!69 [sync] PR-68: fix CVE-2023-22809

From: @openeuler-sync-bot 
Reviewed-by: @HuaxinLuGitee 
Signed-off-by: @HuaxinLuGitee

backport-CVE-2023-22809.patch

@@ -0,0 +1,143 @@
+From 0274a4f3b403162a37a10f199c989f3727ed3ad4 Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller" <Todd.Miller@sudo.ws>
+Date: Thu, 12 Jan 2023 15:55:27 -0700
+Subject: [PATCH] sudoedit: do not permit editor arguments to include "--"
+ (CVE-2023-22809) We use "--" to separate the editor and arguments from the
+ files to edit. If the editor arguments include "--", sudo can be tricked into
+ allowing the user to edit a file not permitted by the security policy. Thanks
+ to Matthieu Barjole and Victor Cutillas of Synacktiv (https://synacktiv.com)
+ for finding this bug.
+
+Reference:https://github.com/sudo-project/sudo/commit/0274a4f3b403162a37a10f199c989f3727ed3ad4
+Conflict:NA
+
+---
+ plugins/sudoers/editor.c  | 19 ++++++++++++++-----
+ plugins/sudoers/sudoers.c | 25 ++++++++++++++++++-------
+ plugins/sudoers/visudo.c  |  8 ++++++--
+ 3 files changed, 38 insertions(+), 14 deletions(-)
+
+diff --git a/plugins/sudoers/editor.c b/plugins/sudoers/editor.c
+index 5ca4eb0af..6d988ff68 100644
+--- a/plugins/sudoers/editor.c
++++ b/plugins/sudoers/editor.c
+@@ -133,7 +133,7 @@ resolve_editor(const char *ed, size_t edlen, int nfiles, char * const *files,
+     const char *tmp, *cp, *ep = NULL;
+     const char *edend = ed + edlen;
+     struct stat user_editor_sb;
+-    int nargc;
++    int nargc = 0;
+     debug_decl(resolve_editor, SUDOERS_DEBUG_UTIL);
+ 
+     /*
+@@ -151,10 +151,7 @@ resolve_editor(const char *ed, size_t edlen, int nfiles, char * const *files,
+     /* If we can't find the editor in the user's PATH, give up. */
+     if (find_path(editor, &editor_path, &user_editor_sb, getenv("PATH"), NULL,
+ 	    0, allowlist) != FOUND) {
+-	sudoers_gc_remove(GC_PTR, editor);
+-	free(editor);
+-	errno = ENOENT;
+-	debug_return_str(NULL);
++	goto bad;
+     }
+ 
+     /* Count rest of arguments and allocate editor argv. */
+@@ -175,6 +172,17 @@ resolve_editor(const char *ed, size_t edlen, int nfiles, char * const *files,
+ 	nargv[nargc] = copy_arg(cp, ep - cp);
+ 	if (nargv[nargc] == NULL)
+ 	    goto oom;
++
++	/*
++	 * We use "--" to separate the editor and arguments from the files
++	 * to edit.  The editor arguments themselves may not contain "--".
++	 */
++	if (strcmp(nargv[nargc], "--") == 0) {
++	    sudo_warnx(U_("ignoring editor: %.*s"), (int)edlen, ed);
++	    sudo_warnx("%s", U_("editor arguments may not contain \"--\""));
++	    errno = EINVAL;
++	    goto bad;
++	}
+     }
+     if (nfiles != 0) {
+ 	nargv[nargc++] = "--";
+@@ -188,6 +196,7 @@ resolve_editor(const char *ed, size_t edlen, int nfiles, char * const *files,
+     debug_return_str(editor_path);
+ oom:
+     sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
++bad:
+     sudoers_gc_remove(GC_PTR, editor);
+     free(editor);
+     free(editor_path);
+diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c
+index 7b97340ac..1f22853ff 100644
+--- a/plugins/sudoers/sudoers.c
++++ b/plugins/sudoers/sudoers.c
+@@ -759,21 +759,32 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
+ 
+     /* Note: must call audit before uid change. */
+     if (ISSET(sudo_mode, MODE_EDIT)) {
++	const char *env_editor = NULL;
+ 	char **edit_argv;
+ 	int edit_argc;
+-	const char *env_editor;
+ 
+ 	free(safe_cmnd);
+ 	safe_cmnd = find_editor(NewArgc - 1, NewArgv + 1, &edit_argc,
+ 	    &edit_argv, NULL, &env_editor, false);
+ 	if (safe_cmnd == NULL) {
+-	    if (errno != ENOENT)
++	    switch (errno) {
++	    case ENOENT:
++		audit_failure(NewArgv, N_("%s: command not found"),
++		    env_editor ? env_editor : def_editor);
++		sudo_warnx(U_("%s: command not found"),
++		    env_editor ? env_editor : def_editor);
++		goto bad;
++	    case EINVAL:
++		if (def_env_editor && env_editor != NULL) {
++		    /* User tried to do something funny with the editor. */
++		    log_warningx(SLOG_NO_STDERR|SLOG_AUDIT|SLOG_SEND_MAIL,
++			"invalid user-specified editor: %s", env_editor);
++		    goto bad;
++		}
++		FALLTHROUGH;
++	    default:
+ 		goto done;
+-	    audit_failure(NewArgv, N_("%s: command not found"),
+-		env_editor ? env_editor : def_editor);
+-	    sudo_warnx(U_("%s: command not found"),
+-		env_editor ? env_editor : def_editor);
+-	    goto bad;
++	    }
+ 	}
+ 	/* find_editor() already g/c'd edit_argv[] */
+ 	sudoers_gc_remove(GC_PTR, NewArgv);
+diff --git a/plugins/sudoers/visudo.c b/plugins/sudoers/visudo.c
+index 82f7f9e56..425071afd 100644
+--- a/plugins/sudoers/visudo.c
++++ b/plugins/sudoers/visudo.c
+@@ -301,7 +301,7 @@ static char *
+ get_editor(int *editor_argc, char ***editor_argv)
+ {
+     char *editor_path = NULL, **allowlist = NULL;
+-    const char *env_editor;
++    const char *env_editor = NULL;
+     static char *files[] = { "+1", "sudoers" };
+     unsigned int allowlist_len = 0;
+     debug_decl(get_editor, SUDOERS_DEBUG_UTIL);
+@@ -335,7 +335,11 @@ get_editor(int *editor_argc, char ***editor_argv)
+     if (editor_path == NULL) {
+ 	if (def_env_editor && env_editor != NULL) {
+ 	    /* We are honoring $EDITOR so this is a fatal error. */
+-	    sudo_fatalx(U_("specified editor (%s) doesn't exist"), env_editor);
++	    if (errno == ENOENT) {
++		sudo_warnx(U_("specified editor (%s) doesn't exist"),
++		    env_editor);
++	    }
++	    exit(EXIT_FAILURE);
+ 	}
+ 	sudo_fatalx(U_("no editor found (editor path = %s)"), def_editor);
+     }
+-- 
+2.27.0
+

sudo.spec

@@ -1,6 +1,6 @@
 Name: sudo
 Version: 1.9.8p2
-Release: 7
+Release: 8
 Summary: Allows restricted root access for specified users
 License: ISC
 URL: http://www.courtesan.com/sudo/
@@ -27,6 +27,7 @@ Patch13: backport-Fix-a-potential-use-after-free-bug-with-cvtsudoers-f.patch
 Patch14: backport-Fix-memory-leak-of-pass-in-converse.patch
 Patch15: backport-sudo_passwd_cleanup-Set-auth-data-to-NULL-after-free.patch
 Patch16: backport-sudo_rcstr_dup-Fix-potential-NULL-pointer-deref.patch
+Patch17: backport-CVE-2023-22809.patch
 
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Requires: pam
@@ -168,6 +169,9 @@ install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT/etc/pam.d/sudo-i
 %exclude %{_pkgdocdir}/ChangeLog
 
 %changelog
+* Thu Jan 19 2023 houmingyong<houmingyong@huawei.com> - 1.9.8p2-8
+- Fix CVE-2023-22809
+
 * Thu Dec 08 2022 wangyu <wangyu283@huawei.com> - 1.9.8p2-7
 - Backport patches from upstream community