Your message dated Mon, 05 Jun 2017 20:06:00 +0000
with message-id <[email protected]>
and subject line Re: Bug#864217: unblock: sudo/1.8.19p1-2.1 (pre-approval
request)
has caused the Debian Bug report #864217,
regarding unblock: sudo/1.8.19p1-2.1 (pre-approval request)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
864217: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864217
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Hi
Please unblock package sudo, actually a pre-approval request.
The upload addresses CVE-2017-1000368, Arbitrary terminal access,
which is #863897 in the BTS. See
http://www.openwall.com/lists/oss-security/2017/06/02/7
I'm including the generated debdiff against the current version in
stretch.
unblock sudo/1.8.19p1-2.1
Regards,
Salvatore
diff -Nru sudo-1.8.19p1/debian/changelog sudo-1.8.19p1/debian/changelog
--- sudo-1.8.19p1/debian/changelog 2017-05-31 06:35:01.000000000 +0200
+++ sudo-1.8.19p1/debian/changelog 2017-06-05 06:19:37.000000000 +0200
@@ -1,3 +1,10 @@
+sudo (1.8.19p1-2.1) stretch; urgency=high
+
+ * Non-maintainer upload.
+ * CVE-2017-1000368: Arbitrary terminal access (Closes: #863897)
+
+ -- Salvatore Bonaccorso <[email protected]> Mon, 05 Jun 2017 06:19:37 +0200
+
sudo (1.8.19p1-2) stretch; urgency=high
* patch from upstream to fix CVE-2017-1000367, closes: #863731
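Review bot: the new 1.8.19p1-2.1 entry gives the CVE and the bug closure but not where the fix comes from or which file carries it. The 1.8.19p1-2 entry below it says "patch from upstream"; saying the same here and naming debian/patches/CVE-2017-1000368.patch would let someone reading only the changelog find the change. The commit message carried in that patch says the issue is not exploitable because of the /dev traversal changes in sudo 1.8.20p1, so the entry should also state whether that holds for this 1.8.19p1-based package.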
diff -Nru sudo-1.8.19p1/debian/patches/CVE-2017-1000368.patch sudo-1.8.19p1/debian/patches/CVE-2017-1000368.patch
--- sudo-1.8.19p1/debian/patches/CVE-2017-1000368.patch 1970-01-01 01:00:00.000000000 +0100
+++ sudo-1.8.19p1/debian/patches/CVE-2017-1000368.patch 2017-06-05 06:19:37.000000000 +0200
@@ -0,0 +1,78 @@
+
+# HG changeset patch
+# User Todd C. Miller <[email protected]>
+# Date 1496243671 21600
+# Node ID 15a46f4007dde8e819dd2c70e670a529bbb9d312
+# Parent 6f3d9816541ba84055ae5aec6ff9d9523c2a96f3
+A command name may also contain newline characters so read
+/proc/self/stat until EOF. It is not legal for /proc/self/stat to
+contain embedded NUL bytes so treat the file as corrupt if we see
+any. With help from Qualys.
+
+This is not exploitable due to the /dev traversal changes in sudo
+1.8.20p1 (thanks Solar!).
+
+--- a/src/ttyname.c
++++ b/src/ttyname.c
+@@ -447,26 +447,39 @@ done:
+ char *
+ get_process_ttyname(char *name, size_t namelen)
+ {
+- char path[PATH_MAX], *line = NULL;
++ char path[PATH_MAX];
++ char *cp, buf[1024];
+ char *ret = NULL;
+- size_t linesize = 0;
+ int serrno = errno;
+- ssize_t len;
+- FILE *fp;
++ ssize_t nread;
++ int fd;
+ debug_decl(get_process_ttyname, SUDO_DEBUG_UTIL)
+
+- /* Try to determine the tty from tty_nr in /proc/pid/stat. */
++ /*
++ * Try to determine the tty from tty_nr in /proc/pid/stat.
++ * Ignore /proc/pid/stat if it contains embedded NUL bytes.
++ */
+ snprintf(path, sizeof(path), "/proc/%u/stat", (unsigned int)getpid());
+- if ((fp = fopen(path, "r")) != NULL) {
+- len = getline(&line, &linesize, fp);
+- fclose(fp);
+- if (len != -1) {
++ if ((fd = open(path, O_RDONLY | O_NOFOLLOW)) != -1) {
++ cp = buf;
++ while ((nread = read(fd, cp, buf + sizeof(buf) - cp)) != 0) {
++ if (nread == -1) {
++ if (errno == EAGAIN || errno == EINTR)
++ continue;
++ break;
++ }
++ cp += nread;
++ if (cp >= buf + sizeof(buf))
++ break;
++ }
++ if (nread == 0 && memchr(buf, '\0', cp - buf) == NULL) {
+ /*
+ * Field 7 is the tty dev (0 if no tty).
+- * Since the process name at field 2 "(comm)" may include spaces,
+- * start at the last ')' found.
++ * Since the process name at field 2 "(comm)" may include
++ * whitespace (including newlines), start at the last ')' found.
+ */
+- char *cp = strrchr(line, ')');
++ *cp = '\0';
++ cp = strrchr(buf, ')');
+ if (cp != NULL) {
+ char *ep = cp;
+ const char *errstr;
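Review bot: the new comment above snprintf() documents only the embedded-NUL case, but the read loop also discards the file when it fills buf[1024]. The "if (cp >= buf + sizeof(buf)) break;" exit leaves nread non-zero, so the "nread == 0 && memchr(...)" test fails and /proc/pid/stat is treated as unusable. Suggest stating that limit in the comment, since it is also what keeps "*cp = '\0';" inside buf. Separately, the switch from fopen()/getline() to open() with O_RDONLY | O_NOFOLLOW needs <fcntl.h>, and neither hunk of this patch touches the includes, so confirm ttyname.c already pulls it in.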
+@@ -497,7 +510,8 @@ get_process_ttyname(char *name, size_t n
+ errno = ENOENT;
+
+ done:
+- free(line);
++ if (fd != -1)
++ close(fd);
+ if (ret == NULL)
+ sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO|SUDO_DEBUG_ERRNO,
+ "unable to resolve tty via %s", path);
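Review bot: at the done: label, close(fd) now runs after "errno = ENOENT;" and before the sudo_debug_printf() call that passes SUDO_DEBUG_ERRNO, so a failing close() can replace the errno value that message reports. The descriptor is not needed once the read loop has finished. Closing it right after the loop, and dropping the "if (fd != -1)" test here, would avoid that and would not rely on fd having been assigned on every path that reaches done:.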
diff -Nru sudo-1.8.19p1/debian/patches/series sudo-1.8.19p1/debian/patches/series
--- sudo-1.8.19p1/debian/patches/series 2017-05-31 06:35:01.000000000 +0200
+++ sudo-1.8.19p1/debian/patches/series 2017-06-05 06:19:37.000000000 +0200
@@ -1,3 +1,4 @@
typo-in-classic-insults.diff
paths-in-samples.diff
CVE-2017-1000367.patch
+CVE-2017-1000368.patch
--- End Message ---
--- Begin Message ---
Salvatore Bonaccorso:
> Control: tags -1 - moreinfo
>
> Hi Niels,
>
> [...]
>
> Thank you, done!
>
> Regards,
> Salvatore
>
Approved, thanks.
~Niels
--- End Message ---