diff --git a/0001-Fix-CVE-2025-32462.patch b/0001-Fix-CVE-2025-32462.patch
new file mode 100644
index 0000000000000000000000000000000000000000..86a57fb84ddeaa7fa3593522be8c5314bbe60ec7
--- /dev/null
+++ b/0001-Fix-CVE-2025-32462.patch
@@ -0,0 +1,38 @@
+From d530367828e3713d09489872743eb92d31fb11ff Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller"
+Date: Tue, 1 Apr 2025 09:24:51 -0600
+Subject: [PATCH] Only allow a remote host to be specified when listing
+ privileges.
+This fixes a bug where a user with sudoers privileges on a different host could execute a command on the local host, even if the sudoers file would not otherwise allow this. CVE-2025-32462
+Reported by Rich Mirch @ Stratascale Cyber Research Unit (CRU).
+---
+ plugins/sudoers/sudoers.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c
+index 70a0c1a528..ad2fa2f61c 100644
+--- a/plugins/sudoers/sudoers.c
++++ b/plugins/sudoers/sudoers.c
+@@ -350,6 +350,18 @@ sudoers_check_common(struct sudoers_context *ctx, int pwflag)
+ time_t now;
+ debug_decl(sudoers_check_common, SUDOERS_DEBUG_PLUGIN);
+
++ /* The user may only specify a host for "sudo -l". */
++ if (!ISSET(ctx->mode, MODE_LIST|MODE_CHECK)) {
++ if (strcmp(ctx->runas.host, ctx->user.host) != 0) {
++ log_warningx(ctx, SLOG_NO_STDERR|SLOG_AUDIT,
++ N_("user not allowed to set remote host for command"));
++ sudo_warnx("%s",
++ U_("a remote host may only be specified when listing privileges."));
++ ret = false;
++ goto done;
++ }
++ }
++
+ /* If given the -P option, set the "preserve_groups" flag. */
+ if (ISSET(ctx->mode, MODE_PRESERVE_GROUPS))
+ def_preserve_groups = true;
diff --git a/sudo.spec b/sudo.spec
index 5254daa5acfc1a30a93b9294b877f81d10db8a9d..04666215980de02e70b9cac218c4b9096d2e0c4a 100644
--- a/sudo.spec
+++ b/sudo.spec
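Review bot: The added patch is the upstream commit taken verbatim against a newer tree — it keys on `struct sudoers_context *ctx`, `ctx->mode`, `ctx->runas.host` and `ctx->user.host` — while this package builds sudo 1.9.15p5, so it should be confirmed to apply to that tree without fuzz before merging; `%autosetup -p1` will fail the build loudly on a context mismatch rather than silently dropping the fix, which is the right failure mode, but if 1.9.15p5 still names these through older global state a hand-adapted backport is needed. The check itself is fail-closed: a plain `strcmp()` against `ctx->user.host` refuses any `-h` value that is not byte-identical to the local hostname, so an alias or FQDN of the local host is also rejected for command execution, which is acceptable for a security fix but deserves a comment such as `/* Exact match only: any alias of the local host is treated as remote. */`. `sudoers_check_common` starts and ends outside the hunk, so whether `ret` and the `done` label exist as the new code assumes cannot be verified here.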
@@ -1,4 +1,4 @@
-%define anolis_release 1
+%define anolis_release 2
 Summary: Grants restricted root access for specified users
 Name: sudo
 Version: 1.9.15p5
@@ -9,6 +9,9 @@ Source0: https://www.sudo.ws/dist/%{name}-%{version}.tar.gz
 Source1: sudoers
 Requires: pam
+#https://github.com/sudo-project/sudo/commit/d530367828e3713d09489872743eb92d31fb11ff
+Patch1: 0001-Fix-CVE-2025-32462.patch
+
 BuildRequires: make libtool
 BuildRequires: pam-devel audit-libs-devel openldap-devel libselinux-devel libcap-devel
 BuildRequires: flex bison groff sendmail gettext zlib-devel
@@ -48,7 +51,7 @@ BuildRequires: python3-devel
 %{name}-python-plugin enables using sudo plugins written in Python.
 %prep
-%setup -q -n %{name}-%{version}
+%autosetup -n %{name}-%{version} -p1
 %build
 rm -rf zlib/
@@ -192,6 +195,9 @@ EOF
 %{abidir}/python_plugin.dump
 %changelog
+* Wed Jul 02 2025 Yang cheng - 1.9.15p5-2
+- add patch to fix CVE-2025-32462
+
 * Thu Feb 01 2024 Funda Wang - 1.9.15p5-1
 - New version 1.9.15p5
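Review bot: The comment above `Patch1` gives only the upstream commit URL; it should also name the CVE and say when the patch can be dropped, so the next rebase does not carry a stale backport or, worse, drop it early, e.g. `# CVE-2025-32462 - backport of upstream d5303678; drop once the base version already contains it`. The switch from `%setup -q` to `%autosetup -p1` is what actually applies the patch, and `%autosetup` applies every declared PatchN in order, so any future patch added to this spec is applied automatically without a separate `%patch` line.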