From 63ace7c21200794709176bfefb05f0c37fee5a37 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: May 30 2017 15:56:16 +0000 Subject: import sudo-1.8.6p7-22.el7_3 --- diff --git a/SOURCES/sudo-1.8.6p7-tty-name-parsing.patch b/SOURCES/sudo-1.8.6p7-tty-name-parsing.patch new file mode 100644 index 0000000..fb852a4 --- /dev/null +++ b/SOURCES/sudo-1.8.6p7-tty-name-parsing.patch @@ -0,0 +1,29 @@ +diff -up sudo-1.8.6p7/src/ttyname.c.get_process_ttyname sudo-1.8.6p7/src/ttyname.c +--- sudo-1.8.6p7/src/ttyname.c.get_process_ttyname 2013-02-25 20:46:09.000000000 +0100 ++++ sudo-1.8.6p7/src/ttyname.c 2017-05-25 10:23:28.720850944 +0200 +@@ -171,6 +171,8 @@ static char *search_devs[] = { + + static char *ignore_devs[] = { + "/dev/fd/", ++ "/dev/mqueue/", ++ "/dev/shm/", + "/dev/stdin", + "/dev/stdout", + "/dev/stderr", +@@ -437,9 +439,13 @@ get_process_ttyname(void) + len = getline(&line, &linesize, fp); + fclose(fp); + if (len != -1) { +- /* Field 7 is the tty dev (0 if no tty) */ +- char *cp = line; +- int field = 1; ++ /* ++ * Field 7 is the tty dev (0 if no tty). ++ * Since the process name at field 2 "(comm)" may include spaces, ++ * start at the last ')' found. ++ */ ++ char *cp = strrchr(line, ')'); ++ int field = 2; + while (*cp != '\0') { + if (*cp++ == ' ') { + if (++field == 7) { diff --git a/SPECS/sudo.spec b/SPECS/sudo.spec index b78c293..eb01223 100644 --- a/SPECS/sudo.spec +++ b/SPECS/sudo.spec @@ -1,7 +1,7 @@ Summary: Allows restricted root access for specified users Name: sudo Version: 1.8.6p7 -Release: 21%{?dist} +Release: 22%{?dist} License: ISC Group: Applications/System URL: http://www.courtesan.com/sudo/ @@ -146,6 +146,9 @@ Patch56: sudo-1.8.6p7-digest_race_doc.patch Patch57: sudo-1.8.6p3-visudo-quiet-flag.patch # 1391939 - CVE-2016-7032 CVE-2016-7076 sudo: various flaws [rhel-7.4] Patch58: sudo-1.8.6p7-noexec-update.patch +# 1455401 - CVE-2017-1000367 sudo: Privilege escalation in via improper get_process_ttyname() parsing [rhel-7.3.z] +Patch59: sudo-1.8.6p7-tty-name-parsing.patch + %description Sudo (superuser do) allows a system administrator to give certain @@ -228,6 +231,7 @@ plugins that use %{name}. %patch56 -p1 -b .digest_race_doc %patch57 -p1 -b .visudo-quiet-flag %patch58 -p1 -b .noexec-update +%patch59 -p1 -b .tty-parsing %build autoreconf -I m4 -fv --install @@ -349,6 +353,10 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/sudo_plugin.8* %changelog +* Mon May 29 2017 Radovan Sroka - 1.8.6p7-22 +- Fixes CVE-2017-1000367 sudo: Privilege escalation in via improper get_process_ttyname() parsing [rhel-7.3.z] + Resolves: rhbz#1455401 + * Wed Nov 23 2016 Daniel Kopecek - 1.8.6p7-21 - Update noexec syscall blacklist - Fixes CVE-2016-7032 and CVE-2016-7076