See attachment. Ben.
-- Ben Hutchings Lowery's Law: If it jams, force it. If it breaks, it needed replacing anyway.
diff -Nru sudo-1.8.15/debian/changelog sudo-1.8.15/debian/changelog
--- sudo-1.8.15/debian/changelog 2015-12-23 18:58:20.000000000 +0000
+++ sudo-1.8.15/debian/changelog 2016-01-04 23:36:56.000000000 +0000
@@ -1,3 +1,13 @@
+sudo (1.8.15-1.1) unstable; urgency=medium
+
+ * Non-maintainer upload
+ * Disable editing of files via user-controllable symlinks
+ (Closes: #804149) (CVE-2015-5602)
+ - Fix directory writability checks for sudoedit
+ - Enable sudoedit directory writability checks by default
+
+ -- Ben Hutchings <b...@decadent.org.uk> Mon, 04 Jan 2016 23:36:50 +0000
+
 sudo (1.8.15-1) unstable; urgency=low
 
 * new upstream version, closes: #804149
diff -Nru sudo-1.8.15/debian/patches/CVE-2015-5602-6.patch sudo-1.8.15/debian/patches/CVE-2015-5602-6.patch
--- sudo-1.8.15/debian/patches/CVE-2015-5602-6.patch 1970-01-01 01:00:00.000000000 +0100
+++ sudo-1.8.15/debian/patches/CVE-2015-5602-6.patch 2016-01-04 23:38:45.000000000 +0000
@@ -0,0 +1,102 @@
+Description: CVE-2015-5602: Fix directory writability checks for sudoedit.
+Bug: https://bugzilla.sudo.ws/show_bug.cgi?id=707
+Bug-Debian: https://bugs.debian.org/804149
+Author: Ben Hutchings <b...@decadent.org.uk>
+Forwarded: https://bugzilla.sudo.ws/show_bug.cgi?id=707#c11
+
+This prevents access to a file in a writable directory *or* accessed
+through a symlink in a writable directory.
+
+--- a/src/sudo_edit.c
++++ b/src/sudo_edit.c
+@@ -248,46 +248,52 @@ dir_is_writable(struct stat *sb, uid_t u
+ static int
+ sudo_edit_open_nonwritable(char *path, int oflags, mode_t mode)
+ {
+- char *base, *dir;
++#ifndef O_NOFOLLOW
++ error(1, "%s: Can't check writability without O_NOFOLLOW", __func__);
++#else
++ char *sep;
+ struct stat sb;
+- int dfd, fd;
++ int dfd, subdfd, fd;
++ int is_writable;
+ debug_decl(sudo_edit_open_nonwritable, SUDO_DEBUG_EDIT)
+ 
+- base = strrchr(path, '/');
+- if (base != NULL) {
+- *base++ = '\0';
+- dir = path;
++ if (path[0] == '/') {
++ dfd = open("/", O_RDONLY);
++ ++path;
+ } else {
+- base = path;
+- dir = ".";
+- }
+-#ifdef O_PATH
+- if ((dfd = open(dir, O_PATH)) != -1) {
+- /* Linux kernels < 3.6 can't do fstat on O_PATH fds. */
+- if (fstat(dfd, &sb) == -1) {
+- close(dfd);
+- dfd = open(dir, O_RDONLY);
+- if (fstat(dfd, &sb) == -1) {
+- close(dfd);
+- dfd = -1;
+- }
+- }
++ /* XXX It doesn't make any sense to allow editing relative paths */
++ dfd = open(".", O_RDONLY);
+ }
+-#else
+- if ((dfd = open(dir, O_RDONLY)) != -1) {
++ if (dfd == -1)
++ debug_return_int(-1);
++
++ for (;;) {
++ /*
++ * Look up one component at a time, avoiding symbolic links in
++ * writable directories
++ */
++
+ if (fstat(dfd, &sb) == -1) {
+ close(dfd);
+- dfd = -1;
++ debug_return_int(-1);
+ }
++ is_writable = dir_is_writable(&sb, user_details.uid, user_details.gid,
++ user_details.ngroups, user_details.groups);
++
++ sep = strchr(path, '/');
++ if (sep == NULL)
++ break;
++ *sep = '\0';
++ subdfd = openat(dfd, path, O_RDONLY | (is_writable ? O_NOFOLLOW : 0), 0);
++ *sep = '/'; /* restore path */
++ close(dfd);
++ if (subdfd == -1)
++ debug_return_int(-1);
++ path = sep + 1;
++ dfd = subdfd;
+ }
+-#endif
+- if (base != path)
+- base[-1] = '/'; /* restore path */
+- if (dfd == -1)
+- debug_return_int(-1);
+ 
+- if (dir_is_writable(&sb, user_details.uid, user_details.gid,
+- user_details.ngroups, user_details.groups)) {
++ if (is_writable) {
+ close(dfd);
+ errno = EISDIR;
+ debug_return_int(-1);
+@@ -296,6 +302,7 @@ sudo_edit_open_nonwritable(char *path, i
+ fd = openat(dfd, path, oflags, mode);
+ close(dfd);
+ debug_return_int(fd);
++#endif
+ }
+ 
+ #ifdef O_NOFOLLOW
diff -Nru sudo-1.8.15/debian/patches/CVE-2015-5602-7.patch sudo-1.8.15/debian/patches/CVE-2015-5602-7.patch
--- sudo-1.8.15/debian/patches/CVE-2015-5602-7.patch 1970-01-01 01:00:00.000000000 +0100
+++ sudo-1.8.15/debian/patches/CVE-2015-5602-7.patch 2016-01-04 23:38:58.000000000 +0000
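Review bot: In the new lookup loop `close(dfd)` runs before `subdfd` is tested, so a failing close() can overwrite the errno that openat() just set (ELOOP for a refused symlink, ENOENT, EACCES) before the caller sees it; the function evidently expects errno to reach the caller, since it sets EISDIR deliberately a few lines later. Test `subdfd` first and save errno around the close, as in the fenced code (the pre-existing `close(dfd)` before `debug_return_int(fd)` in the second inner hunk has the same weakness but is not new code). The loop comment could also record the limit of the check, e.g. `/* A symlink in a non-writable directory is still followed by openat(); the directory it resolves to is checked on the next pass, but the components of its target are not. */`, so nobody later assumes every path component is vetted. Whether ENOENT from an empty component (`a//b`, trailing `/`) is the intended failure mode for such paths deserves a one-line comment as well.
```c
    for (;;) {
	/* … unchanged: fstat(), dir_is_writable(), strchr() and the '\0' split … */
	subdfd = openat(dfd, path, O_RDONLY | (is_writable ? O_NOFOLLOW : 0), 0);
	*sep = '/';		/* restore path */
	if (subdfd == -1) {
	    int serrno = errno;	/* a failing close() must not clobber openat()'s errno */
	    close(dfd);
	    errno = serrno;
	    debug_return_int(-1);
	}
	close(dfd);
	path = sep + 1;
	dfd = subdfd;
    }
    /* … unchanged: final is_writable check and openat() of the last component … */
```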
@@ -0,0 +1,49 @@
+Description: CVE-2015-5602: Enable sudoedit directory writability checks by default
+Bug: https://bugzilla.sudo.ws/show_bug.cgi?id=707
+Bug-Debian: https://bugs.debian.org/804149
+Author: Ben Hutchings <b...@decadent.org.uk>
+Forwarded: not-needed
+
+--- a/plugins/sudoers/defaults.c
++++ b/plugins/sudoers/defaults.c
+@@ -504,6 +504,7 @@ init_defaults(void)
+ goto oom;
+ def_set_utmp = true;
+ def_pam_setcred = true;
++ def_sudoedit_checkdir = true;
+ 
+ /* Finally do the lists (currently just environment tables). */
+ if (!init_envtables())
+--- a/doc/sudoers.cat
++++ b/doc/sudoers.cat
+@@ -1280,7 +1280,7 @@ SSUUDDOOEERRSS OOPPTTIIOONN
+ it is run by root. On many systems, this option
+ requires that the parent directory of the file to be
+ edited be readable by the target user. This flag is
+- _o_f_f by default.
++ _o_n by default.
+ 
+ sudoedit_follow By default, ssuuddooeeddiitt will not follow symbolic links
+ when opening files. The _s_u_d_o_e_d_i_t___f_o_l_l_o_w option can be
+--- a/doc/sudoers.man.in
++++ b/doc/sudoers.man.in
+@@ -2720,7 +2720,7 @@ by the invoking user unless it is run by
+ On many systems, this option requires that the parent directory
+ of the file to be edited be readable by the target user.
+ This flag is
+-\fIoff\fR
++\fIon\fR
+ by default.
+ .TP 18n
+ sudoedit_follow
+--- a/doc/sudoers.mdoc.in
++++ b/doc/sudoers.mdoc.in
+@@ -2554,7 +2554,7 @@ by the invoking user unless it is run by
+ On many systems, this option requires that the parent directory
+ of the file to be edited be readable by the target user.
+ This flag is
+-.Em off
++.Em on
+ by default.
+ .It sudoedit_follow
+ By default,
diff -Nru sudo-1.8.15/debian/patches/series sudo-1.8.15/debian/patches/series
--- sudo-1.8.15/debian/patches/series 2015-12-23 18:58:20.000000000 +0000
+++ sudo-1.8.15/debian/patches/series 2015-12-29 20:20:35.000000000 +0000
@@ -1,2 +1,4 @@
 typo-in-classic-insults.diff
 paths-in-samples.diff
+CVE-2015-5602-6.patch
+CVE-2015-5602-7.patch
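Review bot: Setting `def_sudoedit_checkdir = true` in init_defaults() is a behaviour change for every existing sudoedit deployment — edits of files in directories writable by the invoking user now fail, and the manual text updated in this same patch says the parent directory must be readable by the target user on many systems — yet the only record of it is a changelog bullet. For an NMU, a short NEWS.Debian entry (or a changelog sentence) naming the option, so that administrators who hit the new failure know `sudoedit_checkdir` is the knob involved, would avoid confused bug reports. The three manual sources are updated consistently, so no further documentation change is needed in the package itself.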