/[smeserver]/rpms/sudo/sme9/sudo-1.8.6p3-CVE-2021-3156.patch
ViewVC logotype

Annotation of /rpms/sudo/sme9/sudo-1.8.6p3-CVE-2021-3156.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (hide annotations) (download)
Sat Feb 6 20:26:19 2021 UTC (3 years, 9 months ago) by jpp
Branch: MAIN
CVS Tags: sudo-1_8_6p3-30_el6_sme, HEAD
* Thu Feb 04 2021 Jean-Philipe Pialasse <tests@pialasse.com> 1.8.6p3-30.sme
- fix CVE-2021-3156 [SME: 11339]

1 jpp 1.1 diff -Nur ./src/parse_args.c.heap-buffer ./src/parse_args.c
2     --- ./src/parse_args.c.heap-buffer 2012-09-18 09:57:43.000000000 -0400
3     +++ ./src/parse_args.c 2021-02-05 15:19:50.450000000 -0500
4     @@ -113,6 +113,13 @@
5     };
6    
7     /*
8     +* Default flags allowed when running a command.
9     +*/
10     +#define DEFAULT_VALID_FLAGS (MODE_BACKGROUND|MODE_PRESERVE_ENV|MODE_RESET_HOME|MODE_LOGIN_SHELL|MODE_NONINTERACTIVE|MODE_PRESERVE_GROUPS|MODE_SHELL)
11     +#define EDIT_VALID_FLAGS MODE_NONINTERACTIVE
12     +#define LIST_VALID_FLAGS (MODE_NONINTERACTIVE|MODE_LONG_LIST)
13     +#define VALIDATE_VALID_FLAGS MODE_NONINTERACTIVE
14     +/*
15     * Command line argument parsing.
16     * Sets nargc and nargv which corresponds to the argc/argv we'll use
17     * for the command to be run (if we are running one).
18     @@ -140,6 +147,7 @@
19     if (strcmp(getprogname(), "sudoedit") == 0) {
20     mode = MODE_EDIT;
21     sudo_settings[ARG_SUDOEDIT].value = "true";
22     + valid_flags = EDIT_VALID_FLAGS;
23     }
24    
25     /* Load local IP addresses and masks. */
26     @@ -205,7 +213,7 @@
27     usage_excl(1);
28     mode = MODE_EDIT;
29     sudo_settings[ARG_SUDOEDIT].value = "true";
30     - valid_flags = MODE_NONINTERACTIVE;
31     + valid_flags = EDIT_VALID_FLAGS;
32     break;
33     case 'g':
34     runas_group = optarg;
35     @@ -213,6 +221,7 @@
36     break;
37     case 'H':
38     sudo_settings[ARG_SET_HOME].value = "true";
39     + SET(flags, MODE_RESET_HOME);
40     break;
41     case 'h':
42     if (mode && mode != MODE_HELP) {
43     @@ -244,7 +253,7 @@
44     usage_excl(1);
45     }
46     mode = MODE_LIST;
47     - valid_flags = MODE_NONINTERACTIVE|MODE_LONG_LIST;
48     + valid_flags = LIST_VALID_FLAGS;
49     break;
50     case 'n':
51     SET(flags, MODE_NONINTERACTIVE);
52     @@ -252,6 +261,7 @@
53     break;
54     case 'P':
55     sudo_settings[ARG_PRESERVE_GROUPS].value = "true";
56     + SET(flags, MODE_PRESERVE_GROUPS);
57     break;
58     case 'p':
59     sudo_settings[ARG_PROMPT].value = optarg;
60     @@ -284,7 +294,7 @@
61     if (mode && mode != MODE_VALIDATE)
62     usage_excl(1);
63     mode = MODE_VALIDATE;
64     - valid_flags = MODE_NONINTERACTIVE;
65     + valid_flags = VALIDATE_VALID_FLAGS;
66     break;
67     case 'V':
68     if (mode && mode != MODE_VERSION)
69     @@ -317,7 +327,7 @@
70     if (!mode) {
71     /* Defer -k mode setting until we know whether it is a flag or not */
72     if (sudo_settings[ARG_IGNORE_TICKET].value != NULL) {
73     - if (argc == 0 && !(flags & (MODE_SHELL|MODE_LOGIN_SHELL))) {
74     + if (argc == 0 && !ISSET(flags, MODE_SHELL|MODE_LOGIN_SHELL)) {
75     mode = MODE_INVALIDATE; /* -k by itself */
76     sudo_settings[ARG_IGNORE_TICKET].value = NULL;
77     valid_flags = 0;
78     @@ -377,18 +387,22 @@
79     /*
80     * For shell mode we need to rewrite argv
81     */
82     - if (ISSET(mode, MODE_RUN) && ISSET(flags, MODE_SHELL)) {
83     + if (ISSET(flags, MODE_SHELL|MODE_LOGIN_SHELL) && ISSET(mode, MODE_RUN)) {
84     char **av, *cmnd = NULL;
85     int ac = 1;
86    
87     if (argc != 0) {
88     /* shell -c "command" */
89     char *src, *dst;
90     - size_t cmnd_size = (size_t) (argv[argc - 1] - argv[0]) +
91     - strlen(argv[argc - 1]) + 1;
92     + size_t size = 0;
93     +
94     + for (av = argv; *av != NULL; av++)
95     + size += strlen(*av) + 1;
96     +
97     + if (size == 0 || (cmnd = emalloc2(size, 2)) == NULL)
98     + exit(1);
99    
100     - cmnd = dst = emalloc2(cmnd_size, 2);
101     - for (av = argv; *av != NULL; av++) {
102     + for (dst = cmnd, av = argv; *av != NULL; av++) {
103     for (src = *av; *src != '\0'; src++) {
104     /* quote potential meta characters */
105     if (!isalnum((unsigned char)*src) && *src != '_' && *src != '-')
106     diff -Nur ./plugins/sudoers/sudoers.c.heap-buffer ./plugins/sudoers/sudoers.c
107     --- ./plugins/sudoers/sudoers.c.heap-buffer 2021-02-04 14:45:39.357000000 -0500
108     +++ ./plugins/sudoers/sudoers.c 2021-02-04 16:48:14.670000000 -0500
109     @@ -492,7 +492,7 @@
110    
111     /* If run as root with SUDO_USER set, set sudo_user.pw to that user. */
112     /* XXX - causes confusion when root is not listed in sudoers */
113     - if (sudo_mode & (MODE_RUN | MODE_EDIT) && prev_user != NULL) {
114     + if (ISSET(sudo_mode, MODE_RUN|MODE_EDIT) && prev_user != NULL) {
115     if (user_uid == 0 && strcmp(prev_user, "root") != 0) {
116     struct passwd *pw;
117    
118     @@ -927,8 +927,8 @@
119     if (user_cmnd == NULL)
120     user_cmnd = NewArgv[0];
121    
122     - if (sudo_mode & (MODE_RUN | MODE_EDIT | MODE_CHECK)) {
123     - if (ISSET(sudo_mode, MODE_RUN | MODE_CHECK)) {
124     + if (ISSET(sudo_mode, MODE_RUN|MODE_EDIT|MODE_CHECK)) {
125     + if (!ISSET(sudo_mode, MODE_EDIT)) {
126     if (def_secure_path && !user_is_exempt())
127     path = def_secure_path;
128     set_perms(PERM_RUNAS);
129     @@ -953,7 +953,8 @@
130     for (size = 0, av = NewArgv + 1; *av; av++)
131     size += strlen(*av) + 1;
132     user_args = emalloc(size);
133     - if (ISSET(sudo_mode, MODE_SHELL|MODE_LOGIN_SHELL)) {
134     + if (ISSET(sudo_mode, MODE_SHELL|MODE_LOGIN_SHELL) &&
135     + ISSET(sudo_mode, MODE_RUN)) {
136     /*
137     * When running a command via a shell, the sudo front-end
138     * escapes potential meta chars. We unescape non-spaces
139     @@ -961,10 +962,18 @@
140     */
141     for (to = user_args, av = NewArgv + 1; (from = *av); av++) {
142     while (*from) {
143     - if (from[0] == '\\' && !isspace((unsigned char)from[1]))
144     + if (from[0] == '\\' && from[1] != '\0' &&
145     + !isspace((unsigned char)from[1])) {
146     from++;
147     + }
148     + if (size - (to - user_args) < 1) {
149     + errorx(1, _("internal error, %s overflow"), __func__); /*debug_return_int(3);NOT_FOUND_ERROR*/
150     + }
151     *to++ = *from++;
152     }
153     + if (size - (to - user_args) < 1) {
154     + errorx(1, _("internal error, %s overflow"), __func__); /*debug_return_int(3);NOT_FOUND_ERROR*/
155     + }
156     *to++ = ' ';
157     }
158     *--to = '\0';

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed