diff --git a/backport-CVE-2025-32462.patch b/backport-CVE-2025-32462.patch
new file mode 100644
index 0000000000000000000000000000000000000000..cf29edc56bc0f0d1fc083e99247d4644c7483d7f
--- /dev/null
+++ b/backport-CVE-2025-32462.patch
@@ -0,0 +1,42 @@
+From 263e8078c9f640a506f5847af2cd46e1b1139790 Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller"
+Date: Tue, 1 Apr 2025 09:24:51 -0600
+Subject: [PATCH] Only allow a remote host to be specified when listing
+ privileges.
+
+This fixes a bug where a user with sudoers privileges on a different
+host could execute a command on the local host, even if the sudoers
+file would not otherwise allow this. CVE-2025-32462
+
+Reported by Rich Mirch @ Stratascale Cyber Research Unit (CRU).
+
+Signed-off-by: xuce
+---
+ plugins/sudoers/sudoers.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c
+index 14205cb..6fdce0e 100644
+--- a/plugins/sudoers/sudoers.c
++++ b/plugins/sudoers/sudoers.c
+@@ -342,6 +342,17 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
+ }
+ }
+
++ /* The user may only specify a host for "sudo -l". */
++ if (!ISSET(sudo_mode, MODE_LIST|MODE_CHECK)) {
++ if (strcmp(user_runhost, user_host) != 0) {
++ log_warningx(SLOG_NO_STDERR,
++ N_("user not allowed to set remote host for command"));
++ sudo_warnx("%s",
++ U_("a remote host may only be specified when listing privileges."));
++ goto bad;
++ }
++ }
++
+ /* If given the -P option, set the "preserve_groups" flag. */
+ if (ISSET(sudo_mode, MODE_PRESERVE_GROUPS))
+ def_preserve_groups = true;
+--
+2.33.0
+
diff --git a/sudo.spec b/sudo.spec
index 45d36435a21bc0de0e5583860712c93bdccd3aa7..75d220cc8e6e647206269572d2877b89ff6e8546 100644
--- a/sudo.spec
+++ b/sudo.spec
@@ -1,6 +1,6 @@
 Name: sudo
 Version: 1.9.2
-Release: 17
+Release: 18
 Summary: Allows restricted root access for specified users
 License: ISC
 URL: http://www.courtesan.com/sudo/
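Review bot: The new guard at `if (strcmp(user_runhost, user_host) != 0)` is an exact byte comparison, so a `-h` value that names the local host in another spelling (different case, FQDN versus short name) is refused as well; that is fail-closed and the right default for this CVE, but the one-line comment above it does not say the strictness is deliberate, so a later cleanup that canonicalises host names could quietly reopen the hole. Suggest replacing that comment with `/* Exact match on purpose: any -h value other than user_host as given, even another spelling of the local host, is rejected unless listing privileges. */`. Only MODE_LIST|MODE_CHECK are exempted, so `sudo -v -h host` is refused too, which is worth a word in the spec changelog entry for this backport. The check also presumes user_runhost is already populated (user_host when no -h was given) by the time sudoers_policy_main() reaches this point in the 1.9.2 tree; the function begins before the hunk, so that ordering should be confirmed against this tree's deserialize path rather than assumed, since a NULL here would crash strcmp() instead of denying.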
@@ -44,6 +44,7 @@ Patch30: backport-role_to_sudoers-only-try-to-reuse-a-privilege-if-one.patch
 Patch31: backport-Move-updating-of-the-window-size-back-to-the-main-su.patch
 Patch32: backport-If-user-s-tty-goes-away-tell-monitor-to-revoke-the-t.patch
 Patch33: backport-Avoid-using-ioctl-TIOCNOTTY-in-the-monitor.patch
+Patch34: backport-CVE-2025-32462.patch
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Requires: pam
@@ -184,6 +185,9 @@ install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT/etc/pam.d/sudo-i
 %exclude %{_pkgdocdir}/ChangeLog
 %changelog
+* Wed Jul 2 2025 xuce - 1.9.2-18
+- fix CVE-2025-32462
+
 * Fri Apr 18 2025 fuanan - 1.9.2-17
 - Backport patches from upstream community