66 lines
2.2 KiB
Diff
66 lines
2.2 KiB
Diff
Backport of:
|
|
|
|
# HG changeset patch
|
|
# Parent 9b29e05ea310e187e41d8bcb58eddef8bd8b70d3
|
|
Fix potential buffer overflow when unescaping backslashes in user_args.
|
|
Do not try to unescaping backslashes unless in run mode *and* we are
|
|
running the command via a shell.
|
|
Found by Qualys.
|
|
|
|
--- a/plugins/sudoers/sudoers.c
|
|
+++ b/plugins/sudoers/sudoers.c
|
|
@@ -478,7 +478,7 @@ sudoers_policy_main(int argc, char * con
|
|
|
|
/* If run as root with SUDO_USER set, set sudo_user.pw to that user. */
|
|
/* XXX - causes confusion when root is not listed in sudoers */
|
|
- if (sudo_mode & (MODE_RUN | MODE_EDIT) && prev_user != NULL) {
|
|
+ if (ISSET(sudo_mode, MODE_RUN|MODE_EDIT) && prev_user != NULL) {
|
|
if (user_uid == 0 && strcmp(prev_user, "root") != 0) {
|
|
struct passwd *pw;
|
|
|
|
@@ -854,8 +854,8 @@ set_cmnd(void)
|
|
if (user_cmnd == NULL)
|
|
user_cmnd = NewArgv[0];
|
|
|
|
- if (sudo_mode & (MODE_RUN | MODE_EDIT | MODE_CHECK)) {
|
|
- if (ISSET(sudo_mode, MODE_RUN | MODE_CHECK)) {
|
|
+ if (ISSET(sudo_mode, MODE_RUN|MODE_EDIT|MODE_CHECK)) {
|
|
+ if (!ISSET(sudo_mode, MODE_EDIT)) {
|
|
if (def_secure_path && !user_is_exempt())
|
|
path = def_secure_path;
|
|
if (!set_perms(PERM_RUNAS))
|
|
@@ -894,7 +894,8 @@ set_cmnd(void)
|
|
sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
|
|
debug_return_int(-1);
|
|
}
|
|
- if (ISSET(sudo_mode, MODE_SHELL|MODE_LOGIN_SHELL)) {
|
|
+ if (ISSET(sudo_mode, MODE_SHELL|MODE_LOGIN_SHELL) &&
|
|
+ ISSET(sudo_mode, MODE_RUN)) {
|
|
/*
|
|
* When running a command via a shell, the sudo front-end
|
|
* escapes potential meta chars. We unescape non-spaces
|
|
@@ -902,10 +903,22 @@ set_cmnd(void)
|
|
*/
|
|
for (to = user_args, av = NewArgv + 1; (from = *av); av++) {
|
|
while (*from) {
|
|
- if (from[0] == '\\' && !isspace((unsigned char)from[1]))
|
|
+ if (from[0] == '\\' && from[1] != '\0' &&
|
|
+ !isspace((unsigned char)from[1])) {
|
|
from++;
|
|
+ }
|
|
+ if (size - (to - user_args) < 1) {
|
|
+ sudo_warnx(U_("internal error, %s overflow"),
|
|
+ __func__);
|
|
+ debug_return_int(NOT_FOUND_ERROR);
|
|
+ }
|
|
*to++ = *from++;
|
|
}
|
|
+ if (size - (to - user_args) < 1) {
|
|
+ sudo_warnx(U_("internal error, %s overflow"),
|
|
+ __func__);
|
|
+ debug_return_int(NOT_FOUND_ERROR);
|
|
+ }
|
|
*to++ = ' ';
|
|
}
|
|
*--to = '\0';
|