rpms / sudo

Clone
Source Code
GIT

Files

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8 c8-beta c8s c9 c9-beta
  1.   c8
  2.   SOURCES
  3.   sudo-1.9.12-CVE-2023-22809-backports.patch
Blob Blame History Raw 
diff -up ./plugins/sudoers/editor.c.other ./plugins/sudoers/editor.c
--- ./plugins/sudoers/editor.c.other	2023-01-16 17:37:04.659967300 +0100
+++ ./plugins/sudoers/editor.c	2023-01-16 17:40:35.944400376 +0100
@@ -39,6 +39,82 @@
 #include "sudoers.h"
 
 /*
+ * Non-destructive word-split that handles single and double quotes and
+ * escaped white space.  Quotes are only recognized at the start of a word.
+ * They are treated as normal characters inside a word.
+ */
+static const char *
+wordsplit(const char *str, const char *endstr, const char **last)
+{
+    const char *cp;
+    debug_decl(wordsplit, SUDO_DEBUG_UTIL);
+
+    /* If no str specified, use last ptr (if any). */
+    if (str == NULL) {
+	str = *last;
+	/* Consume end quote if present. */
+	if (*str == '"' || *str == '\'')
+	    str++;
+    }
+
+    /* Skip leading white space characters. */
+    while (str < endstr && (*str == ' ' || *str == '\t'))
+	str++;
+
+    /* Empty string? */
+    if (str >= endstr) {
+	*last = endstr;
+	debug_return_ptr(NULL);
+    }
+
+    /* If word is quoted, skip to end quote and return. */
+    if (*str == '"' || *str == '\'') {
+	const char *endquote = memchr(str + 1, *str, endstr - str);
+	if (endquote != NULL) {
+	    *last = endquote;
+	    debug_return_const_ptr(str + 1);
+	}
+    }
+
+    /* Scan str until we encounter white space. */
+    for (cp = str; cp < endstr; cp++) {
+	if (*cp == '\\') {
+	    /* quoted char, do not interpret */
+	    cp++;
+	    continue;
+	}
+	if (*cp == ' ' || *cp == '\t') {
+	    /* end of word */
+	    break;
+	}
+    }
+    *last = cp;
+    debug_return_const_ptr(str);
+}
+
+/* Copy len chars from string, collapsing chars escaped with a backslash. */
+static char *
+copy_arg(const char *src, size_t len)
+{
+    const char *src_end = src + len;
+    char *copy, *dst;
+    debug_decl(copy_arg, SUDOERS_DEBUG_UTIL);
+
+    if ((copy = malloc(len + 1)) != NULL) {
+	for (dst = copy; src < src_end; ) {
+	    if (*src == '\\') {
+		src++;
+		continue;
+	    }
+	    *dst++ = *src++;
+	}
+	*dst = '\0';
+    }
+
+    debug_return_ptr(copy);
+}
+
+/*
  * Search for the specified editor in the user's PATH, checking
  * the result against allowlist if non-NULL.  An argument vector
  * suitable for execve() is allocated and stored in argv_out.
@@ -52,7 +128,7 @@ static char *
 resolve_editor(const char *ed, size_t edlen, int nfiles, char **files,
     int *argc_out, char ***argv_out, char * const *allowlist)
 {
-    char **nargv, *editor, *editor_path = NULL;
+    char **nargv = NULL, *editor = NULL, *editor_path = NULL;
     const char *cp, *ep, *tmp;
     const char *edend = ed + edlen;
     struct stat user_editor_sb;
@@ -64,14 +140,12 @@ resolve_editor(const char *ed, size_t ed
      * The EDITOR and VISUAL environment variables may contain command
      * line args so look for those and alloc space for them too.
      */
-    cp = sudo_strsplit(ed, edend, " \t", &ep);
+    cp = wordsplit(ed, edend, &ep);
     if (cp == NULL)
 	debug_return_str(NULL);
-    editor = strndup(cp, (size_t)(ep - cp));
-    if (editor == NULL) {
-	sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
-	debug_return_str(NULL);
-    }
+    editor = copy_arg(cp, ep - cp);
+    if (editor == NULL)
+        goto oom;
 
     /* If we can't find the editor in the user's PATH, give up. */
     if (find_path(editor, &editor_path, &user_editor_sb, getenv("PATH"), 0, allowlist) != FOUND) {
@@ -81,30 +155,22 @@ resolve_editor(const char *ed, size_t ed
     }
 
     /* Count rest of arguments and allocate editor argv. */
-    for (nargc = 1, tmp = ep; sudo_strsplit(NULL, edend, " \t", &tmp) != NULL; )
+    for (nargc = 1, tmp = ep; wordsplit(NULL, edend, &tmp) != NULL; )
 	nargc++;
     if (nfiles != 0)
 	nargc += nfiles + 1;
     nargv = reallocarray(NULL, nargc + 1, sizeof(char *));
-    if (nargv == NULL) {
-	sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
-	free(editor);
-	free(editor_path);
-	debug_return_str(NULL);
-    }
+    if (nargv == NULL)
+	goto oom;
 
     /* Fill in editor argv (assumes files[] is NULL-terminated). */
     nargv[0] = editor;
-    for (nargc = 1; (cp = sudo_strsplit(NULL, edend, " \t", &ep)) != NULL; nargc++) {
-	nargv[nargc] = strndup(cp, (size_t)(ep - cp));
-	if (nargv[nargc] == NULL) {
-	    sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
-	    free(editor_path);
-	    while (nargc--)
-		free(nargv[nargc]);
-	    free(nargv);
-	    debug_return_str(NULL);
-	}
+    editor = NULL;
+    for (nargc = 1; (cp = wordsplit(NULL, edend, &ep)) != NULL; nargc++) {
+	/* Copy string, collapsing chars escaped with a backslash. */
+	nargv[nargc] = copy_arg(cp, ep - cp);
+	if (nargv[nargc] == NULL)
+	    goto oom;
     }
     if (nfiles != 0) {
 	nargv[nargc++] = "--";
@@ -116,6 +182,16 @@ resolve_editor(const char *ed, size_t ed
     *argc_out = nargc;
     *argv_out = nargv;
     debug_return_str(editor_path);
+oom:
+    sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+    free(editor);
+    free(editor_path);
+    if (nargv != NULL) {
+	while (nargc--)
+	    free(nargv[nargc]);
+	free(nargv);
+    }
+    debug_return_str(NULL);
 }
 
 /*

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation