diff options
Diffstat (limited to 'meta/recipes-extended/sudo/files/CVE-2021-3156-1.patch')
-rw-r--r-- | meta/recipes-extended/sudo/files/CVE-2021-3156-1.patch | 100 |
1 files changed, 100 insertions, 0 deletions
diff --git a/meta/recipes-extended/sudo/files/CVE-2021-3156-1.patch b/meta/recipes-extended/sudo/files/CVE-2021-3156-1.patch new file mode 100644 index 0000000000..83c277575e --- /dev/null +++ b/meta/recipes-extended/sudo/files/CVE-2021-3156-1.patch @@ -0,0 +1,100 @@ +Upstream-Status: Backport[https://www.sudo.ws/repos/sudo/rev/9b97f1787804] +Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> +CVE: CVE-2021-3156 + +# HG changeset patch +# User Todd C. Miller <Todd.Miller@sudo.ws> +# Date 1611416639 25200 +# Node ID 9b97f1787804aedccaec63c379053b1a91a0e409 +# Parent 90aba6ba6e03f3bc33b4eabf16358396ed83642d +Reset valid_flags to MODE_NONINTERACTIVE for sudoedit. +This is consistent with how the -e option is handled. +Also reject -H and -P flags for sudoedit as was done in sudo 1.7. +Found by Qualys, this is part of the fix for CVE-2021-3156. + +diff -r 90aba6ba6e03 -r 9b97f1787804 src/parse_args.c +--- a/src/parse_args.c Mon Jan 18 12:30:52 2021 +0100 ++++ b/src/parse_args.c Sat Jan 23 08:43:59 2021 -0700 +@@ -117,7 +117,10 @@ + /* + * Default flags allowed when running a command. + */ +-#define DEFAULT_VALID_FLAGS (MODE_BACKGROUND|MODE_PRESERVE_ENV|MODE_RESET_HOME|MODE_LOGIN_SHELL|MODE_NONINTERACTIVE|MODE_SHELL) ++#define DEFAULT_VALID_FLAGS (MODE_BACKGROUND|MODE_PRESERVE_ENV|MODE_RESET_HOME|MODE_LOGIN_SHELL|MODE_NONINTERACTIVE|MODE_PRESERVE_GROUPS|MODE_SHELL) ++#define EDIT_VALID_FLAGS MODE_NONINTERACTIVE ++#define LIST_VALID_FLAGS (MODE_NONINTERACTIVE|MODE_LONG_LIST) ++#define VALIDATE_VALID_FLAGS MODE_NONINTERACTIVE + + /* Option number for the --host long option due to ambiguity of the -h flag. */ + #define OPT_HOSTNAME 256 +@@ -262,6 +265,7 @@ + progname = "sudoedit"; + mode = MODE_EDIT; + sudo_settings[ARG_SUDOEDIT].value = "true"; ++ valid_flags = EDIT_VALID_FLAGS; + } + + /* Load local IP addresses and masks. */ +@@ -365,7 +369,7 @@ + usage_excl(); + mode = MODE_EDIT; + sudo_settings[ARG_SUDOEDIT].value = "true"; +- valid_flags = MODE_NONINTERACTIVE; ++ valid_flags = EDIT_VALID_FLAGS; + break; + case 'g': + assert(optarg != NULL); +@@ -377,6 +381,7 @@ + break; + case 'H': + sudo_settings[ARG_SET_HOME].value = "true"; ++ SET(flags, MODE_RESET_HOME); + break; + case 'h': + if (optarg == NULL) { +@@ -431,7 +436,7 @@ + usage_excl(); + } + mode = MODE_LIST; +- valid_flags = MODE_NONINTERACTIVE|MODE_LONG_LIST; ++ valid_flags = LIST_VALID_FLAGS; + break; + case 'n': + SET(flags, MODE_NONINTERACTIVE); +@@ -439,6 +444,7 @@ + break; + case 'P': + sudo_settings[ARG_PRESERVE_GROUPS].value = "true"; ++ SET(flags, MODE_PRESERVE_GROUPS); + break; + case 'p': + /* An empty prompt is allowed. */ +@@ -505,7 +511,7 @@ + if (mode && mode != MODE_VALIDATE) + usage_excl(); + mode = MODE_VALIDATE; +- valid_flags = MODE_NONINTERACTIVE; ++ valid_flags = VALIDATE_VALID_FLAGS; + break; + case 'V': + if (mode && mode != MODE_VERSION) +@@ -533,7 +539,7 @@ + if (!mode) { + /* Defer -k mode setting until we know whether it is a flag or not */ + if (sudo_settings[ARG_IGNORE_TICKET].value != NULL) { +- if (argc == 0 && !(flags & (MODE_SHELL|MODE_LOGIN_SHELL))) { ++ if (argc == 0 && !ISSET(flags, MODE_SHELL|MODE_LOGIN_SHELL)) { + mode = MODE_INVALIDATE; /* -k by itself */ + sudo_settings[ARG_IGNORE_TICKET].value = NULL; + valid_flags = 0; +@@ -601,7 +607,7 @@ + /* + * For shell mode we need to rewrite argv + */ +- if (ISSET(mode, MODE_RUN) && ISSET(flags, MODE_SHELL)) { ++ if (ISSET(flags, MODE_SHELL|MODE_LOGIN_SHELL) && ISSET(mode, MODE_RUN)) { + char **av, *cmnd = NULL; + int ac = 1; + + + |