diff --git a/backport-CVE-2025-32462.patch b/backport-CVE-2025-32462.patch
new file mode 100644
index 0000000000000000000000000000000000000000..224164e5084febdc5948182654be11244bca8348
--- /dev/null
+++ b/backport-CVE-2025-32462.patch
@@ -0,0 +1,38 @@
+From f8ff956e17c36d44b9465688995821c8d890b451 Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller"
+Date: Tue, 1 Apr 2025 09:24:51 -0600
+Subject: [PATCH] Only allow a remote host to be specified when listing
+ privileges.
+
+This fixes a bug where a user with sudoers privileges on a different
+host could execute a command on the local host, even if the sudoers
+file would not otherwise allow this. CVE-2025-32462
+
+Reported by Rich Mirch @ Stratascale Cyber Research Unit (CRU).
+---
+ plugins/sudoers/sudoers.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c
+index 70a0c1a528..ad2fa2f61c 100644
+--- a/plugins/sudoers/sudoers.c
++++ b/plugins/sudoers/sudoers.c
+@@ -350,6 +350,18 @@ sudoers_check_common(struct sudoers_context *ctx, int pwflag)
+ time_t now;
+ debug_decl(sudoers_check_common, SUDOERS_DEBUG_PLUGIN);
+ 
++ /* The user may only specify a host for "sudo -l". */
++ if (!ISSET(ctx->mode, MODE_LIST|MODE_CHECK)) {
++ if (strcmp(ctx->runas.host, ctx->user.host) != 0) {
++ log_warningx(ctx, SLOG_NO_STDERR|SLOG_AUDIT,
++ N_("user not allowed to set remote host for command"));
++ sudo_warnx("%s",
++ U_("a remote host may only be specified when listing privileges."));
++ ret = false;
++ goto done;
++ }
++ }
++
+ /* If given the -P option, set the "preserve_groups" flag. */
+ if (ISSET(ctx->mode, MODE_PRESERVE_GROUPS))
+ def_preserve_groups = true;
diff --git a/sudo.spec b/sudo.spec
index 1524740c7a09691fbb55f553902cc01ae6fbfa84..2a81e18541cb4b67ab906b7c790ee2b1fb039456 100644
--- a/sudo.spec
+++ b/sudo.spec
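Review bot: The embedded sudoers.c hunk is the upstream commit taken verbatim, and its `index 70a0c1a528..ad2fa2f61c` line names upstream blobs rather than the sudoers.c shipped in 1.9.15p5, so the build log should be checked to confirm the hunk actually applies (offset/fuzz at most) and that `ctx->runas.host`, `ctx->user.host`, `MODE_CHECK` and `SLOG_AUDIT` all exist in that release; if any of them is missing the patch fails to apply or to compile and the CVE fix is not built in. The new early-reject branch also depends on `ret` and the `done:` label, which are outside the hunk in sudoers_check_common, whose body starts and ends beyond it, so the backport should be read against the full 1.9.15p5 function to confirm `done:` runs the same cleanup path there. The `From:` header in the embedded patch shows no author address, which may be a rendering artifact of this page; if the file really lacks it, attribution is lost but application is unaffected.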
@@ -1,6 +1,6 @@ Name: sudo Version: 1.9.15p5 -Release: 2 +Release: 3 Summary: Allows restricted root access for specified users License: ISC URL: https://www.sudo.ws @@ -13,6 +13,7 @@ Source3: sudo-i Patch0: Fix-compilation-error-on-sw64-arch.patch Patch1: backport-If-user-s-tty-goes-away-tell-monitor-to-revoke-the-t.patch Patch2: backport-Avoid-using-ioctl-TIOCNOTTY-in-the-monitor.patch +Patch3: backport-CVE-2025-32462.patch Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) Requires: pam @@ -157,6 +158,9 @@ chrpath -d $RPM_BUILD_ROOT/usr/libexec/sudo/* %exclude %{_pkgdocdir}/ChangeLog %changelog +* Tue Jul 1 2025 Deyuan Fan - 1.9.15p5-3 +- Fix CVE-2025-32462 + * Fri Apr 18 2025 fuanan - 1.9.15p5-2 - Backport patches from upstream community
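Review bot: `Patch3: backport-CVE-2025-32462.patch` is declared but nothing in this chunk applies it; if %prep in this spec applies patches with explicit `%patch` lines rather than `%autosetup -p1`, a matching `%patch -P 3 -p1` line is required or the fix is silently left out of the build while the changelog claims it is fixed. The %prep section lies outside this chunk, so this needs confirming against the full spec.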