sudo/sme9/sudo-1.8.6p3-CVE-2021-3156.patch

diff -Nur ./src/parse_args.c.heap-buffer ./src/parse_args.c
--- ./src/parse_args.c.heap-buffer      2012-09-18 09:57:43.000000000 -0400
+++ ./src/parse_args.c  2021-02-05 15:19:50.450000000 -0500
@@ -113,6 +113,13 @@
 };
 
 /*
+* Default flags allowed when running a command.
+*/
+#define DEFAULT_VALID_FLAGS     (MODE_BACKGROUND|MODE_PRESERVE_ENV|MODE_RESET_HOME|MODE_LOGIN_SHELL|MODE_NONINTERACTIVE|MODE_PRESERVE_GROUPS|MODE_SHELL)
+#define EDIT_VALID_FLAGS        MODE_NONINTERACTIVE
+#define LIST_VALID_FLAGS        (MODE_NONINTERACTIVE|MODE_LONG_LIST)
+#define VALIDATE_VALID_FLAGS    MODE_NONINTERACTIVE
+/*
  * Command line argument parsing.
  * Sets nargc and nargv which corresponds to the argc/argv we'll use
  * for the command to be run (if we are running one).
@@ -140,6 +147,7 @@
     if (strcmp(getprogname(), "sudoedit") == 0) {
        mode = MODE_EDIT;
        sudo_settings[ARG_SUDOEDIT].value = "true";
+       valid_flags = EDIT_VALID_FLAGS;
     }
 
     /* Load local IP addresses and masks. */
@@ -205,7 +213,7 @@
                        usage_excl(1);
                    mode = MODE_EDIT;
                    sudo_settings[ARG_SUDOEDIT].value = "true";
-                   valid_flags = MODE_NONINTERACTIVE;
+                   valid_flags = EDIT_VALID_FLAGS;
                    break;
                case 'g':
                    runas_group = optarg;
@@ -213,6 +221,7 @@
                    break;
                case 'H':
                    sudo_settings[ARG_SET_HOME].value = "true";
+                   SET(flags, MODE_RESET_HOME);
                    break;
                case 'h':
                    if (mode && mode != MODE_HELP) {
@@ -244,7 +253,7 @@
                            usage_excl(1);
                    }
                    mode = MODE_LIST;
-                   valid_flags = MODE_NONINTERACTIVE|MODE_LONG_LIST;
+                   valid_flags = LIST_VALID_FLAGS;
                    break;
                case 'n':
                    SET(flags, MODE_NONINTERACTIVE);
@@ -252,6 +261,7 @@
                    break;
                case 'P':
                    sudo_settings[ARG_PRESERVE_GROUPS].value = "true";
+                   SET(flags, MODE_PRESERVE_GROUPS);
                    break;
                case 'p':
                    sudo_settings[ARG_PROMPT].value = optarg;
@@ -284,7 +294,7 @@
                    if (mode && mode != MODE_VALIDATE)
                        usage_excl(1);
                    mode = MODE_VALIDATE;
-                   valid_flags = MODE_NONINTERACTIVE;
+                   valid_flags = VALIDATE_VALID_FLAGS;
                    break;
                case 'V':
                    if (mode && mode != MODE_VERSION)
@@ -317,7 +327,7 @@
     if (!mode) {
        /* Defer -k mode setting until we know whether it is a flag or not */
        if (sudo_settings[ARG_IGNORE_TICKET].value != NULL) {
-           if (argc == 0 && !(flags & (MODE_SHELL|MODE_LOGIN_SHELL))) {
+           if (argc == 0 && !ISSET(flags, MODE_SHELL|MODE_LOGIN_SHELL)) {
                mode = MODE_INVALIDATE; /* -k by itself */
                sudo_settings[ARG_IGNORE_TICKET].value = NULL;
                valid_flags = 0;
@@ -377,18 +387,22 @@
     /*
      * For shell mode we need to rewrite argv
      */
-    if (ISSET(mode, MODE_RUN) && ISSET(flags, MODE_SHELL)) {
+    if (ISSET(flags, MODE_SHELL|MODE_LOGIN_SHELL) && ISSET(mode, MODE_RUN)) {
        char **av, *cmnd = NULL;
        int ac = 1;
 
        if (argc != 0) {
            /* shell -c "command" */
            char *src, *dst;
-           size_t cmnd_size = (size_t) (argv[argc - 1] - argv[0]) +
-               strlen(argv[argc - 1]) + 1;
+            size_t size = 0;
+
+         for (av = argv; *av != NULL; av++)
+             size += strlen(*av) + 1;
+
+         if (size == 0 || (cmnd = emalloc2(size, 2)) == NULL)
+               exit(1);
 
-           cmnd = dst = emalloc2(cmnd_size, 2);
-           for (av = argv; *av != NULL; av++) {
+            for (dst = cmnd, av = argv; *av != NULL; av++) {
                for (src = *av; *src != '\0'; src++) {
                    /* quote potential meta characters */
                    if (!isalnum((unsigned char)*src) && *src != '_' && *src != '-')
diff -Nur ./plugins/sudoers/sudoers.c.heap-buffer ./plugins/sudoers/sudoers.c
--- ./plugins/sudoers/sudoers.c.heap-buffer     2021-02-04 14:45:39.357000000 -0500
+++ ./plugins/sudoers/sudoers.c 2021-02-04 16:48:14.670000000 -0500
@@ -492,7 +492,7 @@
 
     /* If run as root with SUDO_USER set, set sudo_user.pw to that user. */
     /* XXX - causes confusion when root is not listed in sudoers */
-    if (sudo_mode & (MODE_RUN | MODE_EDIT) && prev_user != NULL) {
+    if (ISSET(sudo_mode, MODE_RUN|MODE_EDIT) && prev_user != NULL) {
        if (user_uid == 0 && strcmp(prev_user, "root") != 0) {
            struct passwd *pw;
 
@@ -927,8 +927,8 @@
     if (user_cmnd == NULL)
        user_cmnd = NewArgv[0];
 
-    if (sudo_mode & (MODE_RUN | MODE_EDIT | MODE_CHECK)) {
-       if (ISSET(sudo_mode, MODE_RUN | MODE_CHECK)) {
+    if (ISSET(sudo_mode, MODE_RUN|MODE_EDIT|MODE_CHECK)) {
+       if (!ISSET(sudo_mode, MODE_EDIT)) {
            if (def_secure_path && !user_is_exempt())
                path = def_secure_path;
            set_perms(PERM_RUNAS);
@@ -953,7 +953,8 @@
            for (size = 0, av = NewArgv + 1; *av; av++)
                size += strlen(*av) + 1;
            user_args = emalloc(size);
-           if (ISSET(sudo_mode, MODE_SHELL|MODE_LOGIN_SHELL)) {
+           if (ISSET(sudo_mode, MODE_SHELL|MODE_LOGIN_SHELL) &&
+             ISSET(sudo_mode, MODE_RUN)) {
                /*
                 * When running a command via a shell, the sudo front-end
                 * escapes potential meta chars.  We unescape non-spaces
@@ -961,10 +962,18 @@
                 */
                for (to = user_args, av = NewArgv + 1; (from = *av); av++) {
                    while (*from) {
-                       if (from[0] == '\\' && !isspace((unsigned char)from[1]))
+                       if (from[0] == '\\' && from[1] != '\0' &&
+                               !isspace((unsigned char)from[1])) {
                            from++;
+                       }
+                       if (size - (to - user_args) < 1) {
+                           errorx(1, _("internal error, %s overflow"), __func__); /*debug_return_int(3);NOT_FOUND_ERROR*/
+                       }
                        *to++ = *from++;
                    }
+                   if (size - (to - user_args) < 1) {
+                       errorx(1, _("internal error, %s overflow"), __func__); /*debug_return_int(3);NOT_FOUND_ERROR*/
+                   }
                    *to++ = ' ';
                }
                *--to = '\0';
1	diff -Nur ./src/parse_args.c.heap-buffer ./src/parse_args.c
2	--- ./src/parse_args.c.heap-buffer 2012-09-18 09:57:43.000000000 -0400
3	+++ ./src/parse_args.c 2021-02-05 15:19:50.450000000 -0500
4	@@ -113,6 +113,13 @@
5	};
6
7	/*
8	+* Default flags allowed when running a command.
9	+*/
10	+#define DEFAULT_VALID_FLAGS (MODE_BACKGROUND\|MODE_PRESERVE_ENV\|MODE_RESET_HOME\|MODE_LOGIN_SHELL\|MODE_NONINTERACTIVE\|MODE_PRESERVE_GROUPS\|MODE_SHELL)
11	+#define EDIT_VALID_FLAGS MODE_NONINTERACTIVE
12	+#define LIST_VALID_FLAGS (MODE_NONINTERACTIVE\|MODE_LONG_LIST)
13	+#define VALIDATE_VALID_FLAGS MODE_NONINTERACTIVE
14	+/*
15	* Command line argument parsing.
16	* Sets nargc and nargv which corresponds to the argc/argv we'll use
17	* for the command to be run (if we are running one).
18	@@ -140,6 +147,7 @@
19	if (strcmp(getprogname(), "sudoedit") == 0) {
20	mode = MODE_EDIT;
21	sudo_settings[ARG_SUDOEDIT].value = "true";
22	+ valid_flags = EDIT_VALID_FLAGS;
23	}
24
25	/* Load local IP addresses and masks. */
26	@@ -205,7 +213,7 @@
27	usage_excl(1);
28	mode = MODE_EDIT;
29	sudo_settings[ARG_SUDOEDIT].value = "true";
30	- valid_flags = MODE_NONINTERACTIVE;
31	+ valid_flags = EDIT_VALID_FLAGS;
32	break;
33	case 'g':
34	runas_group = optarg;
35	@@ -213,6 +221,7 @@
36	break;
37	case 'H':
38	sudo_settings[ARG_SET_HOME].value = "true";
39	+ SET(flags, MODE_RESET_HOME);
40	break;
41	case 'h':
42	if (mode && mode != MODE_HELP) {
43	@@ -244,7 +253,7 @@
44	usage_excl(1);
45	}
46	mode = MODE_LIST;
47	- valid_flags = MODE_NONINTERACTIVE\|MODE_LONG_LIST;
48	+ valid_flags = LIST_VALID_FLAGS;
49	break;
50	case 'n':
51	SET(flags, MODE_NONINTERACTIVE);
52	@@ -252,6 +261,7 @@
53	break;
54	case 'P':
55	sudo_settings[ARG_PRESERVE_GROUPS].value = "true";
56	+ SET(flags, MODE_PRESERVE_GROUPS);
57	break;
58	case 'p':
59	sudo_settings[ARG_PROMPT].value = optarg;
60	@@ -284,7 +294,7 @@
61	if (mode && mode != MODE_VALIDATE)
62	usage_excl(1);
63	mode = MODE_VALIDATE;
64	- valid_flags = MODE_NONINTERACTIVE;
65	+ valid_flags = VALIDATE_VALID_FLAGS;
66	break;
67	case 'V':
68	if (mode && mode != MODE_VERSION)
69	@@ -317,7 +327,7 @@
70	if (!mode) {
71	/* Defer -k mode setting until we know whether it is a flag or not */
72	if (sudo_settings[ARG_IGNORE_TICKET].value != NULL) {
73	- if (argc == 0 && !(flags & (MODE_SHELL\|MODE_LOGIN_SHELL))) {
74	+ if (argc == 0 && !ISSET(flags, MODE_SHELL\|MODE_LOGIN_SHELL)) {
75	mode = MODE_INVALIDATE; /* -k by itself */
76	sudo_settings[ARG_IGNORE_TICKET].value = NULL;
77	valid_flags = 0;
78	@@ -377,18 +387,22 @@
79	/*
80	* For shell mode we need to rewrite argv
81	*/
82	- if (ISSET(mode, MODE_RUN) && ISSET(flags, MODE_SHELL)) {
83	+ if (ISSET(flags, MODE_SHELL\|MODE_LOGIN_SHELL) && ISSET(mode, MODE_RUN)) {
84	char *av, cmnd = NULL;
85	int ac = 1;
86
87	if (argc != 0) {
88	/* shell -c "command" */
89	char src, dst;
90	- size_t cmnd_size = (size_t) (argv[argc - 1] - argv[0]) +
91	- strlen(argv[argc - 1]) + 1;
92	+ size_t size = 0;
93	+
94	+ for (av = argv; *av != NULL; av++)
95	+ size += strlen(*av) + 1;
96	+
97	+ if (size == 0 \|\| (cmnd = emalloc2(size, 2)) == NULL)
98	+ exit(1);
99
100	- cmnd = dst = emalloc2(cmnd_size, 2);
101	- for (av = argv; *av != NULL; av++) {
102	+ for (dst = cmnd, av = argv; *av != NULL; av++) {
103	for (src = av; src != '\0'; src++) {
104	/* quote potential meta characters */
105	if (!isalnum((unsigned char)src) && src != '_' && *src != '-')
106	diff -Nur ./plugins/sudoers/sudoers.c.heap-buffer ./plugins/sudoers/sudoers.c
107	--- ./plugins/sudoers/sudoers.c.heap-buffer 2021-02-04 14:45:39.357000000 -0500
108	+++ ./plugins/sudoers/sudoers.c 2021-02-04 16:48:14.670000000 -0500
109	@@ -492,7 +492,7 @@
110
111	/* If run as root with SUDO_USER set, set sudo_user.pw to that user. */
112	/* XXX - causes confusion when root is not listed in sudoers */
113	- if (sudo_mode & (MODE_RUN \| MODE_EDIT) && prev_user != NULL) {
114	+ if (ISSET(sudo_mode, MODE_RUN\|MODE_EDIT) && prev_user != NULL) {
115	if (user_uid == 0 && strcmp(prev_user, "root") != 0) {
116	struct passwd *pw;
117
118	@@ -927,8 +927,8 @@
119	if (user_cmnd == NULL)
120	user_cmnd = NewArgv[0];
121
122	- if (sudo_mode & (MODE_RUN \| MODE_EDIT \| MODE_CHECK)) {
123	- if (ISSET(sudo_mode, MODE_RUN \| MODE_CHECK)) {
124	+ if (ISSET(sudo_mode, MODE_RUN\|MODE_EDIT\|MODE_CHECK)) {
125	+ if (!ISSET(sudo_mode, MODE_EDIT)) {
126	if (def_secure_path && !user_is_exempt())
127	path = def_secure_path;
128	set_perms(PERM_RUNAS);
129	@@ -953,7 +953,8 @@
130	for (size = 0, av = NewArgv + 1; *av; av++)
131	size += strlen(*av) + 1;
132	user_args = emalloc(size);
133	- if (ISSET(sudo_mode, MODE_SHELL\|MODE_LOGIN_SHELL)) {
134	+ if (ISSET(sudo_mode, MODE_SHELL\|MODE_LOGIN_SHELL) &&
135	+ ISSET(sudo_mode, MODE_RUN)) {
136	/*
137	* When running a command via a shell, the sudo front-end
138	* escapes potential meta chars. We unescape non-spaces
139	@@ -961,10 +962,18 @@
140	*/
141	for (to = user_args, av = NewArgv + 1; (from = *av); av++) {
142	while (*from) {
143	- if (from[0] == '\\' && !isspace((unsigned char)from[1]))
144	+ if (from[0] == '\\' && from[1] != '\0' &&
145	+ !isspace((unsigned char)from[1])) {
146	from++;
147	+ }
148	+ if (size - (to - user_args) < 1) {
149	+ errorx(1, _("internal error, %s overflow"), __func__); /debug_return_int(3);NOT_FOUND_ERROR/
150	+ }
151	to++ = from++;
152	}
153	+ if (size - (to - user_args) < 1) {
154	+ errorx(1, _("internal error, %s overflow"), __func__); /debug_return_int(3);NOT_FOUND_ERROR/
155	+ }
156	*to++ = ' ';
157	}
158	*--to = '\0';