Your message dated Sat, 16 May 2026 10:23:18 +0000
with message-id <[email protected]>
and subject line Released with 13.5
has caused the Debian Bug report #1133278,
regarding trixie-pu: package sudo/1.9.16p2-3+deb13u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1133278: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133278
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:sudo
User: [email protected]
Usertags: pu

[ Reason ]
This sudo upload fixes CVE-2026-35535.

[ Impact ]
If this is not approved, trixie's sudo will remain vulnerable to CVE-2026-35535.

[ Tests ]
none.

[ Risks ]
This is a backported upstream fix.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Apply upstream fix.
diff --git a/debian/changelog b/debian/changelog
index 2131df824..a7a3d3ed0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+sudo (1.9.13p3-1+deb12u4) bookworm; urgency=medium
+
+  * cherry-pick upstream exec_mailer-Set-group-as-well-as-uid.
+    This is adapted from upstream and fixes CVE-2026-35535:
+    https://github.com/sudo-project/sudo/commit/3e474c2 (Closes: #1130593)
+
+ -- Marc Haber <[email protected]>  Sat, 11 Apr 2026 14:01:23 
+0200
+
 sudo (1.9.13p3-1+deb12u3) bookworm; urgency=medium
 
   * Apply a patch fro Marcos Del Sol Vives to Enable Intel CET on amd64 only.
diff --git 
a/debian/patches/0006-exec_mailer-Set-group-as-well-as-uid-when-running-th.patch
 
b/debian/patches/0006-exec_mailer-Set-group-as-well-as-uid-when-running-th.patch
new file mode 100644
index 000000000..5216b11a2
--- /dev/null
+++ 
b/debian/patches/0006-exec_mailer-Set-group-as-well-as-uid-when-running-th.patch
@@ -0,0 +1,132 @@
+From: "Todd C. Miller" <[email protected]>
+Date: Sat, 8 Nov 2025 15:34:02 -0700
+Subject: exec_mailer: Set group as well as uid when running the mailer
+
+Also make a setuid(), setgid() or setgroups() failure fatal.
+
+Found by the ZeroPath AI Security Engineer <https://zeropath.com>
+---
+ include/sudo_eventlog.h      |  3 ++-
+ lib/eventlog/eventlog.c      | 21 +++++++++++++++++----
+ lib/eventlog/eventlog_conf.c |  4 +++-
+ plugins/sudoers/logging.c    |  2 +-
+ plugins/sudoers/policy.c     |  2 +-
+ 5 files changed, 24 insertions(+), 8 deletions(-)
+
+--- a/include/sudo_eventlog.h
++++ b/include/sudo_eventlog.h
+@@ -79,6 +79,7 @@ struct eventlog_config {
+     int syslog_maxlen;
+     int file_maxlen;
+     uid_t mailuid;
++    gid_t mailgid;
+     bool omit_hostname;
+     const char *logpath;
+     const char *time_fmt;
+@@ -146,7 +147,7 @@ void eventlog_set_syslog_rejectpri(int p
+ void eventlog_set_syslog_alertpri(int pri);
+ void eventlog_set_syslog_maxlen(int len);
+ void eventlog_set_file_maxlen(int len);
+-void eventlog_set_mailuid(uid_t uid);
++void eventlog_set_mailuser(uid_t uid, gid_t gid);
+ void eventlog_set_omit_hostname(bool omit_hostname);
+ void eventlog_set_logpath(const char *path);
+ void eventlog_set_time_fmt(const char *fmt);
+--- a/lib/eventlog/eventlog.c
++++ b/lib/eventlog/eventlog.c
+@@ -304,15 +304,13 @@ exec_mailer(int pipein)
+       syslog(LOG_ERR, _("unable to dup stdin: %m")); // -V618
+       sudo_debug_printf(SUDO_DEBUG_ERROR,
+           "unable to dup stdin: %s", strerror(errno));
+-      sudo_debug_exit(__func__, __FILE__, __LINE__, sudo_debug_subsys);
+-      _exit(127);
++      goto bad;
+     }
+ 
+     /* Build up an argv based on the mailer path and flags */
+     if ((mflags = strdup(evl_conf->mailerflags)) == NULL) {
+       syslog(LOG_ERR, _("unable to allocate memory")); // -V618
+-      sudo_debug_exit(__func__, __FILE__, __LINE__, sudo_debug_subsys);
+-      _exit(127);
++      goto bad;
+     }
+     argv[0] = sudo_basename(mpath);
+ 
+@@ -331,11 +329,23 @@ exec_mailer(int pipein)
+     if (setuid(ROOT_UID) != 0) {
+       sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to change uid to %u",
+           ROOT_UID);
++      goto bad;
++    }
++    if (setgid(evl_conf->mailgid) != 0) {
++      sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to change gid to %u",
++          (unsigned int)evl_conf->mailgid);
++      goto bad;
++    }
++    if (setgroups(1, &evl_conf->mailgid) != 0) {
++      sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to set groups to %u",
++          (unsigned int)evl_conf->mailgid);
++      goto bad;
+     }
+     if (evl_conf->mailuid != ROOT_UID) {
+       if (setuid(evl_conf->mailuid) != 0) {
+           sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to change uid to %u",
+               (unsigned int)evl_conf->mailuid);
++          goto bad;
+       }
+     }
+     sudo_debug_exit(__func__, __FILE__, __LINE__, sudo_debug_subsys);
+@@ -347,6 +357,9 @@ exec_mailer(int pipein)
+     sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to execute %s: %s",
+       mpath, strerror(errno));
+     _exit(127);
++bad:
++    sudo_debug_exit(__func__, __FILE__, __LINE__, sudo_debug_subsys);
++    _exit(127);
+ }
+ 
+ /* Send a message to the mailto user */
+--- a/lib/eventlog/eventlog_conf.c
++++ b/lib/eventlog/eventlog_conf.c
+@@ -70,6 +70,7 @@ static struct eventlog_config evl_conf =
+     MAXSYSLOGLEN,             /* syslog_maxlen */
+     0,                                /* file_maxlen */
+     ROOT_UID,                 /* mailuid */
++    ROOT_GID,                 /* mailgid */
+     false,                    /* omit_hostname */
+     _PATH_SUDO_LOGFILE,               /* logpath */
+     "%h %e %T",                       /* time_fmt */
+@@ -151,9 +152,10 @@ eventlog_set_file_maxlen(int len)
+ }
+ 
+ void
+-eventlog_set_mailuid(uid_t uid)
++eventlog_set_mailuser(uid_t uid, gid_t gid)
+ {
+     evl_conf.mailuid = uid;
++    evl_conf.mailgid = gid;
+ }
+ 
+ void
+--- a/plugins/sudoers/logging.c
++++ b/plugins/sudoers/logging.c
+@@ -1076,7 +1076,7 @@ init_eventlog_config(void)
+     eventlog_set_syslog_alertpri(def_syslog_badpri);
+     eventlog_set_syslog_maxlen(def_syslog_maxlen);
+     eventlog_set_file_maxlen(def_loglinelen);
+-    eventlog_set_mailuid(ROOT_UID);
++    eventlog_set_mailuser(ROOT_UID, ROOT_GID);
+     eventlog_set_omit_hostname(!def_log_host);
+     eventlog_set_logpath(def_logfile);
+     eventlog_set_time_fmt(def_log_year ? "%h %e %T %Y" : "%h %e %T");
+--- a/plugins/sudoers/policy.c
++++ b/plugins/sudoers/policy.c
+@@ -607,7 +607,7 @@ sudoers_policy_deserialize_info(void *v,
+     }
+ 
+ #ifdef NO_ROOT_MAILER
+-    eventlog_set_mailuid(user_uid);
++    eventlog_set_mailuser(user_uid, user_gid);
+ #endif
+ 
+     /* Dump settings and user info (XXX - plugin args) */
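Review bot: The new setgid() and setgroups() failure branches in exec_mailer (the `@@ -331,11 +329,23 @@` hunk of the embedded patch) report only through sudo_debug_printf, whereas the earlier fatal branches in the same function (the dup and strdup failures) also call syslog(LOG_ERR, ...), so with debugging disabled a failed privilege drop now exits 127 without leaving any trace an operator could act on. Consider adding the same syslog call in each new branch before the `goto bad;`, e.g. `syslog(LOG_ERR, _("unable to change gid to %u: %m"), (unsigned int)evl_conf->mailgid);` for setgid and the equivalent for setgroups and the non-root setuid. The same debug messages also omit strerror(errno), unlike the exec failure message a few lines below them, which makes diagnosing an EPERM versus an invalid gid harder. exec_mailer's opening lines are outside the quoted context, so this hunk alone does not show where the syslog facility is opened, though the existing syslog calls in the function suggest it already is.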
diff --git a/debian/patches/series b/debian/patches/series
index 00726ed5a..a1e4e5227 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -4,3 +4,4 @@ Whitelist-DPKG_COLORS-environment-variable.diff
 sudo-ldap-docs
 sudo_host_vuln.diff
 amd64-ibt.diff
+0006-exec_mailer-Set-group-as-well-as-uid-when-running-th.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 13.5

This update has been released as part of Debian 13.5.

--- End Message ---
