This patch will upgrade Sudo version 1.8.20 to Sudo version 1.8.20 patchlevel 1. To apply: $ cd sudo-1.8.20 $ patch -p1 < sudo-1.8.20p1.patch diff -urNa sudo-1.8.20/ChangeLog sudo-1.8.20p1/ChangeLog --- sudo-1.8.20/ChangeLog Wed May 10 09:40:15 2017 +++ sudo-1.8.20p1/ChangeLog Mon May 29 14:38:48 2017 @@ -1,3 +1,27 @@ +2017-05-29 Todd C. Miller + + * NEWS, configure, configure.ac: + Sudo 1.8.20p1 + [94d010e2bb50] [SUDO_1_8_20p1] <1.8> + + * src/ttyname.c: + Fix for CVE-2017-1000367, parsing of /proc/pid/stat on Linux when + the process name contains spaces. Since the user has control over + the command name this could be used by a user with sudo access to + overwrite an arbitrary file. Thanks to Qualys for investigating and + reporting this bug. + + Also stop performing a breadth-first traversal of /dev when looking + for the device. Only the directories specified in search_devs[] are + checked. + [d5dd22356194] <1.8> + +2017-05-11 Todd C. Miller + + * plugins/sudoers/Makefile.in: + Fix "make check" when openssl or gcrypt is used. Bug #787 + [fd76c0bd8b80] <1.8> + 2017-05-10 Todd C. Miller * plugins/sudoers/sudoreplay.c: diff -urNa sudo-1.8.20/NEWS sudo-1.8.20p1/NEWS --- sudo-1.8.20/NEWS Wed May 10 09:38:43 2017 +++ sudo-1.8.20p1/NEWS Mon May 29 14:36:13 2017 
@@ -1,3 +1,16 @@ +What's new in Sudo 1.8.20p1 + + * Fixed "make check" when using OpenSSL or GNU crypt. + Bug #787. + + * Fixed CVE-2017-1000367, a bug parsing /proc/pid/stat on Linux + when the process name contains spaces. Since the user has control + over the command name, this could potentially be used by a user + with sudo access to overwrite an arbitrary file on systems with + SELinux enabled. Also stop performing a breadth-first traversal + of /dev when looking for the device; only a hard-coded list of + directories are checked, + What's new in Sudo 1.8.20 * Added support for SASL_MECH in ldap.conf. Bug #764 diff -urNa sudo-1.8.20/configure sudo-1.8.20p1/configure --- sudo-1.8.20/configure Wed May 10 09:38:43 2017 +++ sudo-1.8.20p1/configure Mon May 29 14:33:06 2017 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for sudo 1.8.20. +# Generated by GNU Autoconf 2.69 for sudo 1.8.20p1. # # Report bugs to . # @@ -590,8 +590,8 @@ # Identity of this package. PACKAGE_NAME='sudo' PACKAGE_TARNAME='sudo' -PACKAGE_VERSION='1.8.20' -PACKAGE_STRING='sudo 1.8.20' +PACKAGE_VERSION='1.8.20p1' +PACKAGE_STRING='sudo 1.8.20p1' PACKAGE_BUGREPORT='https://bugzilla.sudo.ws/' PACKAGE_URL='' @@ -1534,7 +1534,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures sudo 1.8.20 to adapt to many kinds of systems. +\`configure' configures sudo 1.8.20p1 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1599,7 +1599,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of sudo 1.8.20:";; + short | recursive ) echo "Configuration of sudo 1.8.20p1:";; esac cat <<\_ACEOF 
@@ -1852,7 +1852,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -sudo configure 1.8.20 +sudo configure 1.8.20p1 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2561,7 +2561,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by sudo $as_me 1.8.20, which was +It was created by sudo $as_me 1.8.20p1, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -26943,7 +26943,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by sudo $as_me 1.8.20, which was +This file was extended by sudo $as_me 1.8.20p1, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -27009,7 +27009,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -sudo config.status 1.8.20 +sudo config.status 1.8.20p1 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -urNa sudo-1.8.20/configure.ac sudo-1.8.20p1/configure.ac --- sudo-1.8.20/configure.ac Wed May 10 09:38:43 2017 +++ sudo-1.8.20p1/configure.ac Mon May 29 14:33:06 2017 @@ -4,7 +4,7 @@ dnl Copyright (c) 1994-1996,1998-2017 Todd C. Miller dnl AC_PREREQ([2.59]) -AC_INIT([sudo], [1.8.20], [https://bugzilla.sudo.ws/], [sudo]) +AC_INIT([sudo], [1.8.20p1], [https://bugzilla.sudo.ws/], [sudo]) AC_CONFIG_HEADER([config.h pathnames.h]) AC_CONFIG_SRCDIR([src/sudo.c]) dnl diff -urNa sudo-1.8.20/plugins/sudoers/Makefile.in sudo-1.8.20p1/plugins/sudoers/Makefile.in --- sudo-1.8.20/plugins/sudoers/Makefile.in Wed May 10 09:38:43 2017 +++ sudo-1.8.20p1/plugins/sudoers/Makefile.in Fri May 19 08:42:27 2017 
@@ -175,7 +175,7 @@ CHECK_BASE64_OBJS = check_base64.o base64.o sudoers_debug.o -CHECK_DIGEST_OBJS = check_digest.o filedigest.o digestname.o sudoers_debug.o +CHECK_DIGEST_OBJS = check_digest.o @FILEDIGEST@ digestname.o sudoers_debug.o CHECK_FILL_OBJS = check_fill.o hexchar.o toke_util.o sudoers_debug.o diff -urNa sudo-1.8.20/src/ttyname.c sudo-1.8.20p1/src/ttyname.c --- sudo-1.8.20/src/ttyname.c Wed May 10 09:38:44 2017 +++ sudo-1.8.20p1/src/ttyname.c Mon May 29 14:32:53 2017 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2012-2016 Todd C. Miller + * Copyright (c) 2012-2017 Todd C. Miller * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -145,20 +145,22 @@ } #elif defined(HAVE_STRUCT_PSINFO_PR_TTYDEV) || defined(HAVE_PSTAT_GETPROC) || defined(__linux__) /* - * Devices to search before doing a breadth-first scan. + * Device nodes and directories to search before searching all of /dev */ static char *search_devs[] = { "/dev/console", - "/dev/wscons", - "/dev/pts/", - "/dev/vt/", - "/dev/term/", - "/dev/zcons/", + "/dev/pts/", /* POSIX pty */ + "/dev/vt/", /* Solaris virtual console */ + "/dev/term/", /* Solaris serial ports */ + "/dev/zcons/", /* Solaris zone console */ + "/dev/pty/", /* HP-UX old-style pty */ NULL }; +/* + * Device nodes to ignore when searching all of /dev + */ static char *ignore_devs[] = { - "/dev/fd/", "/dev/stdin", "/dev/stdout", "/dev/stderr", 
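Review bot: search_devs[] now mixes plain device nodes ("/dev/console") with directories, and the only thing distinguishing them is the trailing '/' that sudo_ttyname_dev appears to test after `len = strlen(devname)` (that test itself is outside the visible hunks); the new header comment should state the convention so a future entry is not added without the slash. Suggested comment above the array: `/* Entries ending in '/' are directories scanned one level deep; all other entries are device nodes compared directly. */`. Dropping "/dev/fd/" from ignore_devs[] is consistent with the scan no longer descending, but /dev/fd is still visited as a top-level entry of /dev and, if it is a symlink, stat()ed by what looks like the DT_LNK case in the scan loop; that is harmless because a directory never satisfies S_ISCHR, just worth a line in the comment so the removal is not read as an oversight. Both arrays are file-scope and complete within this hunk.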
@@ -166,16 +168,18 @@ }; /* - * Do a breadth-first scan of dir looking for the specified device. + * Do a scan of a directory looking for the specified device. + * Does not descend into subdirectories. * Returns name on success and NULL on failure, setting errno. */ static char * -sudo_ttyname_scan(const char *dir, dev_t rdev, bool builtin, char *name, size_t namelen) +sudo_ttyname_scan(const char *dir, dev_t rdev, char *name, size_t namelen) { - size_t sdlen, num_subdirs = 0, max_subdirs = 0; - char pathbuf[PATH_MAX], **subdirs = NULL; + size_t sdlen; + char pathbuf[PATH_MAX]; char *ret = NULL; struct dirent *dp; + struct stat sb; unsigned int i; DIR *d = NULL; debug_decl(sudo_ttyname_scan, SUDO_DEBUG_UTIL) @@ -187,6 +191,18 @@ if ((d = opendir(dir)) == NULL) goto done; + if (fstat(dirfd(d), &sb) == -1) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, + "unable to fstat %s", dir); + goto done; + } + if ((sb.st_mode & S_IWOTH) != 0) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, + "ignoring world-writable directory %s", dir); + errno = ENOENT; + goto done; + } + sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO, "scanning for dev %u in %s", (unsigned int)rdev, dir); @@ -224,18 +240,6 @@ } if (ignore_devs[i] != NULL) continue; - if (!builtin) { - /* Skip entries in search_devs; we already checked them. */ - for (i = 0; search_devs[i] != NULL; i++) { - len = strlen(search_devs[i]); - if (search_devs[i][len - 1] == '/') - len--; - if (d_len == len && strncmp(pathbuf, search_devs[i], len) == 0) - break; - } - if (search_devs[i] != NULL) - continue; - } # if defined(HAVE_STRUCT_DIRENT_D_TYPE) && defined(DTTOIF) /* * Avoid excessive stat() calls by checking dp->d_type. 
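Review bot: The new world-writable check in the second hunk on this line (@@ -187,6 +191,18 @@) carries no why-comment, and the ChangeLog only explains which traversal was removed, so the next maintainer has nothing in the code telling them why a directory is refused outright rather than merely scanned more carefully. Suggested comment above the S_IWOTH test: `/* Only trust directories unprivileged users cannot modify: an entry they control must not be resolved as the caller's tty. */`. The test is S_IWOTH alone, so a directory writable by a non-root group, or one not owned by root, is still scanned; whether to also require `sb.st_uid == 0` is a policy choice this hunk does not settle, but it deserves a sentence in the comment either way. Checking via fstat(dirfd(d)) on the handle already opened is the right shape, since it inspects the same directory object readdir() will walk rather than re-resolving the path. sudo_ttyname_scan begins in the first hunk on this line and its body continues past the last one.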
@@ -248,39 +252,14 @@ if (stat(pathbuf, &sb) == -1) continue; break; - case DT_DIR: - /* Directory, no need to stat() it. */ - sb.st_mode = DTTOIF(dp->d_type); - sb.st_rdev = 0; /* quiet ccc-analyzer false positive */ - break; default: - /* Not a character device, link or directory, skip it. */ + /* Not a character device or link, skip it. */ continue; } # else if (stat(pathbuf, &sb) == -1) continue; # endif - if (S_ISDIR(sb.st_mode)) { - if (!builtin) { - /* Add to list of subdirs to search. */ - if (num_subdirs + 1 > max_subdirs) { - char **new_subdirs; - - new_subdirs = reallocarray(subdirs, max_subdirs + 64, - sizeof(char *)); - if (new_subdirs == NULL) - goto done; - subdirs = new_subdirs; - max_subdirs += 64; - } - subdirs[num_subdirs] = strdup(pathbuf); - if (subdirs[num_subdirs] == NULL) - goto done; - num_subdirs++; - } - continue; - } if (S_ISCHR(sb.st_mode) && sb.st_rdev == rdev) { sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO, "resolved dev %u as %s", (unsigned int)rdev, pathbuf); @@ -296,16 +275,9 @@ } } - /* Search subdirs if we didn't find it in the root level. */ - for (i = 0; ret == NULL && i < num_subdirs; i++) - ret = sudo_ttyname_scan(subdirs[i], rdev, false, name, namelen); - done: if (d != NULL) closedir(d); - for (i = 0; i < num_subdirs; i++) - free(subdirs[i]); - free(subdirs); debug_return_str(ret); } @@ -324,7 +296,7 @@ debug_decl(sudo_ttyname_dev, SUDO_DEBUG_UTIL) /* - * First check search_devs for common tty devices. + * First check search_devs[] for common tty devices. */ for (sd = search_devs; (devname = *sd) != NULL; sd++) { len = strlen(devname); @@ -349,7 +321,7 @@ "comparing dev %u to %s: no", (unsigned int)rdev, buf); } else { /* Traverse directory */ - ret = sudo_ttyname_scan(devname, rdev, true, name, namelen); + ret = sudo_ttyname_scan(devname, rdev, name, namelen); if (ret != NULL || errno == ENOMEM) goto done; } 
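Review bot: `if (ret != NULL || errno == ENOMEM) goto done;` in the last hunk on this line (@@ -349,7 +321,7 @@) now interacts with the ENOENT that sudo_ttyname_scan sets when it refuses a world-writable directory: that errno makes the loop move on to the next search_devs[] entry instead of aborting, which is the intended outcome but reads as accidental next to an abort-on-ENOMEM test. A one-line comment makes it explicit: `/* ENOENT also covers a directory skipped as world-writable; keep looking. */`. With the subdirectory allocation removed from sudo_ttyname_scan, ENOMEM can now only come from the directory calls inside it (opendir() and possibly readdir()), so the abort is still reachable and should stay. sudo_ttyname_dev's signature is above the visible hunks and its body continues into the hunk on the next line.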
@@ -367,9 +339,9 @@ } /* - * Not found? Do a breadth-first traversal of /dev/. + * Not found? Check all device nodes in /dev. */ - ret = sudo_ttyname_scan(_PATH_DEV, rdev, false, name, namelen); + ret = sudo_ttyname_scan(_PATH_DEV, rdev, name, namelen); done: debug_return_str(ret); @@ -493,28 +465,35 @@ len = getline(&line, &linesize, fp); fclose(fp); if (len != -1) { - /* Field 7 is the tty dev (0 if no tty) */ - char *cp = line; - char *ep = line; - const char *errstr; - int field = 0; - while (*++ep != '\0') { - if (*ep == ' ') { - *ep = '\0'; - if (++field == 7) { - dev_t tdev = strtonum(cp, INT_MIN, INT_MAX, &errstr); - if (errstr) { - sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, - "%s: tty device %s: %s", path, cp, errstr); + /* + * Field 7 is the tty dev (0 if no tty). + * Since the process name at field 2 "(comm)" may include spaces, + * start at the last ')' found. + */ + char *cp = strrchr(line, ')'); + if (cp != NULL) { + char *ep = cp; + const char *errstr; + int field = 1; + + while (*++ep != '\0') { + if (*ep == ' ') { + *ep = '\0'; + if (++field == 7) { + dev_t tdev = strtonum(cp, INT_MIN, INT_MAX, &errstr); + if (errstr) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, + "%s: tty device %s: %s", path, cp, errstr); + } + if (tdev > 0) { + errno = serrno; + ret = sudo_ttyname_dev(tdev, name, namelen); + goto done; + } + break; } - if (tdev > 0) { - errno = serrno; - ret = sudo_ttyname_dev(tdev, name, namelen); - goto done; - } - break; + cp = ep + 1; } - cp = ep + 1; } } }
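Review bot: The rewritten parser in the second hunk on this line (@@ -493,28 +465,35 @@) depends on an invariant the new comment does not spell out: anchoring on the last ')' is only correct because every field after "(comm)" is numeric, so no later ')' can occur, and `int field = 1` is right only because the ')' terminates field 2. Extend the comment with `/* All fields after "(comm)" are numeric, so the last ')' always ends field 2; the next space starts field 3. */` so a future reader does not "fix" the starting index. The loop also writes NULs into `line` (`*ep = '\0'`), so from this point `line` no longer holds the full record; that only matters if it is logged or reused later, which is outside the hunk. If the record is cut short before field 7 the loop simply ends without a match and the function falls through, which is the safe direction. The enclosing function starts and ends outside the hunk.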