diff --git a/package/sudo/0001-fix-CVE-2017-1000367.patch b/package/sudo/0001-fix-CVE-2017-1000367.patch
deleted file mode 100644
index 6e44399c05..0000000000
--- a/package/sudo/0001-fix-CVE-2017-1000367.patch
+++ /dev/null
@@ -1,264 +0,0 @@
-Downloaded from upstream: https://www.sudo.ws/repos/sudo/raw-rev/b5460cbbb11b
-
-# HG changeset patch
-# User Todd C. Miller
-# Date 1496089973 21600
-# Node ID b5460cbbb11bbf9d92ffcc6798a686cf4125efd3
-# Parent c303e6eecc7841e2f891d70613e80fcf27fa6e86
-Fix for CVE-2017-1000367, parsing of /proc/pid/stat on Linux when
-the process name contains spaces. Since the user has control over
-the command name this could be used by a user with sudo access to
-overwrite an arbitrary file.
-Thanks to Qualys for investigating and reporting this bug.
-
-Also stop performing a breadth-first traversal of /dev when looking
-for the device. Only the directories specified in search_devs[]
-are checked.
-
-Signed-off-by: Peter Korsgaard
-diff -r c303e6eecc78 -r b5460cbbb11b src/ttyname.c
---- a/src/ttyname.c Tue May 23 13:26:54 2017 -0600
-+++ b/src/ttyname.c Mon May 29 14:32:53 2017 -0600
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2012-2016 Todd C. Miller
-+ * Copyright (c) 2012-2017 Todd C. Miller
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
-@@ -145,20 +145,22 @@
- }
- #elif defined(HAVE_STRUCT_PSINFO_PR_TTYDEV) || defined(HAVE_PSTAT_GETPROC) || defined(__linux__)
- /*
-- * Devices to search before doing a breadth-first scan.
-+ * Device nodes and directories to search before searching all of /dev
- */
- static char *search_devs[] = {
- "/dev/console",
-- "/dev/wscons",
-- "/dev/pts/",
-- "/dev/vt/",
-- "/dev/term/",
-- "/dev/zcons/",
-+ "/dev/pts/", /* POSIX pty */
-+ "/dev/vt/", /* Solaris virtual console */
-+ "/dev/term/", /* Solaris serial ports */
-+ "/dev/zcons/", /* Solaris zone console */
-+ "/dev/pty/", /* HP-UX old-style pty */
- NULL
- };
-
-+/*
-+ * Device nodes to ignore when searching all of /dev
-+ */
- static char *ignore_devs[] = {
-- "/dev/fd/",
- "/dev/stdin",
- "/dev/stdout",
- "/dev/stderr",
-@@ -166,16 +168,18 @@
- };
-
- /*
-- * Do a breadth-first scan of dir looking for the specified device.
-+ * Do a scan of a directory looking for the specified device.
-+ * Does not descend into subdirectories.
- * Returns name on success and NULL on failure, setting errno.
- */
- static char *
--sudo_ttyname_scan(const char *dir, dev_t rdev, bool builtin, char *name, size_t namelen)
-+sudo_ttyname_scan(const char *dir, dev_t rdev, char *name, size_t namelen)
- {
-- size_t sdlen, num_subdirs = 0, max_subdirs = 0;
-- char pathbuf[PATH_MAX], **subdirs = NULL;
-+ size_t sdlen;
-+ char pathbuf[PATH_MAX];
- char *ret = NULL;
- struct dirent *dp;
-+ struct stat sb;
- unsigned int i;
- DIR *d = NULL;
- debug_decl(sudo_ttyname_scan, SUDO_DEBUG_UTIL)
-@@ -187,6 +191,18 @@
- if ((d = opendir(dir)) == NULL)
- goto done;
-
-+ if (fstat(dirfd(d), &sb) == -1) {
-+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
-+ "unable to fstat %s", dir);
-+ goto done;
-+ }
-+ if ((sb.st_mode & S_IWOTH) != 0) {
-+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
-+ "ignoring world-writable directory %s", dir);
-+ errno = ENOENT;
-+ goto done;
-+ }
-+
- sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
- "scanning for dev %u in %s", (unsigned int)rdev, dir);
-
-@@ -224,18 +240,6 @@
- }
- if (ignore_devs[i] != NULL)
- continue;
-- if (!builtin) {
-- /* Skip entries in search_devs; we already checked them. */
-- for (i = 0; search_devs[i] != NULL; i++) {
-- len = strlen(search_devs[i]);
-- if (search_devs[i][len - 1] == '/')
-- len--;
-- if (d_len == len && strncmp(pathbuf, search_devs[i], len) == 0)
-- break;
-- }
-- if (search_devs[i] != NULL)
-- continue;
-- }
- # if defined(HAVE_STRUCT_DIRENT_D_TYPE) && defined(DTTOIF)
- /*
- * Avoid excessive stat() calls by checking dp->d_type.
-@@ -248,39 +252,14 @@
- if (stat(pathbuf, &sb) == -1)
- continue;
- break;
-- case DT_DIR:
-- /* Directory, no need to stat() it. */
-- sb.st_mode = DTTOIF(dp->d_type);
-- sb.st_rdev = 0; /* quiet ccc-analyzer false positive */
-- break;
- default:
-- /* Not a character device, link or directory, skip it. */
-+ /* Not a character device or link, skip it. */
- continue;
- }
- # else
- if (stat(pathbuf, &sb) == -1)
- continue;
- # endif
-- if (S_ISDIR(sb.st_mode)) {
-- if (!builtin) {
-- /* Add to list of subdirs to search. */
-- if (num_subdirs + 1 > max_subdirs) {
-- char **new_subdirs;
--
-- new_subdirs = reallocarray(subdirs, max_subdirs + 64,
-- sizeof(char *));
-- if (new_subdirs == NULL)
-- goto done;
-- subdirs = new_subdirs;
-- max_subdirs += 64;
-- }
-- subdirs[num_subdirs] = strdup(pathbuf);
-- if (subdirs[num_subdirs] == NULL)
-- goto done;
-- num_subdirs++;
-- }
-- continue;
-- }
- if (S_ISCHR(sb.st_mode) && sb.st_rdev == rdev) {
- sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
- "resolved dev %u as %s", (unsigned int)rdev, pathbuf);
-@@ -296,16 +275,9 @@
- }
- }
-
-- /* Search subdirs if we didn't find it in the root level. */
-- for (i = 0; ret == NULL && i < num_subdirs; i++)
-- ret = sudo_ttyname_scan(subdirs[i], rdev, false, name, namelen);
--
- done:
- if (d != NULL)
- closedir(d);
-- for (i = 0; i < num_subdirs; i++)
-- free(subdirs[i]);
-- free(subdirs);
- debug_return_str(ret);
- }
-
-@@ -324,7 +296,7 @@
- debug_decl(sudo_ttyname_dev, SUDO_DEBUG_UTIL)
-
- /*
-- * First check search_devs for common tty devices.
-+ * First check search_devs[] for common tty devices.
- */
- for (sd = search_devs; (devname = *sd) != NULL; sd++) {
- len = strlen(devname);
-@@ -349,7 +321,7 @@
- "comparing dev %u to %s: no", (unsigned int)rdev, buf);
- } else {
- /* Traverse directory */
-- ret = sudo_ttyname_scan(devname, rdev, true, name, namelen);
-+ ret = sudo_ttyname_scan(devname, rdev, name, namelen);
- if (ret != NULL || errno == ENOMEM)
- goto done;
- }
-@@ -367,9 +339,9 @@
- }
-
- /*
-- * Not found? Do a breadth-first traversal of /dev/.
-+ * Not found? Check all device nodes in /dev.
- */
-- ret = sudo_ttyname_scan(_PATH_DEV, rdev, false, name, namelen);
-+ ret = sudo_ttyname_scan(_PATH_DEV, rdev, name, namelen);
-
- done:
- debug_return_str(ret);
-@@ -493,28 +465,35 @@
- len = getline(&line, &linesize, fp);
- fclose(fp);
- if (len != -1) {
-- /* Field 7 is the tty dev (0 if no tty) */
-- char *cp = line;
-- char *ep = line;
-- const char *errstr;
-- int field = 0;
-- while (*++ep != '\0') {
-- if (*ep == ' ') {
-- *ep = '\0';
-- if (++field == 7) {
-- dev_t tdev = strtonum(cp, INT_MIN, INT_MAX, &errstr);
-- if (errstr) {
-- sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
-- "%s: tty device %s: %s", path, cp, errstr);
-+ /*
-+ * Field 7 is the tty dev (0 if no tty).
-+ * Since the process name at field 2 "(comm)" may include spaces,
-+ * start at the last ')' found.
-+ */
-+ char *cp = strrchr(line, ')');
-+ if (cp != NULL) {
-+ char *ep = cp;
-+ const char *errstr;
-+ int field = 1;
-+
-+ while (*++ep != '\0') {
-+ if (*ep == ' ') {
-+ *ep = '\0';
-+ if (++field == 7) {
-+ dev_t tdev = strtonum(cp, INT_MIN, INT_MAX, &errstr);
-+ if (errstr) {
-+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
-+ "%s: tty device %s: %s", path, cp, errstr);
-+ }
-+ if (tdev > 0) {
-+ errno = serrno;
-+ ret = sudo_ttyname_dev(tdev, name, namelen);
-+ goto done;
-+ }
-+ break;
- }
-- if (tdev > 0) {
-- errno = serrno;
-- ret = sudo_ttyname_dev(tdev, name, namelen);
-- goto done;
-- }
-- break;
-+ cp = ep + 1;
- }
-- cp = ep + 1;
- }
- }
- }
-
diff --git a/package/sudo/sudo.hash b/package/sudo/sudo.hash
index 63b1dd0d4f..ea0764c157 100644
--- a/package/sudo/sudo.hash
+++ b/package/sudo/sudo.hash
@@ -1,2 +1,2 @@
 # From: http://www.sudo.ws/download.html
-sha256 9e97b8da859c6cc1b5b8c31db93002b750eae16af1bbda9140f8dd85b970e0e0 sudo-1.8.20.tar.gz
+sha256 bd42ae1059e935f795c69ea97b3de09fe9410a58a74b5d5e6836eb5067a445d9 sudo-1.8.20p2.tar.gz
diff --git a/package/sudo/sudo.mk b/package/sudo/sudo.mk
index a6ea9acdb1..9cca544b1b 100644
--- a/package/sudo/sudo.mk
+++ b/package/sudo/sudo.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
-SUDO_VERSION = 1.8.20
+SUDO_VERSION = 1.8.20p2
 SUDO_SITE = http://www.sudo.ws/sudo/dist
 SUDO_LICENSE = ISC, BSD-3-Clause
 SUDO_LICENSE_FILES = doc/LICENSE