From 2409f512a7e311b7f3d7ca4eaec3aa58bf9a450b Mon Sep 17 00:00:00 2001
From: fandeyuan
Date: Tue, 1 Jul 2025 15:18:03 +0800
Subject: [PATCH] Only allow a remote host to be specified when listing privileges
---
 backport-CVE-2025-32462.patch | 38 +++++++++++++++++++++++++++++++++++
 sudo.spec | 6 +++++-
 2 files changed, 43 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2025-32462.patch
diff --git a/backport-CVE-2025-32462.patch b/backport-CVE-2025-32462.patch
new file mode 100644
index 0000000..224164e
--- /dev/null
+++ b/backport-CVE-2025-32462.patch
@@ -0,0 +1,38 @@
+From f8ff956e17c36d44b9465688995821c8d890b451 Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller"
+Date: Tue, 1 Apr 2025 09:24:51 -0600
+Subject: [PATCH] Only allow a remote host to be specified when listing
+ privileges.
+
+This fixes a bug where a user with sudoers privileges on a different
+host could execute a command on the local host, even if the sudoers
+file would not otherwise allow this. CVE-2025-32462
+
+Reported by Rich Mirch @ Stratascale Cyber Research Unit (CRU).
+---
+ plugins/sudoers/sudoers.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c
+index 70a0c1a528..ad2fa2f61c 100644
+--- a/plugins/sudoers/sudoers.c
++++ b/plugins/sudoers/sudoers.c
+@@ -350,6 +350,18 @@ sudoers_check_common(struct sudoers_context *ctx, int pwflag)
+ time_t now;
+ debug_decl(sudoers_check_common, SUDOERS_DEBUG_PLUGIN);
+
++ /* The user may only specify a host for "sudo -l". */
++ if (!ISSET(ctx->mode, MODE_LIST|MODE_CHECK)) {
++ if (strcmp(ctx->runas.host, ctx->user.host) != 0) {
++ log_warningx(ctx, SLOG_NO_STDERR|SLOG_AUDIT,
++ N_("user not allowed to set remote host for command"));
++ sudo_warnx("%s",
++ U_("a remote host may only be specified when listing privileges."));
++ ret = false;
++ goto done;
++ }
++ }
++
+ /* If given the -P option, set the "preserve_groups" flag. */
+ if (ISSET(ctx->mode, MODE_PRESERVE_GROUPS))
+ def_preserve_groups = true;
diff --git a/sudo.spec b/sudo.spec
index 0730a6c..4d439aa 100644
--- a/sudo.spec
+++ b/sudo.spec
@@ -1,6 +1,6 @@
 Name: sudo
 Version: 1.9.16p2
-Release: 1
+Release: 2
 Summary: Allows restricted root access for specified users
 License: ISC
 URL: https://www.sudo.ws
@@ -11,6 +11,7 @@
 Source2: sudo
 Source3: sudo-i
 Patch0: Fix-compilation-error-on-sw64-arch.patch
+Patch1: backport-CVE-2025-32462.patch
 Requires: pam
 Recommends: vim-minimal
 Requires(post): coreutils
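Review bot: The new comment `/* The user may only specify a host for "sudo -l". */` in the backported sudoers.c hunk understates the condition right below it, which also admits MODE_CHECK (the `sudo -l <command>` form), so it should read `/* A remote host may only be given when listing or checking privileges (MODE_LIST|MODE_CHECK). */`. The `strcmp(ctx->runas.host, ctx->user.host)` presumably relies on both fields already being non-NULL strings when sudoers_check_common() runs; that invariant is not visible in the hunk and deserves a one-line comment at the check so a later reordering does not turn it into a NULL dereference. The SLOG_AUDIT entry "user not allowed to set remote host for command" is the record a defender can alert on for attempts to use `-h` with a command once this backport is deployed. sudoers_check_common() starts and ends outside the hunk, so the declaration of `ret` and the `done:` cleanup label are not visible here.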
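Review bot: The `Patch1: backport-CVE-2025-32462.patch` line in the `@@ -11,6 +11,7 @@` hunk only declares the patch; whether it is actually applied depends on the %prep section, which is outside this diff. If %prep uses `%autosetup` or `%autopatch` the new patch is picked up automatically, but if it applies `%patch0` explicitly, a matching `%patch1 -p1` is needed or the package builds successfully with the CVE-2025-32462 fix silently absent. Worth confirming against %prep before merging, since the changelog entry states the CVE is fixed.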
@@ -151,6 +152,9 @@ rm -f %{buildroot}%{_pkgdocdir}/ChangeLog %doc plugins/sample/sample_plugin.c %changelog +* Tue Jul 1 2025 Deyuan Fan - 1.9.16p2-2 +- Fix CVE-2025-32462 + * Sat Nov 30 2024 Funda Wang - 1.9.16p2-1 - update to 1.9.16p2 -- Gitee