diff -up sudo-1.8.6p7/aclocal.m4.CVE-2014-9680 sudo-1.8.6p7/aclocal.m4
--- sudo-1.8.6p7/aclocal.m4.CVE-2014-9680 2013-02-25 20:42:44.000000000 +0100
+++ sudo-1.8.6p7/aclocal.m4 2015-07-05 13:44:11.610596042 +0200
@@ -156,6 +156,25 @@ AC_DEFUN([SUDO_IO_LOGDIR], [
AC_MSG_RESULT($iolog_dir)
])dnl
+dnl Detect time zone file directory, if any.
+dnl
+AC_DEFUN([SUDO_TZDIR], [AC_MSG_CHECKING(time zone data directory)
+tzdir="$with_tzdir"
+if test -z "$tzdir"; then
+ tzdir=no
+ for d in /usr/share /usr/share/lib /usr/lib /etc; do
+ if test -d "$d/zoneinfo"; then
+ tzdir="$d/zoneinfo"
+ break
+ fi
+ done
+fi
+AC_MSG_RESULT([$tzdir])
+if test "${tzdir}" != "no"; then
+ SUDO_DEFINE_UNQUOTED(_PATH_ZONEINFO, "$tzdir")
+fi
+])dnl
+
dnl
dnl check for working fnmatch(3)
dnl
diff -up sudo-1.8.6p7/configure.in.CVE-2014-9680 sudo-1.8.6p7/configure.in
--- sudo-1.8.6p7/configure.in.CVE-2014-9680 2015-07-05 13:44:11.598596222 +0200
+++ sudo-1.8.6p7/configure.in 2015-07-05 13:44:11.610596042 +0200
@@ -776,6 +776,12 @@ AC_ARG_WITH(iologdir, [AS_HELP_STRING([-
;;
esac])
+AC_ARG_WITH(tzdir, [AS_HELP_STRING([--with-tzdir=DIR], [path to the time zone data directory])],
+[case $with_tzdir in
+ yes) AC_MSG_ERROR(["must give --with-tzdir an argument."])
+ ;;
+esac])
+
AC_ARG_WITH(sendmail, [AS_HELP_STRING([--with-sendmail], [set path to sendmail])
AS_HELP_STRING([--without-sendmail], [do not send mail at all])],
[case $with_sendmail in
@@ -3250,6 +3256,7 @@ fi
SUDO_LOGFILE
SUDO_TIMEDIR
SUDO_IO_LOGDIR
+SUDO_TZDIR
dnl
dnl Turn warnings into errors.
diff -up sudo-1.8.6p7/doc/sudoers.cat.CVE-2014-9680 sudo-1.8.6p7/doc/sudoers.cat
--- sudo-1.8.6p7/doc/sudoers.cat.CVE-2014-9680 2015-07-05 13:44:11.586596402 +0200
+++ sudo-1.8.6p7/doc/sudoers.cat 2015-07-05 13:44:11.610596042 +0200
@@ -1421,20 +1421,36 @@ S�SU�UD�DO�OE�ER�RS�S O�OP�PT�TI�IO�ON�N
L�Li�is�st�ts�s t�th�ha�at�t c�ca�an�n b�be�e u�us�se�ed�d i�in�n a�a b�bo�oo�ol�le�ea�an�n c�co�on�nt�te�ex�xt�t:
- env_check Environment variables to be removed from the user's
- environment if the variable's value contains `%' or `/'
+ env_check Environment variables to be removed from the user's
+ environment if unless they are considered ``safe''.
+ For all variables except TZ, ``safe'' means that the
+ variable's value does not contain any `%' or `/'
characters. This can be used to guard against printf-
style format vulnerabilities in poorly-written
- programs. The argument may be a double-quoted, space-
- separated list or a single value without double-quotes.
- The list can be replaced, added to, deleted from, or
- disabled by using the =, +=, -=, and ! operators
- respectively. Regardless of whether the env_reset
- option is enabled or disabled, variables specified by
- env_check will be preserved in the environment if they
- pass the aforementioned check. The default list of
- environment variables to check is displayed when s�su�ud�do�o
- is run by root with the -�-V�V option.
+ programs. The TZ variable is considerd unsafe if any
+ of the following are true:
+
+ +�+�o�o It consists of a fully-qualified path name,
+ optionally prefixed with a colon (`:'), that does
+ not match the location of the _�z_�o_�n_�e_�i_�n_�f_�o directory.
+
+ +�+�o�o It contains a _�._�. path element.
+
+ +�+�o�o It contains white space or non-printable
+ characters.
+
+ +�+�o�o It is longer than the value of PATH_MAX.
+
+ The argument may be a double-quoted, space-separated
+ list or a single value without double-quotes. The list
+ can be replaced, added to, deleted from, or disabled by
+ using the =, +=, -=, and ! operators respectively.
+ Regardless of whether the env_reset option is enabled
+ or disabled, variables specified by env_check will be
+ preserved in the environment if they pass the
+ aforementioned check. The default list of environment
+ variables to check is displayed when s�su�ud�do�o is run by
+ root with the -�-V�V option.
env_delete Environment variables to be removed from the user's
environment when the _�e_�n_�v_�__�r_�e_�s_�e_�t option is not in effect.
diff -up sudo-1.8.6p7/doc/sudoers.man.in.CVE-2014-9680 sudo-1.8.6p7/doc/sudoers.man.in
--- sudo-1.8.6p7/doc/sudoers.man.in.CVE-2014-9680 2015-07-05 13:44:11.586596402 +0200
+++ sudo-1.8.6p7/doc/sudoers.man.in 2015-07-05 13:44:11.611596027 +0200
@@ -3002,14 +3002,47 @@ The default value is
\fBLists that can be used in a boolean context\fR:
.TP 18n
env_check
-Environment variables to be removed from the user's environment if
-the variable's value contains
-`%'
+ Environment variables to be removed from the user's environment if
+unless they are considered
+\(lqsafe\(rq.
+For all variables except
+\fRTZ\fR,
+\(lqsafe\(rq
+means that the variable's value does not contain any
+\(oq%\(cq
or
-`/'
+\(oq/\(cq
characters.
This can be used to guard against printf-style format vulnerabilities
in poorly-written programs.
+The
+\fRTZ\fR
+variable is considerd unsafe if any of the following are true:
+.PP
+.RS 18n
+.PD 0
+.TP 4n
+\fB\(bu\fR
+It consists of a fully-qualified path name,
+optionally prefixed with a colon
+(\(oq:\&\(cq),
+that does not match the location of the
+\fIzoneinfo\fR
+directory.
+.PD
+.TP 4n
+\fB\(bu\fR
+It contains a
+\fI..\fR
+path element.
+.TP 4n
+\fB\(bu\fR
+It contains white space or non-printable characters.
+.TP 4n
+\fB\(bu\fR
+It is longer than the value of
+\fRPATH_MAX\fR.
+.PP
The argument may be a double-quoted, space-separated list or a
single value without double-quotes.
The list can be replaced, added to, deleted from, or disabled by using
@@ -3031,6 +3064,7 @@ is run by root with
the
\fB\-V\fR
option.
+.RE
.TP 18n
env_delete
Environment variables to be removed from the user's environment when the
diff -up sudo-1.8.6p7/doc/sudoers.mdoc.in.CVE-2014-9680 sudo-1.8.6p7/doc/sudoers.mdoc.in
--- sudo-1.8.6p7/doc/sudoers.mdoc.in.CVE-2014-9680 2015-07-05 13:44:11.586596402 +0200
+++ sudo-1.8.6p7/doc/sudoers.mdoc.in 2015-07-05 13:44:11.611596027 +0200
@@ -2791,13 +2791,40 @@ The default value is
.Bl -tag -width 16n
.It env_check
Environment variables to be removed from the user's environment if
-the variable's value contains
+unless they are considered
+.Dq safe .
+For all variables except
+.Li TZ ,
+.Dq safe
+means that the variable's value does not contain any
.Ql %
or
.Ql /
characters.
This can be used to guard against printf-style format vulnerabilities
in poorly-written programs.
+The
+.Li TZ
+variable is considerd unsafe if any of the following are true:
+.Bl -bullet
+.It
+It consists of a fully-qualified path name,
+optionally prefixed with a colon
+.Pq Ql :\& ,
+that does not match the location of the
+.Pa zoneinfo
+directory.
+.It
+It contains a
+.Pa ..
+path element.
+.It
+It contains white space or non-printable characters.
+.It
+It is longer than the value of
+.Li PATH_MAX .
+.El
+.Pp
The argument may be a double-quoted, space-separated list or a
single value without double-quotes.
The list can be replaced, added to, deleted from, or disabled by using
diff -up sudo-1.8.6p7/INSTALL.CVE-2014-9680 sudo-1.8.6p7/INSTALL
--- sudo-1.8.6p7/INSTALL.CVE-2014-9680 2013-02-25 20:42:43.000000000 +0100
+++ sudo-1.8.6p7/INSTALL 2015-07-05 13:44:11.611596027 +0200
@@ -461,6 +461,16 @@ The following options are also configura
Override the default location of the sudo timestamp directory and
use "path" instead.
+ --with-tzdir=DIR
+ Set the directory to the system's time zone data files. This
+ is only used when sanitizing the TZ environment variable to
+ allow for fully-qualified paths in TZ.
+ By default, configure will look for an existing "zoneinfo"
+ directory in the following locations:
+ /usr/share /usr/share/lib /usr/lib /etc
+ If no zoneinfo directory is found, the TZ variable may not
+ contain a fully-qualified path.
+
--with-sendmail=PATH
Override configure's guess as to the location of sendmail.
diff -up sudo-1.8.6p7/pathnames.h.in.CVE-2014-9680 sudo-1.8.6p7/pathnames.h.in
--- sudo-1.8.6p7/pathnames.h.in.CVE-2014-9680 2012-09-18 15:56:28.000000000 +0200
+++ sudo-1.8.6p7/pathnames.h.in 2015-07-05 13:44:11.612596011 +0200
@@ -168,3 +168,7 @@
#ifndef _PATH_NETSVC_CONF
#undef _PATH_NETSVC_CONF
#endif /* _PATH_NETSVC_CONF */
+
+#ifndef _PATH_ZONEINFO
+# undef _PATH_ZONEINFO
+#endif /* _PATH_ZONEINFO */
diff -up sudo-1.8.6p7/plugins/sudoers/env.c.CVE-2014-9680 sudo-1.8.6p7/plugins/sudoers/env.c
--- sudo-1.8.6p7/plugins/sudoers/env.c.CVE-2014-9680 2013-02-25 20:42:44.000000000 +0100
+++ sudo-1.8.6p7/plugins/sudoers/env.c 2015-07-05 13:44:11.612596011 +0200
@@ -198,6 +198,7 @@ static const char *initial_checkenv_tabl
"LC_*",
"LINGUAS",
"TERM",
+ "TZ",
NULL
};
@@ -213,7 +214,6 @@ static const char *initial_keepenv_table
"PATH",
"PS1",
"PS2",
- "TZ",
"XAUTHORITY",
"XAUTHORIZATION",
NULL
@@ -584,6 +584,54 @@ matches_env_delete(const char *var)
}
/*
+ * Sanity-check the TZ environment variable.
+ * On many systems it is possible to set this to a pathname.
+ */
+static bool
+tz_is_sane(const char *tzval)
+{
+ const char *cp;
+ char lastch;
+ debug_decl(tz_is_sane, SUDO_DEBUG_ENV)
+
+ /* tzcode treats a value beginning with a ':' as a path. */
+ if (tzval[0] == ':')
+ tzval++;
+
+ /* Reject fully-qualified TZ that doesn't being with the zoneinfo dir. */
+ if (tzval[0] == '/') {
+#ifdef _PATH_ZONEINFO
+ if (strncmp(tzval, _PATH_ZONEINFO, sizeof(_PATH_ZONEINFO) - 1) != 0 ||
+ tzval[sizeof(_PATH_ZONEINFO) - 1] != '/')
+ debug_return_bool(false);
+#else
+ /* Assume the worst. */
+ debug_return_bool(false);
+#endif
+ }
+
+ /*
+ * Make sure TZ only contains printable non-space characters
+ * and does not contain a '..' path element.
+ */
+ lastch = '/';
+ for (cp = tzval; *cp != '\0'; cp++) {
+ if (isspace((unsigned char)*cp) || !isprint((unsigned char)*cp))
+ debug_return_bool(false);
+ if (lastch == '/' && cp[0] == '.' && cp[1] == '.' &&
+ (cp[2] == '/' || cp[2] == '\0'))
+ debug_return_bool(false);
+ lastch = *cp;
+ }
+
+ /* Reject extra long TZ values (even if not a path). */
+ if ((size_t)(cp - tzval) >= PATH_MAX)
+ debug_return_bool(false);
+
+ debug_return_bool(true);
+}
+
+/*
* Apply the env_check list.
* Returns true if the variable is allowed, false if denied
* or -1 if no match.
@@ -607,8 +655,13 @@ matches_env_check(const char *var)
iswild = false;
if (strncmp(cur->value, var, len) == 0 &&
(iswild || var[len] == '=')) {
+ if (strncmp(var, "TZ=", 3) == 0 ) {
+ /* Sperial case for TZ */
+ keepit = tz_is_sane(var + 3);
+ } else {
keepit = !strpbrk(var, "/%");
- break;
+ }
+ break;
}
}
debug_return_bool(keepit);