diff --git a/backport-CVE-2025-32462.patch b/backport-CVE-2025-32462.patch
new file mode 100644
index 0000000000000000000000000000000000000000..af176ab78609338a42475dc27c0536543db33e6b
--- /dev/null
+++ b/backport-CVE-2025-32462.patch
@@ -0,0 +1,42 @@
+From 85d4e4a8a162fcb0b16d78e3f8c2a7d6a051a57d Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller"
+Date: Tue, 1 Apr 2025 09:24:51 -0600
+Subject: [PATCH] Only allow a remote host to be specified when listing
+ privileges.
+
+This fixes a bug where a user with sudoers privileges on a different
+host could execute a command on the local host, even if the sudoers
+file would not otherwise allow this. CVE-2025-32462
+
+Reported by Rich Mirch @ Stratascale Cyber Research Unit (CRU).
+
+Signed-off-by: xuce
+---
+ plugins/sudoers/sudoers.c | 11 +++++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c
+index 17e0d1f..3bbafcb 100644
+--- a/plugins/sudoers/sudoers.c
++++ b/plugins/sudoers/sudoers.c
+@@ -441,6 +441,17 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
+ sudoers_gc_add(GC_PTR, NewArgv[0]);
+ }
+ 
++ /* The user may only specify a host for "sudo -l". */
++ if (!ISSET(sudo_mode, MODE_LIST|MODE_CHECK)) {
++ if (strcmp(user_runhost, user_host) != 0) {
++ log_warningx(SLOG_NO_STDERR|SLOG_AUDIT,
++ N_("user not allowed to set remote host for command"));
++ sudo_warnx("%s",
++ U_("a remote host may only be specified when listing privileges."));
++ goto bad;
++ }
++ }
++ 
+ /* If given the -P option, set the "preserve_groups" flag. */
+ if (ISSET(sudo_mode, MODE_PRESERVE_GROUPS))
+ def_preserve_groups = true;
+-- 
+2.33.0
+
diff --git a/sudo.spec b/sudo.spec
index 0fef9cdfe1b7eb8f171b51a88be40fa27d89cef9..7c76c3409c8fa93b59ca8eb7799c8d23c357b2d9 100644
--- a/sudo.spec
+++ b/sudo.spec
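Review bot: The new guard in the sudoers.c hunk calls `strcmp(user_runhost, user_host)` unconditionally for every non-list mode, so it relies on this 1.9.8p2 tree having already defaulted `user_runhost` to `user_host` when no `-h` was given — that initialization is outside the hunk, and a NULL `user_runhost` here would be undefined behavior rather than a clean refusal, so the backport should confirm that invariant holds in this older code base before the check runs. The comment `/* The user may only specify a host for "sudo -l". */` undersells the security reason and the fact that `sudo -l command` (MODE_CHECK) is also permitted; I would write `/* A remote host (-h) is honored only for "sudo -l [command]"; in any mode that runs a command the lookup would use the remote host's rules while the command executes locally (CVE-2025-32462). */`. The comparison is byte-exact while sudoers host matching is, as far as I recall, case-insensitive, so `-h` with a differently-cased spelling of the local hostname is now refused — fail-closed and acceptable, but worth stating in that comment. The enclosing sudoers_policy_main() starts and ends outside the hunk, as does the `bad:` label the guard jumps to.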
@@ -1,6 +1,6 @@ Name: sudo Version: 1.9.8p2 -Release: 18 +Release: 19 Summary: Allows restricted root access for specified users License: ISC URL: http://www.courtesan.com/sudo/ @@ -46,6 +46,7 @@ Patch32: backport-role_to_sudoers-only-try-to-reuse-a-privilege-if-one.patch Patch33: backport-Move-updating-of-the-window-size-back-to-the-main-su.patch Patch34: backport-If-user-s-tty-goes-away-tell-monitor-to-revoke-the-t.patch Patch35: backport-Avoid-using-ioctl-TIOCNOTTY-in-the-monitor.patch +Patch36: backport-CVE-2025-32462.patch Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) Requires: pam @@ -196,6 +197,9 @@ install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT/etc/pam.d/sudo-i %exclude %{_pkgdocdir}/ChangeLog %changelog +* Wed Jul 2 2025 xuce - 1.9.8p2-19 +- fix cve-2025-32462 + * Fri Apr 18 2025 fuanan - 1.9.8p2-18 - Backport patch from upstream community