Diffstat (limited to 'debian/patches')
-rw-r--r-- | debian/patches/CVE-2023-22809.patch | 124 | ||||
-rw-r--r-- | debian/patches/Whitelist-DPKG_COLORS-environment-variable.diff | 19 | ||||
-rw-r--r-- | debian/patches/fix-no-root-mailer.diff | 48 | ||||
-rw-r--r-- | debian/patches/paths-in-samples.diff | 40 | ||||
-rw-r--r-- | debian/patches/series | 6 | ||||
-rw-r--r-- | debian/patches/sudo-ldap-docs | 54 | ||||
-rw-r--r-- | debian/patches/typo-in-classic-insults.diff | 11 |
7 files changed, 302 insertions, 0 deletions
diff --git a/debian/patches/CVE-2023-22809.patch b/debian/patches/CVE-2023-22809.patch
new file mode 100644
index 0000000..d297ff4
--- /dev/null
+++ b/debian/patches/CVE-2023-22809.patch
@@ -0,0 +1,124 @@
+Description: sudoedit: do not permit editor arguments to include "--"
+Origin: upstream
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-22809
+
+We use "--" to separate the editor and arguments from the files to edit.
+If the editor arguments include "--", sudo can be tricked into allowing
+the user to edit a file not permitted by the security policy.
+Thanks to Matthieu Barjole and Victor Cutillas of Synacktiv
+(https://synacktiv.com) for finding this bug.
+
+--- a/plugins/sudoers/editor.c
++++ b/plugins/sudoers/editor.c
+@@ -126,7 +126,7 @@ resolve_editor(const char *ed, size_t ed
+ const char *tmp, *cp, *ep = NULL;
+ const char *edend = ed + edlen;
+ struct stat user_editor_sb;
+- int nargc;
++ int nargc = 0;
+ debug_decl(resolve_editor, SUDOERS_DEBUG_UTIL);
+
+ /*
+@@ -144,9 +144,7 @@ resolve_editor(const char *ed, size_t ed
+ /* If we can't find the editor in the user's PATH, give up. */
+ if (find_path(editor, &editor_path, &user_editor_sb, getenv("PATH"), NULL,
+ 0, allowlist) != FOUND) {
+- free(editor);
+- errno = ENOENT;
+- debug_return_str(NULL);
++ goto bad;
+ }
+
+ /* Count rest of arguments and allocate editor argv. */
+@@ -166,6 +164,17 @@ resolve_editor(const char *ed, size_t ed
+ nargv[nargc] = copy_arg(cp, ep - cp);
+ if (nargv[nargc] == NULL)
+ goto oom;
++
++ /*
++ * We use "--" to separate the editor and arguments from the files
++ * to edit. The editor arguments themselves may not contain "--".
++ */
++ if (strcmp(nargv[nargc], "--") == 0) {
++ sudo_warnx(U_("ignoring editor: %.*s"), (int)edlen, ed);
++ sudo_warnx("%s", U_("editor arguments may not contain \"--\""));
++ errno = EINVAL;
++ goto bad;
++ }
+ }
+ if (nfiles != 0) {
+ nargv[nargc++] = "--";
+@@ -179,6 +188,7 @@ resolve_editor(const char *ed, size_t ed
+ debug_return_str(editor_path);
+ oom:
+ sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
++bad:
+ free(editor);
+ free(editor_path);
+ if (nargv != NULL) {
+--- a/plugins/sudoers/sudoers.c
++++ b/plugins/sudoers/sudoers.c
+@@ -724,21 +724,32 @@ sudoers_policy_main(int argc, char * con
+
+ /* Note: must call audit before uid change. */
+ if (ISSET(sudo_mode, MODE_EDIT)) {
++ const char *env_editor = NULL;
+ char **edit_argv;
+ int edit_argc;
+- const char *env_editor;
+
+ free(safe_cmnd);
+ safe_cmnd = find_editor(NewArgc - 1, NewArgv + 1, &edit_argc,
+ &edit_argv, NULL, &env_editor, false);
+ if (safe_cmnd == NULL) {
+- if (errno != ENOENT)
++ switch (errno) {
++ case ENOENT:
++ audit_failure(NewArgv, N_("%s: command not found"),
++ env_editor ? env_editor : def_editor);
++ sudo_warnx(U_("%s: command not found"),
++ env_editor ? env_editor : def_editor);
++ goto bad;
++ case EINVAL:
++ if (def_env_editor && env_editor != NULL) {
++ /* User tried to do something funny with the editor. */
++ log_warningx(SLOG_NO_STDERR|SLOG_AUDIT|SLOG_SEND_MAIL,
++ "invalid user-specified editor: %s", env_editor);
++ goto bad;
++ }
++ FALLTHROUGH;
++ default:
+ goto done;
+- audit_failure(NewArgv, N_("%s: command not found"),
+- env_editor ? env_editor : def_editor);
+- sudo_warnx(U_("%s: command not found"),
+- env_editor ?
env_editor : def_editor);
+- goto bad;
++ }
+ }
+ sudoers_gc_add(GC_VECTOR, edit_argv);
+ NewArgv = edit_argv;
+--- a/plugins/sudoers/visudo.c
++++ b/plugins/sudoers/visudo.c
+@@ -303,7 +303,7 @@ static char *
+ get_editor(int *editor_argc, char ***editor_argv)
+ {
+ char *editor_path = NULL, **allowlist = NULL;
+- const char *env_editor;
++ const char *env_editor = NULL;
+ static char *files[] = { "+1", "sudoers" };
+ unsigned int allowlist_len = 0;
+ debug_decl(get_editor, SUDOERS_DEBUG_UTIL);
+@@ -337,7 +337,11 @@ get_editor(int *editor_argc, char ***edi
+ if (editor_path == NULL) {
+ if (def_env_editor && env_editor != NULL) {
+ /* We are honoring $EDITOR so this is a fatal error. */
+- sudo_fatalx(U_("specified editor (%s) doesn't exist"), env_editor);
++ if (errno == ENOENT) {
++ sudo_warnx(U_("specified editor (%s) doesn't exist"),
++ env_editor);
++ }
++ exit(EXIT_FAILURE);
+ }
+ sudo_fatalx(U_("no editor found (editor path = %s)"), def_editor);
+ }
diff --git a/debian/patches/Whitelist-DPKG_COLORS-environment-variable.diff b/debian/patches/Whitelist-DPKG_COLORS-environment-variable.diff
new file mode 100644
index 0000000..7b54b46
--- /dev/null
+++ b/debian/patches/Whitelist-DPKG_COLORS-environment-variable.diff
@@ -0,0 +1,19 @@
+From 18087bc16ec20ca2c8f0045a6b0408e94c53075c Mon Sep 17 00:00:00 2001
+From: Guillem Jover <guillem@hadrons.org>
+Date: Wed, 4 May 2016 01:53:13 +0200
+Subject: [PATCH] Whitelist DPKG_COLORS environment variable
+
+---
+ plugins/sudoers/env.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/plugins/sudoers/env.c
++++ b/plugins/sudoers/env.c
+@@ -216,6 +216,7 @@ static const char *initial_checkenv_tabl
+ static const char *initial_keepenv_table[] = {
+ "COLORS",
+ "DISPLAY",
++ "DPKG_COLORS",
+ "HOSTNAME",
+ "KRB5CCNAME",
+ "LS_COLORS",
diff --git a/debian/patches/fix-no-root-mailer.diff b/debian/patches/fix-no-root-mailer.diff
new file mode 100644
index 0000000..873464c
--- /dev/null
+++ b/debian/patches/fix-no-root-mailer.diff
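Review bot: In the editor.c hunk at `@@ -144,9 +144,7 @@`, the find_path() failure path drops the explicit `errno = ENOENT;` that the removed lines carried and jumps straight to `bad`, while the new `switch (errno)` in sudoers_policy_main() only audits and reports "command not found" for ENOENT and otherwise lands in `default: goto done`. Unless find_path() itself leaves errno at ENOENT on a NOT_FOUND result (its body is not visible here), a missing editor would now be refused with neither an audit record nor a message to the user. Restoring `errno = ENOENT;` immediately before `goto bad;` makes the contract explicit and independent of find_path(); the free() calls on the `bad:` cleanup path are not expected to clobber errno (glibc guarantees this since 2.33), so the caller still observes it. resolve_editor() and sudoers_policy_main() both start and end outside this hunk.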
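Review bot: Adding `"DPKG_COLORS"` to initial_keepenv_table preserves the variable through env_reset for every sudo invocation, without the value sanitising that initial_checkenv_table entries receive, and the patch header gives no rationale for why that is safe. As far as I know dpkg only uses this variable to select its colour output mode, so the exposure is negligible, but the justification belongs in the patch rather than in a reviewer's memory. Suggest DEP-3 style metadata in the header, e.g. `Forwarded: not-needed` and a sentence such as `DPKG_COLORS only selects dpkg's colour output mode, so preserving it across sudo is harmless.`, so the next person auditing the keepenv list does not have to re-derive it. The table definition continues outside the hunk.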
@@ -0,0 +1,48 @@
+
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller@sudo.ws>
+# Date 1611924154 25200
+# Node ID e0d4f196ba027604154f79ddd03a0b90f90c9607
+# Parent cd1c7615e861083e9e9b61d0e0070354e227ea5c
+Fix NO_ROOT_MAILER, broken by the eventlog refactor in sudo 1.9.4.
+init_eventlog_config() is called immediately after initializing the
+Defaults settings, which is before struct sudo_user is setup. This
+adds a call to eventlog_set_mailuid() if NO_ROOT_MAILER is defined
+after the invoking user is determined. Reported by Roman Fiedler.
+
+--- a/plugins/sudoers/logging.c
++++ b/plugins/sudoers/logging.c
+@@ -786,11 +786,6 @@ void
+ init_eventlog_config(void)
+ {
+ int logtype = 0;
+-#ifdef NO_ROOT_MAILER
+- uid_t mailuid = user_uid;
+-#else
+- uid_t mailuid = ROOT_UID;
+-#endif
+ debug_decl(init_eventlog_config, SUDOERS_DEBUG_LOGGING);
+
+ if (def_syslog)
+@@ -805,7 +800,7 @@ init_eventlog_config(void)
+ eventlog_set_syslog_alertpri(def_syslog_badpri);
+ eventlog_set_syslog_maxlen(def_syslog_maxlen);
+ eventlog_set_file_maxlen(def_loglinelen);
+- eventlog_set_mailuid(mailuid);
++ eventlog_set_mailuid(ROOT_UID);
+ eventlog_set_omit_hostname(!def_log_host);
+ eventlog_set_logpath(def_logfile);
+ eventlog_set_time_fmt(def_log_year ? "%h %e %T %Y" : "%h %e %T");
+--- a/plugins/sudoers/policy.c
++++ b/plugins/sudoers/policy.c
+@@ -518,6 +518,10 @@ sudoers_policy_deserialize_info(void *v)
+ /* Some systems support fexecve() which we use for digest matches. */
+ cmnd_fd = -1;
+
++#ifdef NO_ROOT_MAILER
++ eventlog_set_mailuid(user_uid);
++#endif
++
+ /* Dump settings and user info (XXX - plugin args) */
+ for (cur = info->settings; *cur != NULL; cur++)
+ sudo_debug_printf(SUDO_DEBUG_INFO, "settings: %s", *cur);
diff --git a/debian/patches/paths-in-samples.diff b/debian/patches/paths-in-samples.diff
new file mode 100644
index 0000000..8785dcd
--- /dev/null
+++ b/debian/patches/paths-in-samples.diff
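Review bot: The new `eventlog_set_mailuid(user_uid)` call in sudoers_policy_deserialize_info() only takes effect if it runs after init_eventlog_config(), which the logging.c hunk now makes reset the mail uid to ROOT_UID unconditionally; the patch description says that ordering holds today, but nothing in the code enforces it, and any later re-run of init_eventlog_config() (for instance after Defaults are re-applied) would silently revert a NO_ROOT_MAILER build to mailing as root. A comment above the `#ifdef` would at least make the dependency visible: `/* Must run after init_eventlog_config(), which resets the mail uid to ROOT_UID. */`. A more robust option is to keep the NO_ROOT_MAILER selection inside init_eventlog_config() and only fall back to ROOT_UID while user_uid is still unset, but whether a "not yet set" sentinel for user_uid exists is not visible from this hunk. Both init_eventlog_config() and sudoers_policy_deserialize_info() start and end outside the hunk.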
@@ -0,0 +1,40 @@
+--- a/examples/sudoers
++++ b/examples/sudoers
+@@ -44,10 +44,10 @@ Host_Alias CDROM = orion, perseus, hercu
+ # Cmnd alias specification
+ ##
+ Cmnd_Alias DUMPS = /usr/sbin/dump, /usr/sbin/rdump, /usr/sbin/restore, \
+- /usr/sbin/rrestore, /usr/bin/mt, \
++ /usr/sbin/rrestore, /bin/mt, \
+ sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== \
+ /home/operator/bin/start_backups
+-Cmnd_Alias KILL = /usr/bin/kill, /usr/bin/top
++Cmnd_Alias KILL = /bin/kill, /usr/bin/top
+ Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
+ Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
+ Cmnd_Alias HALT = /usr/sbin/halt
+@@ -85,7 +85,7 @@ operator ALL = DUMPS, KILL, SHUTDOWN, HA
+ sudoedit /etc/printcap, /usr/oper/bin/
+
+ # joe may su only to operator
+-joe ALL = /usr/bin/su operator
++joe ALL = /bin/su operator
+
+ # pete may change passwords for anyone but root on the hp snakes
+ pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd *root*
+@@ -99,13 +99,13 @@ jim +biglab = ALL
+
+ # users in the secretaries netgroup need to help manage the printers
+ # as well as add and remove users
+-+secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
+++secretaries ALL = PRINTING, /usr/sbin/adduser
+
+ # fred can run commands as oracle or sybase without a password
+ fred ALL = (DB) NOPASSWD: ALL
+
+ # on the alphas, john may su to anyone but root and flags are not allowed
+-john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
++john ALPHA = /bin/su [!-]*, !/bin/su *root*
+
+ # jen can run anything on all machines except the ones
+ # in the "SERVERS" Host_Alias
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..42c675c
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,6 @@
+typo-in-classic-insults.diff
+paths-in-samples.diff
+Whitelist-DPKG_COLORS-environment-variable.diff
+fix-no-root-mailer.diff
+sudo-ldap-docs
+CVE-2023-22809.patch
diff --git a/debian/patches/sudo-ldap-docs b/debian/patches/sudo-ldap-docs
new file mode 100644
index 0000000..8d726cf
--- /dev/null
+++ b/debian/patches/sudo-ldap-docs
@@ -0,0 +1,54 @@
+Description: Adapt README.LDAP to the actual state of the sudo-ldap package
+Author: Marc Haber <mh+debian-packages@zugschlus.de>
+
+--- a/README.LDAP
++++ b/README.LDAP
+@@ -35,18 +35,8 @@ They are one and the same.
+
+ Build instructions
+ ==================
+-The simplest way to build sudo with LDAP support is to include the
+-'--with-ldap' option.
+-
+- $ ./configure --with-ldap
+-
+-If your ldap libraries and headers are in a non-standard place, you will need
+-to specify them at configure time. E.g.
+-
+- $ ./configure --with-ldap=/usr/local/ldapsdk
+-
+-Sudo is developed using OpenLDAP but Netscape-based LDAP libraries
+-(such as those present in Solaris) are also known to work.
++The Debian package of sudo-ldap is already built with LDAP support
++using the OpenLDAP libs.
+
+ Your mileage may vary. Please let the sudo workers mailing list
+ <sudo-workers@sudo.ws> know if special configuration was required
+@@ -174,13 +164,10 @@ I recommend using any of the following L
+
+ There are dozens of others, some Open Source, some free, some not.
+
+-Configure your /etc/ldap.conf and /etc/nsswitch.conf
+-====================================================
+-The /etc/ldap.conf file is meant to be shared between sudo, pam_ldap, nss_ldap
+-and other ldap applications and modules. IBM Secureway unfortunately uses
+-the same file name but has a different syntax. If you need to change where
+-this file is stored, re-run configure with the --with-ldap-conf-file=PATH
+-option.
++Configure your /etc/sudo-ldap.conf and /etc/nsswitch.conf
++=========================================================
++The Debian package sudo-ldap uses /etc/sudo-ldap.conf as configuration file
++and is configured to use nsswitch.
+
+ See the "Configuring ldap.conf" section in the sudoers.ldap manual
+ for a list of supported ldap.conf parameters and an example ldap.conf
+@@ -192,9 +179,6 @@ After configuring /etc/ldap.conf, you mu
+ to tell sudo to look in LDAP for sudoers.
See the "Configuring nsswitch.conf"
+ section in the sudoers.ldap manual for details. Note that sudo will use
+ /etc/nsswitch.conf even if the underlying operating system does not support it.
+-To disable nsswitch support, run configure with the --with-nsswitch=no option.
+-This will cause sudo to consult LDAP first and /etc/sudoers second, unless the
+-ignore_sudoers_file flag is set in the global LDAP options.
+
+ Debugging your LDAP configuration
+ =================================
diff --git a/debian/patches/typo-in-classic-insults.diff b/debian/patches/typo-in-classic-insults.diff
new file mode 100644
index 0000000..15a30c6
--- /dev/null
+++ b/debian/patches/typo-in-classic-insults.diff
@@ -0,0 +1,11 @@
+--- a/plugins/sudoers/ins_classic.h
++++ b/plugins/sudoers/ins_classic.h
+@@ -32,7 +32,7 @@
+ "Where did you learn to type?",
+ "Are you on drugs?",
+ "My pet ferret can type better than you!",
+- "You type like i drive.",
++ "You type like I drive.",
+ "Do you think like you type?",
+ "Your mind just hasn't been the same since the electro-shock, has it?",
|