summaryrefslogtreecommitdiffstats
path: root/debian/patches/CVE-2023-22809.patch
diff options
context:
space:
mode:
Diffstat (limited to 'debian/patches/CVE-2023-22809.patch')
-rw-r--r--debian/patches/CVE-2023-22809.patch124
1 files changed, 124 insertions, 0 deletions
diff --git a/debian/patches/CVE-2023-22809.patch b/debian/patches/CVE-2023-22809.patch
new file mode 100644
index 0000000..d297ff4
--- /dev/null
+++ b/debian/patches/CVE-2023-22809.patch
@@ -0,0 +1,124 @@
+Description: sudoedit: do not permit editor arguments to include "--"
+Origin: upstream
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-22809
+
+We use "--" to separate the editor and arguments from the files to edit.
+If the editor arguments include "--", sudo can be tricked into allowing
+the user to edit a file not permitted by the security policy.
+Thanks to Matthieu Barjole and Victor Cutillas of Synacktiv
+(https://synacktiv.com) for finding this bug.
+
+--- a/plugins/sudoers/editor.c
++++ b/plugins/sudoers/editor.c
+@@ -126,7 +126,7 @@ resolve_editor(const char *ed, size_t ed
+ const char *tmp, *cp, *ep = NULL;
+ const char *edend = ed + edlen;
+ struct stat user_editor_sb;
+- int nargc;
++ int nargc = 0;
+ debug_decl(resolve_editor, SUDOERS_DEBUG_UTIL);
+
+ /*
+@@ -144,9 +144,7 @@ resolve_editor(const char *ed, size_t ed
+ /* If we can't find the editor in the user's PATH, give up. */
+ if (find_path(editor, &editor_path, &user_editor_sb, getenv("PATH"), NULL,
+ 0, allowlist) != FOUND) {
+- free(editor);
+- errno = ENOENT;
+- debug_return_str(NULL);
++ goto bad;
+ }
+
+ /* Count rest of arguments and allocate editor argv. */
+@@ -166,6 +164,17 @@ resolve_editor(const char *ed, size_t ed
+ nargv[nargc] = copy_arg(cp, ep - cp);
+ if (nargv[nargc] == NULL)
+ goto oom;
++
++ /*
++ * We use "--" to separate the editor and arguments from the files
++ * to edit. The editor arguments themselves may not contain "--".
++ */
++ if (strcmp(nargv[nargc], "--") == 0) {
++ sudo_warnx(U_("ignoring editor: %.*s"), (int)edlen, ed);
++ sudo_warnx("%s", U_("editor arguments may not contain \"--\""));
++ errno = EINVAL;
++ goto bad;
++ }
+ }
+ if (nfiles != 0) {
+ nargv[nargc++] = "--";
+@@ -179,6 +188,7 @@ resolve_editor(const char *ed, size_t ed
+ debug_return_str(editor_path);
+ oom:
+ sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
++bad:
+ free(editor);
+ free(editor_path);
+ if (nargv != NULL) {
+--- a/plugins/sudoers/sudoers.c
++++ b/plugins/sudoers/sudoers.c
+@@ -724,21 +724,32 @@ sudoers_policy_main(int argc, char * con
+
+ /* Note: must call audit before uid change. */
+ if (ISSET(sudo_mode, MODE_EDIT)) {
++ const char *env_editor = NULL;
+ char **edit_argv;
+ int edit_argc;
+- const char *env_editor;
+
+ free(safe_cmnd);
+ safe_cmnd = find_editor(NewArgc - 1, NewArgv + 1, &edit_argc,
+ &edit_argv, NULL, &env_editor, false);
+ if (safe_cmnd == NULL) {
+- if (errno != ENOENT)
++ switch (errno) {
++ case ENOENT:
++ audit_failure(NewArgv, N_("%s: command not found"),
++ env_editor ? env_editor : def_editor);
++ sudo_warnx(U_("%s: command not found"),
++ env_editor ? env_editor : def_editor);
++ goto bad;
++ case EINVAL:
++ if (def_env_editor && env_editor != NULL) {
++ /* User tried to do something funny with the editor. */
++ log_warningx(SLOG_NO_STDERR|SLOG_AUDIT|SLOG_SEND_MAIL,
++ "invalid user-specified editor: %s", env_editor);
++ goto bad;
++ }
++ FALLTHROUGH;
++ default:
+ goto done;
+- audit_failure(NewArgv, N_("%s: command not found"),
+- env_editor ? env_editor : def_editor);
+- sudo_warnx(U_("%s: command not found"),
+- env_editor ? env_editor : def_editor);
+- goto bad;
++ }
+ }
+ sudoers_gc_add(GC_VECTOR, edit_argv);
+ NewArgv = edit_argv;
+--- a/plugins/sudoers/visudo.c
++++ b/plugins/sudoers/visudo.c
+@@ -303,7 +303,7 @@ static char *
+ get_editor(int *editor_argc, char ***editor_argv)
+ {
+ char *editor_path = NULL, **allowlist = NULL;
+- const char *env_editor;
++ const char *env_editor = NULL;
+ static char *files[] = { "+1", "sudoers" };
+ unsigned int allowlist_len = 0;
+ debug_decl(get_editor, SUDOERS_DEBUG_UTIL);
+@@ -337,7 +337,11 @@ get_editor(int *editor_argc, char ***edi
+ if (editor_path == NULL) {
+ if (def_env_editor && env_editor != NULL) {
+ /* We are honoring $EDITOR so this is a fatal error. */
+- sudo_fatalx(U_("specified editor (%s) doesn't exist"), env_editor);
++ if (errno == ENOENT) {
++ sudo_warnx(U_("specified editor (%s) doesn't exist"),
++ env_editor);
++ }
++ exit(EXIT_FAILURE);
+ }
+ sudo_fatalx(U_("no editor found (editor path = %s)"), def_editor);
+ }