Control: tags -1 - moreinfo Hi Niels, hi Bdale,
On Mon, Jun 05, 2017 at 12:20:00PM +0000, Niels Thykier wrote: > Control: tags -1 moreinfo > > Salvatore Bonaccorso: > > Package: release.debian.org > > Severity: normal > > User: [email protected] > > Usertags: unblock > > > > Hi > > > > Please unblock package sudo, actually a pre-approval request. > > > > The upload addresses CVE-2017-1000368, Arbitrary terminal access, > > which is #863897 in the BTS. See > > > > http://www.openwall.com/lists/oss-security/2017/06/02/7 > > > > I'm including the generated debdiff against the current version in > > stretch. > > > > unblock sudo/1.8.19p1-2.1 > > > > Regards, > > Salvatore > > > > According to the BTS, #863897 affects and is unfixed in unstable. Let's > fix it in unstable first. Yes, that's true. Okay, I have uploaded (without delay, and hope this is fine with Bdale!) the NMU to sid. > Otherwise, the diff looks fine (feel free to include > https://www.sudo.ws/repos/sudo/rev/6f3d9816541b as well). Thanks, I feel more comfortable following upstream. Attached is a new debdiff! Regards, Salvatore
diff -Nru sudo-1.8.19p1/debian/changelog sudo-1.8.19p1/debian/changelog
--- sudo-1.8.19p1/debian/changelog 2017-05-31 06:35:01.000000000 +0200
+++ sudo-1.8.19p1/debian/changelog 2017-06-05 14:22:55.000000000 +0200
@@ -1,3 +1,11 @@
+sudo (1.8.19p1-2.1) stretch; urgency=high
+
+ * Non-maintainer upload.
+ * Use /proc/self consistently on Linux
+ * CVE-2017-1000368: Arbitrary terminal access (Closes: #863897)
+
+ -- Salvatore Bonaccorso <[email protected]> Mon, 05 Jun 2017 14:22:55 +0200
+
 sudo (1.8.19p1-2) stretch; urgency=high
 * patch from upstream to fix CVE-2017-1000367, closes: #863731
diff -Nru sudo-1.8.19p1/debian/patches/CVE-2017-1000368.diff sudo-1.8.19p1/debian/patches/CVE-2017-1000368.diff
--- sudo-1.8.19p1/debian/patches/CVE-2017-1000368.diff 1970-01-01 01:00:00.000000000 +0100
+++ sudo-1.8.19p1/debian/patches/CVE-2017-1000368.diff 2017-06-05 14:22:55.000000000 +0200
@@ -0,0 +1,78 @@
+
+# HG changeset patch
+# User Todd C. Miller <[email protected]>
+# Date 1496243671 21600
+# Node ID 15a46f4007dde8e819dd2c70e670a529bbb9d312
+# Parent 6f3d9816541ba84055ae5aec6ff9d9523c2a96f3
+A command name may also contain newline characters so read
+/proc/self/stat until EOF. It is not legal for /proc/self/stat to
+contain embedded NUL bytes so treat the file as corrupt if we see
+any. With help from Qualys.
+
+This is not exploitable due to the /dev traversal changes in sudo
+1.8.20p1 (thanks Solar!).
+
+diff -r 6f3d9816541b -r 15a46f4007dd src/ttyname.c
+--- a/src/ttyname.c Tue May 30 10:44:11 2017 -0600
++++ b/src/ttyname.c Wed May 31 09:14:31 2017 -0600
+@@ -452,25 +452,37 @@
+ get_process_ttyname(char *name, size_t namelen)
+ {
+ const char path[] = "/proc/self/stat";
+- char *line = NULL;
++ char *cp, buf[1024];
+ char *ret = NULL;
+- size_t linesize = 0;
+ int serrno = errno;
+- ssize_t len;
+- FILE *fp;
++ ssize_t nread;
++ int fd;
+ debug_decl(get_process_ttyname, SUDO_DEBUG_UTIL)
+
+- /* Try to determine the tty from tty_nr in /proc/self/stat. */
+- if ((fp = fopen(path, "r")) != NULL) {
+- len = getline(&line, &linesize, fp);
+- fclose(fp);
+- if (len != -1) {
++ /*
++ * Try to determine the tty from tty_nr in /proc/self/stat.
++ * Ignore /proc/self/stat if it contains embedded NUL bytes.
++ */
++ if ((fd = open(path, O_RDONLY | O_NOFOLLOW)) != -1) {
++ cp = buf;
++ while ((nread = read(fd, cp, buf + sizeof(buf) - cp)) != 0) {
++ if (nread == -1) {
++ if (errno == EAGAIN || errno == EINTR)
++ continue;
++ break;
++ }
++ cp += nread;
++ if (cp >= buf + sizeof(buf))
++ break;
++ }
++ if (nread == 0 && memchr(buf, '\0', cp - buf) == NULL) {
+ /*
+ * Field 7 is the tty dev (0 if no tty).
+- * Since the process name at field 2 "(comm)" may include spaces,
+- * start at the last ')' found.
++ * Since the process name at field 2 "(comm)" may include
++ * whitespace (including newlines), start at the last ')' found.
+ */
+- char *cp = strrchr(line, ')');
++ *cp = '\0';
++ cp = strrchr(buf, ')');
+ if (cp != NULL) {
+ char *ep = cp;
+ const char *errstr;
+@@ -501,7 +513,8 @@
+ errno = ENOENT;
+
+ done:
+- free(line);
++ if (fd != -1)
++ close(fd);
+ if (ret == NULL)
+ sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO|SUDO_DEBUG_ERRNO,
+ "unable to resolve tty via %s", path);
+
diff -Nru sudo-1.8.19p1/debian/patches/series sudo-1.8.19p1/debian/patches/series
--- sudo-1.8.19p1/debian/patches/series 2017-05-31 06:35:01.000000000 +0200
+++ sudo-1.8.19p1/debian/patches/series 2017-06-05 14:22:55.000000000 +0200
@@ -1,3 +1,5 @@
 typo-in-classic-insults.diff
 paths-in-samples.diff
 CVE-2017-1000367.patch
+use-proc-self-consistently-on-linux.diff
+CVE-2017-1000368.diff
diff -Nru sudo-1.8.19p1/debian/patches/use-proc-self-consistently-on-linux.diff sudo-1.8.19p1/debian/patches/use-proc-self-consistently-on-linux.diff
--- sudo-1.8.19p1/debian/patches/use-proc-self-consistently-on-linux.diff 1970-01-01 01:00:00.000000000 +0100
+++ sudo-1.8.19p1/debian/patches/use-proc-self-consistently-on-linux.diff 2017-06-05 14:22:55.000000000 +0200
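Review bot: The fixed 1024-byte buf makes the new read loop in get_process_ttyname treat a /proc/self/stat that does not fit as unreadable: `if (cp >= buf + sizeof(buf)) break;` leaves nread positive, so the `nread == 0` test fails and control falls through to the `errno = ENOENT` path shown in the second inner hunk. That is a safe failure mode (and it also keeps the later `*cp = '\0'` inside buf), but nothing in the hunk says it is deliberate; a comment above the loop such as `/* Read to EOF; a stat line too large for buf is treated as unreadable and falls through to ENOENT. */` would save the next reader from re-deriving it. The EAGAIN retry looks unreachable for a blocking open of a procfs file, so it is presumably harmless, though worth confirming. The inner hunk cuts through get_process_ttyname; the field parsing after strrchr() and the rest of the function lie outside it.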
@@ -0,0 +1,33 @@
+
+# HG changeset patch
+# User Todd C. Miller <[email protected]>
+# Date 1496162651 21600
+# Node ID 6f3d9816541ba84055ae5aec6ff9d9523c2a96f3
+# Parent 98ef2ef47aba10f6b83904dca4d446c4b8f24987
+Use /proc/self consistently on Linux. As far as I know, only AIX
+doesn't support /proc/self.
+
+diff -r 98ef2ef47aba -r 6f3d9816541b src/ttyname.c
+--- a/src/ttyname.c Mon May 29 14:36:35 2017 -0600
++++ b/src/ttyname.c Tue May 30 10:44:11 2017 -0600
+@@ -451,7 +451,8 @@
+ char *
+ get_process_ttyname(char *name, size_t namelen)
+ {
+- char path[PATH_MAX], *line = NULL;
++ const char path[] = "/proc/self/stat";
++ char *line = NULL;
+ char *ret = NULL;
+ size_t linesize = 0;
+ int serrno = errno;
+@@ -459,8 +460,7 @@
+ FILE *fp;
+ debug_decl(get_process_ttyname, SUDO_DEBUG_UTIL)
+
+- /* Try to determine the tty from tty_nr in /proc/pid/stat. */
+- snprintf(path, sizeof(path), "/proc/%u/stat", (unsigned int)getpid());
++ /* Try to determine the tty from tty_nr in /proc/self/stat. */
+ if ((fp = fopen(path, "r")) != NULL) {
+ len = getline(&line, &linesize, fp);
+ fclose(fp);
+

