diff --git a/backport-Fix-a-NOPASSWD-issue-with-a-non-existent-command-whe.patch b/backport-Fix-a-NOPASSWD-issue-with-a-non-existent-command-whe.patch
new file mode 100644
index 0000000000000000000000000000000000000000..23e12338790d4511ec6e17a8230d8267947bb5f3
--- /dev/null
+++ b/backport-Fix-a-NOPASSWD-issue-with-a-non-existent-command-whe.patch
@@ -0,0 +1,43 @@
+From 5a59ce159e0c17fb35474c9c516d97703b338027 Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller"
+Date: Thu, 7 Jul 2022 20:11:44 -0600
+Subject: [PATCH] Fix a NOPASSWD issue with a non-existent command when
+ fdexec=always In command_matches_all(), if the command is fully-qualified and
+ open_cmnd() return false, only treat it as an error if we are able to stat(2)
+ the command. For "sudo ALL" a non-existent command is not an error.
+
+Reference: https://github.com/sudo-project/sudo/commit/5a59ce159e0c17fb35474c9c516d97703b338027
+Conflict: match_command.c
+---
+ plugins/sudoers/match_command.c | 4 +++++--
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/plugins/sudoers/match_command.c b/plugins/sudoers/match_command.c
+index 6d8b3a6..e020e81 100644
+--- a/plugins/sudoers/match_command.c
++++ b/plugins/sudoers/match_command.c
+@@ -353,11 +353,15 @@ command_matches_all(const char *runchroot,
+ 
+ if (user_cmnd[0] == '/') {
+ /* Open the file for fdexec or for digest matching. */
+- if (!open_cmnd(user_cmnd, runchroot, digests, &fd))
+- goto bad;
++ bool open_error = !open_cmnd(user_cmnd, runchroot, digests, &fd);
+ #ifndef SUDOERS_NAME_MATCH
+- if (!do_stat(fd, user_cmnd, runchroot, intercepted, NULL))
+- goto bad;
++ /* A non-existent file is not an error for "sudo ALL". */
++ if (do_stat(fd, user_cmnd, runchroot, intercepted, NULL)) {
++ if (open_error) {
++ /* File exists but we couldn't open it above? */
++ goto bad;
++ }
++ }
+ #endif
+ }
+ 
+-- 
+2.33.0
+
+
+
diff --git a/sudo.spec b/sudo.spec
index 2d21e2cc5114a9bedd41be245d975296f20ad3ec..58022d90b6db7f02a201657f76433bb935b97846 100644
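Review bot: Under `SUDOERS_NAME_MATCH` the new `open_error` is assigned but never read, so a failed `open_cmnd()` — which the removed `goto bad` rejected in every build — is now silently accepted in that configuration, and the variable will draw an unused-variable warning there. If dropping that rejection is intended, say so in an `#else` arm with `(void)open_error;` and a one-line comment such as `/* Name matching only: an open failure is not fatal here. */`; if it is not, `#else` / `if (open_error) goto bad;` restores the previous behaviour for that build. In the non-NAME_MATCH path every `do_stat()` failure is now forgiven, not only a missing file; if do_stat() leaves errno from the underlying stat(2) — its body is not visible here — narrowing the pass-through to `errno == ENOENT` would keep the fix to the case the subject describes rather than also excusing EACCES or ELOOP. command_matches_all() begins before the hunk and continues after it, so what the later checks do with an fd that was never opened cannot be seen from this hunk.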
--- a/sudo.spec
+++ b/sudo.spec
@@ -1,6 +1,6 @@
 Name: sudo
 Version: 1.9.8p2
-Release: 8
+Release: 9
 Summary: Allows restricted root access for specified users
 License: ISC
 URL: http://www.courtesan.com/sudo/
@@ -28,6 +28,7 @@ Patch14: backport-Fix-memory-leak-of-pass-in-converse.patch
 Patch15: backport-sudo_passwd_cleanup-Set-auth-data-to-NULL-after-free.patch
 Patch16: backport-sudo_rcstr_dup-Fix-potential-NULL-pointer-deref.patch
 Patch17: backport-CVE-2023-22809.patch
+Patch18: backport-Fix-a-NOPASSWD-issue-with-a-non-existent-command-whe.patch
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Requires: pam
@@ -178,6 +179,9 @@ install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT/etc/pam.d/sudo-i
 %exclude %{_pkgdocdir}/ChangeLog
 %changelog
+* Wed Feb 01 2023 wangyu - 1.9.8p2-9
+- For "sudo ALL" a non-existent command is not an error.
+
 * Thu Jan 19 2023 houmingyong - 1.9.8p2-8
 - Fix CVE-2023-22809