Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
Please unblock package sudo to allow a fix for CVE-2017-1000367, #863731,
to be included in stretch. Source debdiff included below is upstream's
isolated patch for this issue, de-fuzzed to apply cleanly to our sources.
This is essentially the same change as between 1.8.20-1 and 1.8.20p1-1 now
in unstable.
Bdale
unblock sudo/1.8.19p1-1
-- System Information:
Debian Release: 9.0
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.9.12+ (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8),
LANGUAGE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru sudo-1.8.19p1/debian/changelog sudo-1.8.19p1/debian/changelog
--- sudo-1.8.19p1/debian/changelog 2017-01-13 11:12:49.0 -0700
+++ sudo-1.8.19p1/debian/changelog 2017-05-30 22:35:01.0 -0600
@@ -1,3 +1,9 @@
+sudo (1.8.19p1-2) stretch; urgency=high
+
+ * patch from upstream to fix CVE-2017-1000367, closes: #863731
+
+ -- Bdale Garbee Tue, 30 May 2017 22:35:01 -0600
+
sudo (1.8.19p1-1) unstable; urgency=medium
* new upstream version
diff -Nru sudo-1.8.19p1/debian/patches/CVE-2017-1000367.patch
sudo-1.8.19p1/debian/patches/CVE-2017-1000367.patch
--- sudo-1.8.19p1/debian/patches/CVE-2017-1000367.patch 1969-12-31
17:00:00.0 -0700
+++ sudo-1.8.19p1/debian/patches/CVE-2017-1000367.patch 2017-05-30
22:35:01.0 -0600
@@ -0,0 +1,246 @@
+diff --git a/src/ttyname.c b/src/ttyname.c
+index 9b94ba8..ab0f2d3 100644
+--- a/src/ttyname.c
b/src/ttyname.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2012-2016 Todd C. Miller
++ * Copyright (c) 2012-2017 Todd C. Miller
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+@@ -145,20 +145,22 @@ sudo_ttyname_dev(dev_t tdev, char *name, size_t namelen)
+ }
+ #elif defined(HAVE_STRUCT_PSINFO_PR_TTYDEV) || defined(HAVE_PSTAT_GETPROC) ||
defined(__linux__)
+ /*
+- * Devices to search before doing a breadth-first scan.
++ * Device nodes and directories to search before searching all of /dev
+ */
+ static char *search_devs[] = {
+ "/dev/console",
+-"/dev/wscons",
+-"/dev/pts/",
+-"/dev/vt/",
+-"/dev/term/",
+-"/dev/zcons/",
++"/dev/pts/", /* POSIX pty */
++"/dev/vt/", /* Solaris virtual console */
++"/dev/term/", /* Solaris serial ports */
++"/dev/zcons/",/* Solaris zone console */
++"/dev/pty/", /* HP-UX old-style pty */
+ NULL
+ };
+
++/*
++ * Device nodes to ignore when searching all of /dev
++ */
+ static char *ignore_devs[] = {
+-"/dev/fd/",
+ "/dev/stdin",
+ "/dev/stdout",
+ "/dev/stderr",
+@@ -166,16 +168,18 @@ static char *ignore_devs[] = {
+ };
+
+ /*
+- * Do a breadth-first scan of dir looking for the specified device.
++ * Do a scan of a directory looking for the specified device.
++ * Does not descend into subdirectories.
+ * Returns name on success and NULL on failure, setting errno.
+ */
+ static char *
+-sudo_ttyname_scan(const char *dir, dev_t rdev, bool builtin, char *name,
size_t namelen)
++sudo_ttyname_scan(const char *dir, dev_t rdev, char *name, size_t namelen)
+ {
+-size_t sdlen, num_subdirs = 0, max_subdirs = 0;
+-char pathbuf[PATH_MAX], **subdirs = NULL;
++size_t sdlen;
++char pathbuf[PATH_MAX];
+ char *ret = NULL;
+ struct dirent *dp;
++struct stat sb;
+ unsigned int i;
+ DIR *d = NULL;
+ debug_decl(sudo_ttyname_scan, SUDO_DEBUG_UTIL)
+@@ -183,6 +187,18 @@ sudo_ttyname_scan(const char *dir, dev_t rdev, bool
builtin, char *name, size_t
+ if (dir[0] == '\0' || (d = opendir(dir)) == NULL)
+ goto done;
+
++if (fstat(dirfd(d), ) == -1) {
++ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
++ "unable to fstat %s", dir);
++ goto done;
++}
++if ((sb.st_mode & S_IWOTH) != 0) {
++ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
++ "ignoring world-writable directory %s", dir);
++ errno = ENOENT;
++ goto done;
++}
++
+ sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
+ "scanning for dev %u in %s", (unsigned int)rdev, dir);
+
+@@ -220,18 +236,6 @@ sudo_ttyname_scan(const char *dir, dev_t rdev, bool
builtin, char *name, size_t
+ }
+ if (ignore_devs[i] != NULL)
+ continue;
+- if (!builtin) {
+- /* Skip entries in search_devs; we already checked them. */
+- for (i = 0; search_devs[i] != NULL; i++) {
+- len = strlen(search_devs[i]);
+- if (search_devs[i][len - 1] == '/')
+- len--;
+-