diff options
Diffstat (limited to 'meta/recipes-extended/sudo/files/CVE-2021-3156-3.patch')
-rw-r--r-- | meta/recipes-extended/sudo/files/CVE-2021-3156-3.patch | 73 |
1 files changed, 73 insertions, 0 deletions
diff --git a/meta/recipes-extended/sudo/files/CVE-2021-3156-3.patch b/meta/recipes-extended/sudo/files/CVE-2021-3156-3.patch new file mode 100644 index 0000000000..30a574d05c --- /dev/null +++ b/meta/recipes-extended/sudo/files/CVE-2021-3156-3.patch @@ -0,0 +1,73 @@ +Upstream-Status: Backport[https://www.sudo.ws/repos/sudo/rev/049ad90590be] +Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> +CVE: CVE-2021-3156 + +# HG changeset patch +# User Todd C. Miller <Todd.Miller@sudo.ws> +# Date 1611416639 25200 +# Node ID 049ad90590be1e5dfb7df2675d2eb3e37c96ab86 +# Parent a97dc92eae6b60ae285055441341d493c17262ff +Fix potential buffer overflow when unescaping backslashes in user_args. +Also, do not try to unescaping backslashes unless in run mode *and* +we are running the command via a shell. +Found by Qualys, this fixes CVE-2021-3156. + +diff -r a97dc92eae6b -r 049ad90590be plugins/sudoers/sudoers.c +--- a/plugins/sudoers/sudoers.c Sat Jan 23 08:43:59 2021 -0700 ++++ b/plugins/sudoers/sudoers.c Sat Jan 23 08:43:59 2021 -0700 +@@ -547,7 +547,7 @@ + + /* If run as root with SUDO_USER set, set sudo_user.pw to that user. */ + /* XXX - causes confusion when root is not listed in sudoers */ +- if (sudo_mode & (MODE_RUN | MODE_EDIT) && prev_user != NULL) { ++ if (ISSET(sudo_mode, MODE_RUN|MODE_EDIT) && prev_user != NULL) { + if (user_uid == 0 && strcmp(prev_user, "root") != 0) { + struct passwd *pw; + +@@ -932,8 +932,8 @@ + if (user_cmnd == NULL) + user_cmnd = NewArgv[0]; + +- if (sudo_mode & (MODE_RUN | MODE_EDIT | MODE_CHECK)) { +- if (ISSET(sudo_mode, MODE_RUN | MODE_CHECK)) { ++ if (ISSET(sudo_mode, MODE_RUN|MODE_EDIT|MODE_CHECK)) { ++ if (!ISSET(sudo_mode, MODE_EDIT)) { + const char *runchroot = user_runchroot; + if (runchroot == NULL && def_runchroot != NULL && + strcmp(def_runchroot, "*") != 0) +@@ -961,7 +961,8 @@ + sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory")); + debug_return_int(NOT_FOUND_ERROR); + } +- if (ISSET(sudo_mode, MODE_SHELL|MODE_LOGIN_SHELL)) { ++ if (ISSET(sudo_mode, MODE_SHELL|MODE_LOGIN_SHELL) && ++ ISSET(sudo_mode, MODE_RUN)) { + /* + * When running a command via a shell, the sudo front-end + * escapes potential meta chars. We unescape non-spaces +@@ -969,10 +970,22 @@ + */ + for (to = user_args, av = NewArgv + 1; (from = *av); av++) { + while (*from) { +- if (from[0] == '\\' && !isspace((unsigned char)from[1])) ++ if (from[0] == '\\' && from[1] != '\0' && ++ !isspace((unsigned char)from[1])) { + from++; ++ } ++ if (size - (to - user_args) < 1) { ++ sudo_warnx(U_("internal error, %s overflow"), ++ __func__); ++ debug_return_int(NOT_FOUND_ERROR); ++ } + *to++ = *from++; + } ++ if (size - (to - user_args) < 1) { ++ sudo_warnx(U_("internal error, %s overflow"), ++ __func__); ++ debug_return_int(NOT_FOUND_ERROR); ++ } + *to++ = ' '; + } + *--to = '\0'; + + |