Control: tags -1 - moreinfo

On Tue, Aug 08, 2017 at 09:03:46PM +0200, Salvatore Bonaccorso wrote:
> Hi Adam,
> 
> On Tue, Aug 08, 2017 at 11:25:53AM -0400, Adam D. Barratt wrote:
> > Control: tags -1 + confirmed
> > 
> > On Tue, 2017-08-01 at 15:55 +0200, Salvatore Bonaccorso wrote:
> > > sudo in jessie is still affected by CVE-2017-1000368. The issue IMHO
> > > does not need a DSA, since with the previous fixes due to the /dev
> > > traversal changes the issue was not anymore exploitable. Still it
> > > would make sense IMHO to address it. Attached is the proposed debdiff.
> > 
> > Please go ahead.
> 
> I will not for now; fortunately it was spotted in time: there is a problem in
> my patch. I lost 
> 
> snprintf(path, sizeof(path), "/proc/%u/stat", (unsigned int)getpid());
> 
> while backporting.

Attached is the updated debdiff, taking the approach of integrating
upstream commit "Use /proc/self consistently on Linux [...]".

Regards,
Salvatore
diff -Nru sudo-1.8.10p3/debian/changelog sudo-1.8.10p3/debian/changelog
--- sudo-1.8.10p3/debian/changelog      2017-05-28 13:25:43.000000000 +0200
+++ sudo-1.8.10p3/debian/changelog      2017-08-08 21:44:31.000000000 +0200
@@ -1,3 +1,11 @@
+sudo (1.8.10p3-1+deb8u5) jessie; urgency=medium
+
+  * Non-maintainer upload.
+  * Use /proc/self consistently on Linux
+  * CVE-2017-1000368: Arbitrary terminal access (Closes: #863897)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Tue, 08 Aug 2017 21:44:31 +0200
+
 sudo (1.8.10p3-1+deb8u4) jessie-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff -Nru sudo-1.8.10p3/debian/patches/CVE-2017-1000368.patch 
sudo-1.8.10p3/debian/patches/CVE-2017-1000368.patch
--- sudo-1.8.10p3/debian/patches/CVE-2017-1000368.patch 1970-01-01 
01:00:00.000000000 +0100
+++ sudo-1.8.10p3/debian/patches/CVE-2017-1000368.patch 2017-08-08 
21:44:31.000000000 +0200
@@ -0,0 +1,75 @@
+
+# HG changeset patch
+# User Todd C. Miller <todd.mil...@courtesan.com>
+# Date 1496243671 21600
+# Node ID 15a46f4007dde8e819dd2c70e670a529bbb9d312
+# Parent  6f3d9816541ba84055ae5aec6ff9d9523c2a96f3
+A command name may also contain newline characters so read
+/proc/self/stat until EOF.  It is not legal for /proc/self/stat to
+contain embedded NUL bytes so treat the file as corrupt if we see
+any.  With help from Qualys.
+
+This is not exploitable due to the /dev traversal changes in sudo
+1.8.20p1 (thanks Solar!).
+
+--- a/src/ttyname.c
++++ b/src/ttyname.c
+@@ -413,23 +413,36 @@ char *
+ get_process_ttyname(void)
+ {
+     const char path[] = "/proc/self/stat";
+-    char *line = NULL, *tty = NULL;
+-    size_t linesize = 0;
+-    ssize_t len;
+-    FILE *fp;
++    char *tty = NULL;
++    char *cp, buf[1024];
++    ssize_t nread;
++    int fd;
+     debug_decl(get_process_ttyname, SUDO_DEBUG_UTIL)
+ 
+-    /* Try to determine the tty from tty_nr in /proc/self/stat. */
+-    if ((fp = fopen(path, "r")) != NULL) {
+-      len = getline(&line, &linesize, fp);
+-      fclose(fp);
+-      if (len != -1) {
++    /*
++     * Try to determine the tty from tty_nr in /proc/self/stat.
++     * Ignore /proc/self/stat if it contains embedded NUL bytes.
++     */
++    if ((fd = open(path, O_RDONLY | O_NOFOLLOW)) != -1) {
++        cp = buf;
++        while ((nread = read(fd, cp, buf + sizeof(buf) - cp)) != 0) {
++            if (nread == -1) {
++                if (errno == EAGAIN || errno == EINTR)
++                    continue;
++                break;
++            }
++            cp += nread;
++            if (cp >= buf + sizeof(buf))
++                break;
++        }
++        if (nread == 0 && memchr(buf, '\0', cp - buf) == NULL) {
+         /*
+          * Field 7 is the tty dev (0 if no tty).
+-         * Since the process name at field 2 "(comm)" may include spaces,
+-         * start at the last ')' found.
++         * Since the process name at field 2 "(comm)" may include
++         * whitespace (including newlines), start at the last ')' found.
+          */
+-        char *cp = strrchr(line, ')');
++        *cp = '\0';
++        cp = strrchr(buf, ')');
+         if (cp != NULL) {
+             char *ep = cp;
+             const char *errstr;
+@@ -453,7 +466,8 @@ get_process_ttyname(void)
+             }
+           }
+       }
+-      efree(line);
++    if (fd != -1)
++        close(fd);
+     }
+ 
+     debug_return_str(tty);
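Review bot: The `if (fd != -1)` guard before `close(fd)` near the end of the hunk is redundant, because that code sits inside the block entered only when `open()` returned a valid descriptor; a plain `close(fd);` reads better. The `if (cp >= buf + sizeof(buf)) break;` exit deserves a comment, since it leaves `nread > 0` and so deliberately discards a stat file that fills the buffer, which is also what keeps the later `*cp = '\0'` in bounds: `/* Buffer full: nread stays > 0 so the contents are treated as unusable. */`. As this is a backport to 1.8.10p3, confirm that src/ttyname.c there already includes <fcntl.h> and <string.h> for `open()`/`O_NOFOLLOW` and `memchr()`, which the upstream hunk does not add. Both new files under debian/patches (this one and Use-proc-self-consistently-on-Linux.patch) would benefit from DEP-3 `Origin:` and `Bug-Debian:` headers naming the upstream changeset and #863897. get_process_ttyname() continues between and beyond the two inner hunks.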
diff -Nru 
sudo-1.8.10p3/debian/patches/Use-proc-self-consistently-on-Linux.patch 
sudo-1.8.10p3/debian/patches/Use-proc-self-consistently-on-Linux.patch
--- sudo-1.8.10p3/debian/patches/Use-proc-self-consistently-on-Linux.patch      
1970-01-01 01:00:00.000000000 +0100
+++ sudo-1.8.10p3/debian/patches/Use-proc-self-consistently-on-Linux.patch      
2017-08-08 21:44:31.000000000 +0200
@@ -0,0 +1,29 @@
+
+# HG changeset patch
+# User Todd C. Miller <todd.mil...@courtesan.com>
+# Date 1496162651 21600
+# Node ID ef737b5d4ed831178f6049e50ef085d79438d92a
+# Parent  7ab1be502dc3ad227c6f6c687b004cea3b94bd66
+Use /proc/self consistently on Linux.  As far as I know, only AIX
+doesn't support /proc/self.
+
+--- a/src/ttyname.c
++++ b/src/ttyname.c
+@@ -412,14 +412,14 @@ get_process_ttyname(void)
+ char *
+ get_process_ttyname(void)
+ {
+-    char path[PATH_MAX], *line = NULL, *tty = NULL;
++    const char path[] = "/proc/self/stat";
++    char *line = NULL, *tty = NULL;
+     size_t linesize = 0;
+     ssize_t len;
+     FILE *fp;
+     debug_decl(get_process_ttyname, SUDO_DEBUG_UTIL)
+ 
+-    /* Try to determine the tty from tty_nr in /proc/pid/stat. */
+-    snprintf(path, sizeof(path), "/proc/%u/stat", (unsigned int)getpid());
++    /* Try to determine the tty from tty_nr in /proc/self/stat. */
+     if ((fp = fopen(path, "r")) != NULL) {
+       len = getline(&line, &linesize, fp);
+       fclose(fp);
diff -Nru sudo-1.8.10p3/debian/patches/series 
sudo-1.8.10p3/debian/patches/series
--- sudo-1.8.10p3/debian/patches/series 2017-05-28 13:25:43.000000000 +0200
+++ sudo-1.8.10p3/debian/patches/series 2017-08-08 21:44:31.000000000 +0200
@@ -16,3 +16,5 @@
 CVE-2015-5602-6.patch
 CVE-2015-5602-7.patch
 CVE-2017-1000367.patch
+Use-proc-self-consistently-on-Linux.patch
+CVE-2017-1000368.patch
