From 1e94630a10326635ea5cdd8dc575f43e40a80469 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Wed, 20 Jan 2021 09:03:43 +0100 Subject: [PATCH 3/5] Fix potential buffer overflow when unescaping backslashes in user_args. Do not try to unescaping backslashes unless in run mode *and* we are running the command via a shell. Found by Qualys. [Salvatore Bonaccorso: Backport to 1.8.27: Context changes] --- plugins/sudoers/sudoers.c | 23 ++++++++++++++++++----- 1 file changed, 18 insertions(+), 5 deletions(-) --- a/plugins/sudoers/sudoers.c +++ b/plugins/sudoers/sudoers.c @@ -404,7 +404,7 @@ sudoers_policy_main(int argc, char * con /* If run as root with SUDO_USER set, set sudo_user.pw to that user. */ /* XXX - causes confusion when root is not listed in sudoers */ - if (sudo_mode & (MODE_RUN | MODE_EDIT) && prev_user != NULL) { + if (ISSET(sudo_mode, MODE_RUN|MODE_EDIT) && prev_user != NULL) { if (user_uid == 0 && strcmp(prev_user, "root") != 0) { struct passwd *pw; @@ -784,8 +784,8 @@ set_cmnd(void) if (user_cmnd == NULL) user_cmnd = NewArgv[0]; - if (sudo_mode & (MODE_RUN | MODE_EDIT | MODE_CHECK)) { - if (ISSET(sudo_mode, MODE_RUN | MODE_CHECK)) { + if (ISSET(sudo_mode, MODE_RUN|MODE_EDIT|MODE_CHECK)) { + if (!ISSET(sudo_mode, MODE_EDIT)) { if (def_secure_path && !user_is_exempt()) path = def_secure_path; if (!set_perms(PERM_RUNAS)) @@ -823,7 +823,8 @@ set_cmnd(void) sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory")); debug_return_int(-1); } - if (ISSET(sudo_mode, MODE_SHELL|MODE_LOGIN_SHELL)) { + if (ISSET(sudo_mode, MODE_SHELL|MODE_LOGIN_SHELL) && + ISSET(sudo_mode, MODE_RUN)) { /* * When running a command via a shell, the sudo front-end * escapes potential meta chars. We unescape non-spaces @@ -831,10 +832,22 @@ set_cmnd(void) */ for (to = user_args, av = NewArgv + 1; (from = *av); av++) { while (*from) { - if (from[0] == '\\' && !isspace((unsigned char)from[1])) + if (from[0] == '\\' && from[1] != '\0' && + !isspace((unsigned char)from[1])) { from++; + } + if (size - (to - user_args) < 1) { + sudo_warnx(U_("internal error, %s overflow"), + __func__); + debug_return_int(NOT_FOUND_ERROR); + } *to++ = *from++; } + if (size - (to - user_args) < 1) { + sudo_warnx(U_("internal error, %s overflow"), + __func__); + debug_return_int(NOT_FOUND_ERROR); + } *to++ = ' '; } *--to = '\0';