/[smeserver]/rpms/sudo/sme9/sudo-1.8.6p3-CVE-2014-9680.patch
ViewVC logotype

Annotation of /rpms/sudo/sme9/sudo-1.8.6p3-CVE-2014-9680.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (hide annotations) (download)
Thu Feb 4 19:44:04 2021 UTC (3 years, 9 months ago) by jpp
Branch: MAIN
CVS Tags: sudo-1_8_6p3-30_el6_sme, sudo-1_8_6p3-29_el6_9, HEAD
Sudo

1 jpp 1.1 diff -up sudo-1.8.6p3/aclocal.m4.CVE-2014-9680 sudo-1.8.6p3/aclocal.m4
2     --- sudo-1.8.6p3/aclocal.m4.CVE-2014-9680 2012-09-18 15:56:28.000000000 +0200
3     +++ sudo-1.8.6p3/aclocal.m4 2015-03-31 12:55:08.392841672 +0200
4     @@ -156,6 +156,25 @@ AC_DEFUN([SUDO_IO_LOGDIR], [
5     AC_MSG_RESULT($iolog_dir)
6     ])dnl
7    
8     +dnl Detect time zone file directory, if any.
9     +dnl
10     +AC_DEFUN([SUDO_TZDIR], [AC_MSG_CHECKING(time zone data directory)
11     +tzdir="$with_tzdir"
12     +if test -z "$tzdir"; then
13     + tzdir=no
14     + for d in /usr/share /usr/share/lib /usr/lib /etc; do
15     + if test -d "$d/zoneinfo"; then
16     + tzdir="$d/zoneinfo"
17     + break
18     + fi
19     + done
20     +fi
21     +AC_MSG_RESULT([$tzdir])
22     +if test "${tzdir}" != "no"; then
23     + SUDO_DEFINE_UNQUOTED(_PATH_ZONEINFO, "$tzdir")
24     +fi
25     +])dnl
26     +
27     dnl
28     dnl check for working fnmatch(3)
29     dnl
30     diff -up sudo-1.8.6p3/configure.in.CVE-2014-9680 sudo-1.8.6p3/configure.in
31     --- sudo-1.8.6p3/configure.in.CVE-2014-9680 2015-03-31 12:55:08.375841856 +0200
32     +++ sudo-1.8.6p3/configure.in 2015-03-31 12:55:08.393841662 +0200
33     @@ -774,6 +774,12 @@ AC_ARG_WITH(iologdir, [AS_HELP_STRING([-
34     ;;
35     esac])
36    
37     +AC_ARG_WITH(tzdir, [AS_HELP_STRING([--with-tzdir=DIR], [path to the time zone data directory])],
38     +[case $with_tzdir in
39     + yes) AC_MSG_ERROR(["must give --with-tzdir an argument."])
40     + ;;
41     +esac])
42     +
43     AC_ARG_WITH(sendmail, [AS_HELP_STRING([--with-sendmail], [set path to sendmail])
44     AS_HELP_STRING([--without-sendmail], [do not send mail at all])],
45     [case $with_sendmail in
46     @@ -3240,6 +3246,7 @@ fi
47     SUDO_LOGFILE
48     SUDO_TIMEDIR
49     SUDO_IO_LOGDIR
50     +SUDO_TZDIR
51    
52     dnl
53     dnl Turn warnings into errors.
54     diff -up sudo-1.8.6p3/doc/sudoers.cat.CVE-2014-9680 sudo-1.8.6p3/doc/sudoers.cat
55     --- sudo-1.8.6p3/doc/sudoers.cat.CVE-2014-9680 2015-03-31 12:55:08.365841964 +0200
56     +++ sudo-1.8.6p3/doc/sudoers.cat 2015-03-31 13:00:04.625640465 +0200
57     @@ -1421,20 +1421,36 @@ SSUUDDOOEERRSS OOPPTTIIOONN
58    
59     LLiissttss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt:
60    
61     - env_check Environment variables to be removed from the user's
62     - environment if the variable's value contains `%' or `/'
63     + env_check Environment variables to be removed from the user's
64     + environment if unless they are considered ``safe''.
65     + For all variables except TZ, ``safe'' means that the
66     + variable's value does not contain any `%' or `/'
67     characters. This can be used to guard against printf-
68     style format vulnerabilities in poorly-written
69     - programs. The argument may be a double-quoted, space-
70     - separated list or a single value without double-quotes.
71     - The list can be replaced, added to, deleted from, or
72     - disabled by using the =, +=, -=, and ! operators
73     - respectively. Regardless of whether the env_reset
74     - option is enabled or disabled, variables specified by
75     - env_check will be preserved in the environment if they
76     - pass the aforementioned check. The default list of
77     - environment variables to check is displayed when ssuuddoo
78     - is run by root with the --VV option.
79     + programs. The TZ variable is considerd unsafe if any
80     + of the following are true:
81     +
82     + ++oo It consists of a fully-qualified path name,
83     + optionally prefixed with a colon (`:'), that does
84     + not match the location of the _z_o_n_e_i_n_f_o directory.
85     +
86     + ++oo It contains a _._. path element.
87     +
88     + ++oo It contains white space or non-printable
89     + characters.
90     +
91     + ++oo It is longer than the value of PATH_MAX.
92     +
93     + The argument may be a double-quoted, space-separated
94     + list or a single value without double-quotes. The list
95     + can be replaced, added to, deleted from, or disabled by
96     + using the =, +=, -=, and ! operators respectively.
97     + Regardless of whether the env_reset option is enabled
98     + or disabled, variables specified by env_check will be
99     + preserved in the environment if they pass the
100     + aforementioned check. The default list of environment
101     + variables to check is displayed when ssuuddoo is run by
102     + root with the --VV option.
103    
104     env_delete Environment variables to be removed from the user's
105     environment when the _e_n_v___r_e_s_e_t option is not in effect.
106     diff -up sudo-1.8.6p3/doc/sudoers.man.in.CVE-2014-9680 sudo-1.8.6p3/doc/sudoers.man.in
107     --- sudo-1.8.6p3/doc/sudoers.man.in.CVE-2014-9680 2015-03-31 12:55:08.366841953 +0200
108     +++ sudo-1.8.6p3/doc/sudoers.man.in 2015-03-31 13:01:57.539420274 +0200
109     @@ -3002,14 +3002,47 @@ The default value is
110     \fBLists that can be used in a boolean context\fR:
111     .TP 18n
112     env_check
113     -Environment variables to be removed from the user's environment if
114     -the variable's value contains
115     -`%'
116     + Environment variables to be removed from the user's environment if
117     +unless they are considered
118     +\(lqsafe\(rq.
119     +For all variables except
120     +\fRTZ\fR,
121     +\(lqsafe\(rq
122     +means that the variable's value does not contain any
123     +\(oq%\(cq
124     or
125     -`/'
126     +\(oq/\(cq
127     characters.
128     This can be used to guard against printf-style format vulnerabilities
129     in poorly-written programs.
130     +The
131     +\fRTZ\fR
132     +variable is considerd unsafe if any of the following are true:
133     +.PP
134     +.RS 18n
135     +.PD 0
136     +.TP 4n
137     +\fB\(bu\fR
138     +It consists of a fully-qualified path name,
139     +optionally prefixed with a colon
140     +(\(oq:\&\(cq),
141     +that does not match the location of the
142     +\fIzoneinfo\fR
143     +directory.
144     +.PD
145     +.TP 4n
146     +\fB\(bu\fR
147     +It contains a
148     +\fI..\fR
149     +path element.
150     +.TP 4n
151     +\fB\(bu\fR
152     +It contains white space or non-printable characters.
153     +.TP 4n
154     +\fB\(bu\fR
155     +It is longer than the value of
156     +\fRPATH_MAX\fR.
157     +.PP
158     The argument may be a double-quoted, space-separated list or a
159     single value without double-quotes.
160     The list can be replaced, added to, deleted from, or disabled by using
161     @@ -3031,6 +3064,7 @@ is run by root with
162     the
163     \fB\-V\fR
164     option.
165     +.RE
166     .TP 18n
167     env_delete
168     Environment variables to be removed from the user's environment when the
169     diff -up sudo-1.8.6p3/doc/sudoers.mdoc.in.CVE-2014-9680 sudo-1.8.6p3/doc/sudoers.mdoc.in
170     --- sudo-1.8.6p3/doc/sudoers.mdoc.in.CVE-2014-9680 2015-03-31 12:55:08.366841953 +0200
171     +++ sudo-1.8.6p3/doc/sudoers.mdoc.in 2015-03-31 13:03:21.721510569 +0200
172     @@ -2791,13 +2791,40 @@ The default value is
173     .Bl -tag -width 16n
174     .It env_check
175     Environment variables to be removed from the user's environment if
176     -the variable's value contains
177     +unless they are considered
178     +.Dq safe .
179     +For all variables except
180     +.Li TZ ,
181     +.Dq safe
182     +means that the variable's value does not contain any
183     .Ql %
184     or
185     .Ql /
186     characters.
187     This can be used to guard against printf-style format vulnerabilities
188     in poorly-written programs.
189     +The
190     +.Li TZ
191     +variable is considerd unsafe if any of the following are true:
192     +.Bl -bullet
193     +.It
194     +It consists of a fully-qualified path name,
195     +optionally prefixed with a colon
196     +.Pq Ql :\& ,
197     +that does not match the location of the
198     +.Pa zoneinfo
199     +directory.
200     +.It
201     +It contains a
202     +.Pa ..
203     +path element.
204     +.It
205     +It contains white space or non-printable characters.
206     +.It
207     +It is longer than the value of
208     +.Li PATH_MAX .
209     +.El
210     +.Pp
211     The argument may be a double-quoted, space-separated list or a
212     single value without double-quotes.
213     The list can be replaced, added to, deleted from, or disabled by using
214     diff -up sudo-1.8.6p3/INSTALL.CVE-2014-9680 sudo-1.8.6p3/INSTALL
215     --- sudo-1.8.6p3/INSTALL.CVE-2014-9680 2012-09-18 15:57:43.000000000 +0200
216     +++ sudo-1.8.6p3/INSTALL 2015-03-31 12:55:08.394841651 +0200
217     @@ -461,6 +461,16 @@ The following options are also configura
218     Override the default location of the sudo timestamp directory and
219     use "path" instead.
220    
221     + --with-tzdir=DIR
222     + Set the directory to the system's time zone data files. This
223     + is only used when sanitizing the TZ environment variable to
224     + allow for fully-qualified paths in TZ.
225     + By default, configure will look for an existing "zoneinfo"
226     + directory in the following locations:
227     + /usr/share /usr/share/lib /usr/lib /etc
228     + If no zoneinfo directory is found, the TZ variable may not
229     + contain a fully-qualified path.
230     +
231     --with-sendmail=PATH
232     Override configure's guess as to the location of sendmail.
233    
234     diff -up sudo-1.8.6p3/pathnames.h.in.CVE-2014-9680 sudo-1.8.6p3/pathnames.h.in
235     --- sudo-1.8.6p3/pathnames.h.in.CVE-2014-9680 2012-09-18 15:56:28.000000000 +0200
236     +++ sudo-1.8.6p3/pathnames.h.in 2015-03-31 12:55:08.394841651 +0200
237     @@ -168,3 +168,7 @@
238     #ifndef _PATH_NETSVC_CONF
239     #undef _PATH_NETSVC_CONF
240     #endif /* _PATH_NETSVC_CONF */
241     +
242     +#ifndef _PATH_ZONEINFO
243     +# undef _PATH_ZONEINFO
244     +#endif /* _PATH_ZONEINFO */
245     diff -up sudo-1.8.6p3/plugins/sudoers/env.c.CVE-2014-9680 sudo-1.8.6p3/plugins/sudoers/env.c
246     --- sudo-1.8.6p3/plugins/sudoers/env.c.CVE-2014-9680 2012-09-18 15:57:43.000000000 +0200
247     +++ sudo-1.8.6p3/plugins/sudoers/env.c 2015-03-31 12:55:08.394841651 +0200
248     @@ -198,6 +198,7 @@ static const char *initial_checkenv_tabl
249     "LC_*",
250     "LINGUAS",
251     "TERM",
252     + "TZ",
253     NULL
254     };
255    
256     @@ -213,7 +214,6 @@ static const char *initial_keepenv_table
257     "PATH",
258     "PS1",
259     "PS2",
260     - "TZ",
261     "XAUTHORITY",
262     "XAUTHORIZATION",
263     NULL
264     @@ -584,6 +584,54 @@ matches_env_delete(const char *var)
265     }
266    
267     /*
268     + * Sanity-check the TZ environment variable.
269     + * On many systems it is possible to set this to a pathname.
270     + */
271     +static bool
272     +tz_is_sane(const char *tzval)
273     +{
274     + const char *cp;
275     + char lastch;
276     + debug_decl(tz_is_sane, SUDO_DEBUG_ENV)
277     +
278     + /* tzcode treats a value beginning with a ':' as a path. */
279     + if (tzval[0] == ':')
280     + tzval++;
281     +
282     + /* Reject fully-qualified TZ that doesn't being with the zoneinfo dir. */
283     + if (tzval[0] == '/') {
284     +#ifdef _PATH_ZONEINFO
285     + if (strncmp(tzval, _PATH_ZONEINFO, sizeof(_PATH_ZONEINFO) - 1) != 0 ||
286     + tzval[sizeof(_PATH_ZONEINFO) - 1] != '/')
287     + debug_return_bool(false);
288     +#else
289     + /* Assume the worst. */
290     + debug_return_bool(false);
291     +#endif
292     + }
293     +
294     + /*
295     + * Make sure TZ only contains printable non-space characters
296     + * and does not contain a '..' path element.
297     + */
298     + lastch = '/';
299     + for (cp = tzval; *cp != '\0'; cp++) {
300     + if (isspace((unsigned char)*cp) || !isprint((unsigned char)*cp))
301     + debug_return_bool(false);
302     + if (lastch == '/' && cp[0] == '.' && cp[1] == '.' &&
303     + (cp[2] == '/' || cp[2] == '\0'))
304     + debug_return_bool(false);
305     + lastch = *cp;
306     + }
307     +
308     + /* Reject extra long TZ values (even if not a path). */
309     + if ((size_t)(cp - tzval) >= PATH_MAX)
310     + debug_return_bool(false);
311     +
312     + debug_return_bool(true);
313     +}
314     +
315     +/*
316     * Apply the env_check list.
317     * Returns true if the variable is allowed, false if denied
318     * or -1 if no match.
319     @@ -607,8 +655,13 @@ matches_env_check(const char *var)
320     iswild = false;
321     if (strncmp(cur->value, var, len) == 0 &&
322     (iswild || var[len] == '=')) {
323     + if (strncmp(var, "TZ=", 3) == 0 ) {
324     + /* Sperial case for TZ */
325     + keepit = tz_is_sane(var + 3);
326     + } else {
327     keepit = !strpbrk(var, "/%");
328     - break;
329     + }
330     + break;
331     }
332     }
333     debug_return_bool(keepit);

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed