1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
|
From 03d04069468d6633be0d6ef6c4adff07620488da Mon Sep 17 00:00:00 2001
From: Anuj Mittal <anuj.mittal@intel.com>
Date: Sat, 6 Feb 2021 15:57:55 +0800
Subject: [PATCH] sudo: fix CVE-2021-3156
Upstream-Status: Backport [https://www.sudo.ws/repos/sudo/rev/a97dc92eae6b]
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
CVE: CVE-2021-3156
# HG changeset patch
# User Todd C. Miller <Todd.Miller@sudo.ws>
# Date 1611416639 25200
# Node ID a97dc92eae6b60ae285055441341d493c17262ff
# Parent 9b97f1787804aedccaec63c379053b1a91a0e409
Add sudoedit flag checks in plugin that are consistent with front-end.
Don't assume the sudo front-end is sending reasonable mode flags.
These checks need to be kept consistent between the sudo front-end
and the sudoers plugin.
---
plugins/sudoers/policy.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/plugins/sudoers/policy.c b/plugins/sudoers/policy.c
index c4749a6..2f18fe1 100644
--- a/plugins/sudoers/policy.c
+++ b/plugins/sudoers/policy.c
@@ -88,10 +88,11 @@ parse_bool(const char *line, int varlen, int *flags, int fval)
int
sudoers_policy_deserialize_info(void *v, char **runas_user, char **runas_group)
{
+ const int edit_mask = MODE_EDIT|MODE_IGNORE_TICKET|MODE_NONINTERACTIVE;
struct sudoers_open_info *info = v;
- char * const *cur;
const char *p, *errstr, *groups = NULL;
const char *remhost = NULL;
+ char * const *cur;
int flags = 0;
debug_decl(sudoers_policy_deserialize_info, SUDOERS_DEBUG_PLUGIN);
@@ -343,6 +344,12 @@ sudoers_policy_deserialize_info(void *v, char **runas_user, char **runas_group)
#endif
}
+ /* Sudo front-end should restrict mode flags for sudoedit. */
+ if (ISSET(flags, MODE_EDIT) && (flags & edit_mask) != flags) {
+ sudo_warnx(U_("invalid mode flags from sudo front end: 0x%x"), flags);
+ goto bad;
+ }
+
user_gid = (gid_t)-1;
user_sid = (pid_t)-1;
user_uid = (gid_t)-1;
|
