From: Peter Korsgaard Date: Wed, 31 May 2017 06:47:18 +0000 (+0200) Subject: sudo: add upstream security patch for CVE-2017-1000367 X-Git-Url: https://git.libre-soc.org/?a=commitdiff_plain;h=fddb760946a4f4ca366528a673989793be65a678;p=buildroot.git sudo: add upstream security patch for CVE-2017-1000367 CVE-2017-1000367 - Potential overwrite of arbitrary files on Linux On Linux systems, sudo parses the /proc/[pid]/stat file to determine the device number of the process's tty (field 7). The fields in the file are space-delimited, but it is possible for the command name (field 2) to include spaces, which sudo does not account for. A user with sudo privileges can cause sudo to use a device number of the user's choosing by creating a symbolic link from the sudo binary to a name that contains a space, followed by a number. If SELinux is enabled on the system and sudo was built with SELinux support, a user with sudo privileges may be able to to overwrite an arbitrary file. This can be escalated to full root access by rewriting a trusted file such as /etc/shadow or even /etc/sudoers. For more details, see: https://www.sudo.ws/alerts/linux_tty.html Signed-off-by: Peter Korsgaard --- diff --git a/package/sudo/0001-fix-CVE-2017-1000367.patch b/package/sudo/0001-fix-CVE-2017-1000367.patch new file mode 100644 index 0000000000..6e44399c05 --- /dev/null +++ b/package/sudo/0001-fix-CVE-2017-1000367.patch @@ -0,0 +1,264 @@ +Downloaded from upstream: https://www.sudo.ws/repos/sudo/raw-rev/b5460cbbb11b + +# HG changeset patch +# User Todd C. Miller +# Date 1496089973 21600 +# Node ID b5460cbbb11bbf9d92ffcc6798a686cf4125efd3 +# Parent c303e6eecc7841e2f891d70613e80fcf27fa6e86 +Fix for CVE-2017-1000367, parsing of /proc/pid/stat on Linux when +the process name contains spaces. Since the user has control over +the command name this could be used by a user with sudo access to +overwrite an arbitrary file. +Thanks to Qualys for investigating and reporting this bug. + +Also stop performing a breadth-first traversal of /dev when looking +for the device. Only the directories specified in search_devs[] +are checked. + +Signed-off-by: Peter Korsgaard +diff -r c303e6eecc78 -r b5460cbbb11b src/ttyname.c +--- a/src/ttyname.c Tue May 23 13:26:54 2017 -0600 ++++ b/src/ttyname.c Mon May 29 14:32:53 2017 -0600 +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2012-2016 Todd C. Miller ++ * Copyright (c) 2012-2017 Todd C. Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above +@@ -145,20 +145,22 @@ + } + #elif defined(HAVE_STRUCT_PSINFO_PR_TTYDEV) || defined(HAVE_PSTAT_GETPROC) || defined(__linux__) + /* +- * Devices to search before doing a breadth-first scan. ++ * Device nodes and directories to search before searching all of /dev + */ + static char *search_devs[] = { + "/dev/console", +- "/dev/wscons", +- "/dev/pts/", +- "/dev/vt/", +- "/dev/term/", +- "/dev/zcons/", ++ "/dev/pts/", /* POSIX pty */ ++ "/dev/vt/", /* Solaris virtual console */ ++ "/dev/term/", /* Solaris serial ports */ ++ "/dev/zcons/", /* Solaris zone console */ ++ "/dev/pty/", /* HP-UX old-style pty */ + NULL + }; + ++/* ++ * Device nodes to ignore when searching all of /dev ++ */ + static char *ignore_devs[] = { +- "/dev/fd/", + "/dev/stdin", + "/dev/stdout", + "/dev/stderr", +@@ -166,16 +168,18 @@ + }; + + /* +- * Do a breadth-first scan of dir looking for the specified device. ++ * Do a scan of a directory looking for the specified device. ++ * Does not descend into subdirectories. + * Returns name on success and NULL on failure, setting errno. + */ + static char * +-sudo_ttyname_scan(const char *dir, dev_t rdev, bool builtin, char *name, size_t namelen) ++sudo_ttyname_scan(const char *dir, dev_t rdev, char *name, size_t namelen) + { +- size_t sdlen, num_subdirs = 0, max_subdirs = 0; +- char pathbuf[PATH_MAX], **subdirs = NULL; ++ size_t sdlen; ++ char pathbuf[PATH_MAX]; + char *ret = NULL; + struct dirent *dp; ++ struct stat sb; + unsigned int i; + DIR *d = NULL; + debug_decl(sudo_ttyname_scan, SUDO_DEBUG_UTIL) +@@ -187,6 +191,18 @@ + if ((d = opendir(dir)) == NULL) + goto done; + ++ if (fstat(dirfd(d), &sb) == -1) { ++ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, ++ "unable to fstat %s", dir); ++ goto done; ++ } ++ if ((sb.st_mode & S_IWOTH) != 0) { ++ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, ++ "ignoring world-writable directory %s", dir); ++ errno = ENOENT; ++ goto done; ++ } ++ + sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO, + "scanning for dev %u in %s", (unsigned int)rdev, dir); + +@@ -224,18 +240,6 @@ + } + if (ignore_devs[i] != NULL) + continue; +- if (!builtin) { +- /* Skip entries in search_devs; we already checked them. */ +- for (i = 0; search_devs[i] != NULL; i++) { +- len = strlen(search_devs[i]); +- if (search_devs[i][len - 1] == '/') +- len--; +- if (d_len == len && strncmp(pathbuf, search_devs[i], len) == 0) +- break; +- } +- if (search_devs[i] != NULL) +- continue; +- } + # if defined(HAVE_STRUCT_DIRENT_D_TYPE) && defined(DTTOIF) + /* + * Avoid excessive stat() calls by checking dp->d_type. +@@ -248,39 +252,14 @@ + if (stat(pathbuf, &sb) == -1) + continue; + break; +- case DT_DIR: +- /* Directory, no need to stat() it. */ +- sb.st_mode = DTTOIF(dp->d_type); +- sb.st_rdev = 0; /* quiet ccc-analyzer false positive */ +- break; + default: +- /* Not a character device, link or directory, skip it. */ ++ /* Not a character device or link, skip it. */ + continue; + } + # else + if (stat(pathbuf, &sb) == -1) + continue; + # endif +- if (S_ISDIR(sb.st_mode)) { +- if (!builtin) { +- /* Add to list of subdirs to search. */ +- if (num_subdirs + 1 > max_subdirs) { +- char **new_subdirs; +- +- new_subdirs = reallocarray(subdirs, max_subdirs + 64, +- sizeof(char *)); +- if (new_subdirs == NULL) +- goto done; +- subdirs = new_subdirs; +- max_subdirs += 64; +- } +- subdirs[num_subdirs] = strdup(pathbuf); +- if (subdirs[num_subdirs] == NULL) +- goto done; +- num_subdirs++; +- } +- continue; +- } + if (S_ISCHR(sb.st_mode) && sb.st_rdev == rdev) { + sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO, + "resolved dev %u as %s", (unsigned int)rdev, pathbuf); +@@ -296,16 +275,9 @@ + } + } + +- /* Search subdirs if we didn't find it in the root level. */ +- for (i = 0; ret == NULL && i < num_subdirs; i++) +- ret = sudo_ttyname_scan(subdirs[i], rdev, false, name, namelen); +- + done: + if (d != NULL) + closedir(d); +- for (i = 0; i < num_subdirs; i++) +- free(subdirs[i]); +- free(subdirs); + debug_return_str(ret); + } + +@@ -324,7 +296,7 @@ + debug_decl(sudo_ttyname_dev, SUDO_DEBUG_UTIL) + + /* +- * First check search_devs for common tty devices. ++ * First check search_devs[] for common tty devices. + */ + for (sd = search_devs; (devname = *sd) != NULL; sd++) { + len = strlen(devname); +@@ -349,7 +321,7 @@ + "comparing dev %u to %s: no", (unsigned int)rdev, buf); + } else { + /* Traverse directory */ +- ret = sudo_ttyname_scan(devname, rdev, true, name, namelen); ++ ret = sudo_ttyname_scan(devname, rdev, name, namelen); + if (ret != NULL || errno == ENOMEM) + goto done; + } +@@ -367,9 +339,9 @@ + } + + /* +- * Not found? Do a breadth-first traversal of /dev/. ++ * Not found? Check all device nodes in /dev. + */ +- ret = sudo_ttyname_scan(_PATH_DEV, rdev, false, name, namelen); ++ ret = sudo_ttyname_scan(_PATH_DEV, rdev, name, namelen); + + done: + debug_return_str(ret); +@@ -493,28 +465,35 @@ + len = getline(&line, &linesize, fp); + fclose(fp); + if (len != -1) { +- /* Field 7 is the tty dev (0 if no tty) */ +- char *cp = line; +- char *ep = line; +- const char *errstr; +- int field = 0; +- while (*++ep != '\0') { +- if (*ep == ' ') { +- *ep = '\0'; +- if (++field == 7) { +- dev_t tdev = strtonum(cp, INT_MIN, INT_MAX, &errstr); +- if (errstr) { +- sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, +- "%s: tty device %s: %s", path, cp, errstr); ++ /* ++ * Field 7 is the tty dev (0 if no tty). ++ * Since the process name at field 2 "(comm)" may include spaces, ++ * start at the last ')' found. ++ */ ++ char *cp = strrchr(line, ')'); ++ if (cp != NULL) { ++ char *ep = cp; ++ const char *errstr; ++ int field = 1; ++ ++ while (*++ep != '\0') { ++ if (*ep == ' ') { ++ *ep = '\0'; ++ if (++field == 7) { ++ dev_t tdev = strtonum(cp, INT_MIN, INT_MAX, &errstr); ++ if (errstr) { ++ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, ++ "%s: tty device %s: %s", path, cp, errstr); ++ } ++ if (tdev > 0) { ++ errno = serrno; ++ ret = sudo_ttyname_dev(tdev, name, namelen); ++ goto done; ++ } ++ break; + } +- if (tdev > 0) { +- errno = serrno; +- ret = sudo_ttyname_dev(tdev, name, namelen); +- goto done; +- } +- break; ++ cp = ep + 1; + } +- cp = ep + 1; + } + } + } +