Package: sudo
Version: 1.7.2p1-1
Severity: normal

This bug has also been sent upstream at 
http://www.gratisoft.us/bugzilla/show_bug.cgi?id=390

Steps to reproduce:
1) iptables -A INPUT -p udp --sport 53 -j DROP
2) sudo true

Expected results:
2) sudo sends a warning email that DNS is broken

Actual results:
2) sudo sends a warning email that DNS is broken but the email contains
non-printable random characters. Here are some examples (filtered with
"cat -A" to escape those non-printable characters):

>From r...@fomalhaut.lan Mon Feb 01 16:50:59 2010$
Return-path: <r...@fomalhaut.lan>$
Envelope-to: r...@fomalhaut.lan$
Delivery-date: Mon, 01 Feb 2010 16:50:59 +0000$
Received: from root by fomalhaut with local (Exim 4.71)$
^I(envelope-from <r...@fomalhaut.lan>)$
^Iid 1NbzTf-0006AP-21$
^Ifor r...@fomalhaut.lan; Mon, 01 Feb 2010 16:50:19 +0000$
Date: Mon, 01 Feb 2010 16:50:19 +0000$
Message-Id: <e1nbztf-0006ap...@fomalhaut>$
To: r...@fomalhaut.lan$
Auto-Submitted: auto-generated$
Subject: *** SECURITY information for fomalhaut ***$
From: root <r...@fomalhaut.lan>$
$
fomalhaut : Feb  1 16:49:38 : root : ^PM-d^HM-8^PM-d^HM-8o resolve host
fomalhaut($


>From r...@fomalhaut.lan Mon Feb 01 17:15:10 2010$
Return-path: <r...@fomalhaut.lan>$
Envelope-to: r...@fomalhaut.lan$
Delivery-date: Mon, 01 Feb 2010 17:15:10 +0000$
Received: from root by fomalhaut with local (Exim 4.71)$
^I(envelope-from <r...@fomalhaut.lan>)$
^Iid 1Nbzr4-0006FF-0r$
^Ifor r...@fomalhaut.lan; Mon, 01 Feb 2010 17:14:30 +0000$
Date: Mon, 01 Feb 2010 17:14:30 +0000$
Message-Id: <e1nbzr4-0006ff...@fomalhaut>$
To: r...@fomalhaut.lan$
Auto-Submitted: auto-generated$
Subject: *** SECURITY information for fomalhaut ***$
From: root <r...@fomalhaut.lan>$
$
fomalhaut : Feb  1 17:13:49 : root : ^PM-dM-|M-7^PM-dM-|M-7o resolve
host fomalhaut($

More info:
1) This happens every time DNS is broken.
2) This does not happen with sudo 1.6.9p17-2 in debian lenny.
3) strace shows

24020 execve("/usr/bin/sudo", ["sudo", "true"], [/* 29 vars */]) = 0
...
24020 write(2, "sudo", 4)               = 4
24020 write(2, ": ", 2)                 = 2
24020 write(2, "unable to resolve host fomalhaut", 32) = 32
24020 write(2, "\n", 1)                 = 1
24020 clone(child_stack=0,
flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD,
child_tidptr=0xb7ecb728) = 24023
24023 clone(child_stack=0,
flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD,
child_tidptr=0xb7ecb728) = 24024
24024 setsid()                          = 24024
24024 chdir("/")                        = 0
24024 open("/dev/null", O_RDWR)         = 5
...
24024 write(4, "To: root\nFrom: root\nAuto-Submitted:
auto-generated\nSubject: *** SECURITY information for fomalhaut
***\n\nfomalhaut : Feb  1 17:14:51 : root : \20\24\1\270\20\24\1\270o
resolve host fomalhaut(\n\n", 176) = 176

4) gdb shows me that
4.1) send_mail() is called with line that points to ""
4.2) after closefrom(STDERR_FILENO + 1); line no longer starts with \0
and shows

"\020\224\006ž\020\224\006žo resolve host fomalhaut("

4.3) setting a watchpoint for line[0] shows

Old value = 0
New value = 146555480
malloc_consolidate (av=0xb7f283c0) at malloc.c:5138
5138    malloc.c: No such file or directory.
        in malloc.c
Mon Feb  1 17:51:48 UTC 2010
(gdb) bt
#0  malloc_consolidate (av=0xb7f283c0) at malloc.c:5138
#1  0xb7e51e96 in _int_malloc (av=0xb7f283c0, bytes=32792) at
malloc.c:4360
#2  0xb7e542ce in *__GI___libc_malloc (bytes=32792) at malloc.c:3660
#3  0xb7e791b0 in __alloc_dir (fd=6, close_fd=true, statp=0x0) at
../sysdeps/unix/opendir.c:186
#4  0xb7e792f5 in __opendir (name=0x806925c "/proc/self/fd") at
../sysdeps/unix/opendir.c:141
#5  0x0805f439 in closefrom (lowfd=3) at ../closefrom.c:113
#6  0x0805823d in send_mail (line=0x8bc5040 "XBŒ\ble to resolve host
fomalhaut") at ../logging.c:504
#7  0x08058074 in log_error (flags=9, fmt=0x8068c06 "unable to resolve
host %s") at ../logging.c:400
#8  0x0805d3dd in set_fqdn () at ../sudo.c:1342
#9  0x0805c465 in init_vars (sudo_mode=1, envp=0xbfd935f0) at
../sudo.c:721
#10 0x0805b4d1 in main (argc=2, argv=0xbfd935e4, envp=0xbfd935f0) at
../sudo.c:275

5) Then I looked at log_error and noticed:

evasprintf(&message, fmt, ap); // allocates memory
...
logline = message;
...
efree(message); // frees the memory
...
send_mail(logline); // uses the freed memory!

Proposed patch is attached.


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.30-lindi-kprobes-686 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=fi_FI (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash

Versions of packages sudo depends on:
ii  libc6                         2.10.2-5   Embedded GNU C Library: Shared lib
ii  libpam-modules                1.1.0-4    Pluggable Authentication Modules f
ii  libpam0g                      1.1.0-4    Pluggable Authentication Modules l

sudo recommends no packages.

sudo suggests no packages.

-- no debconf information
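Added illustration (not part of the bug report and not sudo's code): the ordering the reporter found in log_error() at point 5, reduced to a stand-alone C program, with the corrected ordering beside it. evasprintf(), efree() and send_mail() are replaced by hypothetical stand-ins: fmt_alloc() formats into a malloc'd buffer, send_mail_stub() captures the mail body into a buffer instead of forking sendmail, and poison_free() fills the string with 0xDD and parks the block in a quarantine rather than returning it to malloc. That last substitution is what makes the corruption deterministic: in the report the bytes that appeared in the mail came from whatever glibc's malloc_consolidate() wrote into the freed chunk (the watchpoint backtrace at point 4.3), which is why they varied from run to run; here the dangling read always sees the poison pattern, while the fixed ordering never touches freed memory. mail_body_is_clean() is the "cat -A" check the reporter did by hand.

```c
#include <ctype.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAIL_MAX 256

/* Stand-in for sudo's evasprintf(): format into a freshly malloc'd buffer
 * (hypothetical helper, not sudo's own). */
static char *fmt_alloc(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    if (n < 0)
        return NULL;
    char *buf = malloc((size_t)n + 1);
    if (buf == NULL)
        return NULL;
    va_start(ap, fmt);
    vsnprintf(buf, (size_t)n + 1, fmt, ap);
    va_end(ap);
    return buf;
}

/* Debug replacement for efree(): overwrite the string with 0xDD and keep the
 * block in a quarantine instead of handing it back to malloc.  A read through
 * a dangling pointer then yields a fixed poison pattern rather than whatever
 * the allocator's bookkeeping happened to leave there. */
static char *quarantine[32];
static size_t nquarantined;

static void poison_free(char *p)
{
    if (p == NULL)
        return;
    memset(p, 0xDD, strlen(p));             /* keep the trailing NUL */
    if (nquarantined < sizeof quarantine / sizeof quarantine[0])
        quarantine[nquarantined++] = p;
    else
        free(p);                            /* quarantine full: real free */
}

static void quarantine_flush(void)
{
    while (nquarantined > 0)
        free(quarantine[--nquarantined]);
}

/* Stand-in for send_mail(): capture the body instead of forking sendmail. */
static char last_mail[MAIL_MAX];

static void send_mail_stub(const char *line)
{
    snprintf(last_mail, sizeof last_mail, "%s", line ? line : "");
}

/* Ordering the report found in log_error(): message is freed, then its
 * alias logline is handed to send_mail().  Returns the captured mail body. */
static const char *log_error_buggy(const char *fmt, const char *host)
{
    char *message = fmt_alloc(fmt, host);
    char *logline = message;                /* alias, not a copy */
    poison_free(message);                   /* memory released here ... */
    send_mail_stub(logline);                /* ... and read here: use-after-free */
    return last_mail;
}

/* Fixed ordering: every reader of the buffer runs before it is released. */
static const char *log_error_fixed(const char *fmt, const char *host)
{
    char *message = fmt_alloc(fmt, host);
    char *logline = message;
    send_mail_stub(logline);
    poison_free(message);                   /* free only after the last use */
    return last_mail;
}

/* The check the reporter did with "cat -A": is every byte printable? */
static int mail_body_is_clean(const char *s)
{
    for (; *s != '\0'; s++)
        if (!isprint((unsigned char)*s))
            return 0;
    return 1;
}

int main(void)
{
    const char *fmt = "unable to resolve host %s";
    printf("fixed : %s (clean=%d)\n", log_error_fixed(fmt, "fomalhaut"),
           mail_body_is_clean(last_mail));
    const char *bad = log_error_buggy(fmt, "fomalhaut");
    printf("buggy : ");
    for (const unsigned char *p = (const unsigned char *)bad; *p; p++) {
        if (isprint(*p))
            putchar(*p);
        else
            printf("\\%03o", *p);           /* octal, like the strace output */
    }
    printf(" (clean=%d)\n", mail_body_is_clean(bad));
    quarantine_flush();
    return 0;
}
```

Under a real allocator the buggy path is undefined behaviour and the garbage depends on what malloc does between the free and the read (in the report, the closefrom() call in send_mail() opened /proc/self/fd, which allocated and consolidated the heap). Building sudo with a poisoning or quarantining allocator, or running the reproduction under a tool that hooks free(), turns that intermittent garbage into a reliable failure.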

