aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGravatar Peter Korsgaard <peter@korsgaard.com>2017-05-31 08:47:18 +0200
committerGravatar Peter Korsgaard <peter@korsgaard.com>2017-06-01 16:42:25 +0200
commite67d4c0c3f554d1a7f9e622bfb971886ac0935a5 (patch)
tree37cad15f4f6e80e14ca62c5eddd61d1f0bbd9a80
parente73a40c41c79c44e7bf29b021d4feb6905bbd991 (diff)
downloadbuildroot-e67d4c0c3f554d1a7f9e622bfb971886ac0935a5.tar.gz
buildroot-e67d4c0c3f554d1a7f9e622bfb971886ac0935a5.tar.bz2
sudo: add upstream security patch for CVE-2017-1000367
CVE-2017-1000367 - Potential overwrite of arbitrary files on Linux On Linux systems, sudo parses the /proc/[pid]/stat file to determine the device number of the process's tty (field 7). The fields in the file are space-delimited, but it is possible for the command name (field 2) to include spaces, which sudo does not account for. A user with sudo privileges can cause sudo to use a device number of the user's choosing by creating a symbolic link from the sudo binary to a name that contains a space, followed by a number. If SELinux is enabled on the system and sudo was built with SELinux support, a user with sudo privileges may be able to to overwrite an arbitrary file. This can be escalated to full root access by rewriting a trusted file such as /etc/shadow or even /etc/sudoers. For more details, see: https://www.sudo.ws/alerts/linux_tty.html Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit fddb760946a4f4ca366528a673989793be65a678) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
-rw-r--r--package/sudo/0001-fix-CVE-2017-1000367.patch264
1 files changed, 264 insertions, 0 deletions
diff --git a/package/sudo/0001-fix-CVE-2017-1000367.patch b/package/sudo/0001-fix-CVE-2017-1000367.patch
new file mode 100644
index 0000000000..6e44399c05
--- /dev/null
+++ b/package/sudo/0001-fix-CVE-2017-1000367.patch
@@ -0,0 +1,264 @@
+Downloaded from upstream: https://www.sudo.ws/repos/sudo/raw-rev/b5460cbbb11b
+
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller@courtesan.com>
+# Date 1496089973 21600
+# Node ID b5460cbbb11bbf9d92ffcc6798a686cf4125efd3
+# Parent c303e6eecc7841e2f891d70613e80fcf27fa6e86
+Fix for CVE-2017-1000367, parsing of /proc/pid/stat on Linux when
+the process name contains spaces. Since the user has control over
+the command name this could be used by a user with sudo access to
+overwrite an arbitrary file.
+Thanks to Qualys for investigating and reporting this bug.
+
+Also stop performing a breadth-first traversal of /dev when looking
+for the device. Only the directories specified in search_devs[]
+are checked.
+
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+diff -r c303e6eecc78 -r b5460cbbb11b src/ttyname.c
+--- a/src/ttyname.c Tue May 23 13:26:54 2017 -0600
++++ b/src/ttyname.c Mon May 29 14:32:53 2017 -0600
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2012-2016 Todd C. Miller <Todd.Miller@courtesan.com>
++ * Copyright (c) 2012-2017 Todd C. Miller <Todd.Miller@courtesan.com>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+@@ -145,20 +145,22 @@
+ }
+ #elif defined(HAVE_STRUCT_PSINFO_PR_TTYDEV) || defined(HAVE_PSTAT_GETPROC) || defined(__linux__)
+ /*
+- * Devices to search before doing a breadth-first scan.
++ * Device nodes and directories to search before searching all of /dev
+ */
+ static char *search_devs[] = {
+ "/dev/console",
+- "/dev/wscons",
+- "/dev/pts/",
+- "/dev/vt/",
+- "/dev/term/",
+- "/dev/zcons/",
++ "/dev/pts/", /* POSIX pty */
++ "/dev/vt/", /* Solaris virtual console */
++ "/dev/term/", /* Solaris serial ports */
++ "/dev/zcons/", /* Solaris zone console */
++ "/dev/pty/", /* HP-UX old-style pty */
+ NULL
+ };
+
++/*
++ * Device nodes to ignore when searching all of /dev
++ */
+ static char *ignore_devs[] = {
+- "/dev/fd/",
+ "/dev/stdin",
+ "/dev/stdout",
+ "/dev/stderr",
+@@ -166,16 +168,18 @@
+ };
+
+ /*
+- * Do a breadth-first scan of dir looking for the specified device.
++ * Do a scan of a directory looking for the specified device.
++ * Does not descend into subdirectories.
+ * Returns name on success and NULL on failure, setting errno.
+ */
+ static char *
+-sudo_ttyname_scan(const char *dir, dev_t rdev, bool builtin, char *name, size_t namelen)
++sudo_ttyname_scan(const char *dir, dev_t rdev, char *name, size_t namelen)
+ {
+- size_t sdlen, num_subdirs = 0, max_subdirs = 0;
+- char pathbuf[PATH_MAX], **subdirs = NULL;
++ size_t sdlen;
++ char pathbuf[PATH_MAX];
+ char *ret = NULL;
+ struct dirent *dp;
++ struct stat sb;
+ unsigned int i;
+ DIR *d = NULL;
+ debug_decl(sudo_ttyname_scan, SUDO_DEBUG_UTIL)
+@@ -187,6 +191,18 @@
+ if ((d = opendir(dir)) == NULL)
+ goto done;
+
++ if (fstat(dirfd(d), &sb) == -1) {
++ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
++ "unable to fstat %s", dir);
++ goto done;
++ }
++ if ((sb.st_mode & S_IWOTH) != 0) {
++ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
++ "ignoring world-writable directory %s", dir);
++ errno = ENOENT;
++ goto done;
++ }
++
+ sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
+ "scanning for dev %u in %s", (unsigned int)rdev, dir);
+
+@@ -224,18 +240,6 @@
+ }
+ if (ignore_devs[i] != NULL)
+ continue;
+- if (!builtin) {
+- /* Skip entries in search_devs; we already checked them. */
+- for (i = 0; search_devs[i] != NULL; i++) {
+- len = strlen(search_devs[i]);
+- if (search_devs[i][len - 1] == '/')
+- len--;
+- if (d_len == len && strncmp(pathbuf, search_devs[i], len) == 0)
+- break;
+- }
+- if (search_devs[i] != NULL)
+- continue;
+- }
+ # if defined(HAVE_STRUCT_DIRENT_D_TYPE) && defined(DTTOIF)
+ /*
+ * Avoid excessive stat() calls by checking dp->d_type.
+@@ -248,39 +252,14 @@
+ if (stat(pathbuf, &sb) == -1)
+ continue;
+ break;
+- case DT_DIR:
+- /* Directory, no need to stat() it. */
+- sb.st_mode = DTTOIF(dp->d_type);
+- sb.st_rdev = 0; /* quiet ccc-analyzer false positive */
+- break;
+ default:
+- /* Not a character device, link or directory, skip it. */
++ /* Not a character device or link, skip it. */
+ continue;
+ }
+ # else
+ if (stat(pathbuf, &sb) == -1)
+ continue;
+ # endif
+- if (S_ISDIR(sb.st_mode)) {
+- if (!builtin) {
+- /* Add to list of subdirs to search. */
+- if (num_subdirs + 1 > max_subdirs) {
+- char **new_subdirs;
+-
+- new_subdirs = reallocarray(subdirs, max_subdirs + 64,
+- sizeof(char *));
+- if (new_subdirs == NULL)
+- goto done;
+- subdirs = new_subdirs;
+- max_subdirs += 64;
+- }
+- subdirs[num_subdirs] = strdup(pathbuf);
+- if (subdirs[num_subdirs] == NULL)
+- goto done;
+- num_subdirs++;
+- }
+- continue;
+- }
+ if (S_ISCHR(sb.st_mode) && sb.st_rdev == rdev) {
+ sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
+ "resolved dev %u as %s", (unsigned int)rdev, pathbuf);
+@@ -296,16 +275,9 @@
+ }
+ }
+
+- /* Search subdirs if we didn't find it in the root level. */
+- for (i = 0; ret == NULL && i < num_subdirs; i++)
+- ret = sudo_ttyname_scan(subdirs[i], rdev, false, name, namelen);
+-
+ done:
+ if (d != NULL)
+ closedir(d);
+- for (i = 0; i < num_subdirs; i++)
+- free(subdirs[i]);
+- free(subdirs);
+ debug_return_str(ret);
+ }
+
+@@ -324,7 +296,7 @@
+ debug_decl(sudo_ttyname_dev, SUDO_DEBUG_UTIL)
+
+ /*
+- * First check search_devs for common tty devices.
++ * First check search_devs[] for common tty devices.
+ */
+ for (sd = search_devs; (devname = *sd) != NULL; sd++) {
+ len = strlen(devname);
+@@ -349,7 +321,7 @@
+ "comparing dev %u to %s: no", (unsigned int)rdev, buf);
+ } else {
+ /* Traverse directory */
+- ret = sudo_ttyname_scan(devname, rdev, true, name, namelen);
++ ret = sudo_ttyname_scan(devname, rdev, name, namelen);
+ if (ret != NULL || errno == ENOMEM)
+ goto done;
+ }
+@@ -367,9 +339,9 @@
+ }
+
+ /*
+- * Not found? Do a breadth-first traversal of /dev/.
++ * Not found? Check all device nodes in /dev.
+ */
+- ret = sudo_ttyname_scan(_PATH_DEV, rdev, false, name, namelen);
++ ret = sudo_ttyname_scan(_PATH_DEV, rdev, name, namelen);
+
+ done:
+ debug_return_str(ret);
+@@ -493,28 +465,35 @@
+ len = getline(&line, &linesize, fp);
+ fclose(fp);
+ if (len != -1) {
+- /* Field 7 is the tty dev (0 if no tty) */
+- char *cp = line;
+- char *ep = line;
+- const char *errstr;
+- int field = 0;
+- while (*++ep != '\0') {
+- if (*ep == ' ') {
+- *ep = '\0';
+- if (++field == 7) {
+- dev_t tdev = strtonum(cp, INT_MIN, INT_MAX, &errstr);
+- if (errstr) {
+- sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
+- "%s: tty device %s: %s", path, cp, errstr);
++ /*
++ * Field 7 is the tty dev (0 if no tty).
++ * Since the process name at field 2 "(comm)" may include spaces,
++ * start at the last ')' found.
++ */
++ char *cp = strrchr(line, ')');
++ if (cp != NULL) {
++ char *ep = cp;
++ const char *errstr;
++ int field = 1;
++
++ while (*++ep != '\0') {
++ if (*ep == ' ') {
++ *ep = '\0';
++ if (++field == 7) {
++ dev_t tdev = strtonum(cp, INT_MIN, INT_MAX, &errstr);
++ if (errstr) {
++ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
++ "%s: tty device %s: %s", path, cp, errstr);
++ }
++ if (tdev > 0) {
++ errno = serrno;
++ ret = sudo_ttyname_dev(tdev, name, namelen);
++ goto done;
++ }
++ break;
+ }
+- if (tdev > 0) {
+- errno = serrno;
+- ret = sudo_ttyname_dev(tdev, name, namelen);
+- goto done;
+- }
+- break;
++ cp = ep + 1;
+ }
+- cp = ep + 1;
+ }
+ }
+ }
+