diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-27 12:52:13 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-27 12:52:13 +0000 |
commit | af28b3fc7bdc38f942b8b641e7a95223443e0eab (patch) | |
tree | 9134309de0bda5a19b41aec8e1ef27272f79d958 /debian/patches | |
parent | Adding upstream version 1.9.5p2. (diff) | |
download | sudo-debian.tar.xz sudo-debian.zip |
Adding debian version 1.9.5p2-3+deb11u1.debian/1.9.5p2-3+deb11u1debian
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'debian/patches')
-rw-r--r-- | debian/patches/CVE-2023-22809.patch | 124 | ||||
-rw-r--r-- | debian/patches/Whitelist-DPKG_COLORS-environment-variable.diff | 19 | ||||
-rw-r--r-- | debian/patches/fix-no-root-mailer.diff | 48 | ||||
-rw-r--r-- | debian/patches/paths-in-samples.diff | 40 | ||||
-rw-r--r-- | debian/patches/series | 6 | ||||
-rw-r--r-- | debian/patches/sudo-ldap-docs | 54 | ||||
-rw-r--r-- | debian/patches/typo-in-classic-insults.diff | 11 |
7 files changed, 302 insertions, 0 deletions
diff --git a/debian/patches/CVE-2023-22809.patch b/debian/patches/CVE-2023-22809.patch new file mode 100644 index 0000000..d297ff4 --- /dev/null +++ b/debian/patches/CVE-2023-22809.patch @@ -0,0 +1,124 @@ +Description: sudoedit: do not permit editor arguments to include "--" +Origin: upstream +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-22809 + +We use "--" to separate the editor and arguments from the files to edit. +If the editor arguments include "--", sudo can be tricked into allowing +the user to edit a file not permitted by the security policy. +Thanks to Matthieu Barjole and Victor Cutillas of Synacktiv +(https://synacktiv.com) for finding this bug. + +--- a/plugins/sudoers/editor.c ++++ b/plugins/sudoers/editor.c +@@ -126,7 +126,7 @@ resolve_editor(const char *ed, size_t ed + const char *tmp, *cp, *ep = NULL; + const char *edend = ed + edlen; + struct stat user_editor_sb; +- int nargc; ++ int nargc = 0; + debug_decl(resolve_editor, SUDOERS_DEBUG_UTIL); + + /* +@@ -144,9 +144,7 @@ resolve_editor(const char *ed, size_t ed + /* If we can't find the editor in the user's PATH, give up. */ + if (find_path(editor, &editor_path, &user_editor_sb, getenv("PATH"), NULL, + 0, allowlist) != FOUND) { +- free(editor); +- errno = ENOENT; +- debug_return_str(NULL); ++ goto bad; + } + + /* Count rest of arguments and allocate editor argv. */ +@@ -166,6 +164,17 @@ resolve_editor(const char *ed, size_t ed + nargv[nargc] = copy_arg(cp, ep - cp); + if (nargv[nargc] == NULL) + goto oom; ++ ++ /* ++ * We use "--" to separate the editor and arguments from the files ++ * to edit. The editor arguments themselves may not contain "--". ++ */ ++ if (strcmp(nargv[nargc], "--") == 0) { ++ sudo_warnx(U_("ignoring editor: %.*s"), (int)edlen, ed); ++ sudo_warnx("%s", U_("editor arguments may not contain \"--\"")); ++ errno = EINVAL; ++ goto bad; ++ } + } + if (nfiles != 0) { + nargv[nargc++] = "--"; +@@ -179,6 +188,7 @@ resolve_editor(const char *ed, size_t ed + debug_return_str(editor_path); + oom: + sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory")); ++bad: + free(editor); + free(editor_path); + if (nargv != NULL) { +--- a/plugins/sudoers/sudoers.c ++++ b/plugins/sudoers/sudoers.c +@@ -724,21 +724,32 @@ sudoers_policy_main(int argc, char * con + + /* Note: must call audit before uid change. */ + if (ISSET(sudo_mode, MODE_EDIT)) { ++ const char *env_editor = NULL; + char **edit_argv; + int edit_argc; +- const char *env_editor; + + free(safe_cmnd); + safe_cmnd = find_editor(NewArgc - 1, NewArgv + 1, &edit_argc, + &edit_argv, NULL, &env_editor, false); + if (safe_cmnd == NULL) { +- if (errno != ENOENT) ++ switch (errno) { ++ case ENOENT: ++ audit_failure(NewArgv, N_("%s: command not found"), ++ env_editor ? env_editor : def_editor); ++ sudo_warnx(U_("%s: command not found"), ++ env_editor ? env_editor : def_editor); ++ goto bad; ++ case EINVAL: ++ if (def_env_editor && env_editor != NULL) { ++ /* User tried to do something funny with the editor. */ ++ log_warningx(SLOG_NO_STDERR|SLOG_AUDIT|SLOG_SEND_MAIL, ++ "invalid user-specified editor: %s", env_editor); ++ goto bad; ++ } ++ FALLTHROUGH; ++ default: + goto done; +- audit_failure(NewArgv, N_("%s: command not found"), +- env_editor ? env_editor : def_editor); +- sudo_warnx(U_("%s: command not found"), +- env_editor ? env_editor : def_editor); +- goto bad; ++ } + } + sudoers_gc_add(GC_VECTOR, edit_argv); + NewArgv = edit_argv; +--- a/plugins/sudoers/visudo.c ++++ b/plugins/sudoers/visudo.c +@@ -303,7 +303,7 @@ static char * + get_editor(int *editor_argc, char ***editor_argv) + { + char *editor_path = NULL, **allowlist = NULL; +- const char *env_editor; ++ const char *env_editor = NULL; + static char *files[] = { "+1", "sudoers" }; + unsigned int allowlist_len = 0; + debug_decl(get_editor, SUDOERS_DEBUG_UTIL); +@@ -337,7 +337,11 @@ get_editor(int *editor_argc, char ***edi + if (editor_path == NULL) { + if (def_env_editor && env_editor != NULL) { + /* We are honoring $EDITOR so this is a fatal error. */ +- sudo_fatalx(U_("specified editor (%s) doesn't exist"), env_editor); ++ if (errno == ENOENT) { ++ sudo_warnx(U_("specified editor (%s) doesn't exist"), ++ env_editor); ++ } ++ exit(EXIT_FAILURE); + } + sudo_fatalx(U_("no editor found (editor path = %s)"), def_editor); + } diff --git a/debian/patches/Whitelist-DPKG_COLORS-environment-variable.diff b/debian/patches/Whitelist-DPKG_COLORS-environment-variable.diff new file mode 100644 index 0000000..7b54b46 --- /dev/null +++ b/debian/patches/Whitelist-DPKG_COLORS-environment-variable.diff @@ -0,0 +1,19 @@ +From 18087bc16ec20ca2c8f0045a6b0408e94c53075c Mon Sep 17 00:00:00 2001 +From: Guillem Jover <guillem@hadrons.org> +Date: Wed, 4 May 2016 01:53:13 +0200 +Subject: [PATCH] Whitelist DPKG_COLORS environment variable + +--- + plugins/sudoers/env.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/plugins/sudoers/env.c ++++ b/plugins/sudoers/env.c +@@ -216,6 +216,7 @@ static const char *initial_checkenv_tabl + static const char *initial_keepenv_table[] = { + "COLORS", + "DISPLAY", ++ "DPKG_COLORS", + "HOSTNAME", + "KRB5CCNAME", + "LS_COLORS", diff --git a/debian/patches/fix-no-root-mailer.diff b/debian/patches/fix-no-root-mailer.diff new file mode 100644 index 0000000..873464c --- /dev/null +++ b/debian/patches/fix-no-root-mailer.diff @@ -0,0 +1,48 @@ + +# HG changeset patch +# User Todd C. Miller <Todd.Miller@sudo.ws> +# Date 1611924154 25200 +# Node ID e0d4f196ba027604154f79ddd03a0b90f90c9607 +# Parent cd1c7615e861083e9e9b61d0e0070354e227ea5c +Fix NO_ROOT_MAILER, broken by the eventlog refactor in sudo 1.9.4. +init_eventlog_config() is called immediately after initializing the +Defaults settings, which is before struct sudo_user is setup. This +adds a call to eventlog_set_mailuid() if NO_ROOT_MAILER is defined +after the invoking user is determined. Reported by Roman Fiedler. + +--- a/plugins/sudoers/logging.c ++++ b/plugins/sudoers/logging.c +@@ -786,11 +786,6 @@ void + init_eventlog_config(void) + { + int logtype = 0; +-#ifdef NO_ROOT_MAILER +- uid_t mailuid = user_uid; +-#else +- uid_t mailuid = ROOT_UID; +-#endif + debug_decl(init_eventlog_config, SUDOERS_DEBUG_LOGGING); + + if (def_syslog) +@@ -805,7 +800,7 @@ init_eventlog_config(void) + eventlog_set_syslog_alertpri(def_syslog_badpri); + eventlog_set_syslog_maxlen(def_syslog_maxlen); + eventlog_set_file_maxlen(def_loglinelen); +- eventlog_set_mailuid(mailuid); ++ eventlog_set_mailuid(ROOT_UID); + eventlog_set_omit_hostname(!def_log_host); + eventlog_set_logpath(def_logfile); + eventlog_set_time_fmt(def_log_year ? "%h %e %T %Y" : "%h %e %T"); +--- a/plugins/sudoers/policy.c ++++ b/plugins/sudoers/policy.c +@@ -518,6 +518,10 @@ sudoers_policy_deserialize_info(void *v) + /* Some systems support fexecve() which we use for digest matches. */ + cmnd_fd = -1; + ++#ifdef NO_ROOT_MAILER ++ eventlog_set_mailuid(user_uid); ++#endif ++ + /* Dump settings and user info (XXX - plugin args) */ + for (cur = info->settings; *cur != NULL; cur++) + sudo_debug_printf(SUDO_DEBUG_INFO, "settings: %s", *cur); diff --git a/debian/patches/paths-in-samples.diff b/debian/patches/paths-in-samples.diff new file mode 100644 index 0000000..8785dcd --- /dev/null +++ b/debian/patches/paths-in-samples.diff @@ -0,0 +1,40 @@ +--- a/examples/sudoers ++++ b/examples/sudoers +@@ -44,10 +44,10 @@ Host_Alias CDROM = orion, perseus, hercu + # Cmnd alias specification + ## + Cmnd_Alias DUMPS = /usr/sbin/dump, /usr/sbin/rdump, /usr/sbin/restore, \ +- /usr/sbin/rrestore, /usr/bin/mt, \ ++ /usr/sbin/rrestore, /bin/mt, \ + sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== \ + /home/operator/bin/start_backups +-Cmnd_Alias KILL = /usr/bin/kill, /usr/bin/top ++Cmnd_Alias KILL = /bin/kill, /usr/bin/top + Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm + Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown + Cmnd_Alias HALT = /usr/sbin/halt +@@ -85,7 +85,7 @@ operator ALL = DUMPS, KILL, SHUTDOWN, HA + sudoedit /etc/printcap, /usr/oper/bin/ + + # joe may su only to operator +-joe ALL = /usr/bin/su operator ++joe ALL = /bin/su operator + + # pete may change passwords for anyone but root on the hp snakes + pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd *root* +@@ -99,13 +99,13 @@ jim +biglab = ALL + + # users in the secretaries netgroup need to help manage the printers + # as well as add and remove users +-+secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser +++secretaries ALL = PRINTING, /usr/sbin/adduser + + # fred can run commands as oracle or sybase without a password + fred ALL = (DB) NOPASSWD: ALL + + # on the alphas, john may su to anyone but root and flags are not allowed +-john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root* ++john ALPHA = /bin/su [!-]*, !/bin/su *root* + + # jen can run anything on all machines except the ones + # in the "SERVERS" Host_Alias diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..42c675c --- /dev/null +++ b/debian/patches/series @@ -0,0 +1,6 @@ +typo-in-classic-insults.diff +paths-in-samples.diff +Whitelist-DPKG_COLORS-environment-variable.diff +fix-no-root-mailer.diff +sudo-ldap-docs +CVE-2023-22809.patch diff --git a/debian/patches/sudo-ldap-docs b/debian/patches/sudo-ldap-docs new file mode 100644 index 0000000..8d726cf --- /dev/null +++ b/debian/patches/sudo-ldap-docs @@ -0,0 +1,54 @@ +Description: Adapt README.LDAP to the actual state of the sudo-ldap package +Author: Marc Haber <mh+debian-packages@zugschlus.de> + +--- a/README.LDAP ++++ b/README.LDAP +@@ -35,18 +35,8 @@ They are one and the same. + + Build instructions + ================== +-The simplest way to build sudo with LDAP support is to include the +-'--with-ldap' option. +- +- $ ./configure --with-ldap +- +-If your ldap libraries and headers are in a non-standard place, you will need +-to specify them at configure time. E.g. +- +- $ ./configure --with-ldap=/usr/local/ldapsdk +- +-Sudo is developed using OpenLDAP but Netscape-based LDAP libraries +-(such as those present in Solaris) are also known to work. ++The Debian package of sudo-ldap is already built with LDAP support ++using the OpenLDAP libs. + + Your mileage may vary. Please let the sudo workers mailing list + <sudo-workers@sudo.ws> know if special configuration was required +@@ -174,13 +164,10 @@ I recommend using any of the following L + + There are dozens of others, some Open Source, some free, some not. + +-Configure your /etc/ldap.conf and /etc/nsswitch.conf +-==================================================== +-The /etc/ldap.conf file is meant to be shared between sudo, pam_ldap, nss_ldap +-and other ldap applications and modules. IBM Secureway unfortunately uses +-the same file name but has a different syntax. If you need to change where +-this file is stored, re-run configure with the --with-ldap-conf-file=PATH +-option. ++Configure your /etc/sudo-ldap.conf and /etc/nsswitch.conf ++========================================================= ++The Debian package sudo-ldap uses /etc/sudo-ldap.conf as configuration file ++and is configured to use nsswitch. + + See the "Configuring ldap.conf" section in the sudoers.ldap manual + for a list of supported ldap.conf parameters and an example ldap.conf +@@ -192,9 +179,6 @@ After configuring /etc/ldap.conf, you mu + to tell sudo to look in LDAP for sudoers. See the "Configuring nsswitch.conf" + section in the sudoers.ldap manual for details. Note that sudo will use + /etc/nsswitch.conf even if the underlying operating system does not support it. +-To disable nsswitch support, run configure with the --with-nsswitch=no option. +-This will cause sudo to consult LDAP first and /etc/sudoers second, unless the +-ignore_sudoers_file flag is set in the global LDAP options. + + Debugging your LDAP configuration + ================================= diff --git a/debian/patches/typo-in-classic-insults.diff b/debian/patches/typo-in-classic-insults.diff new file mode 100644 index 0000000..15a30c6 --- /dev/null +++ b/debian/patches/typo-in-classic-insults.diff @@ -0,0 +1,11 @@ +--- a/plugins/sudoers/ins_classic.h ++++ b/plugins/sudoers/ins_classic.h +@@ -32,7 +32,7 @@ + "Where did you learn to type?", + "Are you on drugs?", + "My pet ferret can type better than you!", +- "You type like i drive.", ++ "You type like I drive.", + "Do you think like you type?", + "Your mind just hasn't been the same since the electro-shock, has it?", + |