diff --git a/SOURCES/sudo-1.8.28-CVE-strtouid-test.patch b/SOURCES/sudo-1.8.28-CVE-strtouid-test.patch new file mode 100644 index 0000000..0ae387a --- /dev/null +++ b/SOURCES/sudo-1.8.28-CVE-strtouid-test.patch @@ -0,0 +1,96 @@ +diff -up ./lib/util/regress/atofoo/atofoo_test.c.CVE-strtouid-test ./lib/util/regress/atofoo/atofoo_test.c +--- ./lib/util/regress/atofoo/atofoo_test.c.CVE-strtouid-test 2018-04-29 21:59:23.000000000 +0200 ++++ ./lib/util/regress/atofoo/atofoo_test.c 2019-10-16 09:38:31.851404545 +0200 +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2014 Todd C. Miller ++ * Copyright (c) 2014-2019 Todd C. Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above +@@ -24,6 +24,7 @@ + #else + # include "compat/stdbool.h" + #endif ++#include + + #include "sudo_compat.h" + #include "sudo_util.h" +@@ -78,15 +79,20 @@ static struct strtoid_data { + id_t id; + const char *sep; + const char *ep; ++ int errnum; + } strtoid_data[] = { +- { "0,1", 0, ",", "," }, +- { "10", 10, NULL, NULL }, +- { "-2", -2, NULL, NULL }, ++ { "0,1", 0, ",", ",", 0 }, ++ { "10", 10, NULL, NULL, 0 }, ++ { "-1", 0, NULL, NULL, EINVAL }, ++ { "4294967295", 0, NULL, NULL, EINVAL }, ++ { "4294967296", 0, NULL, NULL, ERANGE }, ++ { "-2147483649", 0, NULL, NULL, ERANGE }, ++ { "-2", -2, NULL, NULL, 0 }, + #if SIZEOF_ID_T != SIZEOF_LONG_LONG +- { "-2", (id_t)4294967294U, NULL, NULL }, ++ { "-2", (id_t)4294967294U, NULL, NULL, 0 }, + #endif +- { "4294967294", (id_t)4294967294U, NULL, NULL }, +- { NULL, 0, NULL, NULL } ++ { "4294967294", (id_t)4294967294U, NULL, NULL, 0 }, ++ { NULL, 0, NULL, NULL, 0 } + }; + + static int +@@ -102,11 +108,23 @@ test_strtoid(int *ntests) + (*ntests)++; + errstr = "some error"; + value = sudo_strtoid(d->idstr, d->sep, &ep, &errstr); +- if (errstr != NULL) { +- if (d->id != (id_t)-1) { +- sudo_warnx_nodebug("FAIL: %s: %s", d->idstr, errstr); ++ if (d->errnum != 0) { ++ if (errstr == NULL) { ++ sudo_warnx_nodebug("FAIL: %s: missing errstr for errno %d", ++ d->idstr, d->errnum); ++ errors++; ++ } else if (value != 0) { ++ sudo_warnx_nodebug("FAIL: %s should return 0 on error", ++ d->idstr); ++ errors++; ++ } else if (errno != d->errnum) { ++ sudo_warnx_nodebug("FAIL: %s: errno mismatch, %d != %d", ++ d->idstr, errno, d->errnum); + errors++; + } ++ } else if (errstr != NULL) { ++ sudo_warnx_nodebug("FAIL: %s: %s", d->idstr, errstr); ++ errors++; + } else if (value != d->id) { + sudo_warnx_nodebug("FAIL: %s != %u", d->idstr, (unsigned int)d->id); + errors++; +diff -up ./plugins/sudoers/regress/testsudoers/test5.out.ok.CVE-strtouid-test ./plugins/sudoers/regress/testsudoers/test5.out.ok +--- ./plugins/sudoers/regress/testsudoers/test5.out.ok.CVE-strtouid-test 2018-04-29 21:59:23.000000000 +0200 ++++ ./plugins/sudoers/regress/testsudoers/test5.out.ok 2019-10-16 09:29:50.246761680 +0200 +@@ -4,7 +4,7 @@ Parse error in sudoers near line 1. + Entries for user root: + + Command unmatched +-testsudoers: test5.inc should be owned by gid 4294967295 ++testsudoers: test5.inc should be owned by gid 4294967294 + Parse error in sudoers near line 1. + + Entries for user root: +diff -up ./plugins/sudoers/regress/testsudoers/test5.sh.CVE-strtouid-test ./plugins/sudoers/regress/testsudoers/test5.sh +--- ./plugins/sudoers/regress/testsudoers/test5.sh.CVE-strtouid-test 2018-04-29 21:59:23.000000000 +0200 ++++ ./plugins/sudoers/regress/testsudoers/test5.sh 2019-10-16 09:29:50.246761680 +0200 +@@ -24,7 +24,7 @@ EOF + + # Test group writable + chmod 664 $TESTFILE +-./testsudoers -U $MYUID -G -1 root id < ++ * Copyright (c) 2013-2019 Todd C. Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above +@@ -47,6 +47,27 @@ + #include "sudo_util.h" + + /* ++ * Make sure that the ID ends with a valid separator char. ++ */ ++static bool ++valid_separator(const char *p, const char *ep, const char *sep) ++{ ++ bool valid = false; ++ debug_decl(valid_separator, SUDO_DEBUG_UTIL) ++ ++ if (ep != p) { ++ /* check for valid separator (including '\0') */ ++ if (sep == NULL) ++ sep = ""; ++ do { ++ if (*ep == *sep) ++ valid = true; ++ } while (*sep++ != '\0'); ++ } ++ debug_return_bool(valid); ++} ++ ++/* + * Parse a uid/gid in string form. + * If sep is non-NULL, it contains valid separator characters (e.g. comma, space) + * If endp is non-NULL it is set to the next char after the ID. +@@ -60,38 +81,35 @@ sudo_strtoid_v1(const char *p, const cha + char *ep; + id_t ret = 0; + long long llval; +- bool valid = false; + debug_decl(sudo_strtoid, SUDO_DEBUG_UTIL) + + /* skip leading space so we can pick up the sign, if any */ + while (isspace((unsigned char)*p)) + p++; +- if (sep == NULL) +- sep = ""; ++ ++ /* While id_t may be 64-bit signed, uid_t and gid_t are 32-bit unsigned. */ + errno = 0; + llval = strtoll(p, &ep, 10); +- if (ep != p) { +- /* check for valid separator (including '\0') */ +- do { +- if (*ep == *sep) +- valid = true; +- } while (*sep++ != '\0'); ++ if ((errno == ERANGE && llval == LLONG_MAX) || llval > (id_t)UINT_MAX) { ++ errno = ERANGE; ++ if (errstr != NULL) ++ *errstr = N_("value too large"); ++ goto done; + } +- if (!valid) { ++ if ((errno == ERANGE && llval == LLONG_MIN) || llval < INT_MIN) { ++ errno = ERANGE; ++ if (errstr != NULL) ++ *errstr = N_("value too small"); ++ goto done; ++ } ++ ++ /* Disallow id -1, which means "no change". */ ++ if (!valid_separator(p, ep, sep) || llval == -1 || llval == (id_t)UINT_MAX) { + if (errstr != NULL) + *errstr = N_("invalid value"); + errno = EINVAL; + goto done; + } +- if (errno == ERANGE) { +- if (errstr != NULL) { +- if (llval == LLONG_MAX) +- *errstr = N_("value too large"); +- else +- *errstr = N_("value too small"); +- } +- goto done; +- } + ret = (id_t)llval; + if (errstr != NULL) + *errstr = NULL; +@@ -106,30 +124,15 @@ sudo_strtoid_v1(const char *p, const cha + { + char *ep; + id_t ret = 0; +- bool valid = false; + debug_decl(sudo_strtoid, SUDO_DEBUG_UTIL) + + /* skip leading space so we can pick up the sign, if any */ + while (isspace((unsigned char)*p)) + p++; +- if (sep == NULL) +- sep = ""; ++ + errno = 0; + if (*p == '-') { + long lval = strtol(p, &ep, 10); +- if (ep != p) { +- /* check for valid separator (including '\0') */ +- do { +- if (*ep == *sep) +- valid = true; +- } while (*sep++ != '\0'); +- } +- if (!valid) { +- if (errstr != NULL) +- *errstr = N_("invalid value"); +- errno = EINVAL; +- goto done; +- } + if ((errno == ERANGE && lval == LONG_MAX) || lval > INT_MAX) { + errno = ERANGE; + if (errstr != NULL) +@@ -142,28 +145,31 @@ sudo_strtoid_v1(const char *p, const cha + *errstr = N_("value too small"); + goto done; + } +- ret = (id_t)lval; +- } else { +- unsigned long ulval = strtoul(p, &ep, 10); +- if (ep != p) { +- /* check for valid separator (including '\0') */ +- do { +- if (*ep == *sep) +- valid = true; +- } while (*sep++ != '\0'); +- } +- if (!valid) { ++ ++ /* Disallow id -1, which means "no change". */ ++ if (!valid_separator(p, ep, sep) || lval == -1) { + if (errstr != NULL) + *errstr = N_("invalid value"); + errno = EINVAL; + goto done; + } ++ ret = (id_t)lval; ++ } else { ++ unsigned long ulval = strtoul(p, &ep, 10); + if ((errno == ERANGE && ulval == ULONG_MAX) || ulval > UINT_MAX) { + errno = ERANGE; + if (errstr != NULL) + *errstr = N_("value too large"); + goto done; + } ++ ++ /* Disallow id -1, which means "no change". */ ++ if (!valid_separator(p, ep, sep) || ulval == UINT_MAX) { ++ if (errstr != NULL) ++ *errstr = N_("invalid value"); ++ errno = EINVAL; ++ goto done; ++ } + ret = (id_t)ulval; + } + if (errstr != NULL) diff --git a/SOURCES/sudo-1.8.29-CVE-2019-18634-part1.patch b/SOURCES/sudo-1.8.29-CVE-2019-18634-part1.patch new file mode 100644 index 0000000..5b71919 --- /dev/null +++ b/SOURCES/sudo-1.8.29-CVE-2019-18634-part1.patch @@ -0,0 +1,158 @@ +diff -up ./src/tgetpass.c.bla ./src/tgetpass.c +--- ./src/tgetpass.c.bla 2018-08-18 16:10:15.000000000 +0200 ++++ ./src/tgetpass.c 2020-02-05 17:15:16.216904891 +0100 +@@ -44,11 +44,18 @@ + #include "sudo.h" + #include "sudo_plugin.h" + ++enum tgetpass_errval { ++ TGP_ERRVAL_NOERROR, ++ TGP_ERRVAL_TIMEOUT, ++ TGP_ERRVAL_NOPASSWORD, ++ TGP_ERRVAL_READERROR ++}; ++ + static volatile sig_atomic_t signo[NSIG]; + + static bool tty_present(void); + static void tgetpass_handler(int); +-static char *getln(int, char *, size_t, int); ++static char *getln(int, char *, size_t, int, enum tgetpass_errval *); + static char *sudo_askpass(const char *, const char *); + + static int +@@ -77,6 +84,27 @@ suspend(int signo, struct sudo_conv_call + debug_return_int(ret); + } + ++static void ++tgetpass_display_error(enum tgetpass_errval errval) ++{ ++ debug_decl(tgetpass_display_error, SUDO_DEBUG_CONV) ++ ++ switch (errval) { ++ case TGP_ERRVAL_NOERROR: ++ break; ++ case TGP_ERRVAL_TIMEOUT: ++ sudo_warnx(U_("timed out reading password")); ++ break; ++ case TGP_ERRVAL_NOPASSWORD: ++ sudo_warnx(U_("no password was provided")); ++ break; ++ case TGP_ERRVAL_READERROR: ++ sudo_warn(U_("unable to read password")); ++ break; ++ } ++ debug_return; ++} ++ + /* + * Like getpass(3) but with timeout and echo flags. + */ +@@ -90,6 +118,7 @@ tgetpass(const char *prompt, int timeout + static const char *askpass; + static char buf[SUDO_CONV_REPL_MAX + 1]; + int i, input, output, save_errno, neednl = 0, need_restart; ++ enum tgetpass_errval errval; + debug_decl(tgetpass, SUDO_DEBUG_CONV) + + (void) fflush(stdout); +@@ -175,7 +204,7 @@ restart: + + if (timeout > 0) + alarm(timeout); +- pass = getln(input, buf, sizeof(buf), ISSET(flags, TGP_MASK)); ++ pass = getln(input, buf, sizeof(buf), ISSET(flags, TGP_MASK), &errval); + alarm(0); + save_errno = errno; + +@@ -183,6 +212,7 @@ restart: + if (write(output, "\n", 1) == -1) + goto restore; + } ++ tgetpass_display_error(errval); + + restore: + /* Restore old signal handlers. */ +@@ -210,6 +240,8 @@ restore: + for (i = 0; i < NSIG; i++) { + if (signo[i]) { + switch (i) { ++ case SIGALRM: ++ break; + case SIGTSTP: + case SIGTTIN: + case SIGTTOU: +@@ -239,6 +271,7 @@ sudo_askpass(const char *askpass, const + { + static char buf[SUDO_CONV_REPL_MAX + 1], *pass; + struct sigaction sa, savechld; ++ enum tgetpass_errval errval; + int pfd[2], status; + pid_t child; + debug_decl(sudo_askpass, SUDO_DEBUG_CONV) +@@ -281,9 +314,11 @@ sudo_askpass(const char *askpass, const + + /* Get response from child (askpass). */ + (void) close(pfd[1]); +- pass = getln(pfd[0], buf, sizeof(buf), 0); ++ pass = getln(pfd[0], buf, sizeof(buf), 0, &errval); + (void) close(pfd[0]); + ++ tgetpass_display_error(errval); ++ + /* Wait for child to exit. */ + for (;;) { + pid_t rv = waitpid(child, &status, 0); +@@ -305,7 +340,8 @@ sudo_askpass(const char *askpass, const + extern int sudo_term_erase, sudo_term_kill; + + static char * +-getln(int fd, char *buf, size_t bufsiz, int feedback) ++getln(int fd, char *buf, size_t bufsiz, int feedback, ++ enum tgetpass_errval *errval) + { + size_t left = bufsiz; + ssize_t nr = -1; +@@ -313,7 +349,10 @@ getln(int fd, char *buf, size_t bufsiz, + char c = '\0'; + debug_decl(getln, SUDO_DEBUG_CONV) + ++ *errval = TGP_ERRVAL_NOERROR; ++ + if (left == 0) { ++ *errval = TGP_ERRVAL_READERROR; + errno = EINVAL; + debug_return_str(NULL); /* sanity */ + } +@@ -354,14 +393,27 @@ getln(int fd, char *buf, size_t bufsiz, + } + } + +- debug_return_str_masked(nr == 1 ? buf : NULL); ++ if (nr != 1) { ++ if (nr == 0) { ++ *errval = TGP_ERRVAL_NOPASSWORD; ++ } else if (nr == -1) { ++ if (errno == EINTR) { ++ if (signo[SIGALRM] == 1) ++ *errval = TGP_ERRVAL_TIMEOUT; ++ } else { ++ *errval = TGP_ERRVAL_READERROR; ++ } ++ } ++ debug_return_str(NULL); ++ } ++ ++ debug_return_str_masked(buf); + } + + static void + tgetpass_handler(int s) + { +- if (s != SIGALRM) +- signo[s] = 1; ++ signo[s] = 1; + } + + static bool diff --git a/SOURCES/sudo-1.8.29-CVE-2019-18634-part2.patch b/SOURCES/sudo-1.8.29-CVE-2019-18634-part2.patch new file mode 100644 index 0000000..86743ba --- /dev/null +++ b/SOURCES/sudo-1.8.29-CVE-2019-18634-part2.patch @@ -0,0 +1,77 @@ +diff -up ./src/tgetpass.c.CVE-2019-18634 ./src/tgetpass.c +--- ./src/tgetpass.c.CVE-2019-18634 2020-02-05 17:16:07.601420697 +0100 ++++ ./src/tgetpass.c 2020-02-05 17:22:34.206301510 +0100 +@@ -55,7 +55,7 @@ static volatile sig_atomic_t signo[NSIG] + + static bool tty_present(void); + static void tgetpass_handler(int); +-static char *getln(int, char *, size_t, int, enum tgetpass_errval *); ++static char *getln(int, char *, size_t, bool, enum tgetpass_errval *); + static char *sudo_askpass(const char *, const char *); + + static int +@@ -118,6 +118,7 @@ tgetpass(const char *prompt, int timeout + static const char *askpass; + static char buf[SUDO_CONV_REPL_MAX + 1]; + int i, input, output, save_errno, neednl = 0, need_restart; ++ bool feedback = ISSET(flags, TGP_MASK); + enum tgetpass_errval errval; + debug_decl(tgetpass, SUDO_DEBUG_CONV) + +@@ -165,7 +166,7 @@ restart: + */ + if (!ISSET(flags, TGP_ECHO)) { + for (;;) { +- if (ISSET(flags, TGP_MASK)) ++ if (feedback) + neednl = sudo_term_cbreak(input); + else + neednl = sudo_term_noecho(input); +@@ -179,6 +180,9 @@ restart: + } + } + } ++ /* Only use feedback mode when we can disable echo. */ ++ if (!neednl) ++ feedback = false; + + /* + * Catch signals that would otherwise cause the user to end +@@ -204,7 +208,7 @@ restart: + + if (timeout > 0) + alarm(timeout); +- pass = getln(input, buf, sizeof(buf), ISSET(flags, TGP_MASK), &errval); ++ pass = getln(input, buf, sizeof(buf), feedback, &errval); + alarm(0); + save_errno = errno; + +@@ -340,7 +344,7 @@ sudo_askpass(const char *askpass, const + extern int sudo_term_erase, sudo_term_kill; + + static char * +-getln(int fd, char *buf, size_t bufsiz, int feedback, ++getln(int fd, char *buf, size_t bufsiz, bool feedback, + enum tgetpass_errval *errval) + { + size_t left = bufsiz; +@@ -366,15 +370,15 @@ getln(int fd, char *buf, size_t bufsiz, + while (cp > buf) { + if (write(fd, "\b \b", 3) == -1) + break; +- --cp; ++ cp--; + } ++ cp = buf; + left = bufsiz; + continue; + } else if (c == sudo_term_erase) { + if (cp > buf) { +- if (write(fd, "\b \b", 3) == -1) +- break; +- --cp; ++ ignore_result(write(fd, "\b \b", 3)); ++ cp--; + left++; + } + continue; diff --git a/SPECS/sudo.spec b/SPECS/sudo.spec index 1059bdd..6cf7ccd 100644 --- a/SPECS/sudo.spec +++ b/SPECS/sudo.spec @@ -1,7 +1,7 @@ Summary: Allows restricted root access for specified users Name: sudo Version: 1.8.25p1 -Release: 7%{?dist} +Release: 8%{?dist}.1 License: ISC Group: Applications/System URL: http://www.courtesan.com/sudo/ @@ -70,6 +70,14 @@ Patch15: sudo-1.8.25-ldap-backend-parsing-2.patch # Fix special handling of ipa_hostname that was lost in sudo Patch16: sudo-1.8.25-ipa-hostname.patch +# 1760696 - CVE-2019-14287 sudo: Privilege escalation via 'Runas' specification with 'ALL' keyword [rhel-7.8] +Patch17: sudo-1.8.28-CVE-strtouid.patch +Patch18: sudo-1.8.28-CVE-strtouid-test.patch + +# 1798092 - CVE-2019-18634 sudo: Stack based buffer overflow in when pwfeedback is enabled [rhel-8.1.0.z] +Patch19: sudo-1.8.29-CVE-2019-18634-part1.patch +Patch20: sudo-1.8.29-CVE-2019-18634-part2.patch + %description Sudo (superuser do) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands @@ -112,6 +120,12 @@ plugins that use %{name}. %patch15 -p1 -b .ldap-backend2 %patch16 -p1 -b .ipa-hostname +%patch17 -p1 -b .cve-strtouid +%patch18 -p1 -b .cve-strtouid-test + +%patch19 -p1 -b .CVE-2019-18634-part1 +%patch20 -p1 -b .CVE-2019-18634-part2 + %build # Remove bundled copy of zlib rm -rf zlib/ @@ -270,6 +284,16 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/sudo_plugin.8* %changelog +* Wed Feb 05 2020 Radovan Sroka - 1.8.25p1-8.1 +- RHEL 8.1.0.Z ERRATUM +- CVE-2019-18634 +Resolves: rhbz#1798092 + +* Fri Oct 18 2019 Marek Tamaskovic - 1.8.25p1-8 +- RHEL-8.1.0 +- fixed CVE-2019-14287 + Resolves: rhbz#1760696 + * Fri Aug 16 2019 Radovan Sroka - 1.8.25-7 - RHEL 8.1 ERRATUM - sudo ipa_hostname not honored