Blame SOURCES/sudo-1.9.12-CVE-2023-22809-backports.patch

f864d0
diff -up ./plugins/sudoers/editor.c.other ./plugins/sudoers/editor.c
f864d0
--- ./plugins/sudoers/editor.c.other	2023-01-16 17:37:04.659967300 +0100
f864d0
+++ ./plugins/sudoers/editor.c	2023-01-16 17:40:35.944400376 +0100
f864d0
@@ -39,6 +39,82 @@
f864d0
 #include "sudoers.h"
f864d0
 
f864d0
 /*
f864d0
+ * Non-destructive word-split that handles single and double quotes and
f864d0
+ * escaped white space.  Quotes are only recognized at the start of a word.
f864d0
+ * They are treated as normal characters inside a word.
f864d0
+ */
f864d0
+static const char *
f864d0
+wordsplit(const char *str, const char *endstr, const char **last)
f864d0
+{
f864d0
+    const char *cp;
f864d0
+    debug_decl(wordsplit, SUDO_DEBUG_UTIL);
f864d0
+
f864d0
+    /* If no str specified, use last ptr (if any). */
f864d0
+    if (str == NULL) {
f864d0
+	str = *last;
f864d0
+	/* Consume end quote if present. */
f864d0
+	if (*str == '"' || *str == '\'')
f864d0
+	    str++;
f864d0
+    }
f864d0
+
f864d0
+    /* Skip leading white space characters. */
f864d0
+    while (str < endstr && (*str == ' ' || *str == '\t'))
f864d0
+	str++;
f864d0
+
f864d0
+    /* Empty string? */
f864d0
+    if (str >= endstr) {
f864d0
+	*last = endstr;
f864d0
+	debug_return_ptr(NULL);
f864d0
+    }
f864d0
+
f864d0
+    /* If word is quoted, skip to end quote and return. */
f864d0
+    if (*str == '"' || *str == '\'') {
f864d0
+	const char *endquote = memchr(str + 1, *str, endstr - str);
f864d0
+	if (endquote != NULL) {
f864d0
+	    *last = endquote;
f864d0
+	    debug_return_const_ptr(str + 1);
f864d0
+	}
f864d0
+    }
f864d0
+
f864d0
+    /* Scan str until we encounter white space. */
f864d0
+    for (cp = str; cp < endstr; cp++) {
f864d0
+	if (*cp == '\\') {
f864d0
+	    /* quoted char, do not interpret */
f864d0
+	    cp++;
f864d0
+	    continue;
f864d0
+	}
f864d0
+	if (*cp == ' ' || *cp == '\t') {
f864d0
+	    /* end of word */
f864d0
+	    break;
f864d0
+	}
f864d0
+    }
f864d0
+    *last = cp;
f864d0
+    debug_return_const_ptr(str);
f864d0
+}
f864d0
+
f864d0
+/* Copy len chars from string, collapsing chars escaped with a backslash. */
f864d0
+static char *
f864d0
+copy_arg(const char *src, size_t len)
f864d0
+{
f864d0
+    const char *src_end = src + len;
f864d0
+    char *copy, *dst;
f864d0
+    debug_decl(copy_arg, SUDOERS_DEBUG_UTIL);
f864d0
+
f864d0
+    if ((copy = malloc(len + 1)) != NULL) {
f864d0
+	for (dst = copy; src < src_end; ) {
f864d0
+	    if (*src == '\\') {
f864d0
+		src++;
f864d0
+		continue;
f864d0
+	    }
f864d0
+	    *dst++ = *src++;
f864d0
+	}
f864d0
+	*dst = '\0';
f864d0
+    }
f864d0
+
f864d0
+    debug_return_ptr(copy);
f864d0
+}
f864d0
+
f864d0
+/*
f864d0
  * Search for the specified editor in the user's PATH, checking
f864d0
  * the result against allowlist if non-NULL.  An argument vector
f864d0
  * suitable for execve() is allocated and stored in argv_out.
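Review bot: wordsplit() can leave `*last` one byte past `endstr` when the input ends in a backslash, because the escape branch of the scan loop does `cp++` and then `continue`, so the loop increment runs again and the final `*last = cp` is never clamped. The next `wordsplit(NULL, ...)` call then reads `*str` before its own `str < endstr` test, and the `ep - cp` length passed to copy_arg() at the call sites in resolve_editor() takes in a byte outside `[ed, edend)`; whether that byte is still inside the caller's buffer cannot be told from this patch. Guarding the skip with `if (cp + 1 < endstr) cp++;` keeps the pointer in range. The quoted-word branch has a similar slip: `memchr(str + 1, *str, endstr - str)` scans up to and including the byte at `endstr`, so the length should be `endstr - (str + 1)`. Separately, copy_arg() drops every backslash it sees, so an escaped backslash vanishes rather than collapsing to one; if that is intended, its header comment should say so.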
f864d0
@@ -52,7 +128,7 @@ static char *
f864d0
 resolve_editor(const char *ed, size_t edlen, int nfiles, char **files,
f864d0
     int *argc_out, char ***argv_out, char * const *allowlist)
f864d0
 {
f864d0
-    char **nargv, *editor, *editor_path = NULL;
f864d0
+    char **nargv = NULL, *editor = NULL, *editor_path = NULL;
f864d0
     const char *cp, *ep, *tmp;
f864d0
     const char *edend = ed + edlen;
f864d0
     struct stat user_editor_sb;
f864d0
@@ -64,14 +140,12 @@ resolve_editor(const char *ed, size_t ed
f864d0
      * The EDITOR and VISUAL environment variables may contain command
f864d0
      * line args so look for those and alloc space for them too.
f864d0
      */
f864d0
-    cp = sudo_strsplit(ed, edend, " \t", &ep);
f864d0
+    cp = wordsplit(ed, edend, &ep);
f864d0
     if (cp == NULL)
f864d0
 	debug_return_str(NULL);
f864d0
-    editor = strndup(cp, (size_t)(ep - cp));
f864d0
-    if (editor == NULL) {
f864d0
-	sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
f864d0
-	debug_return_str(NULL);
f864d0
-    }
f864d0
+    editor = copy_arg(cp, ep - cp);
f864d0
+    if (editor == NULL)
f864d0
+        goto oom;
f864d0
 
f864d0
     /* If we can't find the editor in the user's PATH, give up. */
f864d0
     if (find_path(editor, &editor_path, &user_editor_sb, getenv("PATH"), 0, allowlist) != FOUND) {
f864d0
@@ -81,30 +155,22 @@ resolve_editor(const char *ed, size_t ed
f864d0
     }
f864d0
 
f864d0
     /* Count rest of arguments and allocate editor argv. */
f864d0
-    for (nargc = 1, tmp = ep; sudo_strsplit(NULL, edend, " \t", &tmp) != NULL; )
f864d0
+    for (nargc = 1, tmp = ep; wordsplit(NULL, edend, &tmp) != NULL; )
f864d0
 	nargc++;
f864d0
     if (nfiles != 0)
f864d0
 	nargc += nfiles + 1;
f864d0
     nargv = reallocarray(NULL, nargc + 1, sizeof(char *));
f864d0
-    if (nargv == NULL) {
f864d0
-	sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
f864d0
-	free(editor);
f864d0
-	free(editor_path);
f864d0
-	debug_return_str(NULL);
f864d0
-    }
f864d0
+    if (nargv == NULL)
f864d0
+	goto oom;
f864d0
 
f864d0
     /* Fill in editor argv (assumes files[] is NULL-terminated). */
f864d0
     nargv[0] = editor;
f864d0
-    for (nargc = 1; (cp = sudo_strsplit(NULL, edend, " \t", &ep)) != NULL; nargc++) {
f864d0
-	nargv[nargc] = strndup(cp, (size_t)(ep - cp));
f864d0
-	if (nargv[nargc] == NULL) {
f864d0
-	    sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
f864d0
-	    free(editor_path);
f864d0
-	    while (nargc--)
f864d0
-		free(nargv[nargc]);
f864d0
-	    free(nargv);
f864d0
-	    debug_return_str(NULL);
f864d0
-	}
f864d0
+    editor = NULL;
f864d0
+    for (nargc = 1; (cp = wordsplit(NULL, edend, &ep)) != NULL; nargc++) {
f864d0
+	/* Copy string, collapsing chars escaped with a backslash. */
f864d0
+	nargv[nargc] = copy_arg(cp, ep - cp);
f864d0
+	if (nargv[nargc] == NULL)
f864d0
+	    goto oom;
f864d0
     }
f864d0
     if (nfiles != 0) {
f864d0
 	nargv[nargc++] = "--";
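Review bot: The `editor = NULL;` added right after `nargv[0] = editor;` is an ownership hand-off that the hunk leaves unexplained. Without it the `oom:` cleanup in the last hunk would free the same allocation twice, once through `editor` and once through `nargv[0]`. A short comment would keep a later edit from removing the line, for example `/* nargv[0] owns the string now; oom must not free it via editor. */`. resolve_editor() begins before this hunk and continues after it.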
f864d0
@@ -116,6 +182,16 @@ resolve_editor(const char *ed, size_t ed
f864d0
     *argc_out = nargc;
f864d0
     *argv_out = nargv;
f864d0
     debug_return_str(editor_path);
f864d0
+oom:
f864d0
+    sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
f864d0
+    free(editor);
f864d0
+    free(editor_path);
f864d0
+    if (nargv != NULL) {
f864d0
+	while (nargc--)
f864d0
+	    free(nargv[nargc]);
f864d0
+	free(nargv);
f864d0
+    }
f864d0
+    debug_return_str(NULL);
f864d0
 }
f864d0
 
f864d0
 /*
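Review bot: The `oom:` cleanup frees every slot of `nargv` below `nargc`, which is only correct while all of those slots hold heap strings. The code after the fill loop stores the literal `"--"` in `nargv` (and, judging by the comment about files[], the caller's file names), so a `goto oom` added after that point later on would hand non-heap pointers to free(). A comment on the label stating the precondition would help, for example `/* Only reached before "--" and files[] are appended; nargv[0..nargc) are all malloc'd. */`. The part of resolve_editor() between the fill loop and `*argc_out = nargc;` is outside the visible hunks.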