Bug#864217: unblock: sudo/1.8.19p1-2.1 (pre-approval request)
Control: tags -1 - moreinfo

Hi Niels,

On Mon, Jun 05, 2017 at 02:05:00PM +, Niels Thykier wrote:
> Control: tags -1 confirmed moreinfo
>
> Salvatore Bonaccorso:
> > Control: tags -1 - moreinfo
> >
> > Hi Niels, hi Bdale,
> >
> > On Mon, Jun 05, 2017 at 12:20:00PM +, Niels Thykier wrote:
> >> Control: tags -1 moreinfo
> >>
> >> [...]
> >>
> >> According to the BTS, #863897 affects and is unfixed in unstable. Let's
> >> fix it in unstable first.
> >
> > Yes that's true. Okay I have uploaded (without delay, and hope this is
> > fine with Bdale!) the NMU to sid.
> >
> >> Otherwise, the diff looks fine (feel free to include
> >> https://www.sudo.ws/repos/sudo/rev/6f3d9816541b as well).
> >
> > Thanks, feel more comfortable to follow upstream. Attached is a new
> > debdiff!
> >
> > Regards,
> > Salvatore
> >
>
> Thanks, please go ahead with the tpu upload.

Thank you, done!

Regards,
Salvatore
Processed: Re: Bug#864217: unblock: sudo/1.8.19p1-2.1 (pre-approval request)
Processing control commands:

> tags -1 - moreinfo
Bug #864217 [release.debian.org] unblock: sudo/1.8.19p1-2.1 (pre-approval request)
Removed tag(s) moreinfo.

--
864217: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864217
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Processed: Re: Bug#864217: unblock: sudo/1.8.19p1-2.1 (pre-approval request)
Processing control commands:

> tags -1 confirmed moreinfo
Bug #864217 [release.debian.org] unblock: sudo/1.8.19p1-2.1 (pre-approval request)
Added tag(s) moreinfo and confirmed.
Bug#864217: unblock: sudo/1.8.19p1-2.1 (pre-approval request)
Control: tags -1 confirmed moreinfo

Salvatore Bonaccorso:
> Control: tags -1 - moreinfo
>
> Hi Niels, hi Bdale,
>
> On Mon, Jun 05, 2017 at 12:20:00PM +, Niels Thykier wrote:
>> Control: tags -1 moreinfo
>>
>> [...]
>>
>> According to the BTS, #863897 affects and is unfixed in unstable. Let's
>> fix it in unstable first.
>
> Yes that's true. Okay I have uploaded (without delay, and hope this is
> fine with Bdale!) the NMU to sid.
>
>> Otherwise, the diff looks fine (feel free to include
>> https://www.sudo.ws/repos/sudo/rev/6f3d9816541b as well).
>
> Thanks, feel more comfortable to follow upstream. Attached is a new
> debdiff!
>
> Regards,
> Salvatore
>

Thanks, please go ahead with the tpu upload.

~Niels
Bug#864217: unblock: sudo/1.8.19p1-2.1 (pre-approval request)
Control: tags -1 - moreinfo

Hi Niels, hi Bdale,

On Mon, Jun 05, 2017 at 12:20:00PM +, Niels Thykier wrote:
> Control: tags -1 moreinfo
>
> Salvatore Bonaccorso:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian@packages.debian.org
> > Usertags: unblock
> >
> > Hi
> >
> > Please unblock package sudo, actually a pre-approval request.
> >
> > The upload addresses CVE-2017-1000368, Arbitrary terminal access,
> > which is #863897 in the BTS. See
> >
> > http://www.openwall.com/lists/oss-security/2017/06/02/7
> >
> > I'm including the generated debdiff against the current version in
> > stretch.
> >
> > unblock sudo/1.8.19p1-2.1
> >
> > Regards,
> > Salvatore
> >
>
> According to the BTS, #863897 affects and is unfixed in unstable. Let's
> fix it in unstable first.

Yes that's true. Okay I have uploaded (without delay, and hope this is
fine with Bdale!) the NMU to sid.

> Otherwise, the diff looks fine (feel free to include
> https://www.sudo.ws/repos/sudo/rev/6f3d9816541b as well).

Thanks, feel more comfortable to follow upstream. Attached is a new
debdiff!

Regards,
Salvatore

diff -Nru sudo-1.8.19p1/debian/changelog sudo-1.8.19p1/debian/changelog --- sudo-1.8.19p1/debian/changelog 2017-05-31 06:35:01.0 +0200 +++ sudo-1.8.19p1/debian/changelog 2017-06-05 14:22:55.0 +0200 @@ -1,3 +1,11 @@ +sudo (1.8.19p1-2.1) stretch; urgency=high + + * Non-maintainer upload. + * Use /proc/self consistently on Linux + * CVE-2017-1000368: Arbitrary terminal access (Closes: #863897) + + -- Salvatore BonaccorsoMon, 05 Jun 2017 14:22:55 +0200 + sudo (1.8.19p1-2) stretch; urgency=high * patch from upstream to fix CVE-2017-1000367, closes: #863731 diff -Nru sudo-1.8.19p1/debian/patches/CVE-2017-1000368.diff sudo-1.8.19p1/debian/patches/CVE-2017-1000368.diff --- sudo-1.8.19p1/debian/patches/CVE-2017-1000368.diff 1970-01-01 01:00:00.0 +0100 +++ sudo-1.8.19p1/debian/patches/CVE-2017-1000368.diff 2017-06-05 14:22:55.0 +0200 
@@ -0,0 +1,78 @@ + +# HG changeset patch +# User Todd C. Miller +# Date 1496243671 21600 +# Node ID 15a46f4007dde8e819dd2c70e670a529bbb9d312 +# Parent 6f3d9816541ba84055ae5aec6ff9d9523c2a96f3 +A command name may also contain newline characters so read +/proc/self/stat until EOF. It is not legal for /proc/self/stat to +contain embedded NUL bytes so treat the file as corrupt if we see +any. With help from Qualys. + +This is not exploitable due to the /dev traversal changes in sudo +1.8.20p1 (thanks Solar!). + +diff -r 6f3d9816541b -r 15a46f4007dd src/ttyname.c +--- a/src/ttyname.cTue May 30 10:44:11 2017 -0600 b/src/ttyname.cWed May 31 09:14:31 2017 -0600 +@@ -452,25 +452,37 @@ + get_process_ttyname(char *name, size_t namelen) + { + const char path[] = "/proc/self/stat"; +-char *line = NULL; ++char *cp, buf[1024]; + char *ret = NULL; +-size_t linesize = 0; + int serrno = errno; +-ssize_t len; +-FILE *fp; ++ssize_t nread; ++int fd; + debug_decl(get_process_ttyname, SUDO_DEBUG_UTIL) + +-/* Try to determine the tty from tty_nr in /proc/self/stat. */ +-if ((fp = fopen(path, "r")) != NULL) { +- len = getline(, , fp); +- fclose(fp); +- if (len != -1) { ++/* ++ * Try to determine the tty from tty_nr in /proc/self/stat. ++ * Ignore /proc/self/stat if it contains embedded NUL bytes. ++ */ ++if ((fd = open(path, O_RDONLY | O_NOFOLLOW)) != -1) { ++ cp = buf; ++ while ((nread = read(fd, cp, buf + sizeof(buf) - cp)) != 0) { ++ if (nread == -1) { ++ if (errno == EAGAIN || errno == EINTR) ++ continue; ++ break; ++ } ++ cp += nread; ++ if (cp >= buf + sizeof(buf)) ++ break; ++ } ++ if (nread == 0 && memchr(buf, '\0', cp - buf) == NULL) { + /* +* Field 7 is the tty dev (0 if no tty). +- * Since the process name at field 2 "(comm)" may include spaces, +- * start at the last ')' found. ++ * Since the process name at field 2 "(comm)" may include ++ * whitespace (including newlines), start at the last ')' found. 
+*/ +- char *cp = strrchr(line, ')'); ++ *cp = '\0'; ++ cp = strrchr(buf, ')'); + if (cp != NULL) { + char *ep = cp; + const char *errstr; +@@ -501,7 +513,8 @@ + errno = ENOENT; + + done: +-free(line); ++if (fd != -1) ++ close(fd); + if (ret == NULL) + sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO|SUDO_DEBUG_ERRNO, + "unable to resolve tty via %s", path); + diff -Nru sudo-1.8.19p1/debian/patches/series sudo-1.8.19p1/debian/patches/series --- sudo-1.8.19p1/debian/patches/series 2017-05-31 06:35:01.0 +0200 +++ sudo-1.8.19p1/debian/patches/series 2017-06-05 14:22:55.0 +0200 @@
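Review bot: the changelog line `* Use /proc/self consistently on Linux` cites no bug or upstream changeset, and the debdiff as shown contains only `debian/patches/CVE-2017-1000368.diff`, whose unchanged context already reads `const char path[] = "/proc/self/stat";`, so the 6f3d9816541b change that line describes must live in a patch not visible here; the `debian/patches/series` hunk is also cut off after `@@`. Suggest naming the upstream changeset in the changelog entry and confirming that series lists the /proc/self patch before the CVE patch so the context applies.

Review bot: at the `done:` label the new `if (fd != -1) close(fd);` runs before `sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO|SUDO_DEBUG_ERRNO, ...)`, so a failing close would replace the errno that message reports; moving the close after the debug call, or restoring `serrno` first, keeps the diagnostic accurate. `int fd;` is also left uninitialized: nothing in the visible hunk jumps to `done:` before `open()`, but `int fd = -1;` makes the guard hold if an early exit is ever added. Finally, the `*cp = '\0';` after the read loop is in bounds only because the `cp >= buf + sizeof(buf)` check breaks out with a non-zero `nread`, which then fails the `nread == 0` test; that invariant deserves a one-line comment.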
Processed: Re: Bug#864217: unblock: sudo/1.8.19p1-2.1 (pre-approval request)
Processing control commands:

> tags -1 - moreinfo
Bug #864217 [release.debian.org] unblock: sudo/1.8.19p1-2.1 (pre-approval request)
Removed tag(s) moreinfo.
Bug#864217: unblock: sudo/1.8.19p1-2.1 (pre-approval request)
Control: tags -1 moreinfo

Salvatore Bonaccorso:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
>
> Hi
>
> Please unblock package sudo, actually a pre-approval request.
>
> The upload addresses CVE-2017-1000368, Arbitrary terminal access,
> which is #863897 in the BTS. See
>
> http://www.openwall.com/lists/oss-security/2017/06/02/7
>
> I'm including the generated debdiff against the current version in
> stretch.
>
> unblock sudo/1.8.19p1-2.1
>
> Regards,
> Salvatore
>

According to the BTS, #863897 affects and is unfixed in unstable. Let's
fix it in unstable first.

Otherwise, the diff looks fine (feel free to include
https://www.sudo.ws/repos/sudo/rev/6f3d9816541b as well).

Thanks,
~Niels
Processed: Re: Bug#864217: unblock: sudo/1.8.19p1-2.1 (pre-approval request)
Processing control commands:

> tags -1 moreinfo
Bug #864217 [release.debian.org] unblock: sudo/1.8.19p1-2.1 (pre-approval request)
Added tag(s) moreinfo.
Bug#864217: unblock: sudo/1.8.19p1-2.1 (pre-approval request)
Hi

On Mon, Jun 05, 2017 at 01:40:33PM +0200, Salvatore Bonaccorso wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
>
> Hi
>
> Please unblock package sudo, actually a pre-approval request.

One side note on the patch. If you allow me to I would rather as well add
https://www.sudo.ws/repos/sudo/rev/6f3d9816541b from 1.8.20p2 and then
rebase the patch on top of that. It would be more consistent on what
upstream has done to not diverge too much. If you agree I can send a new
debdiff for that.

Regards,
Salvatore
Bug#864217: unblock: sudo/1.8.19p1-2.1 (pre-approval request)
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi

Please unblock package sudo, actually a pre-approval request.

The upload addresses CVE-2017-1000368, Arbitrary terminal access,
which is #863897 in the BTS. See

http://www.openwall.com/lists/oss-security/2017/06/02/7

I'm including the generated debdiff against the current version in
stretch.

unblock sudo/1.8.19p1-2.1

Regards,
Salvatore

diff -Nru sudo-1.8.19p1/debian/changelog sudo-1.8.19p1/debian/changelog --- sudo-1.8.19p1/debian/changelog 2017-05-31 06:35:01.0 +0200 +++ sudo-1.8.19p1/debian/changelog 2017-06-05 06:19:37.0 +0200 @@ -1,3 +1,10 @@ +sudo (1.8.19p1-2.1) stretch; urgency=high + + * Non-maintainer upload. + * CVE-2017-1000368: Arbitrary terminal access (Closes: #863897) + + -- Salvatore BonaccorsoMon, 05 Jun 2017 06:19:37 +0200 + sudo (1.8.19p1-2) stretch; urgency=high * patch from upstream to fix CVE-2017-1000367, closes: #863731 diff -Nru sudo-1.8.19p1/debian/patches/CVE-2017-1000368.patch sudo-1.8.19p1/debian/patches/CVE-2017-1000368.patch --- sudo-1.8.19p1/debian/patches/CVE-2017-1000368.patch 1970-01-01 01:00:00.0 +0100 +++ sudo-1.8.19p1/debian/patches/CVE-2017-1000368.patch 2017-06-05 06:19:37.0 +0200 
@@ -0,0 +1,78 @@ + +# HG changeset patch +# User Todd C. Miller +# Date 1496243671 21600 +# Node ID 15a46f4007dde8e819dd2c70e670a529bbb9d312 +# Parent 6f3d9816541ba84055ae5aec6ff9d9523c2a96f3 +A command name may also contain newline characters so read +/proc/self/stat until EOF. It is not legal for /proc/self/stat to +contain embedded NUL bytes so treat the file as corrupt if we see +any. With help from Qualys. + +This is not exploitable due to the /dev traversal changes in sudo +1.8.20p1 (thanks Solar!). + +--- a/src/ttyname.c b/src/ttyname.c +@@ -447,26 +447,39 @@ done: + char * + get_process_ttyname(char *name, size_t namelen) + { +-char path[PATH_MAX], *line = NULL; ++char path[PATH_MAX]; ++char *cp, buf[1024]; + char *ret = NULL; +-size_t linesize = 0; + int serrno = errno; +-ssize_t len; +-FILE *fp; ++ssize_t nread; ++int fd; + debug_decl(get_process_ttyname, SUDO_DEBUG_UTIL) + +-/* Try to determine the tty from tty_nr in /proc/pid/stat. */ ++/* ++ * Try to determine the tty from tty_nr in /proc/pid/stat. ++ * Ignore /proc/pid/stat if it contains embedded NUL bytes. ++ */ + snprintf(path, sizeof(path), "/proc/%u/stat", (unsigned int)getpid()); +-if ((fp = fopen(path, "r")) != NULL) { +- len = getline(, , fp); +- fclose(fp); +- if (len != -1) { ++if ((fd = open(path, O_RDONLY | O_NOFOLLOW)) != -1) { ++cp = buf; ++while ((nread = read(fd, cp, buf + sizeof(buf) - cp)) != 0) { ++if (nread == -1) { ++if (errno == EAGAIN || errno == EINTR) ++continue; ++break; ++} ++cp += nread; ++if (cp >= buf + sizeof(buf)) ++break; ++} ++if (nread == 0 && memchr(buf, '\0', cp - buf) == NULL) { + /* + * Field 7 is the tty dev (0 if no tty). +- * Since the process name at field 2 "(comm)" may include spaces, +- * start at the last ')' found. ++ * Since the process name at field 2 "(comm)" may include ++ * whitespace (including newlines), start at the last ')' found. 
+ */ +- char *cp = strrchr(line, ')'); ++*cp = '\0'; ++cp = strrchr(buf, ')'); + if (cp != NULL) { + char *ep = cp; + const char *errstr; +@@ -497,7 +510,8 @@ get_process_ttyname(char *name, size_t n + errno = ENOENT; + + done: +-free(line); ++if (fd != -1) ++ close(fd); + if (ret == NULL) + sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO|SUDO_DEBUG_ERRNO, + "unable to resolve tty via %s", path); diff -Nru sudo-1.8.19p1/debian/patches/series sudo-1.8.19p1/debian/patches/series --- sudo-1.8.19p1/debian/patches/series 2017-05-31 06:35:01.0 +0200 +++ sudo-1.8.19p1/debian/patches/series 2017-06-05 06:19:37.0 +0200 @@ -1,3 +1,4 @@ typo-in-classic-insults.diff paths-in-samples.diff CVE-2017-1000367.patch +CVE-2017-1000368.patch
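Review bot: this version of the hunk keeps `snprintf(path, sizeof(path), "/proc/%u/stat", (unsigned int)getpid());` and the `/proc/pid/stat` comments, so it is a hand-rebase of upstream 15a46f4007dd onto code that predates its parent 6f3d9816541b rather than the upstream changeset itself (the header `@@ -447,26 +447,39 @@ done:` against upstream's `@@ -452,25 +452,37 @@` shows the offset). If this variant is what ships, the patch header should say so (a DEP-3 `Origin: backport, <url>` line) so the next updater knows the context differs from upstream; otherwise picking up 6f3d9816541b first, as suggested later in the thread, lets the upstream diff apply unmodified.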
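The upstream fix carried in the debdiff above reads the stat file to EOF, rejects embedded NUL bytes and anchors on the last ')' because comm may contain whitespace including newlines. The following C code is an added example, not sudo's code and not part of this thread: it implements that parsing as a stand-alone function over constructed stat images (STAT_OK and STAT_NL are constructed samples, not real /proc output) and assumes the proc(5) field order state, ppid, pgrp, session, tty_nr after comm.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>
/* Constructed samples (not real /proc output): a normal stat line, and one
 * whose comm embeds a newline followed by fake fields before the real ')'. */
static const char STAT_OK[] = "1234 (bash) S 1000 1234 1234 34816 1234 4194304 0\n";
static const char STAT_NL[] = "1234 (a) S 1 1 1 99\nb) S 1000 1234 1234 34816 1234 0\n";

/* Extract tty_nr (field 7) from a complete /proc/<pid>/stat image of len
 * bytes. Returns the device number, or -1 if the data is malformed. */
long parse_stat_tty_nr(const char *data, size_t len)
{
    const char *end = data + len, *p = end;
    long v = 0;
    if (len == 0 || memchr(data, '\0', len) != NULL) return -1; /* NUL: corrupt */
    /* comm (field 2) may hold spaces, newlines and ')', so anchor on the
     * LAST ')' of the whole image instead of splitting on whitespace. */
    while (p > data && p[-1] != ')') p--;
    if (p == data) return -1;
    for (int i = 0; i < 4; i++) {          /* skip state, ppid, pgrp, session */
        while (p < end && *p == ' ') p++;
        while (p < end && *p != ' ') p++;
    }
    while (p < end && *p == ' ') p++;
    if (p == end || *p < '0' || *p > '9') return -1;
    while (p < end && *p >= '0' && *p <= '9')
        v = v * 10 + (*p++ - '0');
    if (p < end && *p != ' ') return -1;   /* e.g. "34816x" is not a number */
    return v;
}

/* Read the file until EOF, as the upstream fix does, then parse it; a file
 * larger than the buffer is rejected rather than parsed from a prefix. */
long read_stat_tty_nr(const char *path)
{
    char buf[1024], *cp = buf;
    ssize_t n;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd == -1) return -1;
    while ((n = read(fd, cp, buf + sizeof(buf) - cp)) != 0) {
        if (n == -1) { if (errno == EINTR) continue; break; }
        cp += n;
        if (cp >= buf + sizeof(buf)) break;
    }
    close(fd);
    return n == 0 ? parse_stat_tty_nr(buf, (size_t)(cp - buf)) : -1;
}
```

Calling parse_stat_tty_nr on STAT_NL with the full length yields the real tty_nr, while passing only the length up to the first newline, as a getline()-based reader would see it, yields the forged value. read_stat_tty_nr returns -1 when the file cannot be opened or does not fit in the 1 KiB buffer.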