diff options
Diffstat (limited to 'meta/recipes-extended/sudo/files/CVE-2021-3156-2.patch')
| -rw-r--r-- | meta/recipes-extended/sudo/files/CVE-2021-3156-2.patch | 53 |
1 files changed, 53 insertions, 0 deletions
diff --git a/meta/recipes-extended/sudo/files/CVE-2021-3156-2.patch b/meta/recipes-extended/sudo/files/CVE-2021-3156-2.patch new file mode 100644 index 0000000000..6d051252cb --- /dev/null +++ b/meta/recipes-extended/sudo/files/CVE-2021-3156-2.patch @@ -0,0 +1,53 @@ +From 03d04069468d6633be0d6ef6c4adff07620488da Mon Sep 17 00:00:00 2001 +From: Anuj Mittal <anuj.mittal@intel.com> +Date: Sat, 6 Feb 2021 15:57:55 +0800 +Subject: [PATCH] sudo: fix CVE-2021-3156 + +Upstream-Status: Backport [https://www.sudo.ws/repos/sudo/rev/a97dc92eae6b] +Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> +CVE: CVE-2021-3156 + +# HG changeset patch +# User Todd C. Miller <Todd.Miller@sudo.ws> +# Date 1611416639 25200 +# Node ID a97dc92eae6b60ae285055441341d493c17262ff +# Parent 9b97f1787804aedccaec63c379053b1a91a0e409 +Add sudoedit flag checks in plugin that are consistent with front-end. +Don't assume the sudo front-end is sending reasonable mode flags. +These checks need to be kept consistent between the sudo front-end +and the sudoers plugin. + +--- + plugins/sudoers/policy.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/plugins/sudoers/policy.c b/plugins/sudoers/policy.c +index c4749a6..2f18fe1 100644 +--- a/plugins/sudoers/policy.c ++++ b/plugins/sudoers/policy.c +@@ -88,10 +88,11 @@ parse_bool(const char *line, int varlen, int *flags, int fval) + int + sudoers_policy_deserialize_info(void *v, char **runas_user, char **runas_group) + { ++ const int edit_mask = MODE_EDIT|MODE_IGNORE_TICKET|MODE_NONINTERACTIVE; + struct sudoers_open_info *info = v; +- char * const *cur; + const char *p, *errstr, *groups = NULL; + const char *remhost = NULL; ++ char * const *cur; + int flags = 0; + debug_decl(sudoers_policy_deserialize_info, SUDOERS_DEBUG_PLUGIN); + +@@ -343,6 +344,12 @@ sudoers_policy_deserialize_info(void *v, char **runas_user, char **runas_group) + #endif + } + ++ /* Sudo front-end should restrict mode flags for sudoedit. */ ++ if (ISSET(flags, MODE_EDIT) && (flags & edit_mask) != flags) { ++ sudo_warnx(U_("invalid mode flags from sudo front end: 0x%x"), flags); ++ goto bad; ++ } ++ + user_gid = (gid_t)-1; + user_sid = (pid_t)-1; + user_uid = (gid_t)-1; |