Bug#864217: unblock: sudo/1.8.19p1-2.1 (pre-approval request)

2017-06-05 Thread Salvatore Bonaccorso
Control: tags -1 - moreinfo

Hi Niels,

On Mon, Jun 05, 2017 at 02:05:00PM +, Niels Thykier wrote:
> Control: tags -1 confirmed moreinfo
> 
> Salvatore Bonaccorso:
> > Control: tags -1 - moreinfo
> > 
> > Hi Niels, hi Bdale,
> > 
> > On Mon, Jun 05, 2017 at 12:20:00PM +, Niels Thykier wrote:
> >> Control: tags -1 moreinfo
> >>
> >> [...]
> >>
> >> According to the BTS, #863897 affects and is unfixed in unstable.  Let's
> >> fix it in unstable first.
> > 
> > Yes that's true. Okay I have uploaded (without delay, and hope this is
> > fine with Bdale!) the NMU to sid.
> > 
> >> Otherwise, the diff looks fine (feel free to include
> >> https://www.sudo.ws/repos/sudo/rev/6f3d9816541b as well).
> > 
> > Thanks, I feel more comfortable following upstream. Attached is a new
> > debdiff!
> > 
> > Regards,
> > Salvatore
> > 
> 
> 
> Thanks, please go ahead with the tpu upload.

Thank you, done!

Regards,
Salvatore



Processed: Re: Bug#864217: unblock: sudo/1.8.19p1-2.1 (pre-approval request)

2017-06-05 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 - moreinfo
Bug #864217 [release.debian.org] unblock: sudo/1.8.19p1-2.1 (pre-approval 
request)
Removed tag(s) moreinfo.

-- 
864217: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864217
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#864217: unblock: sudo/1.8.19p1-2.1 (pre-approval request)

2017-06-05 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 confirmed moreinfo
Bug #864217 [release.debian.org] unblock: sudo/1.8.19p1-2.1 (pre-approval 
request)
Added tag(s) moreinfo and confirmed.




Bug#864217: unblock: sudo/1.8.19p1-2.1 (pre-approval request)

2017-06-05 Thread Niels Thykier
Control: tags -1 confirmed moreinfo

Salvatore Bonaccorso:
> Control: tags -1 - moreinfo
> 
> Hi Niels, hi Bdale,
> 
> On Mon, Jun 05, 2017 at 12:20:00PM +, Niels Thykier wrote:
>> Control: tags -1 moreinfo
>>
>> [...]
>>
>> According to the BTS, #863897 affects and is unfixed in unstable.  Let's
>> fix it in unstable first.
> 
> Yes that's true. Okay I have uploaded (without delay, and hope this is
> fine with Bdale!) the NMU to sid.
> 
>> Otherwise, the diff looks fine (feel free to include
>> https://www.sudo.ws/repos/sudo/rev/6f3d9816541b as well).
> 
> Thanks, I feel more comfortable following upstream. Attached is a new
> debdiff!
> 
> Regards,
> Salvatore
> 


Thanks, please go ahead with the tpu upload.

~Niels



Bug#864217: unblock: sudo/1.8.19p1-2.1 (pre-approval request)

2017-06-05 Thread Salvatore Bonaccorso
Control: tags -1 - moreinfo

Hi Niels, hi Bdale,

On Mon, Jun 05, 2017 at 12:20:00PM +, Niels Thykier wrote:
> Control: tags -1 moreinfo
> 
> Salvatore Bonaccorso:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian@packages.debian.org
> > Usertags: unblock
> > 
> > Hi
> > 
> > Please unblock package sudo, actually a pre-approval request.
> > 
> > The upload addresses CVE-2017-1000368, Arbitrary terminal access,
> > which is #863897 in the BTS. See
> > 
> > http://www.openwall.com/lists/oss-security/2017/06/02/7
> > 
> > I'm including the generated debdiff against the current version in
> > stretch.
> > 
> > unblock sudo/1.8.19p1-2.1
> > 
> > Regards,
> > Salvatore
> > 
> 
> According to the BTS, #863897 affects and is unfixed in unstable.  Let's
> fix it in unstable first.

Yes that's true. Okay I have uploaded (without delay, and hope this is
fine with Bdale!) the NMU to sid.

> Otherwise, the diff looks fine (feel free to include
> https://www.sudo.ws/repos/sudo/rev/6f3d9816541b as well).

Thanks, I feel more comfortable following upstream. Attached is a new
debdiff!

Regards,
Salvatore
diff -Nru sudo-1.8.19p1/debian/changelog sudo-1.8.19p1/debian/changelog
--- sudo-1.8.19p1/debian/changelog  2017-05-31 06:35:01.0 +0200
+++ sudo-1.8.19p1/debian/changelog  2017-06-05 14:22:55.0 +0200
@@ -1,3 +1,11 @@
+sudo (1.8.19p1-2.1) stretch; urgency=high
+
+  * Non-maintainer upload.
+  * Use /proc/self consistently on Linux
+  * CVE-2017-1000368: Arbitrary terminal access (Closes: #863897)
+
+ -- Salvatore Bonaccorso   Mon, 05 Jun 2017 14:22:55 +0200
+
 sudo (1.8.19p1-2) stretch; urgency=high
 
   * patch from upstream to fix CVE-2017-1000367, closes: #863731
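Review bot: the changelog entry "Use /proc/self consistently on Linux" has no corresponding patch file anywhere in this debdiff, which adds only debian/patches/CVE-2017-1000368.diff; that file's context lines already read `const char path[] = "/proc/self/stat";`, so upstream 6f3d9816541b must be applied underneath it for the hunk to apply. Please make sure that change is shipped as its own patch and listed before CVE-2017-1000368.diff in debian/patches/series (the series hunk is cut off in this copy, so it cannot be checked here).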
diff -Nru sudo-1.8.19p1/debian/patches/CVE-2017-1000368.diff 
sudo-1.8.19p1/debian/patches/CVE-2017-1000368.diff
--- sudo-1.8.19p1/debian/patches/CVE-2017-1000368.diff  1970-01-01 
01:00:00.0 +0100
+++ sudo-1.8.19p1/debian/patches/CVE-2017-1000368.diff  2017-06-05 
14:22:55.0 +0200
@@ -0,0 +1,78 @@
+
+# HG changeset patch
+# User Todd C. Miller 
+# Date 1496243671 21600
+# Node ID 15a46f4007dde8e819dd2c70e670a529bbb9d312
+# Parent  6f3d9816541ba84055ae5aec6ff9d9523c2a96f3
+A command name may also contain newline characters so read
+/proc/self/stat until EOF.  It is not legal for /proc/self/stat to
+contain embedded NUL bytes so treat the file as corrupt if we see
+any.  With help from Qualys.
+
+This is not exploitable due to the /dev traversal changes in sudo
+1.8.20p1 (thanks Solar!).
+
+diff -r 6f3d9816541b -r 15a46f4007dd src/ttyname.c
+--- a/src/ttyname.cTue May 30 10:44:11 2017 -0600
 b/src/ttyname.cWed May 31 09:14:31 2017 -0600
+@@ -452,25 +452,37 @@
+ get_process_ttyname(char *name, size_t namelen)
+ {
+ const char path[] = "/proc/self/stat";
+-char *line = NULL;
++char *cp, buf[1024];
+ char *ret = NULL;
+-size_t linesize = 0;
+ int serrno = errno;
+-ssize_t len;
+-FILE *fp;
++ssize_t nread;
++int fd;
+ debug_decl(get_process_ttyname, SUDO_DEBUG_UTIL)
+ 
+-/* Try to determine the tty from tty_nr in /proc/self/stat. */
+-if ((fp = fopen(path, "r")) != NULL) {
+-  len = getline(, , fp);
+-  fclose(fp);
+-  if (len != -1) {
++/*
++ * Try to determine the tty from tty_nr in /proc/self/stat.
++ * Ignore /proc/self/stat if it contains embedded NUL bytes.
++ */
++if ((fd = open(path, O_RDONLY | O_NOFOLLOW)) != -1) {
++  cp = buf;
++  while ((nread = read(fd, cp, buf + sizeof(buf) - cp)) != 0) {
++  if (nread == -1) {
++  if (errno == EAGAIN || errno == EINTR)
++  continue;
++  break;
++  }
++  cp += nread;
++  if (cp >= buf + sizeof(buf))
++  break;
++  }
++  if (nread == 0 && memchr(buf, '\0', cp - buf) == NULL) {
+   /*
+* Field 7 is the tty dev (0 if no tty).
+-   * Since the process name at field 2 "(comm)" may include spaces,
+-   * start at the last ')' found.
++   * Since the process name at field 2 "(comm)" may include
++   * whitespace (including newlines), start at the last ')' found.
+*/
+-  char *cp = strrchr(line, ')');
++  *cp = '\0';
++  cp = strrchr(buf, ')');
+   if (cp != NULL) {
+   char *ep = cp;
+   const char *errstr;
+@@ -501,7 +513,8 @@
+ errno = ENOENT;
+ 
+ done:
+-free(line);
++if (fd != -1)
++  close(fd);
+ if (ret == NULL)
+   sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO|SUDO_DEBUG_ERRNO,
+   "unable to resolve tty via %s", path);
+
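Review bot: the new file is named CVE-2017-1000368.diff while the sibling patches in the same directory use the .patch suffix (CVE-2017-1000367.patch, and this very patch was CVE-2017-1000368.patch in the earlier debdiff); keep one suffix so the series file stays consistent. Two smaller points on the body: `int fd;` is uninitialized although the cleanup at `done:` tests `if (fd != -1)`, which is only correct because open() is the first statement after debug_decl, so `int fd = -1;` would be the safer declaration; and the `*cp = '\0';` after the read loop stays in bounds only because the `cp >= buf + sizeof(buf)` break fires before any zero-length read, so a stat file of 1024 bytes or more is rejected (nread != 0) rather than overflowing buf. A one-line comment at that write would spare the next reader the proof.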
diff -Nru sudo-1.8.19p1/debian/patches/series 
sudo-1.8.19p1/debian/patches/series
--- sudo-1.8.19p1/debian/patches/series 2017-05-31 06:35:01.0 +0200
+++ sudo-1.8.19p1/debian/patches/series 2017-06-05 14:22:55.0 +0200
@@ 

Processed: Re: Bug#864217: unblock: sudo/1.8.19p1-2.1 (pre-approval request)

2017-06-05 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 - moreinfo
Bug #864217 [release.debian.org] unblock: sudo/1.8.19p1-2.1 (pre-approval 
request)
Removed tag(s) moreinfo.




Bug#864217: unblock: sudo/1.8.19p1-2.1 (pre-approval request)

2017-06-05 Thread Niels Thykier
Control: tags -1 moreinfo

Salvatore Bonaccorso:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Hi
> 
> Please unblock package sudo, actually a pre-approval request.
> 
> The upload addresses CVE-2017-1000368, Arbitrary terminal access,
> which is #863897 in the BTS. See
> 
> http://www.openwall.com/lists/oss-security/2017/06/02/7
> 
> I'm including the generated debdiff against the current version in
> stretch.
> 
> unblock sudo/1.8.19p1-2.1
> 
> Regards,
> Salvatore
> 

According to the BTS, #863897 affects and is unfixed in unstable.  Let's
fix it in unstable first.

Otherwise, the diff looks fine (feel free to include
https://www.sudo.ws/repos/sudo/rev/6f3d9816541b as well).

Thanks,
~Niels



Processed: Re: Bug#864217: unblock: sudo/1.8.19p1-2.1 (pre-approval request)

2017-06-05 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 moreinfo
Bug #864217 [release.debian.org] unblock: sudo/1.8.19p1-2.1 (pre-approval 
request)
Added tag(s) moreinfo.




Bug#864217: unblock: sudo/1.8.19p1-2.1 (pre-approval request)

2017-06-05 Thread Salvatore Bonaccorso
Hi

On Mon, Jun 05, 2017 at 01:40:33PM +0200, Salvatore Bonaccorso wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Hi
> 
> Please unblock package sudo, actually a pre-approval request.

One side note on the patch. If you allow me to I would rather as well
add https://www.sudo.ws/repos/sudo/rev/6f3d9816541b from 1.8.20p2 and
then rebase the patch on top of that. It would be more consistent on
what upstream has done to not diverge too much.

If you agree I can send a new debdiff for that.

Regards,
Salvatore



Bug#864217: unblock: sudo/1.8.19p1-2.1 (pre-approval request)

2017-06-05 Thread Salvatore Bonaccorso
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi

Please unblock package sudo, actually a pre-approval request.

The upload addresses CVE-2017-1000368, Arbitrary terminal access,
which is #863897 in the BTS. See

http://www.openwall.com/lists/oss-security/2017/06/02/7

I'm including the generated debdiff against the current version in
stretch.

unblock sudo/1.8.19p1-2.1

Regards,
Salvatore
diff -Nru sudo-1.8.19p1/debian/changelog sudo-1.8.19p1/debian/changelog
--- sudo-1.8.19p1/debian/changelog	2017-05-31 06:35:01.0 +0200
+++ sudo-1.8.19p1/debian/changelog	2017-06-05 06:19:37.0 +0200
@@ -1,3 +1,10 @@
+sudo (1.8.19p1-2.1) stretch; urgency=high
+
+  * Non-maintainer upload.
+  * CVE-2017-1000368: Arbitrary terminal access (Closes: #863897)
+
+ -- Salvatore Bonaccorso   Mon, 05 Jun 2017 06:19:37 +0200
+
 sudo (1.8.19p1-2) stretch; urgency=high
 
   * patch from upstream to fix CVE-2017-1000367, closes: #863731
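Review bot: the entry names the CVE and the Debian bug but not the upstream changeset it backports (15a46f4007dd according to the patch header below); citing it in the changelog, as the previous entry does with "patch from upstream", makes later cross-checks against upstream easier.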
diff -Nru sudo-1.8.19p1/debian/patches/CVE-2017-1000368.patch sudo-1.8.19p1/debian/patches/CVE-2017-1000368.patch
--- sudo-1.8.19p1/debian/patches/CVE-2017-1000368.patch	1970-01-01 01:00:00.0 +0100
+++ sudo-1.8.19p1/debian/patches/CVE-2017-1000368.patch	2017-06-05 06:19:37.0 +0200
@@ -0,0 +1,78 @@
+
+# HG changeset patch
+# User Todd C. Miller 
+# Date 1496243671 21600
+# Node ID 15a46f4007dde8e819dd2c70e670a529bbb9d312
+# Parent  6f3d9816541ba84055ae5aec6ff9d9523c2a96f3
+A command name may also contain newline characters so read
+/proc/self/stat until EOF.  It is not legal for /proc/self/stat to
+contain embedded NUL bytes so treat the file as corrupt if we see
+any.  With help from Qualys.
+
+This is not exploitable due to the /dev traversal changes in sudo
+1.8.20p1 (thanks Solar!).
+
+--- a/src/ttyname.c
 b/src/ttyname.c
+@@ -447,26 +447,39 @@ done:
+ char *
+ get_process_ttyname(char *name, size_t namelen)
+ {
+-char path[PATH_MAX], *line = NULL;
++char path[PATH_MAX];
++char *cp, buf[1024];
+ char *ret = NULL;
+-size_t linesize = 0;
+ int serrno = errno;
+-ssize_t len;
+-FILE *fp;
++ssize_t nread;
++int fd;
+ debug_decl(get_process_ttyname, SUDO_DEBUG_UTIL)
+ 
+-/* Try to determine the tty from tty_nr in /proc/pid/stat. */
++/*
++ * Try to determine the tty from tty_nr in /proc/pid/stat.
++ * Ignore /proc/pid/stat if it contains embedded NUL bytes.
++ */
+ snprintf(path, sizeof(path), "/proc/%u/stat", (unsigned int)getpid());
+-if ((fp = fopen(path, "r")) != NULL) {
+-	len = getline(, , fp);
+-	fclose(fp);
+-	if (len != -1) {
++if ((fd = open(path, O_RDONLY | O_NOFOLLOW)) != -1) {
++cp = buf;
++while ((nread = read(fd, cp, buf + sizeof(buf) - cp)) != 0) {
++if (nread == -1) {
++if (errno == EAGAIN || errno == EINTR)
++continue;
++break;
++}
++cp += nread;
++if (cp >= buf + sizeof(buf))
++break;
++}
++if (nread == 0 && memchr(buf, '\0', cp - buf) == NULL) {
+ 	/*
+ 	 * Field 7 is the tty dev (0 if no tty).
+-	 * Since the process name at field 2 "(comm)" may include spaces,
+-	 * start at the last ')' found.
++	 * Since the process name at field 2 "(comm)" may include
++	 * whitespace (including newlines), start at the last ')' found.
+ 	 */
+-	char *cp = strrchr(line, ')');
++*cp = '\0';
++cp = strrchr(buf, ')');
+ 	if (cp != NULL) {
+ 		char *ep = cp;
+ 		const char *errstr;
+@@ -497,7 +510,8 @@ get_process_ttyname(char *name, size_t n
+ errno = ENOENT;
+ 
+ done:
+-free(line);
++if (fd != -1)
++	close(fd);
+ if (ret == NULL)
+ 	sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO|SUDO_DEBUG_ERRNO,
+ 	"unable to resolve tty via %s", path);
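Review bot: `int fd;` is left uninitialized while the cleanup at `done:` does `if (fd != -1) close(fd);`; that is only correct because open() is the first statement after debug_decl and no `goto done` precedes it in the visible lines, so declare `int fd = -1;` to keep the cleanup right if an early exit is ever added. Note also that this backport keeps the `snprintf(path, sizeof(path), "/proc/%u/stat", (unsigned int)getpid());` into path[PATH_MAX], which is exactly what upstream 6f3d9816541b replaces with a fixed /proc/self/stat; the patch file also carries no DEP-3 Origin:/Bug-Debian: header pointing at the upstream rev and #863897, which would document where the hunk comes from.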
diff -Nru sudo-1.8.19p1/debian/patches/series sudo-1.8.19p1/debian/patches/series
--- sudo-1.8.19p1/debian/patches/series	2017-05-31 06:35:01.0 +0200
+++ sudo-1.8.19p1/debian/patches/series	2017-06-05 06:19:37.0 +0200
@@ -1,3 +1,4 @@
 typo-in-classic-insults.diff
 paths-in-samples.diff
 CVE-2017-1000367.patch
+CVE-2017-1000368.patch