Control: tags -1 - moreinfo

On Tue, Aug 08, 2017 at 09:03:46PM +0200, Salvatore Bonaccorso wrote:
> Hi Adam,
>
> On Tue, Aug 08, 2017 at 11:25:53AM -0400, Adam D. Barratt wrote:
> > Control: tags -1 + confirmed
> >
> > On Tue, 2017-08-01 at 15:55 +0200, Salvatore Bonaccorso wrote:
> > > sudo in jessie is still affected by CVE-2017-1000368. The issue IMHO
> > > does not need a DSA, since with the previous fixes due to the /dev
> > > traversal changes the issue was not anymore exploitable. Still it
> > > would make sense IMHO to address it. Attached is the proposed debdiff.
> >
> > Please go ahead.
>
> I will not for now; fortunately spotted in time, there is a problem in
> my patch. I lost
>
> snprintf(path, sizeof(path), "/proc/%u/stat", (unsigned int)getpid());
>
> while backporting.
Attached is the updated debdiff, taking the approach of integrating upstream commit "Use /proc/self consistently on Linux [...]".

Regards,
Salvatore
diff -Nru sudo-1.8.10p3/debian/changelog sudo-1.8.10p3/debian/changelog --- sudo-1.8.10p3/debian/changelog 2017-05-28 13:25:43.000000000 +0200 +++ sudo-1.8.10p3/debian/changelog 2017-08-08 21:44:31.000000000 +0200 @@ -1,3 +1,11 @@ +sudo (1.8.10p3-1+deb8u5) jessie; urgency=medium + + * Non-maintainer upload. + * Use /proc/self consistently on Linux + * CVE-2017-1000368: Arbitrary terminal access (Closes: #863897) + + -- Salvatore Bonaccorso <car...@debian.org> Tue, 08 Aug 2017 21:44:31 +0200 + sudo (1.8.10p3-1+deb8u4) jessie-security; urgency=high * Non-maintainer upload by the Security Team. diff -Nru sudo-1.8.10p3/debian/patches/CVE-2017-1000368.patch sudo-1.8.10p3/debian/patches/CVE-2017-1000368.patch --- sudo-1.8.10p3/debian/patches/CVE-2017-1000368.patch 1970-01-01 01:00:00.000000000 +0100 +++ sudo-1.8.10p3/debian/patches/CVE-2017-1000368.patch 2017-08-08 21:44:31.000000000 +0200 
@@ -0,0 +1,75 @@ + +# HG changeset patch +# User Todd C. Miller <todd.mil...@courtesan.com> +# Date 1496243671 21600 +# Node ID 15a46f4007dde8e819dd2c70e670a529bbb9d312 +# Parent 6f3d9816541ba84055ae5aec6ff9d9523c2a96f3 +A command name may also contain newline characters so read +/proc/self/stat until EOF. It is not legal for /proc/self/stat to +contain embedded NUL bytes so treat the file as corrupt if we see +any. With help from Qualys. + +This is not exploitable due to the /dev traversal changes in sudo +1.8.20p1 (thanks Solar!). + +--- a/src/ttyname.c ++++ b/src/ttyname.c +@@ -413,23 +413,36 @@ char * + get_process_ttyname(void) + { + const char path[] = "/proc/self/stat"; +- char *line = NULL, *tty = NULL; +- size_t linesize = 0; +- ssize_t len; +- FILE *fp; ++ char *tty = NULL; ++ char *cp, buf[1024]; ++ ssize_t nread; ++ int fd; + debug_decl(get_process_ttyname, SUDO_DEBUG_UTIL) + +- /* Try to determine the tty from tty_nr in /proc/self/stat. */ +- if ((fp = fopen(path, "r")) != NULL) { +- len = getline(&line, &linesize, fp); +- fclose(fp); +- if (len != -1) { ++ /* ++ * Try to determine the tty from tty_nr in /proc/self/stat. ++ * Ignore /proc/self/stat if it contains embedded NUL bytes. ++ */ ++ if ((fd = open(path, O_RDONLY | O_NOFOLLOW)) != -1) { ++ cp = buf; ++ while ((nread = read(fd, cp, buf + sizeof(buf) - cp)) != 0) { ++ if (nread == -1) { ++ if (errno == EAGAIN || errno == EINTR) ++ continue; ++ break; ++ } ++ cp += nread; ++ if (cp >= buf + sizeof(buf)) ++ break; ++ } ++ if (nread == 0 && memchr(buf, '\0', cp - buf) == NULL) { + /* + * Field 7 is the tty dev (0 if no tty). +- * Since the process name at field 2 "(comm)" may include spaces, +- * start at the last ')' found. ++ * Since the process name at field 2 "(comm)" may include ++ * whitespace (including newlines), start at the last ')' found. 
+ */ +- char *cp = strrchr(line, ')'); ++ *cp = '\0'; ++ cp = strrchr(buf, ')'); + if (cp != NULL) { + char *ep = cp; + const char *errstr; +@@ -453,7 +466,8 @@ get_process_ttyname(void) + } + } + } +- efree(line); ++ if (fd != -1) ++ close(fd); + } + + debug_return_str(tty); diff -Nru sudo-1.8.10p3/debian/patches/Use-proc-self-consistently-on-Linux.patch sudo-1.8.10p3/debian/patches/Use-proc-self-consistently-on-Linux.patch --- sudo-1.8.10p3/debian/patches/Use-proc-self-consistently-on-Linux.patch 1970-01-01 01:00:00.000000000 +0100 +++ sudo-1.8.10p3/debian/patches/Use-proc-self-consistently-on-Linux.patch 2017-08-08 21:44:31.000000000 +0200 @@ -0,0 +1,29 @@ + +# HG changeset patch +# User Todd C. Miller <todd.mil...@courtesan.com> +# Date 1496162651 21600 +# Node ID ef737b5d4ed831178f6049e50ef085d79438d92a +# Parent 7ab1be502dc3ad227c6f6c687b004cea3b94bd66 +Use /proc/self consistently on Linux. As far as I know, only AIX +doesn't support /proc/self. + +--- a/src/ttyname.c ++++ b/src/ttyname.c +@@ -412,14 +412,14 @@ get_process_ttyname(void) + char * + get_process_ttyname(void) + { +- char path[PATH_MAX], *line = NULL, *tty = NULL; ++ const char path[] = "/proc/self/stat"; ++ char *line = NULL, *tty = NULL; + size_t linesize = 0; + ssize_t len; + FILE *fp; + debug_decl(get_process_ttyname, SUDO_DEBUG_UTIL) + +- /* Try to determine the tty from tty_nr in /proc/pid/stat. */ +- snprintf(path, sizeof(path), "/proc/%u/stat", (unsigned int)getpid()); ++ /* Try to determine the tty from tty_nr in /proc/self/stat. */ + if ((fp = fopen(path, "r")) != NULL) { + len = getline(&line, &linesize, fp); + fclose(fp); diff -Nru sudo-1.8.10p3/debian/patches/series sudo-1.8.10p3/debian/patches/series --- sudo-1.8.10p3/debian/patches/series 2017-05-28 13:25:43.000000000 +0200 +++ sudo-1.8.10p3/debian/patches/series 2017-08-08 21:44:31.000000000 +0200 
@@ -16,3 +16,5 @@ CVE-2015-5602-6.patch CVE-2015-5602-7.patch CVE-2017-1000367.patch +Use-proc-self-consistently-on-Linux.patch +CVE-2017-1000368.patch
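Review bot: the replacement body of get_process_ttyname() in CVE-2017-1000368.patch now calls open() with O_RDONLY | O_NOFOLLOW, read(), memchr() and tests errno for EAGAIN/EINTR, whereas the 1.8.10p3 code only used fopen()/getline(); please confirm that src/ttyname.c in this version already includes <fcntl.h>, <errno.h> and <string.h> (or add them in the patch), since the upstream commit was written against a later tree and a missing include would only surface as a build failure. The buffer handling itself looks sound: the loop breaks as soon as cp reaches buf + sizeof(buf) with nread != 0, so the `*cp = '\0';` store only happens when nread == 0 and cp is still inside buf, and `memchr(buf, '\0', cp - buf) == NULL` rejects a stat file with embedded NUL bytes as the description says. One nit: `if (fd != -1)` before `close(fd);` is redundant because that line sits inside the `if ((fd = open(...)) != -1)` block where efree(line) used to be; harmless, and it matches upstream, so leaving it as-is keeps the backport a verbatim copy.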
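Review bot: the series hunk lists Use-proc-self-consistently-on-Linux.patch before CVE-2017-1000368.patch, which is the required order: the context lines of the second patch expect `const char path[] = "/proc/self/stat";`, which only the first patch introduces (replacing the snprintf() into `char path[PATH_MAX]` that the earlier backport lost), so swapping the two would make quilt refuse the CVE patch. Both new patch files carry only the upstream Mercurial header (`# HG changeset patch`, `# Node ID ...`); consider adding DEP-3 headers such as Origin: upstream with the changeset id and Bug-Debian: https://bugs.debian.org/863897 so the provenance of the backport is visible without consulting debian/changelog.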