Blame SOURCES/sudo-1.8.28-CVE-strtouid.patch

28a657
Treat an ID of -1 as invalid since that means "no change".
28a657
Fixes CVE-2019-14287.
28a657
Found by Joe Vennix from Apple Information Security.
28a657
28a657
diff -r fcd7a6d8330e lib/util/strtoid.c
28a657
--- a/lib/util/strtoid.c	Fri Jan 11 13:31:15 2019 -0700
28a657
+++ b/lib/util/strtoid.c	Thu Oct 10 09:52:12 2019 -0600
28a657
@@ -1,5 +1,5 @@
28a657
 /*
28a657
- * Copyright (c) 2013-2016 Todd C. Miller <Todd.Miller@sudo.ws>
28a657
+ * Copyright (c) 2013-2019 Todd C. Miller <Todd.Miller@sudo.ws>
28a657
  *
28a657
  * Permission to use, copy, modify, and distribute this software for any
28a657
  * purpose with or without fee is hereby granted, provided that the above
28a657
@@ -47,6 +47,27 @@
28a657
 #include "sudo_util.h"
28a657
 
28a657
 /*
28a657
+ * Make sure that the ID ends with a valid separator char.
28a657
+ */
28a657
+static bool
28a657
+valid_separator(const char *p, const char *ep, const char *sep)
28a657
+{
28a657
+    bool valid = false;
28a657
+    debug_decl(valid_separator, SUDO_DEBUG_UTIL)
28a657
+
28a657
+    if (ep != p) {
28a657
+	/* check for valid separator (including '\0') */
28a657
+	if (sep == NULL)
28a657
+	    sep = "";
28a657
+	do {
28a657
+	    if (*ep == *sep)
28a657
+		valid = true;
28a657
+	} while (*sep++ != '\0');
28a657
+    }
28a657
+    debug_return_bool(valid);
28a657
+}
28a657
+
28a657
+/*
28a657
  * Parse a uid/gid in string form.
28a657
  * If sep is non-NULL, it contains valid separator characters (e.g. comma, space)
28a657
  * If endp is non-NULL it is set to the next char after the ID.
28a657
@@ -60,38 +81,35 @@ sudo_strtoid_v1(const char *p, const cha
28a657
     char *ep;
28a657
     id_t ret = 0;
28a657
     long long llval;
28a657
-    bool valid = false;
28a657
     debug_decl(sudo_strtoid, SUDO_DEBUG_UTIL)
28a657
 
28a657
     /* skip leading space so we can pick up the sign, if any */
28a657
     while (isspace((unsigned char)*p))
28a657
 	p++;
28a657
-    if (sep == NULL)
28a657
-	sep = "";
28a657
+
28a657
+    /* While id_t may be 64-bit signed, uid_t and gid_t are 32-bit unsigned. */
28a657
     errno = 0;
28a657
     llval = strtoll(p, &ep, 10);
28a657
-    if (ep != p) {
28a657
-	/* check for valid separator (including '\0') */
28a657
-	do {
28a657
-	    if (*ep == *sep)
28a657
-		valid = true;
28a657
-	} while (*sep++ != '\0');
28a657
+    if ((errno == ERANGE && llval == LLONG_MAX) || llval > (id_t)UINT_MAX) {
28a657
+	errno = ERANGE;
28a657
+	if (errstr != NULL)
28a657
+	    *errstr = N_("value too large");
28a657
+	goto done;
28a657
     }
28a657
-    if (!valid) {
28a657
+    if ((errno == ERANGE && llval == LLONG_MIN) || llval < INT_MIN) {
28a657
+	errno = ERANGE;
28a657
+	if (errstr != NULL)
28a657
+	    *errstr = N_("value too small");
28a657
+	goto done;
28a657
+    }
28a657
+
28a657
+    /* Disallow id -1, which means "no change". */
28a657
+    if (!valid_separator(p, ep, sep) || llval == -1 || llval == (id_t)UINT_MAX) {
28a657
 	if (errstr != NULL)
28a657
 	    *errstr = N_("invalid value");
28a657
 	errno = EINVAL;
28a657
 	goto done;
28a657
     }
28a657
-    if (errno == ERANGE) {
28a657
-	if (errstr != NULL) {
28a657
-	    if (llval == LLONG_MAX)
28a657
-		*errstr = N_("value too large");
28a657
-	    else
28a657
-		*errstr = N_("value too small");
28a657
-	}
28a657
-	goto done;
28a657
-    }
28a657
     ret = (id_t)llval;
28a657
     if (errstr != NULL)
28a657
 	*errstr = NULL;
28a657
@@ -106,30 +124,15 @@ sudo_strtoid_v1(const char *p, const cha
28a657
 {
28a657
     char *ep;
28a657
     id_t ret = 0;
28a657
-    bool valid = false;
28a657
     debug_decl(sudo_strtoid, SUDO_DEBUG_UTIL)
28a657
 
28a657
     /* skip leading space so we can pick up the sign, if any */
28a657
     while (isspace((unsigned char)*p))
28a657
 	p++;
28a657
-    if (sep == NULL)
28a657
-	sep = "";
28a657
+
28a657
     errno = 0;
28a657
     if (*p == '-') {
28a657
 	long lval = strtol(p, &ep, 10);
28a657
-	if (ep != p) {
28a657
-	    /* check for valid separator (including '\0') */
28a657
-	    do {
28a657
-		if (*ep == *sep)
28a657
-		    valid = true;
28a657
-	    } while (*sep++ != '\0');
28a657
-	}
28a657
-	if (!valid) {
28a657
-	    if (errstr != NULL)
28a657
-		*errstr = N_("invalid value");
28a657
-	    errno = EINVAL;
28a657
-	    goto done;
28a657
-	}
28a657
 	if ((errno == ERANGE && lval == LONG_MAX) || lval > INT_MAX) {
28a657
 	    errno = ERANGE;
28a657
 	    if (errstr != NULL)
28a657
@@ -142,28 +145,31 @@ sudo_strtoid_v1(const char *p, const cha
28a657
 		*errstr = N_("value too small");
28a657
 	    goto done;
28a657
 	}
28a657
-	ret = (id_t)lval;
28a657
-    } else {
28a657
-	unsigned long ulval = strtoul(p, &ep, 10);
28a657
-	if (ep != p) {
28a657
-	    /* check for valid separator (including '\0') */
28a657
-	    do {
28a657
-		if (*ep == *sep)
28a657
-		    valid = true;
28a657
-	    } while (*sep++ != '\0');
28a657
-	}
28a657
-	if (!valid) {
28a657
+
28a657
+	/* Disallow id -1, which means "no change". */
28a657
+	if (!valid_separator(p, ep, sep) || lval == -1) {
28a657
 	    if (errstr != NULL)
28a657
 		*errstr = N_("invalid value");
28a657
 	    errno = EINVAL;
28a657
 	    goto done;
28a657
 	}
28a657
+	ret = (id_t)lval;
28a657
+    } else {
28a657
+	unsigned long ulval = strtoul(p, &ep, 10);
28a657
 	if ((errno == ERANGE && ulval == ULONG_MAX) || ulval > UINT_MAX) {
28a657
 	    errno = ERANGE;
28a657
 	    if (errstr != NULL)
28a657
 		*errstr = N_("value too large");
28a657
 	    goto done;
28a657
 	}
28a657
+
28a657
+	/* Disallow id -1, which means "no change". */
28a657
+	if (!valid_separator(p, ep, sep) || ulval == UINT_MAX) {
28a657
+	    if (errstr != NULL)
28a657
+		*errstr = N_("invalid value");
28a657
+	    errno = EINVAL;
28a657
+	    goto done;
28a657
+	}
28a657
 	ret = (id_t)ulval;
28a657
     }
28a657
     if (errstr != NULL)