Bug#1133278: trixie-pu: package sudo/1.9.16p2-3+deb13u2

2026-05-04 Thread Marc Haber

On Sun, May 03, 2026 at 11:56:18AM +0100, Adam D. Barratt wrote:

On Sat, 2026-04-11 at 14:44 +0200, Marc Haber wrote:

This sudo upload fixes CVE-2026-35535.


Please go ahead.


I apologize, I didn't notice that my initial upload in April was 
rejected.


Greetings
Marc

--
-
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany|  lose things."Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421



Bug#1133278: trixie-pu: package sudo/1.9.16p2-3+deb13u2

2026-05-03 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Sat, 2026-04-11 at 14:44 +0200, Marc Haber wrote:
> This sudo upload fixes CVE-2026-35535.

Please go ahead.

Regards,

Adam



Bug#1133278: trixie-pu: package sudo/1.9.16p2-3+deb13u2

2026-04-11 Thread Marc Haber

On Sat, Apr 11, 2026 at 02:55:49PM +0200, Marc Haber wrote:

On Sat, Apr 11, 2026 at 02:44:01PM +0200, Marc Haber wrote:

  [x] attach debdiff against the package in (old)stable


And _this_ attached debdiff is the correct one. It should differ only in
version numbers.


This is obviously not a good day for me. Aller guten Dinge sind Drei.

Grüße
Marc

--
-
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany|  lose things."Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421
diff --git a/debian/changelog b/debian/changelog
index 64eb4dc76..c92976b8d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+sudo (1.9.16p2-3+deb13u2) trixie; urgency=medium
+
+  * cherry-pick upstream exec_mailer-Set-group-as-well-as-uid.
+This is upstream and fixes CVE-2026-35535:
+https://github.com/sudo-project/sudo/commit/3e474c2 (Closes: #1130593)
+
+ -- Marc Haber   Sat, 11 Apr 2026 14:21:02 
+0200
+
 sudo (1.9.16p2-3+deb13u1) trixie; urgency=medium
 
   [ Marc Haber ]
diff --git 
a/debian/patches/0006-exec_mailer-Set-group-as-well-as-uid-when-running-th.patch
 
b/debian/patches/0006-exec_mailer-Set-group-as-well-as-uid-when-running-th.patch
new file mode 100644
index 0..7022a4463
--- /dev/null
+++ 
b/debian/patches/0006-exec_mailer-Set-group-as-well-as-uid-when-running-th.patch
@@ -0,0 +1,142 @@
+From: "Todd C. Miller" 
+Date: Sat, 8 Nov 2025 15:34:02 -0700
+Subject: exec_mailer: Set group as well as uid when running the mailer
+
+Also make a setuid(), setgid() or setgroups() failure fatal.
+
+Found by the ZeroPath AI Security Engineer 
+---
+ include/sudo_eventlog.h  |  3 ++-
+ lib/eventlog/eventlog.c  | 21 +
+ lib/eventlog/eventlog_conf.c |  4 +++-
+ plugins/sudoers/logging.c|  2 +-
+ plugins/sudoers/policy.c |  2 +-
+ 5 files changed, 24 insertions(+), 8 deletions(-)
+
+diff --git a/include/sudo_eventlog.h b/include/sudo_eventlog.h
+index eb9f4f4..485d259 100644
+--- a/include/sudo_eventlog.h
 b/include/sudo_eventlog.h
+@@ -80,6 +80,7 @@ struct eventlog_config {
+ int syslog_rejectpri;
+ int syslog_alertpri;
+ uid_t mailuid;
++gid_t mailgid;
+ bool omit_hostname;
+ const char *logpath;
+ const char *time_fmt;
+@@ -151,7 +152,7 @@ void eventlog_set_syslog_rejectpri(int pri);
+ void eventlog_set_syslog_alertpri(int pri);
+ void eventlog_set_syslog_maxlen(size_t len);
+ void eventlog_set_file_maxlen(size_t len);
+-void eventlog_set_mailuid(uid_t uid);
++void eventlog_set_mailuser(uid_t uid, gid_t gid);
+ void eventlog_set_omit_hostname(bool omit_hostname);
+ void eventlog_set_logpath(const char *path);
+ void eventlog_set_time_fmt(const char *fmt);
+diff --git a/lib/eventlog/eventlog.c b/lib/eventlog/eventlog.c
+index 5a32824..d56c4e4 100644
+--- a/lib/eventlog/eventlog.c
 b/lib/eventlog/eventlog.c
+@@ -304,15 +304,13 @@ exec_mailer(int pipein)
+   syslog(LOG_ERR, _("unable to dup stdin: %m")); // -V618
+   sudo_debug_printf(SUDO_DEBUG_ERROR,
+   "unable to dup stdin: %s", strerror(errno));
+-  sudo_debug_exit(__func__, __FILE__, __LINE__, sudo_debug_subsys);
+-  _exit(127);
++  goto bad;
+ }
+ 
+ /* Build up an argv based on the mailer path and flags */
+ if ((mflags = strdup(evl_conf->mailerflags)) == NULL) {
+   syslog(LOG_ERR, _("unable to allocate memory")); // -V618
+-  sudo_debug_exit(__func__, __FILE__, __LINE__, sudo_debug_subsys);
+-  _exit(127);
++  goto bad;
+ }
+ argv[0] = sudo_basename(mpath);
+ 
+@@ -331,11 +329,23 @@ exec_mailer(int pipein)
+ if (setuid(ROOT_UID) != 0) {
+   sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to change uid to %u",
+   ROOT_UID);
++  goto bad;
++}
++if (setgid(evl_conf->mailgid) != 0) {
++  sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to change gid to %u",
++  (unsigned int)evl_conf->mailgid);
++  goto bad;
++}
++if (setgroups(1, &evl_conf->mailgid) != 0) {
++  sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to set groups to %u",
++  (unsigned int)evl_conf->mailgid);
++  goto bad;
+ }
+ if (evl_conf->mailuid != ROOT_UID) {
+   if (setuid(evl_conf->mailuid) != 0) {
+   sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to change uid to %u",
+   (unsigned int)evl_conf->mailuid);
++  goto bad;
+   }
+ }
+ sudo_debug_exit(__func__, __FILE__, __LINE__, sudo_debug_subsys);
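Review bot: The new setgid() and setgroups() failure branches, and the setuid() branches that this hunk makes fatal, only call sudo_debug_printf before `goto bad`, so a privilege drop that now aborts the mailer with _exit(127) leaves no record in the system log unless sudo debug logging happens to be enabled; the dup and strdup failures in the previous hunk of this same file call syslog(LOG_ERR) as well. Since the mail is silently lost in that case, consider adding `syslog(LOG_ERR, _("unable to change gid to %u: %m"), (unsigned int)evl_conf->mailgid);` (and the matching message for setgroups and setuid) ahead of each new `goto bad`, so a failed drop to the mail user is visible to whoever audits the logs. The existing setuid(ROOT_UID) failure path in the context lines has the same gap, so this is partly pre-existing. The identical hunk (`@@ -331,11 +329,23 @@ exec_mailer`) appears again in the bookworm debdiff further down this page and the same comment applies there. exec_mailer begins and ends outside this hunk.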
+@@ -347,6 +357,9 @@ exec_mailer(int pipein)
+ sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to execute %s: %s",
+   mpath, strerror(errno));
+ _exit(127);
++bad:
++sudo_debug_exit(__func__, __FILE__, __LINE__, sudo_debug_subsys);
++_exit(127);
+ }
+ 
+ /* Send a message to the mailto user */
+diff --git a/l

Bug#1133278: trixie-pu: package sudo/1.9.16p2-3+deb13u2

2026-04-11 Thread Marc Haber
On Sat, Apr 11, 2026 at 02:44:01PM +0200, Marc Haber wrote:
>   [x] attach debdiff against the package in (old)stable

And _this_ attached debdiff is the correct one. It should differ only in 
version numbers.

Greetings
Marc


Bug#1133278: trixie-pu: package sudo/1.9.16p2-3+deb13u2

2026-04-11 Thread Marc Haber
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:sudo
User: [email protected]
Usertags: pu

[ Reason ]
This sudo upload fixes CVE-2026-35535.

[ Impact ]
If this is not approved, trixie's sudo will still be vulnerable.

[ Tests ]
none.

[ Risks ]
This is a backported upstream fix.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Apply upstream fix.
diff --git a/debian/changelog b/debian/changelog
index 2131df824..a7a3d3ed0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+sudo (1.9.13p3-1+deb12u4) bookworm; urgency=medium
+
+  * cherry-pick upstream exec_mailer-Set-group-as-well-as-uid.
+This is adapted from upstream and fixes CVE-2026-35535:
+https://github.com/sudo-project/sudo/commit/3e474c2 (Closes: #1130593)
+
+ -- Marc Haber   Sat, 11 Apr 2026 14:01:23 
+0200
+
 sudo (1.9.13p3-1+deb12u3) bookworm; urgency=medium
 
   * Apply a patch fro Marcos Del Sol Vives to Enable Intel CET on amd64 only.
diff --git 
a/debian/patches/0006-exec_mailer-Set-group-as-well-as-uid-when-running-th.patch
 
b/debian/patches/0006-exec_mailer-Set-group-as-well-as-uid-when-running-th.patch
new file mode 100644
index 0..5216b11a2
--- /dev/null
+++ 
b/debian/patches/0006-exec_mailer-Set-group-as-well-as-uid-when-running-th.patch
@@ -0,0 +1,132 @@
+From: "Todd C. Miller" 
+Date: Sat, 8 Nov 2025 15:34:02 -0700
+Subject: exec_mailer: Set group as well as uid when running the mailer
+
+Also make a setuid(), setgid() or setgroups() failure fatal.
+
+Found by the ZeroPath AI Security Engineer 
+---
+ include/sudo_eventlog.h  |  3 ++-
+ lib/eventlog/eventlog.c  | 21 +
+ lib/eventlog/eventlog_conf.c |  4 +++-
+ plugins/sudoers/logging.c|  2 +-
+ plugins/sudoers/policy.c |  2 +-
+ 5 files changed, 24 insertions(+), 8 deletions(-)
+
+--- a/include/sudo_eventlog.h
 b/include/sudo_eventlog.h
+@@ -79,6 +79,7 @@ struct eventlog_config {
+ int syslog_maxlen;
+ int file_maxlen;
+ uid_t mailuid;
++gid_t mailgid;
+ bool omit_hostname;
+ const char *logpath;
+ const char *time_fmt;
+@@ -146,7 +147,7 @@ void eventlog_set_syslog_rejectpri(int p
+ void eventlog_set_syslog_alertpri(int pri);
+ void eventlog_set_syslog_maxlen(int len);
+ void eventlog_set_file_maxlen(int len);
+-void eventlog_set_mailuid(uid_t uid);
++void eventlog_set_mailuser(uid_t uid, gid_t gid);
+ void eventlog_set_omit_hostname(bool omit_hostname);
+ void eventlog_set_logpath(const char *path);
+ void eventlog_set_time_fmt(const char *fmt);
+--- a/lib/eventlog/eventlog.c
 b/lib/eventlog/eventlog.c
+@@ -304,15 +304,13 @@ exec_mailer(int pipein)
+   syslog(LOG_ERR, _("unable to dup stdin: %m")); // -V618
+   sudo_debug_printf(SUDO_DEBUG_ERROR,
+   "unable to dup stdin: %s", strerror(errno));
+-  sudo_debug_exit(__func__, __FILE__, __LINE__, sudo_debug_subsys);
+-  _exit(127);
++  goto bad;
+ }
+ 
+ /* Build up an argv based on the mailer path and flags */
+ if ((mflags = strdup(evl_conf->mailerflags)) == NULL) {
+   syslog(LOG_ERR, _("unable to allocate memory")); // -V618
+-  sudo_debug_exit(__func__, __FILE__, __LINE__, sudo_debug_subsys);
+-  _exit(127);
++  goto bad;
+ }
+ argv[0] = sudo_basename(mpath);
+ 
+@@ -331,11 +329,23 @@ exec_mailer(int pipein)
+ if (setuid(ROOT_UID) != 0) {
+   sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to change uid to %u",
+   ROOT_UID);
++  goto bad;
++}
++if (setgid(evl_conf->mailgid) != 0) {
++  sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to change gid to %u",
++  (unsigned int)evl_conf->mailgid);
++  goto bad;
++}
++if (setgroups(1, &evl_conf->mailgid) != 0) {
++  sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to set groups to %u",
++  (unsigned int)evl_conf->mailgid);
++  goto bad;
+ }
+ if (evl_conf->mailuid != ROOT_UID) {
+   if (setuid(evl_conf->mailuid) != 0) {
+   sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to change uid to %u",
+   (unsigned int)evl_conf->mailuid);
++  goto bad;
+   }
+ }
+ sudo_debug_exit(__func__, __FILE__, __LINE__, sudo_debug_subsys);
+@@ -347,6 +357,9 @@ exec_mailer(int pipein)
+ sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to execute %s: %s",
+   mpath, strerror(errno));
+ _exit(127);
++bad:
++sudo_debug_exit(__func__, __FILE__, __LINE__, sudo_debug_subsys);
++_exit(127);
+ }
+ 
+ /* Send a message to the mailto user */
+--- a/lib/eventlog/eventlog_conf.c
 b/lib/eventlog/eventlog_conf.c
+@@ -70,6 +70,7 @@ static struct eventlog_config evl_conf =
+ MAXSYSLOGLEN, /* syslog_maxlen */
+ 0,