From 0d02d0a40d289eb0ebda5f9991964afe9744f3e5 Mon Sep 17 00:00:00 2001
From: modric
Date: Tue, 7 Mar 2023 11:39:44 +0000
Subject: [PATCH] Fix CVE-2023-27320

(cherry picked from commit ccbe8687f7b9bad06da4d4d4eb65887f7d8828f7)
---
backport-CVE-2023-27320.patch | 38 +++++++++++++++++++++++++++++++++++
sudo.spec | 6 +++++-
2 files changed, 43 insertions(+), 1 deletion(-)
create mode 100644 backport-CVE-2023-27320.patch

diff --git a/backport-CVE-2023-27320.patch b/backport-CVE-2023-27320.patch
new file mode 100644
index 0000000..6bdd174
--- /dev/null
+++ b/backport-CVE-2023-27320.patch
@@ -0,0 +1,38 @@
+diff --git a/plugins/sudoers/match_command.c b/plugins/sudoers/match_command.c
+index ad9db1e..f1c09bd 100644
+--- a/plugins/sudoers/match_command.c
++++ b/plugins/sudoers/match_command.c
+@@ -712,12 +712,16 @@ command_matches(const char *sudoers_cmnd, const char *sudoers_args,
+ /* Rule-specific runchroot, reset user_cmnd and user_stat. */
+ int status;
+
++ /* Save old user_cmnd first, set_cmnd_path() will free it. */
+ saved_user_cmnd = user_cmnd;
++ user_cmnd = NULL;
+ if (user_stat != NULL)
+ saved_user_stat = *user_stat;
+ status = set_cmnd_path(runchroot);
+- if (status != FOUND)
++ if (status != FOUND) {
++ user_cmnd = saved_user_cmnd;
+ saved_user_cmnd = NULL;
++ }
+ if (info != NULL)
+ info->status = status;
+ }
+diff --git a/plugins/sudoers/visudo.c b/plugins/sudoers/visudo.c
+index 55f44d6..b8b2bc5 100644
+--- a/plugins/sudoers/visudo.c
++++ b/plugins/sudoers/visudo.c
+@@ -230,7 +230,9 @@ main(int argc, char *argv[])
+ }
+
+ /* Mock up a fake sudo_user struct. */
+- user_cmnd = user_base = "";
++ user_cmnd = user_base = strdup("true");
++ if (user_cmnd == NULL)
++ sudo_fatalx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+ if (geteuid() == 0) {
+ const char *user = getenv("SUDO_USER");
+ if (user != NULL && *user != '\0')
+
diff --git a/sudo.spec b/sudo.spec
index 58022d9..52409a3 100644
--- a/sudo.spec
+++ b/sudo.spec
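Review bot: In the embedded visudo.c hunk, `user_cmnd = user_base = strdup("true");` makes both globals point at one heap allocation, while the comment added in command_matches() says set_cmnd_path() frees `user_cmnd`. If that call is reachable from visudo, `user_base` would be left pointing at freed memory; set_cmnd_path() is not on this page, so this is inferred and should be checked against its body. The reason for replacing the string literal is also undocumented, so a comment above the assignment would help, for example `/* user_cmnd must be heap-allocated (or NULL): set_cmnd_path() may free it; user_base only aliases it. */`. Both main() and command_matches() continue outside their hunks, so the later restore from `saved_user_cmnd` and the free of the replaced `user_cmnd` cannot be confirmed from here.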
@@ -1,6 +1,6 @@ Name: sudo Version: 1.9.8p2 -Release: 9 +Release: 10 Summary: Allows restricted root access for specified users License: ISC URL: http://www.courtesan.com/sudo/ @@ -29,6 +29,7 @@ Patch15: backport-sudo_passwd_cleanup-Set-auth-data-to-NULL-after-free.patch Patch16: backport-sudo_rcstr_dup-Fix-potential-NULL-pointer-deref.patch Patch17: backport-CVE-2023-22809.patch Patch18: backport-Fix-a-NOPASSWD-issue-with-a-non-existent-command-whe.patch +Patch19: backport-CVE-2023-27320.patch Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) Requires: pam @@ -179,6 +180,9 @@ install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT/etc/pam.d/sudo-i %exclude %{_pkgdocdir}/ChangeLog %changelog +* Tue Mar 07 2023 wangyu - 1.9.8p2-10 +- Fix CVE-2023-27320. + * Wed Feb 01 2023 wangyu - 1.9.8p2-9 - For "sudo ALL" a non-existent command is not an error. -- Gitee