authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-07 05:53:46 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-07 05:53:46 +0000
commit54e302b3f36c55e229818c654b9f2566caef6998 (patch)
tree28f973f047c96b11d1e853b2b1ffa2b6c250d80a
parentReleasing progress-linux version 1.8.27-1+deb10u3progress5u1. (diff)
Merging debian version 1.8.27-1+deb10u4.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
-rw-r--r--debian/.gitlab-ci.yml11
-rw-r--r--debian/changelog10
-rw-r--r--debian/patches/CVE-2021-23239.patch56
-rw-r--r--debian/patches/series1
4 files changed, 78 insertions, 0 deletions
diff --git a/debian/.gitlab-ci.yml b/debian/.gitlab-ci.yml
new file mode 100644
index 0000000..efd58ac
--- /dev/null
+++ b/debian/.gitlab-ci.yml
@@ -0,0 +1,11 @@
+include:
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml
+
+variables:
+ RELEASE: 'buster'
+ SALSA_CI_COMPONENTS: 'main contrib non-free'
+ SALSA_CI_DISABLE_REPROTEST: 1
+ SALSA_CI_DISABLE_LINTIAN: 1
+
+piuparts:
+ allow_failure: true
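Review bot: The `include:` at the top of the new file fetches the pipeline recipe from the `master` branch of salsa-ci-team/pipeline by raw URL, so the jobs that build this security upload can change without any commit in this repository. If the CI result is relied on as evidence for the package, consider pinning the include to a tag or commit of the recipe repository. The file also gives no reason for setting `SALSA_CI_DISABLE_REPROTEST` and `SALSA_CI_DISABLE_LINTIAN` or for letting `piuparts` fail; a short comment such as `# lintian/reprotest disabled: <reason>` above the variables would record whether these are temporary.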
diff --git a/debian/changelog b/debian/changelog
index 19b72c6..5f3831c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+sudo (1.8.27-1+deb10u4) buster-security; urgency=high
+
+ * Non-maintainer upload by the Debian LTS team.
+ * CVE-2021-23239: Prevent an issue where a local unprivileged user may have
+ been able to perform arbitrary directory-existence tests by exploiting a
+ race condition in sudoedit by replacing a user-controlled directory by a
+ symlink to an arbitrary path.
+
+ -- Chris Lamb <lamby@debian.org> Mon, 07 Nov 2022 11:58:17 +0000
+
sudo (1.8.27-1+deb10u3progress5u1) engywuck; urgency=high
* Initial reupload to engywuck.
diff --git a/debian/patches/CVE-2021-23239.patch b/debian/patches/CVE-2021-23239.patch
new file mode 100644
index 0000000..b54c9f3
--- /dev/null
+++ b/debian/patches/CVE-2021-23239.patch
@@ -0,0 +1,56 @@
+From: Todd C. Miller <Todd.Miller@sudo.ws>
+
+Fix potential directory existing info leak in sudoedit.
+When creating a new file, sudoedit checks to make sure the parent
+directory exists so it can provide the user with a sensible error
+message. However, this could be used to test for the existence of
+directories not normally accessible to the user by pointing to them
+with a symbolic link when the parent directory is controlled by the
+user. Problem reported by Matthias Gerstner of SUSE.
+---
+ src/sudo_edit.c | 29 ++++++++++++++++++++++++-----
+ 1 file changed, 24 insertions(+), 5 deletions(-)
+
+diff --git a/src/sudo_edit.c b/src/sudo_edit.c
+index 44b4fb3..888b277 100644
+--- a/src/sudo_edit.c
++++ b/src/sudo_edit.c
+@@ -567,14 +567,33 @@ sudo_edit_create_tfiles(struct command_details *command_details,
+ S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH, command_details);
+ if (ofd != -1 || errno == ENOENT) {
+ if (ofd == -1) {
+- /* New file, verify parent dir exists unless in cwd. */
++ /*
++ * New file, verify parent dir exists unless in cwd.
++ * This fails early so the user knows ahead of time if the
++ * edit won't succeed. Additional checks are performed
++ * when copying the temporary file back to the origin.
++ */
+ char *slash = strrchr(files[i], '/');
+ if (slash != NULL && slash != files[i]) {
+- int serrno = errno;
++ const int sflags = command_details->flags;
++ const int serrno = errno;
++ int dfd;
++
++ /*
++ * The parent directory is allowed to be a symbolic
++ * link as long as *its* parent is not writable.
++ */
+ *slash = '\0';
+- if (stat(files[i], &sb) == 0 && S_ISDIR(sb.st_mode)) {
+- memset(&sb, 0, sizeof(sb));
+- rc = 0;
++ SET(command_details->flags, CD_SUDOEDIT_FOLLOW);
++ dfd = sudo_edit_open(files[i], DIR_OPEN_FLAGS,
++ S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH, command_details);
++ command_details->flags = sflags;
++ if (dfd != -1) {
++ if (fstat(dfd, &sb) == 0 && S_ISDIR(sb.st_mode)) {
++ memset(&sb, 0, sizeof(sb));
++ rc = 0;
++ }
++ close(dfd);
+ }
+ *slash = '/';
+ errno = serrno;
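Review bot: When `sudo_edit_open()` fails on the parent directory (`dfd == -1`), the new code does not distinguish that from a missing directory: `rc` is left unchanged and the context line `errno = serrno;` restores the earlier ENOENT. That looks intentional, since reporting the real error would hand back the existence signal the patch removes, but nothing says so; a comment before `if (dfd != -1)` such as `/* Any open failure is reported as the original ENOENT so the result does not reveal whether the directory exists. */` would keep a later change from reintroducing the leak. The strength of the check rests on how `sudo_edit_open()` treats `CD_SUDOEDIT_FOLLOW` and on `DIR_OPEN_FLAGS`, both defined outside this hunk, so it is worth confirming they exist with the same meaning in 1.8.27. The patch header carries no upstream commit reference; an `Origin: upstream, <upstream commit URL>` line would let the backport be compared with the original fix. `sudo_edit_create_tfiles` begins and ends outside the hunk.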
diff --git a/debian/patches/series b/debian/patches/series
index fe0bf5a..ec23687 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -10,3 +10,4 @@ Add-sudoedit-flag-checks-in-plugin-that-are-consiste.patch
Fix-potential-buffer-overflow-when-unescaping-backsl.patch
Fix-the-memset-offset-when-converting-a-v1-timestamp.patch
Don-t-assume-that-argv-is-allocated-as-a-single-flat.patch
+CVE-2021-23239.patch