+ ISSET(sudo_mode, MODE_RUN)) { /*
* When running a command via a shell, the sudo front-end
* escapes potential meta chars. We unescape non-spaces
* for sudoers matching and logging purposes.
*/
for (to = user_args, av = NewArgv + 1; (from = *av); av++) {
while (*from) {
- if (from[0] == '\\' && !isspace((unsigned char)from[1]))
+ if (from[0] == '\\' && from[1] != '\0' &&
+ !isspace((unsigned char)from[1])) {
from++;
+ }
+ if (size - (to - user_args) < 1) {
+ warningx(U_("internal error, %s overflow"),
+ __func__);
+ debug_return_int(NOT_FOUND_ERROR);
+ }
*to++ = *from++;
}
+ if (size - (to - user_args) < 1) {
+ warningx(U_("internal error, %s overflow"),
+ __func__);
+ debug_return_int(NOT_FOUND_ERROR);
+ }
*to++ = ' ';
}
*--to = '\0';
Index: sudo-1.8.10p3/plugins/sudoers/sudoers.h
===================================================================
--- sudo-1.8.10p3.orig/plugins/sudoers/sudoers.h
+++ sudo-1.8.10p3/plugins/sudoers/sudoers.h
@@ -133,6 +133,7 @@ struct sudo_user {
#define FOUND 0
#define NOT_FOUND 1
#define NOT_FOUND_DOT 2
+#define NOT_FOUND_ERROR 3
/*
* Various modes sudo can be in (based on arguments) in hex
@@ -147,6 +148,8 @@ struct sudo_user {
#define MODE_LIST 0x00000080
#define MODE_CHECK 0x00000100
#define MODE_LISTDEFS 0x00000200
+/* Npte this is defined as 0x00000200 in later versions */
+#define MODE_ERROR 0x00000400
#define MODE_MASK 0x0000ffff
/* Mode flags */
Index: sudo-1.8.10p3/src/sudo_edit.c
===================================================================
--- sudo-1.8.10p3.orig/src/sudo_edit.c
+++ sudo-1.8.10p3/src/sudo_edit.c
@@ -55,6 +55,20 @@
static char edit_tmpdir[MAX(sizeof(_PATH_VARTMP), sizeof(_PATH_TMP))];
+/*
+ * Directory open flags for use with openat(2).
+ * Use O_SEARCH/O_PATH and/or O_DIRECTORY where possible.
+ */
+#if defined(O_SEARCH)
+# define DIR_OPEN_FLAGS (O_SEARCH|O_DIRECTORY)
+#elif defined(O_PATH)
+# define DIR_OPEN_FLAGS (O_PATH|O_DIRECTORY)
+#elif defined(O_DIRECTORY)
+# define DIR_OPEN_FLAGS (O_RDONLY|O_DIRECTORY)
+#else
+# define DIR_OPEN_FLAGS (O_RDONLY|O_NONBLOCK)
+#endif
+
static void
switch_user(uid_t euid, gid_t egid, int ngroups, GETGROUPS_T *groups)
{
