sudo/sme9/sudo-1.8.6p3-CVE-2021-3156.patch

diff -Nur ./src/parse_args.c.heap-buffer ./src/parse_args.c
--- ./src/parse_args.c.heap-buffer      2012-09-18 09:57:43.000000000 -0400
+++ ./src/parse_args.c  2021-02-05 15:19:50.450000000 -0500
@@ -113,6 +113,13 @@
 };
 
 /*
+* Default flags allowed when running a command.
+*/
+#define DEFAULT_VALID_FLAGS     (MODE_BACKGROUND|MODE_PRESERVE_ENV|MODE_RESET_HOME|MODE_LOGIN_SHELL|MODE_NONINTERACTIVE|MODE_PRESERVE_GROUPS|MODE_SHELL)
+#define EDIT_VALID_FLAGS        MODE_NONINTERACTIVE
+#define LIST_VALID_FLAGS        (MODE_NONINTERACTIVE|MODE_LONG_LIST)
+#define VALIDATE_VALID_FLAGS    MODE_NONINTERACTIVE
+/*
  * Command line argument parsing.
  * Sets nargc and nargv which corresponds to the argc/argv we'll use
  * for the command to be run (if we are running one).
@@ -140,6 +147,7 @@
     if (strcmp(getprogname(), "sudoedit") == 0) {
        mode = MODE_EDIT;
        sudo_settings[ARG_SUDOEDIT].value = "true";
+       valid_flags = EDIT_VALID_FLAGS;
     }
 
     /* Load local IP addresses and masks. */
@@ -205,7 +213,7 @@
                        usage_excl(1);
                    mode = MODE_EDIT;
                    sudo_settings[ARG_SUDOEDIT].value = "true";
-                   valid_flags = MODE_NONINTERACTIVE;
+                   valid_flags = EDIT_VALID_FLAGS;
                    break;
                case 'g':
                    runas_group = optarg;
@@ -213,6 +221,7 @@
                    break;
                case 'H':
                    sudo_settings[ARG_SET_HOME].value = "true";
+                   SET(flags, MODE_RESET_HOME);
                    break;
                case 'h':
                    if (mode && mode != MODE_HELP) {
@@ -244,7 +253,7 @@
                            usage_excl(1);
                    }
                    mode = MODE_LIST;
-                   valid_flags = MODE_NONINTERACTIVE|MODE_LONG_LIST;
+                   valid_flags = LIST_VALID_FLAGS;
                    break;
                case 'n':
                    SET(flags, MODE_NONINTERACTIVE);
@@ -252,6 +261,7 @@
                    break;
                case 'P':
                    sudo_settings[ARG_PRESERVE_GROUPS].value = "true";
+                   SET(flags, MODE_PRESERVE_GROUPS);
                    break;
                case 'p':
                    sudo_settings[ARG_PROMPT].value = optarg;
@@ -284,7 +294,7 @@
                    if (mode && mode != MODE_VALIDATE)
                        usage_excl(1);
                    mode = MODE_VALIDATE;
-                   valid_flags = MODE_NONINTERACTIVE;
+                   valid_flags = VALIDATE_VALID_FLAGS;
                    break;
                case 'V':
                    if (mode && mode != MODE_VERSION)
@@ -317,7 +327,7 @@
     if (!mode) {
        /* Defer -k mode setting until we know whether it is a flag or not */
        if (sudo_settings[ARG_IGNORE_TICKET].value != NULL) {
-           if (argc == 0 && !(flags & (MODE_SHELL|MODE_LOGIN_SHELL))) {
+           if (argc == 0 && !ISSET(flags, MODE_SHELL|MODE_LOGIN_SHELL)) {
                mode = MODE_INVALIDATE; /* -k by itself */
                sudo_settings[ARG_IGNORE_TICKET].value = NULL;
                valid_flags = 0;
@@ -377,18 +387,22 @@
     /*
      * For shell mode we need to rewrite argv
      */
-    if (ISSET(mode, MODE_RUN) && ISSET(flags, MODE_SHELL)) {
+    if (ISSET(flags, MODE_SHELL|MODE_LOGIN_SHELL) && ISSET(mode, MODE_RUN)) {
        char **av, *cmnd = NULL;
        int ac = 1;
 
        if (argc != 0) {
            /* shell -c "command" */
            char *src, *dst;
-           size_t cmnd_size = (size_t) (argv[argc - 1] - argv[0]) +
-               strlen(argv[argc - 1]) + 1;
+            size_t size = 0;
+
+         for (av = argv; *av != NULL; av++)
+             size += strlen(*av) + 1;
+
+         if (size == 0 || (cmnd = emalloc2(size, 2)) == NULL)
+               exit(1);
 
-           cmnd = dst = emalloc2(cmnd_size, 2);
-           for (av = argv; *av != NULL; av++) {
+            for (dst = cmnd, av = argv; *av != NULL; av++) {
                for (src = *av; *src != '\0'; src++) {
                    /* quote potential meta characters */
                    if (!isalnum((unsigned char)*src) && *src != '_' && *src != '-')
diff -Nur ./plugins/sudoers/sudoers.c.heap-buffer ./plugins/sudoers/sudoers.c
--- ./plugins/sudoers/sudoers.c.heap-buffer     2021-02-04 14:45:39.357000000 -0500
+++ ./plugins/sudoers/sudoers.c 2021-02-04 16:48:14.670000000 -0500
@@ -492,7 +492,7 @@
 
     /* If run as root with SUDO_USER set, set sudo_user.pw to that user. */
     /* XXX - causes confusion when root is not listed in sudoers */
-    if (sudo_mode & (MODE_RUN | MODE_EDIT) && prev_user != NULL) {
+    if (ISSET(sudo_mode, MODE_RUN|MODE_EDIT) && prev_user != NULL) {
        if (user_uid == 0 && strcmp(prev_user, "root") != 0) {
            struct passwd *pw;
 
@@ -927,8 +927,8 @@
     if (user_cmnd == NULL)
        user_cmnd = NewArgv[0];
 
-    if (sudo_mode & (MODE_RUN | MODE_EDIT | MODE_CHECK)) {
-       if (ISSET(sudo_mode, MODE_RUN | MODE_CHECK)) {
+    if (ISSET(sudo_mode, MODE_RUN|MODE_EDIT|MODE_CHECK)) {
+       if (!ISSET(sudo_mode, MODE_EDIT)) {
            if (def_secure_path && !user_is_exempt())
                path = def_secure_path;
            set_perms(PERM_RUNAS);
@@ -953,7 +953,8 @@
            for (size = 0, av = NewArgv + 1; *av; av++)
                size += strlen(*av) + 1;
            user_args = emalloc(size);
-           if (ISSET(sudo_mode, MODE_SHELL|MODE_LOGIN_SHELL)) {
+           if (ISSET(sudo_mode, MODE_SHELL|MODE_LOGIN_SHELL) &&
+             ISSET(sudo_mode, MODE_RUN)) {
                /*
                 * When running a command via a shell, the sudo front-end
                 * escapes potential meta chars.  We unescape non-spaces
@@ -961,10 +962,18 @@
                 */
                for (to = user_args, av = NewArgv + 1; (from = *av); av++) {
                    while (*from) {
-                       if (from[0] == '\\' && !isspace((unsigned char)from[1]))
+                       if (from[0] == '\\' && from[1] != '\0' &&
+                               !isspace((unsigned char)from[1])) {
                            from++;
+                       }
+                       if (size - (to - user_args) < 1) {
+                           errorx(1, _("internal error, %s overflow"), __func__); /*debug_return_int(3);NOT_FOUND_ERROR*/
+                       }
                        *to++ = *from++;
                    }
+                   if (size - (to - user_args) < 1) {
+                       errorx(1, _("internal error, %s overflow"), __func__); /*debug_return_int(3);NOT_FOUND_ERROR*/
+                   }
                    *to++ = ' ';
                }
                *--to = '\0';
1	jpp	1.1	diff -Nur ./src/parse_args.c.heap-buffer ./src/parse_args.c
2			--- ./src/parse_args.c.heap-buffer 2012-09-18 09:57:43.000000000 -0400
3			+++ ./src/parse_args.c 2021-02-05 15:19:50.450000000 -0500
4			@@ -113,6 +113,13 @@
5			};
6
7			/*
8			+* Default flags allowed when running a command.
9			+*/
10			+#define DEFAULT_VALID_FLAGS (MODE_BACKGROUND\|MODE_PRESERVE_ENV\|MODE_RESET_HOME\|MODE_LOGIN_SHELL\|MODE_NONINTERACTIVE\|MODE_PRESERVE_GROUPS\|MODE_SHELL)
11			+#define EDIT_VALID_FLAGS MODE_NONINTERACTIVE
12			+#define LIST_VALID_FLAGS (MODE_NONINTERACTIVE\|MODE_LONG_LIST)
13			+#define VALIDATE_VALID_FLAGS MODE_NONINTERACTIVE
14			+/*
15			* Command line argument parsing.
16			* Sets nargc and nargv which corresponds to the argc/argv we'll use
17			* for the command to be run (if we are running one).
18			@@ -140,6 +147,7 @@
19			if (strcmp(getprogname(), "sudoedit") == 0) {
20			mode = MODE_EDIT;
21			sudo_settings[ARG_SUDOEDIT].value = "true";
22			+ valid_flags = EDIT_VALID_FLAGS;
23			}
24
25			/* Load local IP addresses and masks. */
26			@@ -205,7 +213,7 @@
27			usage_excl(1);
28			mode = MODE_EDIT;
29			sudo_settings[ARG_SUDOEDIT].value = "true";
30			- valid_flags = MODE_NONINTERACTIVE;
31			+ valid_flags = EDIT_VALID_FLAGS;
32			break;
33			case 'g':
34			runas_group = optarg;
35			@@ -213,6 +221,7 @@
36			break;
37			case 'H':
38			sudo_settings[ARG_SET_HOME].value = "true";
39			+ SET(flags, MODE_RESET_HOME);
40			break;
41			case 'h':
42			if (mode && mode != MODE_HELP) {
43			@@ -244,7 +253,7 @@
44			usage_excl(1);
45			}
46			mode = MODE_LIST;
47			- valid_flags = MODE_NONINTERACTIVE\|MODE_LONG_LIST;
48			+ valid_flags = LIST_VALID_FLAGS;
49			break;
50			case 'n':
51			SET(flags, MODE_NONINTERACTIVE);
52			@@ -252,6 +261,7 @@
53			break;
54			case 'P':
55			sudo_settings[ARG_PRESERVE_GROUPS].value = "true";
56			+ SET(flags, MODE_PRESERVE_GROUPS);
57			break;
58			case 'p':
59			sudo_settings[ARG_PROMPT].value = optarg;
60			@@ -284,7 +294,7 @@
61			if (mode && mode != MODE_VALIDATE)
62			usage_excl(1);
63			mode = MODE_VALIDATE;
64			- valid_flags = MODE_NONINTERACTIVE;
65			+ valid_flags = VALIDATE_VALID_FLAGS;
66			break;
67			case 'V':
68			if (mode && mode != MODE_VERSION)
69			@@ -317,7 +327,7 @@
70			if (!mode) {
71			/* Defer -k mode setting until we know whether it is a flag or not */
72			if (sudo_settings[ARG_IGNORE_TICKET].value != NULL) {
73			- if (argc == 0 && !(flags & (MODE_SHELL\|MODE_LOGIN_SHELL))) {
74			+ if (argc == 0 && !ISSET(flags, MODE_SHELL\|MODE_LOGIN_SHELL)) {
75			mode = MODE_INVALIDATE; /* -k by itself */
76			sudo_settings[ARG_IGNORE_TICKET].value = NULL;
77			valid_flags = 0;
78			@@ -377,18 +387,22 @@
79			/*
80			* For shell mode we need to rewrite argv
81			*/
82			- if (ISSET(mode, MODE_RUN) && ISSET(flags, MODE_SHELL)) {
83			+ if (ISSET(flags, MODE_SHELL\|MODE_LOGIN_SHELL) && ISSET(mode, MODE_RUN)) {
84			char *av, cmnd = NULL;
85			int ac = 1;
86
87			if (argc != 0) {
88			/* shell -c "command" */
89			char src, dst;
90			- size_t cmnd_size = (size_t) (argv[argc - 1] - argv[0]) +
91			- strlen(argv[argc - 1]) + 1;
92			+ size_t size = 0;
93			+
94			+ for (av = argv; *av != NULL; av++)
95			+ size += strlen(*av) + 1;
96			+
97			+ if (size == 0 \|\| (cmnd = emalloc2(size, 2)) == NULL)
98			+ exit(1);
99
100			- cmnd = dst = emalloc2(cmnd_size, 2);
101			- for (av = argv; *av != NULL; av++) {
102			+ for (dst = cmnd, av = argv; *av != NULL; av++) {
103			for (src = av; src != '\0'; src++) {
104			/* quote potential meta characters */
105			if (!isalnum((unsigned char)src) && src != '_' && *src != '-')
106			diff -Nur ./plugins/sudoers/sudoers.c.heap-buffer ./plugins/sudoers/sudoers.c
107			--- ./plugins/sudoers/sudoers.c.heap-buffer 2021-02-04 14:45:39.357000000 -0500
108			+++ ./plugins/sudoers/sudoers.c 2021-02-04 16:48:14.670000000 -0500
109			@@ -492,7 +492,7 @@
110
111			/* If run as root with SUDO_USER set, set sudo_user.pw to that user. */
112			/* XXX - causes confusion when root is not listed in sudoers */
113			- if (sudo_mode & (MODE_RUN \| MODE_EDIT) && prev_user != NULL) {
114			+ if (ISSET(sudo_mode, MODE_RUN\|MODE_EDIT) && prev_user != NULL) {
115			if (user_uid == 0 && strcmp(prev_user, "root") != 0) {
116			struct passwd *pw;
117
118			@@ -927,8 +927,8 @@
119			if (user_cmnd == NULL)
120			user_cmnd = NewArgv[0];
121
122			- if (sudo_mode & (MODE_RUN \| MODE_EDIT \| MODE_CHECK)) {
123			- if (ISSET(sudo_mode, MODE_RUN \| MODE_CHECK)) {
124			+ if (ISSET(sudo_mode, MODE_RUN\|MODE_EDIT\|MODE_CHECK)) {
125			+ if (!ISSET(sudo_mode, MODE_EDIT)) {
126			if (def_secure_path && !user_is_exempt())
127			path = def_secure_path;
128			set_perms(PERM_RUNAS);
129			@@ -953,7 +953,8 @@
130			for (size = 0, av = NewArgv + 1; *av; av++)
131			size += strlen(*av) + 1;
132			user_args = emalloc(size);
133			- if (ISSET(sudo_mode, MODE_SHELL\|MODE_LOGIN_SHELL)) {
134			+ if (ISSET(sudo_mode, MODE_SHELL\|MODE_LOGIN_SHELL) &&
135			+ ISSET(sudo_mode, MODE_RUN)) {
136			/*
137			* When running a command via a shell, the sudo front-end
138			* escapes potential meta chars. We unescape non-spaces
139			@@ -961,10 +962,18 @@
140			*/
141			for (to = user_args, av = NewArgv + 1; (from = *av); av++) {
142			while (*from) {
143			- if (from[0] == '\\' && !isspace((unsigned char)from[1]))
144			+ if (from[0] == '\\' && from[1] != '\0' &&
145			+ !isspace((unsigned char)from[1])) {
146			from++;
147			+ }
148			+ if (size - (to - user_args) < 1) {
149			+ errorx(1, _("internal error, %s overflow"), __func__); /debug_return_int(3);NOT_FOUND_ERROR/
150			+ }
151			to++ = from++;
152			}
153			+ if (size - (to - user_args) < 1) {
154			+ errorx(1, _("internal error, %s overflow"), __func__); /debug_return_int(3);NOT_FOUND_ERROR/
155			+ }
156			*to++ = ' ';
157			}
158			*--to = '\0';