packages/sudo
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2023-22809

Browse Source 
(cherry picked from commit 7ceacf43ea78b0d0370b7da2ac9040daad45db6d)
This commit is contained in:
houmingyong 2023-01-19 21:09:08 +08:00 committed by openeuler-sync-bot
parent f32ca49d67
commit 51bfe4f961
2 changed files with 148 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

143
backport-CVE-2023-22809.patch Normal file
View File

@ -0,0 +1,143 @@
From 0274a4f3b403162a37a10f199c989f3727ed3ad4 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller" <Todd.Miller@sudo.ws>
Date: Thu, 12 Jan 2023 15:55:27 -0700
Subject: [PATCH] sudoedit: do not permit editor arguments to include "--"
(CVE-2023-22809) We use "--" to separate the editor and arguments from the
files to edit. If the editor arguments include "--", sudo can be tricked into
allowing the user to edit a file not permitted by the security policy. Thanks
to Matthieu Barjole and Victor Cutillas of Synacktiv (https://synacktiv.com)
for finding this bug.
Reference:https://github.com/sudo-project/sudo/commit/0274a4f3b403162a37a10f199c989f3727ed3ad4
Conflict:NA
---
plugins/sudoers/editor.c | 19 ++++++++++++++-----
plugins/sudoers/sudoers.c | 25 ++++++++++++++++++-------
plugins/sudoers/visudo.c | 8 ++++++--
3 files changed, 38 insertions(+), 14 deletions(-)
diff --git a/plugins/sudoers/editor.c b/plugins/sudoers/editor.c
index 5ca4eb0af..6d988ff68 100644
--- a/plugins/sudoers/editor.c
+++ b/plugins/sudoers/editor.c
@@ -133,7 +133,7 @@ resolve_editor(const char *ed, size_t edlen, int nfiles, char * const *files,
const char *tmp, *cp, *ep = NULL;
const char *edend = ed + edlen;
struct stat user_editor_sb;
- int nargc;
+ int nargc = 0;
debug_decl(resolve_editor, SUDOERS_DEBUG_UTIL);
/*
@@ -151,10 +151,7 @@ resolve_editor(const char *ed, size_t edlen, int nfiles, char * const *files,
/* If we can't find the editor in the user's PATH, give up. */
if (find_path(editor, &editor_path, &user_editor_sb, getenv("PATH"), NULL,
0, allowlist) != FOUND) {
- sudoers_gc_remove(GC_PTR, editor);
- free(editor);
- errno = ENOENT;
- debug_return_str(NULL);
+ goto bad;
}
/* Count rest of arguments and allocate editor argv. */
@@ -175,6 +172,17 @@ resolve_editor(const char *ed, size_t edlen, int nfiles, char * const *files,
nargv[nargc] = copy_arg(cp, ep - cp);
if (nargv[nargc] == NULL)
goto oom;
+
+ /*
+ * We use "--" to separate the editor and arguments from the files
+ * to edit. The editor arguments themselves may not contain "--".
+ */
+ if (strcmp(nargv[nargc], "--") == 0) {
+ sudo_warnx(U_("ignoring editor: %.*s"), (int)edlen, ed);
+ sudo_warnx("%s", U_("editor arguments may not contain \"--\""));
+ errno = EINVAL;
+ goto bad;
+ }
}
if (nfiles != 0) {
nargv[nargc++] = "--";
@@ -188,6 +196,7 @@ resolve_editor(const char *ed, size_t edlen, int nfiles, char * const *files,
debug_return_str(editor_path);
oom:
sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+bad:
sudoers_gc_remove(GC_PTR, editor);
free(editor);
free(editor_path);
diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c
index 7b97340ac..1f22853ff 100644
--- a/plugins/sudoers/sudoers.c
+++ b/plugins/sudoers/sudoers.c
@@ -759,21 +759,32 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
/* Note: must call audit before uid change. */
if (ISSET(sudo_mode, MODE_EDIT)) {
+ const char *env_editor = NULL;
char **edit_argv;
int edit_argc;
- const char *env_editor;
free(safe_cmnd);
safe_cmnd = find_editor(NewArgc - 1, NewArgv + 1, &edit_argc,
&edit_argv, NULL, &env_editor, false);
if (safe_cmnd == NULL) {
- if (errno != ENOENT)
+ switch (errno) {
+ case ENOENT:
+ audit_failure(NewArgv, N_("%s: command not found"),
+ env_editor ? env_editor : def_editor);
+ sudo_warnx(U_("%s: command not found"),
+ env_editor ? env_editor : def_editor);
+ goto bad;
+ case EINVAL:
+ if (def_env_editor && env_editor != NULL) {
+ /* User tried to do something funny with the editor. */
+ log_warningx(SLOG_NO_STDERR|SLOG_AUDIT|SLOG_SEND_MAIL,
+ "invalid user-specified editor: %s", env_editor);
+ goto bad;
+ }
+ FALLTHROUGH;
+ default:
goto done;
- audit_failure(NewArgv, N_("%s: command not found"),
- env_editor ? env_editor : def_editor);
- sudo_warnx(U_("%s: command not found"),
- env_editor ? env_editor : def_editor);
- goto bad;
+ }
}
/* find_editor() already g/c'd edit_argv[] */
sudoers_gc_remove(GC_PTR, NewArgv);
diff --git a/plugins/sudoers/visudo.c b/plugins/sudoers/visudo.c
index 82f7f9e56..425071afd 100644
--- a/plugins/sudoers/visudo.c
+++ b/plugins/sudoers/visudo.c
@@ -301,7 +301,7 @@ static char *
get_editor(int *editor_argc, char ***editor_argv)
{
char *editor_path = NULL, **allowlist = NULL;
- const char *env_editor;
+ const char *env_editor = NULL;
static char *files[] = { "+1", "sudoers" };
unsigned int allowlist_len = 0;
debug_decl(get_editor, SUDOERS_DEBUG_UTIL);
@@ -335,7 +335,11 @@ get_editor(int *editor_argc, char ***editor_argv)
if (editor_path == NULL) {
if (def_env_editor && env_editor != NULL) {
/* We are honoring $EDITOR so this is a fatal error. */
- sudo_fatalx(U_("specified editor (%s) doesn't exist"), env_editor);
+ if (errno == ENOENT) {
+ sudo_warnx(U_("specified editor (%s) doesn't exist"),
+ env_editor);
+ }
+ exit(EXIT_FAILURE);
}
sudo_fatalx(U_("no editor found (editor path = %s)"), def_editor);
}
--
2.27.0

6
sudo.spec
View File

@ -1,6 +1,6 @@
Name: sudo Name: sudo
Version: 1.9.8p2 Version: 1.9.8p2
Release: 7 Release: 8
Summary: Allows restricted root access for specified users Summary: Allows restricted root access for specified users
License: ISC License: ISC
URL: http://www.courtesan.com/sudo/ URL: http://www.courtesan.com/sudo/
@ -27,6 +27,7 @@ Patch13: backport-Fix-a-potential-use-after-free-bug-with-cvtsudoers-f.patch
Patch14: backport-Fix-memory-leak-of-pass-in-converse.patch Patch14: backport-Fix-memory-leak-of-pass-in-converse.patch
Patch15: backport-sudo_passwd_cleanup-Set-auth-data-to-NULL-after-free.patch Patch15: backport-sudo_passwd_cleanup-Set-auth-data-to-NULL-after-free.patch
Patch16: backport-sudo_rcstr_dup-Fix-potential-NULL-pointer-deref.patch Patch16: backport-sudo_rcstr_dup-Fix-potential-NULL-pointer-deref.patch
Patch17: backport-CVE-2023-22809.patch
Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Requires: pam Requires: pam
@ -168,6 +169,9 @@ install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT/etc/pam.d/sudo-i
%exclude %{_pkgdocdir}/ChangeLog %exclude %{_pkgdocdir}/ChangeLog
%changelog %changelog
* Thu Jan 19 2023 houmingyong<houmingyong@huawei.com> - 1.9.8p2-8
- Fix CVE-2023-22809
* Thu Dec 08 2022 wangyu <wangyu283@huawei.com> - 1.9.8p2-7 * Thu Dec 08 2022 wangyu <wangyu283@huawei.com> - 1.9.8p2-7
- Backport patches from upstream community - Backport patches from upstream community