/[smeserver]/rpms/sudo/sme9/sudo-1.8.6p3-CVE-2014-9680.patch
ViewVC logotype

Contents of /rpms/sudo/sme9/sudo-1.8.6p3-CVE-2014-9680.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (show annotations) (download)
Thu Feb 4 19:44:04 2021 UTC (3 years, 8 months ago) by jpp
Branch: MAIN
CVS Tags: sudo-1_8_6p3-30_el6_sme, sudo-1_8_6p3-29_el6_9, HEAD
Sudo

1 diff -up sudo-1.8.6p3/aclocal.m4.CVE-2014-9680 sudo-1.8.6p3/aclocal.m4
2 --- sudo-1.8.6p3/aclocal.m4.CVE-2014-9680 2012-09-18 15:56:28.000000000 +0200
3 +++ sudo-1.8.6p3/aclocal.m4 2015-03-31 12:55:08.392841672 +0200
4 @@ -156,6 +156,25 @@ AC_DEFUN([SUDO_IO_LOGDIR], [
5 AC_MSG_RESULT($iolog_dir)
6 ])dnl
7
8 +dnl Detect time zone file directory, if any.
9 +dnl
10 +AC_DEFUN([SUDO_TZDIR], [AC_MSG_CHECKING(time zone data directory)
11 +tzdir="$with_tzdir"
12 +if test -z "$tzdir"; then
13 + tzdir=no
14 + for d in /usr/share /usr/share/lib /usr/lib /etc; do
15 + if test -d "$d/zoneinfo"; then
16 + tzdir="$d/zoneinfo"
17 + break
18 + fi
19 + done
20 +fi
21 +AC_MSG_RESULT([$tzdir])
22 +if test "${tzdir}" != "no"; then
23 + SUDO_DEFINE_UNQUOTED(_PATH_ZONEINFO, "$tzdir")
24 +fi
25 +])dnl
26 +
27 dnl
28 dnl check for working fnmatch(3)
29 dnl
30 diff -up sudo-1.8.6p3/configure.in.CVE-2014-9680 sudo-1.8.6p3/configure.in
31 --- sudo-1.8.6p3/configure.in.CVE-2014-9680 2015-03-31 12:55:08.375841856 +0200
32 +++ sudo-1.8.6p3/configure.in 2015-03-31 12:55:08.393841662 +0200
33 @@ -774,6 +774,12 @@ AC_ARG_WITH(iologdir, [AS_HELP_STRING([-
34 ;;
35 esac])
36
37 +AC_ARG_WITH(tzdir, [AS_HELP_STRING([--with-tzdir=DIR], [path to the time zone data directory])],
38 +[case $with_tzdir in
39 + yes) AC_MSG_ERROR(["must give --with-tzdir an argument."])
40 + ;;
41 +esac])
42 +
43 AC_ARG_WITH(sendmail, [AS_HELP_STRING([--with-sendmail], [set path to sendmail])
44 AS_HELP_STRING([--without-sendmail], [do not send mail at all])],
45 [case $with_sendmail in
46 @@ -3240,6 +3246,7 @@ fi
47 SUDO_LOGFILE
48 SUDO_TIMEDIR
49 SUDO_IO_LOGDIR
50 +SUDO_TZDIR
51
52 dnl
53 dnl Turn warnings into errors.
54 diff -up sudo-1.8.6p3/doc/sudoers.cat.CVE-2014-9680 sudo-1.8.6p3/doc/sudoers.cat
55 --- sudo-1.8.6p3/doc/sudoers.cat.CVE-2014-9680 2015-03-31 12:55:08.365841964 +0200
56 +++ sudo-1.8.6p3/doc/sudoers.cat 2015-03-31 13:00:04.625640465 +0200
57 @@ -1421,20 +1421,36 @@ SSUUDDOOEERRSS OOPPTTIIOONN
58
59 LLiissttss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt:
60
61 - env_check Environment variables to be removed from the user's
62 - environment if the variable's value contains `%' or `/'
63 + env_check Environment variables to be removed from the user's
64 + environment if unless they are considered ``safe''.
65 + For all variables except TZ, ``safe'' means that the
66 + variable's value does not contain any `%' or `/'
67 characters. This can be used to guard against printf-
68 style format vulnerabilities in poorly-written
69 - programs. The argument may be a double-quoted, space-
70 - separated list or a single value without double-quotes.
71 - The list can be replaced, added to, deleted from, or
72 - disabled by using the =, +=, -=, and ! operators
73 - respectively. Regardless of whether the env_reset
74 - option is enabled or disabled, variables specified by
75 - env_check will be preserved in the environment if they
76 - pass the aforementioned check. The default list of
77 - environment variables to check is displayed when ssuuddoo
78 - is run by root with the --VV option.
79 + programs. The TZ variable is considerd unsafe if any
80 + of the following are true:
81 +
82 + ++oo It consists of a fully-qualified path name,
83 + optionally prefixed with a colon (`:'), that does
84 + not match the location of the _z_o_n_e_i_n_f_o directory.
85 +
86 + ++oo It contains a _._. path element.
87 +
88 + ++oo It contains white space or non-printable
89 + characters.
90 +
91 + ++oo It is longer than the value of PATH_MAX.
92 +
93 + The argument may be a double-quoted, space-separated
94 + list or a single value without double-quotes. The list
95 + can be replaced, added to, deleted from, or disabled by
96 + using the =, +=, -=, and ! operators respectively.
97 + Regardless of whether the env_reset option is enabled
98 + or disabled, variables specified by env_check will be
99 + preserved in the environment if they pass the
100 + aforementioned check. The default list of environment
101 + variables to check is displayed when ssuuddoo is run by
102 + root with the --VV option.
103
104 env_delete Environment variables to be removed from the user's
105 environment when the _e_n_v___r_e_s_e_t option is not in effect.
106 diff -up sudo-1.8.6p3/doc/sudoers.man.in.CVE-2014-9680 sudo-1.8.6p3/doc/sudoers.man.in
107 --- sudo-1.8.6p3/doc/sudoers.man.in.CVE-2014-9680 2015-03-31 12:55:08.366841953 +0200
108 +++ sudo-1.8.6p3/doc/sudoers.man.in 2015-03-31 13:01:57.539420274 +0200
109 @@ -3002,14 +3002,47 @@ The default value is
110 \fBLists that can be used in a boolean context\fR:
111 .TP 18n
112 env_check
113 -Environment variables to be removed from the user's environment if
114 -the variable's value contains
115 -`%'
116 + Environment variables to be removed from the user's environment if
117 +unless they are considered
118 +\(lqsafe\(rq.
119 +For all variables except
120 +\fRTZ\fR,
121 +\(lqsafe\(rq
122 +means that the variable's value does not contain any
123 +\(oq%\(cq
124 or
125 -`/'
126 +\(oq/\(cq
127 characters.
128 This can be used to guard against printf-style format vulnerabilities
129 in poorly-written programs.
130 +The
131 +\fRTZ\fR
132 +variable is considerd unsafe if any of the following are true:
133 +.PP
134 +.RS 18n
135 +.PD 0
136 +.TP 4n
137 +\fB\(bu\fR
138 +It consists of a fully-qualified path name,
139 +optionally prefixed with a colon
140 +(\(oq:\&\(cq),
141 +that does not match the location of the
142 +\fIzoneinfo\fR
143 +directory.
144 +.PD
145 +.TP 4n
146 +\fB\(bu\fR
147 +It contains a
148 +\fI..\fR
149 +path element.
150 +.TP 4n
151 +\fB\(bu\fR
152 +It contains white space or non-printable characters.
153 +.TP 4n
154 +\fB\(bu\fR
155 +It is longer than the value of
156 +\fRPATH_MAX\fR.
157 +.PP
158 The argument may be a double-quoted, space-separated list or a
159 single value without double-quotes.
160 The list can be replaced, added to, deleted from, or disabled by using
161 @@ -3031,6 +3064,7 @@ is run by root with
162 the
163 \fB\-V\fR
164 option.
165 +.RE
166 .TP 18n
167 env_delete
168 Environment variables to be removed from the user's environment when the
169 diff -up sudo-1.8.6p3/doc/sudoers.mdoc.in.CVE-2014-9680 sudo-1.8.6p3/doc/sudoers.mdoc.in
170 --- sudo-1.8.6p3/doc/sudoers.mdoc.in.CVE-2014-9680 2015-03-31 12:55:08.366841953 +0200
171 +++ sudo-1.8.6p3/doc/sudoers.mdoc.in 2015-03-31 13:03:21.721510569 +0200
172 @@ -2791,13 +2791,40 @@ The default value is
173 .Bl -tag -width 16n
174 .It env_check
175 Environment variables to be removed from the user's environment if
176 -the variable's value contains
177 +unless they are considered
178 +.Dq safe .
179 +For all variables except
180 +.Li TZ ,
181 +.Dq safe
182 +means that the variable's value does not contain any
183 .Ql %
184 or
185 .Ql /
186 characters.
187 This can be used to guard against printf-style format vulnerabilities
188 in poorly-written programs.
189 +The
190 +.Li TZ
191 +variable is considerd unsafe if any of the following are true:
192 +.Bl -bullet
193 +.It
194 +It consists of a fully-qualified path name,
195 +optionally prefixed with a colon
196 +.Pq Ql :\& ,
197 +that does not match the location of the
198 +.Pa zoneinfo
199 +directory.
200 +.It
201 +It contains a
202 +.Pa ..
203 +path element.
204 +.It
205 +It contains white space or non-printable characters.
206 +.It
207 +It is longer than the value of
208 +.Li PATH_MAX .
209 +.El
210 +.Pp
211 The argument may be a double-quoted, space-separated list or a
212 single value without double-quotes.
213 The list can be replaced, added to, deleted from, or disabled by using
214 diff -up sudo-1.8.6p3/INSTALL.CVE-2014-9680 sudo-1.8.6p3/INSTALL
215 --- sudo-1.8.6p3/INSTALL.CVE-2014-9680 2012-09-18 15:57:43.000000000 +0200
216 +++ sudo-1.8.6p3/INSTALL 2015-03-31 12:55:08.394841651 +0200
217 @@ -461,6 +461,16 @@ The following options are also configura
218 Override the default location of the sudo timestamp directory and
219 use "path" instead.
220
221 + --with-tzdir=DIR
222 + Set the directory to the system's time zone data files. This
223 + is only used when sanitizing the TZ environment variable to
224 + allow for fully-qualified paths in TZ.
225 + By default, configure will look for an existing "zoneinfo"
226 + directory in the following locations:
227 + /usr/share /usr/share/lib /usr/lib /etc
228 + If no zoneinfo directory is found, the TZ variable may not
229 + contain a fully-qualified path.
230 +
231 --with-sendmail=PATH
232 Override configure's guess as to the location of sendmail.
233
234 diff -up sudo-1.8.6p3/pathnames.h.in.CVE-2014-9680 sudo-1.8.6p3/pathnames.h.in
235 --- sudo-1.8.6p3/pathnames.h.in.CVE-2014-9680 2012-09-18 15:56:28.000000000 +0200
236 +++ sudo-1.8.6p3/pathnames.h.in 2015-03-31 12:55:08.394841651 +0200
237 @@ -168,3 +168,7 @@
238 #ifndef _PATH_NETSVC_CONF
239 #undef _PATH_NETSVC_CONF
240 #endif /* _PATH_NETSVC_CONF */
241 +
242 +#ifndef _PATH_ZONEINFO
243 +# undef _PATH_ZONEINFO
244 +#endif /* _PATH_ZONEINFO */
245 diff -up sudo-1.8.6p3/plugins/sudoers/env.c.CVE-2014-9680 sudo-1.8.6p3/plugins/sudoers/env.c
246 --- sudo-1.8.6p3/plugins/sudoers/env.c.CVE-2014-9680 2012-09-18 15:57:43.000000000 +0200
247 +++ sudo-1.8.6p3/plugins/sudoers/env.c 2015-03-31 12:55:08.394841651 +0200
248 @@ -198,6 +198,7 @@ static const char *initial_checkenv_tabl
249 "LC_*",
250 "LINGUAS",
251 "TERM",
252 + "TZ",
253 NULL
254 };
255
256 @@ -213,7 +214,6 @@ static const char *initial_keepenv_table
257 "PATH",
258 "PS1",
259 "PS2",
260 - "TZ",
261 "XAUTHORITY",
262 "XAUTHORIZATION",
263 NULL
264 @@ -584,6 +584,54 @@ matches_env_delete(const char *var)
265 }
266
267 /*
268 + * Sanity-check the TZ environment variable.
269 + * On many systems it is possible to set this to a pathname.
270 + */
271 +static bool
272 +tz_is_sane(const char *tzval)
273 +{
274 + const char *cp;
275 + char lastch;
276 + debug_decl(tz_is_sane, SUDO_DEBUG_ENV)
277 +
278 + /* tzcode treats a value beginning with a ':' as a path. */
279 + if (tzval[0] == ':')
280 + tzval++;
281 +
282 + /* Reject fully-qualified TZ that doesn't being with the zoneinfo dir. */
283 + if (tzval[0] == '/') {
284 +#ifdef _PATH_ZONEINFO
285 + if (strncmp(tzval, _PATH_ZONEINFO, sizeof(_PATH_ZONEINFO) - 1) != 0 ||
286 + tzval[sizeof(_PATH_ZONEINFO) - 1] != '/')
287 + debug_return_bool(false);
288 +#else
289 + /* Assume the worst. */
290 + debug_return_bool(false);
291 +#endif
292 + }
293 +
294 + /*
295 + * Make sure TZ only contains printable non-space characters
296 + * and does not contain a '..' path element.
297 + */
298 + lastch = '/';
299 + for (cp = tzval; *cp != '\0'; cp++) {
300 + if (isspace((unsigned char)*cp) || !isprint((unsigned char)*cp))
301 + debug_return_bool(false);
302 + if (lastch == '/' && cp[0] == '.' && cp[1] == '.' &&
303 + (cp[2] == '/' || cp[2] == '\0'))
304 + debug_return_bool(false);
305 + lastch = *cp;
306 + }
307 +
308 + /* Reject extra long TZ values (even if not a path). */
309 + if ((size_t)(cp - tzval) >= PATH_MAX)
310 + debug_return_bool(false);
311 +
312 + debug_return_bool(true);
313 +}
314 +
315 +/*
316 * Apply the env_check list.
317 * Returns true if the variable is allowed, false if denied
318 * or -1 if no match.
319 @@ -607,8 +655,13 @@ matches_env_check(const char *var)
320 iswild = false;
321 if (strncmp(cur->value, var, len) == 0 &&
322 (iswild || var[len] == '=')) {
323 + if (strncmp(var, "TZ=", 3) == 0 ) {
324 + /* Sperial case for TZ */
325 + keepit = tz_is_sane(var + 3);
326 + } else {
327 keepit = !strpbrk(var, "/%");
328 - break;
329 + }
330 + break;
331 }
332 }
333 debug_return_bool(keepit);

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed