summaryrefslogtreecommitdiffstats
path: root/debian/patches/Fix-potential-buffer-overflow-when-unescaping-backsl.patch
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-06 02:23:57 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-06 02:23:57 +0000
commit55c1e35c59b51018319d65f62b054c7682d95dd0 (patch)
tree6c5833e0b794bf046bd392b0544ce960753f4fd9 /debian/patches/Fix-potential-buffer-overflow-when-unescaping-backsl.patch
parentAdding upstream version 1.8.27. (diff)
downloadsudo-55c1e35c59b51018319d65f62b054c7682d95dd0.tar.xz
sudo-55c1e35c59b51018319d65f62b054c7682d95dd0.zip
Adding debian version 1.8.27-1+deb10u3.debian/1.8.27-1+deb10u3
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'debian/patches/Fix-potential-buffer-overflow-when-unescaping-backsl.patch')
-rw-r--r--debian/patches/Fix-potential-buffer-overflow-when-unescaping-backsl.patch71
1 files changed, 71 insertions, 0 deletions
diff --git a/debian/patches/Fix-potential-buffer-overflow-when-unescaping-backsl.patch b/debian/patches/Fix-potential-buffer-overflow-when-unescaping-backsl.patch
new file mode 100644
index 0000000..414c0d9
--- /dev/null
+++ b/debian/patches/Fix-potential-buffer-overflow-when-unescaping-backsl.patch
@@ -0,0 +1,71 @@
+From 1e94630a10326635ea5cdd8dc575f43e40a80469 Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller" <Todd.Miller@sudo.ws>
+Date: Wed, 20 Jan 2021 09:03:43 +0100
+Subject: [PATCH 3/5] Fix potential buffer overflow when unescaping backslashes
+ in user_args.
+
+Do not try to unescaping backslashes unless in run mode *and* we are
+running the command via a shell.
+Found by Qualys.
+
+[Salvatore Bonaccorso: Backport to 1.8.27: Context changes]
+---
+ plugins/sudoers/sudoers.c | 23 ++++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+--- a/plugins/sudoers/sudoers.c
++++ b/plugins/sudoers/sudoers.c
+@@ -404,7 +404,7 @@ sudoers_policy_main(int argc, char * con
+
+ /* If run as root with SUDO_USER set, set sudo_user.pw to that user. */
+ /* XXX - causes confusion when root is not listed in sudoers */
+- if (sudo_mode & (MODE_RUN | MODE_EDIT) && prev_user != NULL) {
++ if (ISSET(sudo_mode, MODE_RUN|MODE_EDIT) && prev_user != NULL) {
+ if (user_uid == 0 && strcmp(prev_user, "root") != 0) {
+ struct passwd *pw;
+
+@@ -784,8 +784,8 @@ set_cmnd(void)
+ if (user_cmnd == NULL)
+ user_cmnd = NewArgv[0];
+
+- if (sudo_mode & (MODE_RUN | MODE_EDIT | MODE_CHECK)) {
+- if (ISSET(sudo_mode, MODE_RUN | MODE_CHECK)) {
++ if (ISSET(sudo_mode, MODE_RUN|MODE_EDIT|MODE_CHECK)) {
++ if (!ISSET(sudo_mode, MODE_EDIT)) {
+ if (def_secure_path && !user_is_exempt())
+ path = def_secure_path;
+ if (!set_perms(PERM_RUNAS))
+@@ -823,7 +823,8 @@ set_cmnd(void)
+ sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+ debug_return_int(-1);
+ }
+- if (ISSET(sudo_mode, MODE_SHELL|MODE_LOGIN_SHELL)) {
++ if (ISSET(sudo_mode, MODE_SHELL|MODE_LOGIN_SHELL) &&
++ ISSET(sudo_mode, MODE_RUN)) {
+ /*
+ * When running a command via a shell, the sudo front-end
+ * escapes potential meta chars. We unescape non-spaces
+@@ -831,10 +832,22 @@ set_cmnd(void)
+ */
+ for (to = user_args, av = NewArgv + 1; (from = *av); av++) {
+ while (*from) {
+- if (from[0] == '\\' && !isspace((unsigned char)from[1]))
++ if (from[0] == '\\' && from[1] != '\0' &&
++ !isspace((unsigned char)from[1])) {
+ from++;
++ }
++ if (size - (to - user_args) < 1) {
++ sudo_warnx(U_("internal error, %s overflow"),
++ __func__);
++ debug_return_int(NOT_FOUND_ERROR);
++ }
+ *to++ = *from++;
+ }
++ if (size - (to - user_args) < 1) {
++ sudo_warnx(U_("internal error, %s overflow"),
++ __func__);
++ debug_return_int(NOT_FOUND_ERROR);
++ }
+ *to++ = ' ';
+ }
+ *--to = '\0';