From bf303dd92f83cfdc0a8f2ba936ec08043ed4a3ad Mon Sep 17 00:00:00 2001
From: modric
Date: Wed, 1 Feb 2023 10:10:35 +0800
Subject: [PATCH] For 'sudo ALL' a non-existent command is not an error

(cherry picked from commit 5dce535ae8a82b3a1f011b3647cdbaba89786a8f)

---
 ...ssue-with-a-non-existent-command-whe.patch | 43 +++++++++++++++++++
 sudo.spec | 6 ++-
 2 files changed, 48 insertions(+), 1 deletion(-)
 create mode 100644 backport-Fix-a-NOPASSWD-issue-with-a-non-existent-command-whe.patch

diff --git a/backport-Fix-a-NOPASSWD-issue-with-a-non-existent-command-whe.patch b/backport-Fix-a-NOPASSWD-issue-with-a-non-existent-command-whe.patch
new file mode 100644
index 0000000..23e1233
--- /dev/null
+++ b/backport-Fix-a-NOPASSWD-issue-with-a-non-existent-command-whe.patch
@@ -0,0 +1,43 @@
+From 5a59ce159e0c17fb35474c9c516d97703b338027 Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller"
+Date: Thu, 7 Jul 2022 20:11:44 -0600
+Subject: [PATCH] Fix a NOPASSWD issue with a non-existent command when
+ fdexec=always In command_matches_all(), if the command is fully-qualified and
+ open_cmnd() return false, only treat it as an error if we are able to stat(2)
+ the command. For "sudo ALL" a non-existent command is not an error.
+
+Reference: https://github.com/sudo-project/sudo/commit/5a59ce159e0c17fb35474c9c516d97703b338027
+Conflict: match_command.c
+---
+ plugins/sudoers/match_command.c | 4 +++++--
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/plugins/sudoers/match_command.c b/plugins/sudoers/match_command.c
+index 6d8b3a6..e020e81 100644
+--- a/plugins/sudoers/match_command.c
++++ b/plugins/sudoers/match_command.c
+@@ -353,11 +353,15 @@ command_matches_all(const char *runchroot,
+
+ if (user_cmnd[0] == '/') {
+ /* Open the file for fdexec or for digest matching. */
+- if (!open_cmnd(user_cmnd, runchroot, digests, &fd))
+- goto bad;
++ bool open_error = !open_cmnd(user_cmnd, runchroot, digests, &fd);
+ #ifndef SUDOERS_NAME_MATCH
+- if (!do_stat(fd, user_cmnd, runchroot, intercepted, NULL))
+- goto bad;
++ /* A non-existent file is not an error for "sudo ALL". */
++ if (do_stat(fd, user_cmnd, runchroot, intercepted, NULL)) {
++ if (open_error) {
++ /* File exists but we couldn't open it above? */
++ goto bad;
++ }
++ }
+ #endif
+ }
+
+--
+2.33.0
+
+
+
diff --git a/sudo.spec b/sudo.spec
index 2d21e2c..58022d9 100644
--- a/sudo.spec
+++ b/sudo.spec
@@ -1,6 +1,6 @@
 Name: sudo
 Version: 1.9.8p2
-Release: 8
+Release: 9
 Summary: Allows restricted root access for specified users
 License: ISC
 URL: http://www.courtesan.com/sudo/
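Review bot: The new fall-through in the inner match_command.c hunk treats any do_stat() failure as "the command does not exist", not only ENOENT, so a fully-qualified path whose stat(2) fails for another reason (ELOOP, ENAMETOOLONG, a non-directory component) now matches the `ALL` rule where it previously hit `goto bad`; if only the non-existent case is meant to match, add `} else if (errno != ENOENT && errno != ENOTDIR) { goto bad; }` after the new if-block, on the assumption that do_stat() leaves errno from the failing stat/fstat call (its body is outside this hunk). The case where open_cmnd() succeeded but do_stat() still fails also no longer reaches `bad`, so whatever that label does with the open fd must also happen on the matched path below the hunk, which is not visible here and is worth confirming. The inner diffstat line `| 4 +++++--` disagrees with its own summary `8 insertions(+), 4 deletions(-)` and the `Conflict:` trailer shows the hunk was hand-resolved, so a build plus a run of the `fdexec=always` with `ALL` and `NOPASSWD` scenario against 1.9.8p2 is the evidence I would want recorded in the changelog entry. command_matches_all() starts and ends outside the hunk.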
@@ -28,6 +28,7 @@ Patch14: backport-Fix-memory-leak-of-pass-in-converse.patch
 Patch15: backport-sudo_passwd_cleanup-Set-auth-data-to-NULL-after-free.patch
 Patch16: backport-sudo_rcstr_dup-Fix-potential-NULL-pointer-deref.patch
 Patch17: backport-CVE-2023-22809.patch
+Patch18: backport-Fix-a-NOPASSWD-issue-with-a-non-existent-command-whe.patch
 
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Requires: pam
@@ -178,6 +179,9 @@ install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT/etc/pam.d/sudo-i
 %exclude %{_pkgdocdir}/ChangeLog
 
 %changelog
+* Wed Feb 01 2023 wangyu - 1.9.8p2-9
+- For "sudo ALL" a non-existent command is not an error.
+
 * Thu Jan 19 2023 houmingyong - 1.9.8p2-8
 - Fix CVE-2023-22809
 
-- 
Gitee