diff --git a/SOURCES/sudo-1.8.28-CVE-strtouid-test.patch b/SOURCES/sudo-1.8.28-CVE-strtouid-test.patch deleted file mode 100644 index 0ae387a..0000000 --- a/SOURCES/sudo-1.8.28-CVE-strtouid-test.patch +++ /dev/null @@ -1,96 +0,0 @@ -diff -up ./lib/util/regress/atofoo/atofoo_test.c.CVE-strtouid-test ./lib/util/regress/atofoo/atofoo_test.c ---- ./lib/util/regress/atofoo/atofoo_test.c.CVE-strtouid-test 2018-04-29 21:59:23.000000000 +0200 -+++ ./lib/util/regress/atofoo/atofoo_test.c 2019-10-16 09:38:31.851404545 +0200 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2014 Todd C. Miller -+ * Copyright (c) 2014-2019 Todd C. Miller - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above -@@ -24,6 +24,7 @@ - #else - # include "compat/stdbool.h" - #endif -+#include - - #include "sudo_compat.h" - #include "sudo_util.h" -@@ -78,15 +79,20 @@ static struct strtoid_data { - id_t id; - const char *sep; - const char *ep; -+ int errnum; - } strtoid_data[] = { -- { "0,1", 0, ",", "," }, -- { "10", 10, NULL, NULL }, -- { "-2", -2, NULL, NULL }, -+ { "0,1", 0, ",", ",", 0 }, -+ { "10", 10, NULL, NULL, 0 }, -+ { "-1", 0, NULL, NULL, EINVAL }, -+ { "4294967295", 0, NULL, NULL, EINVAL }, -+ { "4294967296", 0, NULL, NULL, ERANGE }, -+ { "-2147483649", 0, NULL, NULL, ERANGE }, -+ { "-2", -2, NULL, NULL, 0 }, - #if SIZEOF_ID_T != SIZEOF_LONG_LONG -- { "-2", (id_t)4294967294U, NULL, NULL }, -+ { "-2", (id_t)4294967294U, NULL, NULL, 0 }, - #endif -- { "4294967294", (id_t)4294967294U, NULL, NULL }, -- { NULL, 0, NULL, NULL } -+ { "4294967294", (id_t)4294967294U, NULL, NULL, 0 }, -+ { NULL, 0, NULL, NULL, 0 } - }; - - static int -@@ -102,11 +108,23 @@ test_strtoid(int *ntests) - (*ntests)++; - errstr = "some error"; - value = sudo_strtoid(d->idstr, d->sep, &ep, &errstr); -- if (errstr != NULL) { -- if (d->id != (id_t)-1) { -- sudo_warnx_nodebug("FAIL: %s: %s", d->idstr, errstr); -+ if (d->errnum != 0) { -+ if (errstr == NULL) { -+ sudo_warnx_nodebug("FAIL: %s: missing errstr for errno %d", -+ d->idstr, d->errnum); -+ errors++; -+ } else if (value != 0) { -+ sudo_warnx_nodebug("FAIL: %s should return 0 on error", -+ d->idstr); -+ errors++; -+ } else if (errno != d->errnum) { -+ sudo_warnx_nodebug("FAIL: %s: errno mismatch, %d != %d", -+ d->idstr, errno, d->errnum); - errors++; - } -+ } else if (errstr != NULL) { -+ sudo_warnx_nodebug("FAIL: %s: %s", d->idstr, errstr); -+ errors++; - } else if (value != d->id) { - sudo_warnx_nodebug("FAIL: %s != %u", d->idstr, (unsigned int)d->id); - errors++; -diff -up ./plugins/sudoers/regress/testsudoers/test5.out.ok.CVE-strtouid-test ./plugins/sudoers/regress/testsudoers/test5.out.ok ---- ./plugins/sudoers/regress/testsudoers/test5.out.ok.CVE-strtouid-test 2018-04-29 21:59:23.000000000 +0200 -+++ ./plugins/sudoers/regress/testsudoers/test5.out.ok 2019-10-16 09:29:50.246761680 +0200 -@@ -4,7 +4,7 @@ Parse error in sudoers near line 1. - Entries for user root: - - Command unmatched --testsudoers: test5.inc should be owned by gid 4294967295 -+testsudoers: test5.inc should be owned by gid 4294967294 - Parse error in sudoers near line 1. - - Entries for user root: -diff -up ./plugins/sudoers/regress/testsudoers/test5.sh.CVE-strtouid-test ./plugins/sudoers/regress/testsudoers/test5.sh ---- ./plugins/sudoers/regress/testsudoers/test5.sh.CVE-strtouid-test 2018-04-29 21:59:23.000000000 +0200 -+++ ./plugins/sudoers/regress/testsudoers/test5.sh 2019-10-16 09:29:50.246761680 +0200 -@@ -24,7 +24,7 @@ EOF - - # Test group writable - chmod 664 $TESTFILE --./testsudoers -U $MYUID -G -1 root id < -+ * Copyright (c) 2013-2019 Todd C. Miller - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above -@@ -47,6 +47,27 @@ - #include "sudo_util.h" - - /* -+ * Make sure that the ID ends with a valid separator char. -+ */ -+static bool -+valid_separator(const char *p, const char *ep, const char *sep) -+{ -+ bool valid = false; -+ debug_decl(valid_separator, SUDO_DEBUG_UTIL) -+ -+ if (ep != p) { -+ /* check for valid separator (including '\0') */ -+ if (sep == NULL) -+ sep = ""; -+ do { -+ if (*ep == *sep) -+ valid = true; -+ } while (*sep++ != '\0'); -+ } -+ debug_return_bool(valid); -+} -+ -+/* - * Parse a uid/gid in string form. - * If sep is non-NULL, it contains valid separator characters (e.g. comma, space) - * If endp is non-NULL it is set to the next char after the ID. -@@ -60,38 +81,35 @@ sudo_strtoid_v1(const char *p, const cha - char *ep; - id_t ret = 0; - long long llval; -- bool valid = false; - debug_decl(sudo_strtoid, SUDO_DEBUG_UTIL) - - /* skip leading space so we can pick up the sign, if any */ - while (isspace((unsigned char)*p)) - p++; -- if (sep == NULL) -- sep = ""; -+ -+ /* While id_t may be 64-bit signed, uid_t and gid_t are 32-bit unsigned. */ - errno = 0; - llval = strtoll(p, &ep, 10); -- if (ep != p) { -- /* check for valid separator (including '\0') */ -- do { -- if (*ep == *sep) -- valid = true; -- } while (*sep++ != '\0'); -+ if ((errno == ERANGE && llval == LLONG_MAX) || llval > (id_t)UINT_MAX) { -+ errno = ERANGE; -+ if (errstr != NULL) -+ *errstr = N_("value too large"); -+ goto done; - } -- if (!valid) { -+ if ((errno == ERANGE && llval == LLONG_MIN) || llval < INT_MIN) { -+ errno = ERANGE; -+ if (errstr != NULL) -+ *errstr = N_("value too small"); -+ goto done; -+ } -+ -+ /* Disallow id -1, which means "no change". */ -+ if (!valid_separator(p, ep, sep) || llval == -1 || llval == (id_t)UINT_MAX) { - if (errstr != NULL) - *errstr = N_("invalid value"); - errno = EINVAL; - goto done; - } -- if (errno == ERANGE) { -- if (errstr != NULL) { -- if (llval == LLONG_MAX) -- *errstr = N_("value too large"); -- else -- *errstr = N_("value too small"); -- } -- goto done; -- } - ret = (id_t)llval; - if (errstr != NULL) - *errstr = NULL; -@@ -106,30 +124,15 @@ sudo_strtoid_v1(const char *p, const cha - { - char *ep; - id_t ret = 0; -- bool valid = false; - debug_decl(sudo_strtoid, SUDO_DEBUG_UTIL) - - /* skip leading space so we can pick up the sign, if any */ - while (isspace((unsigned char)*p)) - p++; -- if (sep == NULL) -- sep = ""; -+ - errno = 0; - if (*p == '-') { - long lval = strtol(p, &ep, 10); -- if (ep != p) { -- /* check for valid separator (including '\0') */ -- do { -- if (*ep == *sep) -- valid = true; -- } while (*sep++ != '\0'); -- } -- if (!valid) { -- if (errstr != NULL) -- *errstr = N_("invalid value"); -- errno = EINVAL; -- goto done; -- } - if ((errno == ERANGE && lval == LONG_MAX) || lval > INT_MAX) { - errno = ERANGE; - if (errstr != NULL) -@@ -142,28 +145,31 @@ sudo_strtoid_v1(const char *p, const cha - *errstr = N_("value too small"); - goto done; - } -- ret = (id_t)lval; -- } else { -- unsigned long ulval = strtoul(p, &ep, 10); -- if (ep != p) { -- /* check for valid separator (including '\0') */ -- do { -- if (*ep == *sep) -- valid = true; -- } while (*sep++ != '\0'); -- } -- if (!valid) { -+ -+ /* Disallow id -1, which means "no change". */ -+ if (!valid_separator(p, ep, sep) || lval == -1) { - if (errstr != NULL) - *errstr = N_("invalid value"); - errno = EINVAL; - goto done; - } -+ ret = (id_t)lval; -+ } else { -+ unsigned long ulval = strtoul(p, &ep, 10); - if ((errno == ERANGE && ulval == ULONG_MAX) || ulval > UINT_MAX) { - errno = ERANGE; - if (errstr != NULL) - *errstr = N_("value too large"); - goto done; - } -+ -+ /* Disallow id -1, which means "no change". */ -+ if (!valid_separator(p, ep, sep) || ulval == UINT_MAX) { -+ if (errstr != NULL) -+ *errstr = N_("invalid value"); -+ errno = EINVAL; -+ goto done; -+ } - ret = (id_t)ulval; - } - if (errstr != NULL) diff --git a/SPECS/sudo.spec b/SPECS/sudo.spec index e550d0d..1059bdd 100644 --- a/SPECS/sudo.spec +++ b/SPECS/sudo.spec @@ -1,7 +1,7 @@ Summary: Allows restricted root access for specified users Name: sudo Version: 1.8.25p1 -Release: 8%{?dist} +Release: 7%{?dist} License: ISC Group: Applications/System URL: http://www.courtesan.com/sudo/ @@ -70,10 +70,6 @@ Patch15: sudo-1.8.25-ldap-backend-parsing-2.patch # Fix special handling of ipa_hostname that was lost in sudo Patch16: sudo-1.8.25-ipa-hostname.patch -# 1760696 - CVE-2019-14287 sudo: Privilege escalation via 'Runas' specification with 'ALL' keyword [rhel-7.8] -Patch17: sudo-1.8.28-CVE-strtouid.patch -Patch18: sudo-1.8.28-CVE-strtouid-test.patch - %description Sudo (superuser do) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands @@ -116,9 +112,6 @@ plugins that use %{name}. %patch15 -p1 -b .ldap-backend2 %patch16 -p1 -b .ipa-hostname -%patch17 -p1 -b .cve-strtouid -%patch18 -p1 -b .cve-strtouid-test - %build # Remove bundled copy of zlib rm -rf zlib/ @@ -277,12 +270,6 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/sudo_plugin.8* %changelog -* Fri Oct 18 2019 Marek Tamaskovic - 1.8.25p1-8 -- RHEL-8.1.0 -- fixed CVE-2019-14287 - Resolves: rhbz#1760696 - - * Fri Aug 16 2019 Radovan Sroka - 1.8.25-7 - RHEL 8.1 ERRATUM - sudo ipa_hostname not honored