Hi,

Proposed debdiff aiming for jessie is attached.

Regards,
Salvatore
diff -Nru sudo-1.8.10p3/debian/changelog sudo-1.8.10p3/debian/changelog --- sudo-1.8.10p3/debian/changelog 2015-01-19 06:56:53.000000000 +0100 +++ sudo-1.8.10p3/debian/changelog 2015-02-18 17:55:25.000000000 +0100 @@ -1,3 +1,13 @@ +sudo (1.8.10p3-1+deb8u2) testing-proposed-updates; urgency=medium + + * Add CVE-2014-9680-1.patch patch. + CVE-2014-9680: unsafe handling of TZ environment variable. (Closes: #772707) + * Add CVE-2014-9680-2.patch patch. + Documents that a leading ':' is skipped when checking TZ for a + fully-qualified path name. + + -- Salvatore Bonaccorso <[email protected]> Wed, 18 Feb 2015 17:50:12 +0100 + sudo (1.8.10p3-1+deb8u1) testing-proposed-updates; urgency=medium * Non-maintainer upload. diff -Nru sudo-1.8.10p3/debian/patches/CVE-2014-9680-1.patch sudo-1.8.10p3/debian/patches/CVE-2014-9680-1.patch --- sudo-1.8.10p3/debian/patches/CVE-2014-9680-1.patch 1970-01-01 01:00:00.000000000 +0100 +++ sudo-1.8.10p3/debian/patches/CVE-2014-9680-1.patch 2015-02-18 17:55:25.000000000 +0100 
@@ -0,0 +1,380 @@ +Description: CVE-2014-9680: unsafe handling of TZ environment variable + The TZ environment variable was passed through unchecked. Most libc + tzset() implementations support passing an absolute pathname in the time + zone to point to an arbitrary, user-controlled file. This may be used + to exploit bugs in the C library's TZ parser or open files the user + would not otherwise have access to. Arbitrary file access via TZ could + also be used in a denial of service attack by reading from a file or + fifo that will block. +Origin: backport, http://www.sudo.ws/repos/sudo/rev/650ac6938b59, + http://www.sudo.ws/repos/sudo/rev/ac1467f71ac0 +Bug-Debian: https://bugs.debian.org/772707 +Forwarded: not-needed +Author: Todd C. Miller <[email protected]> +Author: Salvatore Bonaccorso <[email protected]> +Last-Update: 2015-02-18 +Applied-Upstream: 1.8.12 + +--- a/configure ++++ b/configure +@@ -882,6 +882,7 @@ with_timedir + with_rundir + with_vardir + with_iologdir ++with_tzdir + with_sendmail + with_sudoers_mode + with_sudoers_uid +@@ -1670,6 +1671,7 @@ Optional Packages: + --with-rundir=DIR path to the sudo time stamp parent dir + --with-vardir=DIR path to the sudo var dir + --with-iologdir=DIR directory to store sudo I/O log files in ++ --with-tzdir=DIR path to the time zone data directory + --with-sendmail set path to sendmail + --without-sendmail do not send mail at all + --with-sudoers-mode mode of sudoers file (defaults to 0440) +@@ -4773,6 +4775,16 @@ fi + + + ++# Check whether --with-tzdir was given. ++if test "${with_tzdir+set}" = set; then : ++ withval=$with_tzdir; case $with_tzdir in ++ yes) as_fn_error $? "\"must give --with-tzdir an argument.\"" "$LINENO" 5 ++ ;; ++esac ++fi ++ ++ ++ + # Check whether --with-sendmail was given. 
+ if test "${with_sendmail+set}" = set; then : + withval=$with_sendmail; case $with_sendmail in +@@ -21483,6 +21495,27 @@ EOF + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $iolog_dir" >&5 + $as_echo "$iolog_dir" >&6; } + ++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking time zone data directory" >&5 ++$as_echo_n "checking time zone data directory... " >&6; } ++tzdir="$with_tzdir" ++if test -z "$tzdir"; then ++ tzdir=no ++ for d in /usr/share /usr/share/lib /usr/lib /etc; do ++ if test -d "$d/zoneinfo"; then ++ tzdir="$d/zoneinfo" ++ break ++ fi ++ done ++fi ++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $tzdir" >&5 ++$as_echo "$tzdir" >&6; } ++if test "${tzdir}" != "no"; then ++ cat >>confdefs.h <<EOF ++#define _PATH_ZONEINFO "$tzdir" ++EOF ++ ++fi ++ + + + ac_c_werror_flag=yes +--- a/configure.ac ++++ b/configure.ac +@@ -816,6 +816,12 @@ AC_ARG_WITH(iologdir, [AS_HELP_STRING([- + ;; + esac]) + ++AC_ARG_WITH(tzdir, [AS_HELP_STRING([--with-tzdir=DIR], [path to the time zone data directory])], ++[case $with_tzdir in ++ yes) AC_MSG_ERROR(["must give --with-tzdir an argument."]) ++ ;; ++esac]) ++ + AC_ARG_WITH(sendmail, [AS_HELP_STRING([--with-sendmail], [set path to sendmail]) + AS_HELP_STRING([--without-sendmail], [do not send mail at all])], + [case $with_sendmail in +@@ -3446,6 +3452,7 @@ SUDO_LOGFILE + SUDO_RUNDIR + SUDO_VARDIR + SUDO_IO_LOGDIR ++SUDO_TZDIR + + dnl + dnl Turn warnings into errors. +--- a/doc/sudoers.cat ++++ b/doc/sudoers.cat +@@ -1628,19 +1628,35 @@ SSUUDDOOEERRSS OOPPTTIIOONN + LLiissttss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: + + env_check Environment variables to be removed from the user's +- environment if the variable's value contains `%' or `/' ++ environment unless they are considered ``safe''. ++ For all variables except TZ, ``safe'' means that the ++ variable's value does not contain any `%' or `/' + characters. 
This can be used to guard against printf- + style format vulnerabilities in poorly-written +- programs. The argument may be a double-quoted, space- +- separated list or a single value without double-quotes. +- The list can be replaced, added to, deleted from, or +- disabled by using the =, +=, -=, and ! operators +- respectively. Regardless of whether the env_reset +- option is enabled or disabled, variables specified by +- env_check will be preserved in the environment if they +- pass the aforementioned check. The default list of +- environment variables to check is displayed when ssuuddoo +- is run by root with the --VV option. ++ programs. The TZ variable is considered unsafe if any ++ of the following are true: ++ ++ ++oo It consists of a fully-qualified path name that ++ does not match the location of the _z_o_n_e_i_n_f_o ++ directory. ++ ++ ++oo It contains a _._. path element. ++ ++ ++oo It contains white space or non-printable ++ characters. ++ ++ ++oo It is longer than the value of PATH_MAX. ++ ++ The argument may be a double-quoted, space-separated ++ list or a single value without double-quotes. The list ++ can be replaced, added to, deleted from, or disabled by ++ using the =, +=, -=, and ! operators respectively. ++ Regardless of whether the env_reset option is enabled ++ or disabled, variables specified by env_check will be ++ preserved in the environment if they pass the ++ aforementioned check. The default list of environment ++ variables to check is displayed when ssuuddoo is run by ++ root with the --VV option. + + env_delete Environment variables to be removed from the user's + environment when the _e_n_v___r_e_s_e_t option is not in effect. 
+--- a/doc/sudoers.man.in ++++ b/doc/sudoers.man.in +@@ -3336,14 +3336,45 @@ The default value is + \fBLists that can be used in a boolean context\fR: + .TP 18n + env_check +-Environment variables to be removed from the user's environment if +-the variable's value contains ++Environment variables to be removed from the user's environment ++unless they are considered ++\(lqsafe\(rq. ++For all variables except ++\fRTZ\fR, ++\(lqsafe\(rq ++means that the variable's value does not contain any + \(oq%\(cq + or + \(oq/\(cq + characters. + This can be used to guard against printf-style format vulnerabilities + in poorly-written programs. ++The ++\fRTZ\fR ++variable is considered unsafe if any of the following are true: ++.PP ++.RS 18n ++.PD 0 ++.TP 4n ++\fB\(bu\fR ++It consists of a fully-qualified path name that does not match ++the location of the ++\fIzoneinfo\fR ++directory. ++.PD ++.TP 4n ++\fB\(bu\fR ++It contains a ++\fI..\fR ++path element. ++.TP 4n ++\fB\(bu\fR ++It contains white space or non-printable characters. ++.TP 4n ++\fB\(bu\fR ++It is longer than the value of ++\fRPATH_MAX\fR. ++.PP + The argument may be a double-quoted, space-separated list or a + single value without double-quotes. + The list can be replaced, added to, deleted from, or disabled by using +@@ -3365,6 +3396,7 @@ is run by root with + the + \fB\-V\fR + option. ++.RE + .TP 18n + env_delete + Environment variables to be removed from the user's environment when the +--- a/doc/sudoers.mdoc.in ++++ b/doc/sudoers.mdoc.in +@@ -3095,14 +3095,39 @@ The default value is + .Sy Lists that can be used in a boolean context : + .Bl -tag -width 16n + .It env_check +-Environment variables to be removed from the user's environment if +-the variable's value contains ++Environment variables to be removed from the user's environment ++unless they are considered ++.Dq safe . 
++For all variables except ++.Li TZ , ++.Dq safe ++means that the variable's value does not contain any + .Ql % + or + .Ql / + characters. + This can be used to guard against printf-style format vulnerabilities + in poorly-written programs. ++The ++.Li TZ ++variable is considered unsafe if any of the following are true: ++.Bl -bullet ++.It ++It consists of a fully-qualified path name that does not match ++the location of the ++.Pa zoneinfo ++directory. ++.It ++It contains a ++.Pa .. ++path element. ++.It ++It contains white space or non-printable characters. ++.It ++It is longer than the value of ++.Li PATH_MAX . ++.El ++.Pp + The argument may be a double-quoted, space-separated list or a + single value without double-quotes. + The list can be replaced, added to, deleted from, or disabled by using +--- a/m4/sudo.m4 ++++ b/m4/sudo.m4 +@@ -119,6 +119,26 @@ fi + ])dnl + + dnl ++dnl Detect time zone file directory, if any. ++dnl ++AC_DEFUN([SUDO_TZDIR], [AC_MSG_CHECKING(time zone data directory) ++tzdir="$with_tzdir" ++if test -z "$tzdir"; then ++ tzdir=no ++ for d in /usr/share /usr/share/lib /usr/lib /etc; do ++ if test -d "$d/zoneinfo"; then ++ tzdir="$d/zoneinfo" ++ break ++ fi ++ done ++fi ++AC_MSG_RESULT([$tzdir]) ++if test "${tzdir}" != "no"; then ++ SUDO_DEFINE_UNQUOTED(_PATH_ZONEINFO, "$tzdir") ++fi ++])dnl ++ ++dnl + dnl Parent directory for time stamp dir. 
+ dnl + AC_DEFUN([SUDO_RUNDIR], [AC_MSG_CHECKING(for sudo run dir location) +--- a/pathnames.h.in ++++ b/pathnames.h.in +@@ -178,3 +178,7 @@ + #ifndef _PATH_NETSVC_CONF + #undef _PATH_NETSVC_CONF + #endif /* _PATH_NETSVC_CONF */ ++ ++#ifndef _PATH_ZONEINFO ++# undef _PATH_ZONEINFO ++#endif /* _PATH_ZONEINFO */ +--- a/plugins/sudoers/env.c ++++ b/plugins/sudoers/env.c +@@ -197,6 +197,7 @@ static const char *initial_checkenv_tabl + "LC_*", + "LINGUAS", + "TERM", ++ "TZ", + NULL + }; + +@@ -212,7 +213,6 @@ static const char *initial_keepenv_table + "PATH", + "PS1", + "PS2", +- "TZ", + "XAUTHORITY", + "XAUTHORIZATION", + NULL +@@ -576,6 +576,54 @@ matches_env_delete(const char *var) + } + + /* ++ * Sanity-check the TZ environment variable. ++ * On many systems it is possible to set this to a pathname. ++ */ ++static bool ++tz_is_sane(const char *tzval) ++{ ++ const char *cp; ++ char lastch; ++ debug_decl(tz_is_sane, SUDO_DEBUG_ENV) ++ ++ /* tzcode treats a value beginning with a ':' as a path. */ ++ if (tzval[0] == ':') ++ tzval++; ++ ++ /* Reject fully-qualified TZ that doesn't being with the zoneinfo dir. */ ++ if (tzval[0] == '/') { ++#ifdef _PATH_ZONEINFO ++ if (strncmp(tzval, _PATH_ZONEINFO, sizeof(_PATH_ZONEINFO) - 1) != 0 || ++ tzval[sizeof(_PATH_ZONEINFO) - 1] != '/') ++ debug_return_bool(false); ++#else ++ /* Assume the worst. */ ++ debug_return_bool(false); ++#endif ++ } ++ ++ /* ++ * Make sure TZ only contains printable non-space characters ++ * and does not contain a '..' path element. ++ */ ++ lastch = '/'; ++ for (cp = tzval; *cp != '\0'; cp++) { ++ if (isspace((unsigned char)*cp) || !isprint((unsigned char)*cp)) ++ debug_return_bool(false); ++ if (lastch == '/' && cp[0] == '.' && cp[1] == '.' && ++ (cp[2] == '/' || cp[2] == '\0')) ++ debug_return_bool(false); ++ lastch = *cp; ++ } ++ ++ /* Reject extra long TZ values (even if not a path). 
*/ ++ if ((size_t)(cp - tzval) >= PATH_MAX) ++ debug_return_bool(false); ++ ++ debug_return_bool(true); ++} ++ ++/* + * Apply the env_check list. + * Returns true if the variable is allowed, false if denied + * or -1 if no match. +@@ -599,7 +647,12 @@ matches_env_check(const char *var) + iswild = false; + if (strncmp(cur->value, var, len) == 0 && + (iswild || var[len] == '=')) { +- keepit = !strpbrk(var, "/%"); ++ if (strncmp(var, "TZ=", 3) == 0) { ++ /* Special case for TZ */ ++ keepit = tz_is_sane(var + 3); ++ } else { ++ keepit = !strpbrk(var, "/%"); ++ } + break; + } + } diff -Nru sudo-1.8.10p3/debian/patches/CVE-2014-9680-2.patch sudo-1.8.10p3/debian/patches/CVE-2014-9680-2.patch --- sudo-1.8.10p3/debian/patches/CVE-2014-9680-2.patch 1970-01-01 01:00:00.000000000 +0100 +++ sudo-1.8.10p3/debian/patches/CVE-2014-9680-2.patch 2015-02-18 17:55:25.000000000 +0100 
@@ -0,0 +1,56 @@ +Description: Document handling of leading ':' when checking TZ variable + Document that a leading ':' is skipped when checking TZ for a + fully-qualified path name. +Origin: backport, http://www.sudo.ws/repos/sudo/rev/91859f613b88, + http://www.sudo.ws/repos/sudo/rev/579b02f0dbe0 +Forwarded: not-needed +Author: Todd C. Miller <[email protected]> +Author: Salvatore Bonaccorso <[email protected]> +Last-Update: 2015-02-18 +Applied-Upstream: 1.8.12 + +--- a/doc/sudoers.cat ++++ b/doc/sudoers.cat +@@ -1636,9 +1636,9 @@ SSUUDDOOEERRSS OOPPTTIIOONN + programs. The TZ variable is considered unsafe if any + of the following are true: + +- ++oo It consists of a fully-qualified path name that +- does not match the location of the _z_o_n_e_i_n_f_o +- directory. ++ ++oo It consists of a fully-qualified path name, ++ optionally prefixed with a colon (`:'), that does ++ not match the location of the _z_o_n_e_i_n_f_o directory. + + ++oo It contains a _._. path element. + +--- a/doc/sudoers.man.in ++++ b/doc/sudoers.man.in +@@ -3357,8 +3357,10 @@ variable is considered unsafe if any of + .PD 0 + .TP 4n + \fB\(bu\fR +-It consists of a fully-qualified path name that does not match +-the location of the ++It consists of a fully-qualified path name, ++optionally prefixed with a colon ++(\(oq:\&\(cq), ++that does not match the location of the + \fIzoneinfo\fR + directory. + .PD +--- a/doc/sudoers.mdoc.in ++++ b/doc/sudoers.mdoc.in +@@ -3113,8 +3113,10 @@ The + variable is considered unsafe if any of the following are true: + .Bl -bullet + .It +-It consists of a fully-qualified path name that does not match +-the location of the ++It consists of a fully-qualified path name, ++optionally prefixed with a colon ++.Pq Ql :\& , ++that does not match the location of the + .Pa zoneinfo + directory. 
+ .It diff -Nru sudo-1.8.10p3/debian/patches/series sudo-1.8.10p3/debian/patches/series --- sudo-1.8.10p3/debian/patches/series 2015-01-19 06:56:17.000000000 +0100 +++ sudo-1.8.10p3/debian/patches/series 2015-02-18 17:55:25.000000000 +0100 @@ -1,3 +1,5 @@ typo-in-classic-insults.diff paths-in-samples.diff Fix-for-broken-FQDN-host-specifications.diff +CVE-2014-9680-1.patch +CVE-2014-9680-2.patch
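Review bot: the tzdir detection added to configure / m4/sudo.m4 (SUDO_TZDIR) only defines _PATH_ZONEINFO when a zoneinfo directory exists on the build host; if it is absent from the build chroot the #else branch in tz_is_sane() ("Assume the worst.") rejects every absolute TZ value at runtime. Since the debdiff touches no debian/rules, consider passing the new --with-tzdir=/usr/share/zoneinfo option explicitly there so the result does not depend on tzdata being installed when the package builds.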
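Review bot: in the plugins/sudoers/env.c hunk the comment "Reject fully-qualified TZ that doesn't being with the zoneinfo dir." should read "doesn't begin with". The same hunk adds calls to isspace()/isprint() and uses PATH_MAX without adding any includes, so please confirm env.c already pulls in <ctype.h> and has PATH_MAX available on the jessie toolchain; otherwise the backport will fail to compile rather than fail safe.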
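Review bot: the debian/changelog entry only says "unsafe handling of TZ environment variable", but the env.c hunks also move "TZ" from initial_keepenv_table to initial_checkenv_table, which is a user-visible change to the default lists shown by sudo -V. Suggest adding a sentence to the changelog noting that TZ is now in the default env_check list rather than env_keep, so administrators who have customised those lists know to review them.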