From 362228d8bb8d4fafd4d7d08100667c74a06e3dc3 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Tue, 7 May 2024 07:55:36 +0200 Subject: Merging debian version 1.8.27-1+deb10u5. Signed-off-by: Daniel Baumann --- debian/changelog | 8 ++ debian/patches/CVE-2023-22809.patch | 156 ++++++++++++++++++++++++++++++++++++ debian/patches/series | 2 + 3 files changed, 166 insertions(+) create mode 100644 debian/patches/CVE-2023-22809.patch diff --git a/debian/changelog b/debian/changelog index 2b9d1d0..770d48c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +sudo (1.8.27-1+deb10u5) buster-security; urgency=high + + * Non-maintainer upload by the LTS Team. + * CVE-2023-22809 + sudoedit: do not permit editor arguments to include "--" + + -- Thorsten Alteholz Mon, 16 Jan 2023 21:03:02 +0100 + sudo (1.8.27-1+deb10u4progress5u1) engywuck-security; urgency=high * Uploading to engywuck-security, remaining changes: diff --git a/debian/patches/CVE-2023-22809.patch b/debian/patches/CVE-2023-22809.patch new file mode 100644 index 0000000..454a13b --- /dev/null +++ b/debian/patches/CVE-2023-22809.patch @@ -0,0 +1,156 @@ +Description: sudoedit: do not permit editor arguments to include "--" +Origin: upstream +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-22809 + +We use "--" to separate the editor and arguments from the files to edit. +If the editor arguments include "--", sudo can be tricked into allowing +the user to edit a file not permitted by the security policy. +Thanks to Matthieu Barjole and Victor Cutillas of Synacktiv +(https://synacktiv.com) for finding this bug. + +Index: sudo-1.8.27/plugins/sudoers/editor.c +=================================================================== +--- sudo-1.8.27.orig/plugins/sudoers/editor.c 2023-01-16 23:27:07.662719271 +0100 ++++ sudo-1.8.27/plugins/sudoers/editor.c 2023-01-18 09:30:21.597115094 +0100 +@@ -50,11 +50,11 @@ + resolve_editor(const char *ed, size_t edlen, int nfiles, char **files, + int *argc_out, char ***argv_out, char * const *whitelist) + { +- char **nargv, *editor, *editor_path = NULL; ++ char **nargv = NULL, *editor, *editor_path = NULL; + const char *cp, *ep, *tmp; + const char *edend = ed + edlen; + struct stat user_editor_sb; +- int nargc; ++ int nargc = 0; + debug_decl(resolve_editor, SUDOERS_DEBUG_UTIL) + + /* +@@ -73,9 +73,8 @@ + + /* If we can't find the editor in the user's PATH, give up. */ + if (find_path(editor, &editor_path, &user_editor_sb, getenv("PATH"), 0, whitelist) != FOUND) { +- free(editor); + errno = ENOENT; +- debug_return_str(NULL); ++ goto bad; + } + + /* Count rest of arguments and allocate editor argv. */ +@@ -96,13 +95,19 @@ + for (nargc = 1; (cp = sudo_strsplit(NULL, edend, " \t", &ep)) != NULL; nargc++) { + nargv[nargc] = strndup(cp, (size_t)(ep - cp)); + if (nargv[nargc] == NULL) { +- sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory")); +- free(editor_path); +- while (nargc--) +- free(nargv[nargc]); +- free(nargv); +- debug_return_str(NULL); ++ goto oom; + } ++ ++ /* ++ * We use "--" to separate the editor and arguments from the files ++ * to edit. The editor arguments themselves may not contain "--". ++ */ ++ if (strcmp(nargv[nargc], "--") == 0) { ++ sudo_warnx(U_("ignoring editor: %.*s"), (int)edlen, ed); ++ sudo_warnx("%s", U_("editor arguments may not contain \"--\"")); ++ errno = EINVAL; ++ goto bad; ++ } + } + if (nfiles != 0) { + nargv[nargc++] = "--"; +@@ -114,6 +119,21 @@ + *argc_out = nargc; + *argv_out = nargv; + debug_return_str(editor_path); ++ ++oom: ++ sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory")); ++bad: ++ if (editor) {free(editor); editor=NULL; } ++ if (editor_path) {free(editor_path); editor_path=NULL; } ++ if (nargv != NULL) { ++ while (nargc--) { ++ /* nargv[0] is editor that was already freed above */ ++ if (nargc && nargv[nargc]) free(nargv[nargc]); ++ } ++ if (nargv) free(nargv); ++ } ++ debug_return_str(NULL); ++ + } + + /* +Index: sudo-1.8.27/plugins/sudoers/sudoers.c +=================================================================== +--- sudo-1.8.27.orig/plugins/sudoers/sudoers.c 2023-01-16 23:27:07.662719271 +0100 ++++ sudo-1.8.27/plugins/sudoers/sudoers.c 2023-01-17 00:15:22.859656116 +0100 +@@ -587,20 +587,31 @@ + + /* Note: must call audit before uid change. */ + if (ISSET(sudo_mode, MODE_EDIT)) { ++ const char *env_editor = NULL; + int edit_argc; +- const char *env_editor; + + free(safe_cmnd); + safe_cmnd = find_editor(NewArgc - 1, NewArgv + 1, &edit_argc, + &edit_argv, NULL, &env_editor, false); + if (safe_cmnd == NULL) { +- if (errno != ENOENT) ++ switch (errno) { ++ case ENOENT: ++ audit_failure(NewArgc, NewArgv, N_("%s: command not found"), ++ env_editor ? env_editor : def_editor); ++ sudo_warnx(U_("%s: command not found"), ++ env_editor ? env_editor : def_editor); ++ goto bad; ++ case EINVAL: ++ if (def_env_editor && env_editor != NULL) { ++ /* User tried to do something funny with the editor. */ ++ log_warningx(SLOG_NO_STDERR|SLOG_SEND_MAIL, ++ "invalid user-specified editor: %s", env_editor); ++ goto bad; ++ } ++ /* FALLTHROUGH */ ++ default: + goto done; +- audit_failure(NewArgc, NewArgv, N_("%s: command not found"), +- env_editor ? env_editor : def_editor); +- sudo_warnx(U_("%s: command not found"), +- env_editor ? env_editor : def_editor); +- goto bad; ++ } + } + if (audit_success(edit_argc, edit_argv) != 0 && !def_ignore_audit_errors) + goto done; +Index: sudo-1.8.27/plugins/sudoers/visudo.c +=================================================================== +--- sudo-1.8.27.orig/plugins/sudoers/visudo.c 2023-01-16 23:27:07.662719271 +0100 ++++ sudo-1.8.27/plugins/sudoers/visudo.c 2023-01-17 16:24:09.283442400 +0100 +@@ -306,7 +306,7 @@ + get_editor(int *editor_argc, char ***editor_argv) + { + char *editor_path = NULL, **whitelist = NULL; +- const char *env_editor; ++ const char *env_editor = NULL; + static char *files[] = { "+1", "sudoers" }; + unsigned int whitelist_len = 0; + debug_decl(get_editor, SUDOERS_DEBUG_UTIL) +@@ -340,7 +340,11 @@ + if (editor_path == NULL) { + if (def_env_editor && env_editor != NULL) { + /* We are honoring $EDITOR so this is a fatal error. */ +- sudo_fatalx(U_("specified editor (%s) doesn't exist"), env_editor); ++ if (errno == ENOENT) { ++ sudo_warnx(U_("specified editor (%s) doesn't exist"), ++ env_editor); ++ } ++ exit(EXIT_FAILURE); + } + sudo_fatalx(U_("no editor found (editor path = %s)"), def_editor); + } diff --git a/debian/patches/series b/debian/patches/series index ec23687..286e759 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -11,3 +11,5 @@ Fix-potential-buffer-overflow-when-unescaping-backsl.patch Fix-the-memset-offset-when-converting-a-v1-timestamp.patch Don-t-assume-that-argv-is-allocated-as-a-single-flat.patch CVE-2021-23239.patch + +CVE-2023-22809.patch -- cgit v1.2.3