From 03d04069468d6633be0d6ef6c4adff07620488da Mon Sep 17 00:00:00 2001 From: Anuj Mittal Date: Sat, 6 Feb 2021 15:57:55 +0800 Subject: [PATCH] sudo: fix CVE-2021-3156 Upstream-Status: Backport [https://www.sudo.ws/repos/sudo/rev/a97dc92eae6b] Signed-off-by: Anuj Mittal CVE: CVE-2021-3156 # HG changeset patch # User Todd C. Miller # Date 1611416639 25200 # Node ID a97dc92eae6b60ae285055441341d493c17262ff # Parent 9b97f1787804aedccaec63c379053b1a91a0e409 Add sudoedit flag checks in plugin that are consistent with front-end. Don't assume the sudo front-end is sending reasonable mode flags. These checks need to be kept consistent between the sudo front-end and the sudoers plugin. --- plugins/sudoers/policy.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/plugins/sudoers/policy.c b/plugins/sudoers/policy.c index c4749a6..2f18fe1 100644 --- a/plugins/sudoers/policy.c +++ b/plugins/sudoers/policy.c @@ -88,10 +88,11 @@ parse_bool(const char *line, int varlen, int *flags, int fval) int sudoers_policy_deserialize_info(void *v, char **runas_user, char **runas_group) { + const int edit_mask = MODE_EDIT|MODE_IGNORE_TICKET|MODE_NONINTERACTIVE; struct sudoers_open_info *info = v; - char * const *cur; const char *p, *errstr, *groups = NULL; const char *remhost = NULL; + char * const *cur; int flags = 0; debug_decl(sudoers_policy_deserialize_info, SUDOERS_DEBUG_PLUGIN); @@ -343,6 +344,12 @@ sudoers_policy_deserialize_info(void *v, char **runas_user, char **runas_group) #endif } + /* Sudo front-end should restrict mode flags for sudoedit. */ + if (ISSET(flags, MODE_EDIT) && (flags & edit_mask) != flags) { + sudo_warnx(U_("invalid mode flags from sudo front end: 0x%x"), flags); + goto bad; + } + user_gid = (gid_t)-1; user_sid = (pid_t)-1; user_uid = (gid_t)-1;