Diffstat (limited to 'debian/patches')
-rw-r--r--debian/patches/CVE-2023-22809.patch124
-rw-r--r--debian/patches/Whitelist-DPKG_COLORS-environment-variable.diff19
-rw-r--r--debian/patches/fix-no-root-mailer.diff48
-rw-r--r--debian/patches/paths-in-samples.diff40
-rw-r--r--debian/patches/series6
-rw-r--r--debian/patches/sudo-ldap-docs54
-rw-r--r--debian/patches/typo-in-classic-insults.diff11
7 files changed, 302 insertions, 0 deletions
diff --git a/debian/patches/CVE-2023-22809.patch b/debian/patches/CVE-2023-22809.patch
new file mode 100644
index 0000000..d297ff4
--- /dev/null
+++ b/debian/patches/CVE-2023-22809.patch
@@ -0,0 +1,124 @@
+Description: sudoedit: do not permit editor arguments to include "--"
+Origin: upstream
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-22809
+
+We use "--" to separate the editor and arguments from the files to edit.
+If the editor arguments include "--", sudo can be tricked into allowing
+the user to edit a file not permitted by the security policy.
+Thanks to Matthieu Barjole and Victor Cutillas of Synacktiv
+(https://synacktiv.com) for finding this bug.
+
+--- a/plugins/sudoers/editor.c
++++ b/plugins/sudoers/editor.c
+@@ -126,7 +126,7 @@ resolve_editor(const char *ed, size_t ed
+ const char *tmp, *cp, *ep = NULL;
+ const char *edend = ed + edlen;
+ struct stat user_editor_sb;
+- int nargc;
++ int nargc = 0;
+ debug_decl(resolve_editor, SUDOERS_DEBUG_UTIL);
+
+ /*
+@@ -144,9 +144,7 @@ resolve_editor(const char *ed, size_t ed
+ /* If we can't find the editor in the user's PATH, give up. */
+ if (find_path(editor, &editor_path, &user_editor_sb, getenv("PATH"), NULL,
+ 0, allowlist) != FOUND) {
+- free(editor);
+- errno = ENOENT;
+- debug_return_str(NULL);
++ goto bad;
+ }
+
+ /* Count rest of arguments and allocate editor argv. */
+@@ -166,6 +164,17 @@ resolve_editor(const char *ed, size_t ed
+ nargv[nargc] = copy_arg(cp, ep - cp);
+ if (nargv[nargc] == NULL)
+ goto oom;
++
++ /*
++ * We use "--" to separate the editor and arguments from the files
++ * to edit. The editor arguments themselves may not contain "--".
++ */
++ if (strcmp(nargv[nargc], "--") == 0) {
++ sudo_warnx(U_("ignoring editor: %.*s"), (int)edlen, ed);
++ sudo_warnx("%s", U_("editor arguments may not contain \"--\""));
++ errno = EINVAL;
++ goto bad;
++ }
+ }
+ if (nfiles != 0) {
+ nargv[nargc++] = "--";
+@@ -179,6 +188,7 @@ resolve_editor(const char *ed, size_t ed
+ debug_return_str(editor_path);
+ oom:
+ sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
++bad:
+ free(editor);
+ free(editor_path);
+ if (nargv != NULL) {
+--- a/plugins/sudoers/sudoers.c
++++ b/plugins/sudoers/sudoers.c
+@@ -724,21 +724,32 @@ sudoers_policy_main(int argc, char * con
+
+ /* Note: must call audit before uid change. */
+ if (ISSET(sudo_mode, MODE_EDIT)) {
++ const char *env_editor = NULL;
+ char **edit_argv;
+ int edit_argc;
+- const char *env_editor;
+
+ free(safe_cmnd);
+ safe_cmnd = find_editor(NewArgc - 1, NewArgv + 1, &edit_argc,
+ &edit_argv, NULL, &env_editor, false);
+ if (safe_cmnd == NULL) {
+- if (errno != ENOENT)
++ switch (errno) {
++ case ENOENT:
++ audit_failure(NewArgv, N_("%s: command not found"),
++ env_editor ? env_editor : def_editor);
++ sudo_warnx(U_("%s: command not found"),
++ env_editor ? env_editor : def_editor);
++ goto bad;
++ case EINVAL:
++ if (def_env_editor && env_editor != NULL) {
++ /* User tried to do something funny with the editor. */
++ log_warningx(SLOG_NO_STDERR|SLOG_AUDIT|SLOG_SEND_MAIL,
++ "invalid user-specified editor: %s", env_editor);
++ goto bad;
++ }
++ FALLTHROUGH;
++ default:
+ goto done;
+- audit_failure(NewArgv, N_("%s: command not found"),
+- env_editor ? env_editor : def_editor);
+- sudo_warnx(U_("%s: command not found"),
+- env_editor ? env_editor : def_editor);
+- goto bad;
++ }
+ }
+ sudoers_gc_add(GC_VECTOR, edit_argv);
+ NewArgv = edit_argv;
+--- a/plugins/sudoers/visudo.c
++++ b/plugins/sudoers/visudo.c
+@@ -303,7 +303,7 @@ static char *
+ get_editor(int *editor_argc, char ***editor_argv)
+ {
+ char *editor_path = NULL, **allowlist = NULL;
+- const char *env_editor;
++ const char *env_editor = NULL;
+ static char *files[] = { "+1", "sudoers" };
+ unsigned int allowlist_len = 0;
+ debug_decl(get_editor, SUDOERS_DEBUG_UTIL);
+@@ -337,7 +337,11 @@ get_editor(int *editor_argc, char ***edi
+ if (editor_path == NULL) {
+ if (def_env_editor && env_editor != NULL) {
+ /* We are honoring $EDITOR so this is a fatal error. */
+- sudo_fatalx(U_("specified editor (%s) doesn't exist"), env_editor);
++ if (errno == ENOENT) {
++ sudo_warnx(U_("specified editor (%s) doesn't exist"),
++ env_editor);
++ }
++ exit(EXIT_FAILURE);
+ }
+ sudo_fatalx(U_("no editor found (editor path = %s)"), def_editor);
+ }
diff --git a/debian/patches/Whitelist-DPKG_COLORS-environment-variable.diff b/debian/patches/Whitelist-DPKG_COLORS-environment-variable.diff
new file mode 100644
index 0000000..7b54b46
--- /dev/null
+++ b/debian/patches/Whitelist-DPKG_COLORS-environment-variable.diff
@@ -0,0 +1,19 @@
+From 18087bc16ec20ca2c8f0045a6b0408e94c53075c Mon Sep 17 00:00:00 2001
+From: Guillem Jover <guillem@hadrons.org>
+Date: Wed, 4 May 2016 01:53:13 +0200
+Subject: [PATCH] Whitelist DPKG_COLORS environment variable
+
+---
+ plugins/sudoers/env.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/plugins/sudoers/env.c
++++ b/plugins/sudoers/env.c
+@@ -216,6 +216,7 @@ static const char *initial_checkenv_tabl
+ static const char *initial_keepenv_table[] = {
+ "COLORS",
+ "DISPLAY",
++ "DPKG_COLORS",
+ "HOSTNAME",
+ "KRB5CCNAME",
+ "LS_COLORS",
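Review bot: The patch body between the `Subject:` line and the diffstat is empty, so nothing records why `DPKG_COLORS` is safe to keep across `env_reset`; every entry in `initial_keepenv_table` is passed through to the privileged command on every sudo invocation, so each addition deserves a one-line justification in the patch description (presumably that dpkg reads it only as a colour-mode setting, to be confirmed against dpkg's documentation). A DEP-3 `Origin:` or `Forwarded:` line would also say whether this Debian change was proposed upstream. The table continues outside the hunk.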
diff --git a/debian/patches/fix-no-root-mailer.diff b/debian/patches/fix-no-root-mailer.diff
new file mode 100644
index 0000000..873464c
--- /dev/null
+++ b/debian/patches/fix-no-root-mailer.diff
@@ -0,0 +1,48 @@
+
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller@sudo.ws>
+# Date 1611924154 25200
+# Node ID e0d4f196ba027604154f79ddd03a0b90f90c9607
+# Parent cd1c7615e861083e9e9b61d0e0070354e227ea5c
+Fix NO_ROOT_MAILER, broken by the eventlog refactor in sudo 1.9.4.
+init_eventlog_config() is called immediately after initializing the
+Defaults settings, which is before struct sudo_user is setup. This
+adds a call to eventlog_set_mailuid() if NO_ROOT_MAILER is defined
+after the invoking user is determined. Reported by Roman Fiedler.
+
+--- a/plugins/sudoers/logging.c
++++ b/plugins/sudoers/logging.c
+@@ -786,11 +786,6 @@ void
+ init_eventlog_config(void)
+ {
+ int logtype = 0;
+-#ifdef NO_ROOT_MAILER
+- uid_t mailuid = user_uid;
+-#else
+- uid_t mailuid = ROOT_UID;
+-#endif
+ debug_decl(init_eventlog_config, SUDOERS_DEBUG_LOGGING);
+
+ if (def_syslog)
+@@ -805,7 +800,7 @@ init_eventlog_config(void)
+ eventlog_set_syslog_alertpri(def_syslog_badpri);
+ eventlog_set_syslog_maxlen(def_syslog_maxlen);
+ eventlog_set_file_maxlen(def_loglinelen);
+- eventlog_set_mailuid(mailuid);
++ eventlog_set_mailuid(ROOT_UID);
+ eventlog_set_omit_hostname(!def_log_host);
+ eventlog_set_logpath(def_logfile);
+ eventlog_set_time_fmt(def_log_year ? "%h %e %T %Y" : "%h %e %T");
+--- a/plugins/sudoers/policy.c
++++ b/plugins/sudoers/policy.c
+@@ -518,6 +518,10 @@ sudoers_policy_deserialize_info(void *v)
+ /* Some systems support fexecve() which we use for digest matches. */
+ cmnd_fd = -1;
+
++#ifdef NO_ROOT_MAILER
++ eventlog_set_mailuid(user_uid);
++#endif
++
+ /* Dump settings and user info (XXX - plugin args) */
+ for (cur = info->settings; *cur != NULL; cur++)
+ sudo_debug_printf(SUDO_DEBUG_INFO, "settings: %s", *cur);
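Review bot: This patch file carries no DEP-3 `Description:`/`Origin:` header, unlike the other patches in this series, and begins with a blank line; since the hg changeset id is already present in the `# Node ID` line, a header such as `Origin: upstream, <that changeset id>` plus the first sentence of the existing commit message as `Description:` would bring it in line with the rest. The policy.c hunk inserts `eventlog_set_mailuid(user_uid)` after `cmnd_fd = -1;`, and the commit message says this runs after the invoking user is determined, but the hunk shows no assignment to `user_uid`, so that ordering should be confirmed in sudoers_policy_deserialize_info, which begins and ends outside the hunk.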
diff --git a/debian/patches/paths-in-samples.diff b/debian/patches/paths-in-samples.diff
new file mode 100644
index 0000000..8785dcd
--- /dev/null
+++ b/debian/patches/paths-in-samples.diff
@@ -0,0 +1,40 @@
+--- a/examples/sudoers
++++ b/examples/sudoers
+@@ -44,10 +44,10 @@ Host_Alias CDROM = orion, perseus, hercu
+ # Cmnd alias specification
+ ##
+ Cmnd_Alias DUMPS = /usr/sbin/dump, /usr/sbin/rdump, /usr/sbin/restore, \
+- /usr/sbin/rrestore, /usr/bin/mt, \
++ /usr/sbin/rrestore, /bin/mt, \
+ sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== \
+ /home/operator/bin/start_backups
+-Cmnd_Alias KILL = /usr/bin/kill, /usr/bin/top
++Cmnd_Alias KILL = /bin/kill, /usr/bin/top
+ Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
+ Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
+ Cmnd_Alias HALT = /usr/sbin/halt
+@@ -85,7 +85,7 @@ operator ALL = DUMPS, KILL, SHUTDOWN, HA
+ sudoedit /etc/printcap, /usr/oper/bin/
+
+ # joe may su only to operator
+-joe ALL = /usr/bin/su operator
++joe ALL = /bin/su operator
+
+ # pete may change passwords for anyone but root on the hp snakes
+ pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd *root*
+@@ -99,13 +99,13 @@ jim +biglab = ALL
+
+ # users in the secretaries netgroup need to help manage the printers
+ # as well as add and remove users
+-+secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
+++secretaries ALL = PRINTING, /usr/sbin/adduser
+
+ # fred can run commands as oracle or sybase without a password
+ fred ALL = (DB) NOPASSWD: ALL
+
+ # on the alphas, john may su to anyone but root and flags are not allowed
+-john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
++john ALPHA = /bin/su [!-]*, !/bin/su *root*
+
+ # jen can run anything on all machines except the ones
+ # in the "SERVERS" Host_Alias
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..42c675c
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,6 @@
+typo-in-classic-insults.diff
+paths-in-samples.diff
+Whitelist-DPKG_COLORS-environment-variable.diff
+fix-no-root-mailer.diff
+sudo-ldap-docs
+CVE-2023-22809.patch
diff --git a/debian/patches/sudo-ldap-docs b/debian/patches/sudo-ldap-docs
new file mode 100644
index 0000000..8d726cf
--- /dev/null
+++ b/debian/patches/sudo-ldap-docs
@@ -0,0 +1,54 @@
+Description: Adapt README.LDAP to the actual state of the sudo-ldap package
+Author: Marc Haber <mh+debian-packages@zugschlus.de>
+
+--- a/README.LDAP
++++ b/README.LDAP
+@@ -35,18 +35,8 @@ They are one and the same.
+
+ Build instructions
+ ==================
+-The simplest way to build sudo with LDAP support is to include the
+-'--with-ldap' option.
+-
+- $ ./configure --with-ldap
+-
+-If your ldap libraries and headers are in a non-standard place, you will need
+-to specify them at configure time. E.g.
+-
+- $ ./configure --with-ldap=/usr/local/ldapsdk
+-
+-Sudo is developed using OpenLDAP but Netscape-based LDAP libraries
+-(such as those present in Solaris) are also known to work.
++The Debian package of sudo-ldap is already built with LDAP support
++using the OpenLDAP libs.
+
+ Your mileage may vary. Please let the sudo workers mailing list
+ <sudo-workers@sudo.ws> know if special configuration was required
+@@ -174,13 +164,10 @@ I recommend using any of the following L
+
+ There are dozens of others, some Open Source, some free, some not.
+
+-Configure your /etc/ldap.conf and /etc/nsswitch.conf
+-====================================================
+-The /etc/ldap.conf file is meant to be shared between sudo, pam_ldap, nss_ldap
+-and other ldap applications and modules. IBM Secureway unfortunately uses
+-the same file name but has a different syntax. If you need to change where
+-this file is stored, re-run configure with the --with-ldap-conf-file=PATH
+-option.
++Configure your /etc/sudo-ldap.conf and /etc/nsswitch.conf
++=========================================================
++The Debian package sudo-ldap uses /etc/sudo-ldap.conf as configuration file
++and is configured to use nsswitch.
+
+ See the "Configuring ldap.conf" section in the sudoers.ldap manual
+ for a list of supported ldap.conf parameters and an example ldap.conf
+@@ -192,9 +179,6 @@ After configuring /etc/ldap.conf, you mu
+ to tell sudo to look in LDAP for sudoers. See the "Configuring nsswitch.conf"
+ section in the sudoers.ldap manual for details. Note that sudo will use
+ /etc/nsswitch.conf even if the underlying operating system does not support it.
+-To disable nsswitch support, run configure with the --with-nsswitch=no option.
+-This will cause sudo to consult LDAP first and /etc/sudoers second, unless the
+-ignore_sudoers_file flag is set in the global LDAP options.
+
+ Debugging your LDAP configuration
+ =================================
diff --git a/debian/patches/typo-in-classic-insults.diff b/debian/patches/typo-in-classic-insults.diff
new file mode 100644
index 0000000..15a30c6
--- /dev/null
+++ b/debian/patches/typo-in-classic-insults.diff
@@ -0,0 +1,11 @@
+--- a/plugins/sudoers/ins_classic.h
++++ b/plugins/sudoers/ins_classic.h
+@@ -32,7 +32,7 @@
+ "Where did you learn to type?",
+ "Are you on drugs?",
+ "My pet ferret can type better than you!",
+- "You type like i drive.",
++ "You type like I drive.",
+ "Do you think like you type?",
+ "Your mind just hasn't been the same since the electro-shock, has it?",
+