Merging debian version 1.8.27-1+deb10u5.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

3 files changed, 166 insertions, 0 deletions

diff --git a/debian/changelog b/debian/changelog
index 2b9d1d0..770d48c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+sudo (1.8.27-1+deb10u5) buster-security; urgency=high
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2023-22809
+    sudoedit: do not permit editor arguments to include "--"
+
+ -- Thorsten Alteholz <debian@alteholz.de>  Mon, 16 Jan 2023 21:03:02 +0100
+
 sudo (1.8.27-1+deb10u4progress5u1) engywuck-security; urgency=high
 
   * Uploading to engywuck-security, remaining changes:
diff --git a/debian/patches/CVE-2023-22809.patch b/debian/patches/CVE-2023-22809.patch
new file mode 100644
index 0000000..454a13b
--- /dev/null
+++ b/debian/patches/CVE-2023-22809.patch
@@ -0,0 +1,156 @@
+Description: sudoedit: do not permit editor arguments to include "--"
+Origin: upstream
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-22809
+
+We use "--" to separate the editor and arguments from the files to edit.
+If the editor arguments include "--", sudo can be tricked into allowing
+the user to edit a file not permitted by the security policy.
+Thanks to Matthieu Barjole and Victor Cutillas of Synacktiv
+(https://synacktiv.com) for finding this bug.
+
+Index: sudo-1.8.27/plugins/sudoers/editor.c
+===================================================================
+--- sudo-1.8.27.orig/plugins/sudoers/editor.c	2023-01-16 23:27:07.662719271 +0100
++++ sudo-1.8.27/plugins/sudoers/editor.c	2023-01-18 09:30:21.597115094 +0100
+@@ -50,11 +50,11 @@
+ resolve_editor(const char *ed, size_t edlen, int nfiles, char **files,
+     int *argc_out, char ***argv_out, char * const *whitelist)
+ {
+-    char **nargv, *editor, *editor_path = NULL;
++    char **nargv = NULL, *editor, *editor_path = NULL;
+     const char *cp, *ep, *tmp;
+     const char *edend = ed + edlen;
+     struct stat user_editor_sb;
+-    int nargc;
++    int nargc = 0;
+     debug_decl(resolve_editor, SUDOERS_DEBUG_UTIL)
+ 
+     /*
+@@ -73,9 +73,8 @@
+ 
+     /* If we can't find the editor in the user's PATH, give up. */
+     if (find_path(editor, &editor_path, &user_editor_sb, getenv("PATH"), 0, whitelist) != FOUND) {
+-	free(editor);
+ 	errno = ENOENT;
+-	debug_return_str(NULL);
++	goto bad;
+     }
+ 
+     /* Count rest of arguments and allocate editor argv. */
+@@ -96,13 +95,19 @@
+     for (nargc = 1; (cp = sudo_strsplit(NULL, edend, " \t", &ep)) != NULL; nargc++) {
+ 	nargv[nargc] = strndup(cp, (size_t)(ep - cp));
+ 	if (nargv[nargc] == NULL) {
+-	    sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+-	    free(editor_path);
+-	    while (nargc--)
+-		free(nargv[nargc]);
+-	    free(nargv);
+-	    debug_return_str(NULL);
++	    goto oom;
+ 	}
++ 
++        /*
++         * We use "--" to separate the editor and arguments from the files
++         * to edit.  The editor arguments themselves may not contain "--".
++         */
++        if (strcmp(nargv[nargc], "--") == 0) {
++            sudo_warnx(U_("ignoring editor: %.*s"), (int)edlen, ed);
++            sudo_warnx("%s", U_("editor arguments may not contain \"--\""));
++            errno = EINVAL;
++            goto bad;
++        }
+     }
+     if (nfiles != 0) {
+ 	nargv[nargc++] = "--";
+@@ -114,6 +119,21 @@
+     *argc_out = nargc;
+     *argv_out = nargv;
+     debug_return_str(editor_path);
++
++oom:
++    sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
++bad:
++    if (editor) {free(editor); editor=NULL; }
++    if (editor_path) {free(editor_path); editor_path=NULL; }
++    if (nargv != NULL) {
++        while (nargc--) {
++            /* nargv[0] is editor that was already freed above */
++            if (nargc && nargv[nargc]) free(nargv[nargc]); 
++        }
++        if (nargv) free(nargv);
++    }
++    debug_return_str(NULL);
++
+ }
+ 
+ /*
+Index: sudo-1.8.27/plugins/sudoers/sudoers.c
+===================================================================
+--- sudo-1.8.27.orig/plugins/sudoers/sudoers.c	2023-01-16 23:27:07.662719271 +0100
++++ sudo-1.8.27/plugins/sudoers/sudoers.c	2023-01-17 00:15:22.859656116 +0100
+@@ -587,20 +587,31 @@
+ 
+     /* Note: must call audit before uid change. */
+     if (ISSET(sudo_mode, MODE_EDIT)) {
++	const char *env_editor = NULL;
+ 	int edit_argc;
+-	const char *env_editor;
+ 
+ 	free(safe_cmnd);
+ 	safe_cmnd = find_editor(NewArgc - 1, NewArgv + 1, &edit_argc,
+ 	    &edit_argv, NULL, &env_editor, false);
+ 	if (safe_cmnd == NULL) {
+-	    if (errno != ENOENT)
++            switch (errno) {
++            case ENOENT:
++                audit_failure(NewArgc, NewArgv, N_("%s: command not found"),
++                    env_editor ? env_editor : def_editor);
++                sudo_warnx(U_("%s: command not found"),
++                    env_editor ? env_editor : def_editor);
++                goto bad;
++            case EINVAL:
++                if (def_env_editor && env_editor != NULL) {
++                    /* User tried to do something funny with the editor. */
++                    log_warningx(SLOG_NO_STDERR|SLOG_SEND_MAIL,
++                        "invalid user-specified editor: %s", env_editor);
++                    goto bad;
++                }
++                /* FALLTHROUGH */
++            default:
+ 		goto done;
+-	    audit_failure(NewArgc, NewArgv, N_("%s: command not found"),
+-		env_editor ? env_editor : def_editor);
+-	    sudo_warnx(U_("%s: command not found"),
+-		env_editor ? env_editor : def_editor);
+-	    goto bad;
++            }
+ 	}
+ 	if (audit_success(edit_argc, edit_argv) != 0 && !def_ignore_audit_errors)
+ 	    goto done;
+Index: sudo-1.8.27/plugins/sudoers/visudo.c
+===================================================================
+--- sudo-1.8.27.orig/plugins/sudoers/visudo.c	2023-01-16 23:27:07.662719271 +0100
++++ sudo-1.8.27/plugins/sudoers/visudo.c	2023-01-17 16:24:09.283442400 +0100
+@@ -306,7 +306,7 @@
+ get_editor(int *editor_argc, char ***editor_argv)
+ {
+     char *editor_path = NULL, **whitelist = NULL;
+-    const char *env_editor;
++    const char *env_editor = NULL;
+     static char *files[] = { "+1", "sudoers" };
+     unsigned int whitelist_len = 0;
+     debug_decl(get_editor, SUDOERS_DEBUG_UTIL)
+@@ -340,7 +340,11 @@
+     if (editor_path == NULL) {
+ 	if (def_env_editor && env_editor != NULL) {
+ 	    /* We are honoring $EDITOR so this is a fatal error. */
+-	    sudo_fatalx(U_("specified editor (%s) doesn't exist"), env_editor);
++	    if (errno == ENOENT) {
++	        sudo_warnx(U_("specified editor (%s) doesn't exist"),
++	            env_editor);
++	    }
++	    exit(EXIT_FAILURE);
+ 	}
+ 	sudo_fatalx(U_("no editor found (editor path = %s)"), def_editor);
+     }
diff --git a/debian/patches/series b/debian/patches/series
index ec23687..286e759 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -11,3 +11,5 @@ Fix-potential-buffer-overflow-when-unescaping-backsl.patch
 Fix-the-memset-offset-when-converting-a-v1-timestamp.patch
 Don-t-assume-that-argv-is-allocated-as-a-single-flat.patch
 CVE-2021-23239.patch
+
+CVE-2023-22809.patch