
sudo security update for Wheezy LTS



Hi,

I have prepared an update for sudo in Wheezy.

Please see the attached diff against the previous version and a small test program.

Changes:
 sudo (1.8.5p2-1+nmu3+deb7u2) wheezy-security; urgency=medium
 .
   * LTS Team upload.
   * Fix noexec bypass via system() and popen() (CVE-2016-7032)
   * Fix noexec bypass via wordexp() (CVE-2016-7076) (Closes: #842507)

I plan to upload the package tomorrow around 18:00 UTC.

The binary packages for amd64 are also available for testing here:

 deb https://people.debian.org/~rbalint/ppa/wheezy-lts UNRELEASED/

Cheers,
Balint

diff -Nru sudo-1.8.5p2/debian/changelog sudo-1.8.5p2/debian/changelog
--- sudo-1.8.5p2/debian/changelog	2016-01-05 19:48:04.000000000 +0100
+++ sudo-1.8.5p2/debian/changelog	2016-11-11 15:54:01.000000000 +0100
@@ -1,3 +1,11 @@
+sudo (1.8.5p2-1+nmu3+deb7u2) wheezy-security; urgency=medium
+
+  * LTS Team upload.
+  * Fix noexec bypass via system() and popen() (CVE-2016-7032)
+  * Fix noexec bypass via wordexp() (CVE-2016-7076) (Closes: #842507)
+
+ -- Balint Reczey <balint@balintreczey.hu>  Fri, 11 Nov 2016 15:52:14 +0100
+
 sudo (1.8.5p2-1+nmu3+deb7u1) wheezy-security; urgency=medium
 
   * Non-maintainer upload
diff -Nru sudo-1.8.5p2/debian/patches/CVE-2016-7032-1.patch sudo-1.8.5p2/debian/patches/CVE-2016-7032-1.patch
--- sudo-1.8.5p2/debian/patches/CVE-2016-7032-1.patch	1970-01-01 01:00:00.000000000 +0100
+++ sudo-1.8.5p2/debian/patches/CVE-2016-7032-1.patch	2016-11-11 17:46:36.000000000 +0100
@@ -0,0 +1,39 @@
+From 31e5576a54a439c943f20998cb319f7101a609e3 Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller" <Todd.Miller@courtesan.com>
+Date: Mon, 28 Sep 2015 15:10:00 -0600
+Subject: [PATCH 1/3] Also interpose system(3).  On glibc systems you cannot
+ interpose the syscalls used internally by libc.
+
+Conflicts:
+	src/sudo_noexec.c
+---
+ src/sudo_noexec.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/sudo_noexec.c b/src/sudo_noexec.c
+index af1915f..c83df44 100644
+--- a/src/sudo_noexec.c
++++ b/src/sudo_noexec.c
+@@ -40,6 +40,11 @@
+     return -1;					\
+ }
+ 
++#define DUMMY1(fn, t1)                          \
++int						\
++fn(t1 a1)                                       \
++DUMMY_BODY
++
+ #define DUMMY2(fn, t1, t2)			\
+ int						\
+ fn(t1 a1, t2 a2)				\
+@@ -69,6 +74,7 @@ DUMMY_VA(__execle, const char *, const char *)
+ DUMMY_VA(execlp, const char *, const char *)
+ DUMMY_VA(_execlp, const char *, const char *)
+ DUMMY_VA(__execlp, const char *, const char *)
++DUMMY1(system, const char *)
+ DUMMY3(exect, const char *, char * const *, char * const *)
+ DUMMY3(_exect, const char *, char * const *, char * const *)
+ DUMMY3(__exect, const char *, char * const *, char * const *)
+-- 
+2.1.4
+
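Review bot: The new `+DUMMY1(system, const char *)` definition is compiled without `<stdlib.h>` in this patch, so nothing checks the wrapper's `int system(const char *)` signature against libc's prototype; the include only arrives in CVE-2016-7032-2.patch, which also relocates this same line. Because `series` applies both patches together the final build is unaffected, but patch 1 does not stand alone and the add-then-move churn makes the series harder to diff against the upstream commit — folding `+#include <stdlib.h>` into this patch and placing the line at its final position would fix both. As a style point, the `DUMMY1` macro aligns its continuation backslashes with spaces while the adjacent `DUMMY2` uses tabs, so the two render differently under the file's tab settings.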
diff -Nru sudo-1.8.5p2/debian/patches/CVE-2016-7032-2.patch sudo-1.8.5p2/debian/patches/CVE-2016-7032-2.patch
--- sudo-1.8.5p2/debian/patches/CVE-2016-7032-2.patch	1970-01-01 01:00:00.000000000 +0100
+++ sudo-1.8.5p2/debian/patches/CVE-2016-7032-2.patch	2016-11-11 17:46:36.000000000 +0100
@@ -0,0 +1,57 @@
+From 129bf12da13c4f095502ae36b1fc9726eaa23403 Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller" <Todd.Miller@courtesan.com>
+Date: Mon, 28 Sep 2015 15:34:16 -0600
+Subject: [PATCH 2/3] Also wrap popen(3).
+
+Back-ported to not use FN_NAME and INTERPOSE by Balint Reczey.
+
+Conflicts:
+	src/sudo_noexec.c
+---
+ src/sudo_noexec.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/src/sudo_noexec.c b/src/sudo_noexec.c
+index c83df44..c00006c 100644
+--- a/src/sudo_noexec.c
++++ b/src/sudo_noexec.c
+@@ -20,6 +20,8 @@
+ 
+ #include <errno.h>
+ #include <stdarg.h>
++#include <stdio.h>
++#include <stdlib.h>
+ #ifdef HAVE_SPAWN_H
+ #include <spawn.h>
+ #endif
+@@ -74,7 +76,6 @@ DUMMY_VA(__execle, const char *, const char *)
+ DUMMY_VA(execlp, const char *, const char *)
+ DUMMY_VA(_execlp, const char *, const char *)
+ DUMMY_VA(__execlp, const char *, const char *)
+-DUMMY1(system, const char *)
+ DUMMY3(exect, const char *, char * const *, char * const *)
+ DUMMY3(_exect, const char *, char * const *, char * const *)
+ DUMMY3(__exect, const char *, char * const *, char * const *)
+@@ -96,6 +97,7 @@ DUMMY3(__execvpe, const char *, char * const *, char * const *)
+ DUMMY3(fexecve, int , char * const *, char * const *)
+ DUMMY3(_fexecve, int , char * const *, char * const *)
+ DUMMY3(__fexecve, int , char * const *, char * const *)
++DUMMY1(system, const char *)
+ #ifdef HAVE_SPAWN_H
+ DUMMY6(posix_spawn, pid_t *, const char *, const posix_spawn_file_actions_t *, const posix_spawnattr_t *, char * const *, char * const *)
+ DUMMY6(_posix_spawn, pid_t *, const char *, const posix_spawn_file_actions_t *, const posix_spawnattr_t *, char * const *, char * const *)
+@@ -104,3 +106,11 @@ DUMMY6(posix_spawnp, pid_t *, const char *, const posix_spawn_file_actions_t *,
+ DUMMY6(_posix_spawnp, pid_t *, const char *, const posix_spawn_file_actions_t *, const posix_spawnattr_t *, char * const *, char * const *)
+ DUMMY6(__posix_spawnp, pid_t *, const char *, const posix_spawn_file_actions_t *, const posix_spawnattr_t *, char * const *, char * const *)
+ #endif /* HAVE_SPAWN_H */
++
++/* popen(3) returns FILE *, not int so we can't use a wrapper. */
++FILE *
++popen(const char *c, const char *t)
++{
++    errno = EACCES;
++    return NULL;
++}
+-- 
+2.1.4
+
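Review bot: The comment `/* popen(3) returns FILE *, not int so we can't use a wrapper. */` on the new `popen` definition is misleading, since the function that follows is itself the interposing wrapper; what cannot be used is the `DUMMYn`/`DUMMY_BODY` macro family, whose generated functions are hard-wired to return `int`. Suggest `/* popen(3) returns FILE *, not int, so the DUMMYn macros cannot generate it; define the interposer by hand and fail closed with NULL/EACCES. */`. The hand-written function also leaves both parameters `c` and `t` unreferenced, which `-Wunused-parameter` builds will flag; the macro-generated wrappers share that property, so it is consistent with the file, but `(void)c; (void)t;` at the top of the body is the usual way to make the intent explicit.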
diff -Nru sudo-1.8.5p2/debian/patches/CVE-2016-7076.patch sudo-1.8.5p2/debian/patches/CVE-2016-7076.patch
--- sudo-1.8.5p2/debian/patches/CVE-2016-7076.patch	1970-01-01 01:00:00.000000000 +0100
+++ sudo-1.8.5p2/debian/patches/CVE-2016-7076.patch	2016-11-13 15:53:24.000000000 +0100
@@ -0,0 +1,59 @@
+From 30038238114b747a4ede01b37a334f1420971453 Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller" <Todd.Miller@courtesan.com>
+Date: Wed, 5 Oct 2016 20:21:18 -0600
+Subject: [PATCH 3/3] Wrap wordexp(3) in sudo_noexec.
+
+Simplified patch for Debian Wheezy LTS by Balint Reczey.
+
+Conflicts:
+	aclocal.m4
+	configure
+	configure.in
+	src/sudo_noexec.c
+---
+ src/sudo_noexec.c | 27 +++++++++++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+--- a/src/sudo_noexec.c
++++ b/src/sudo_noexec.c
+@@ -25,6 +25,16 @@
+ #ifdef HAVE_SPAWN_H
+ #include <spawn.h>
+ #endif
++#ifdef HAVE_STRING_H
++# include <string.h>
++#endif /* HAVE_STRING_H */
++#ifdef HAVE_STRINGS_H
++# include <strings.h>
++#endif /* HAVE_STRINGS_H */
++#include <wordexp.h>
++#if defined(HAVE_DLOPEN)
++# include <dlfcn.h>
++#endif
+ 
+ #include "missing.h"
+ 
+@@ -114,3 +124,23 @@
+     errno = EACCES;
+     return NULL;
+ }
++
++/* use real dlsym, not sudo_dlsym */
++#undef dlsym
++
++/*
++ * We can't use a wrapper for wordexp(3) since we still want to call
++ * the real wordexp(3) but with WRDE_NOCMD added to the flags argument.
++ */
++typedef int (*sudo_fn_wordexp_t)(const char *, wordexp_t *, int);
++
++int
++wordexp(const char *words, wordexp_t *we, int flags)
++{
++    void *fn = dlsym(RTLD_NEXT, "wordexp");
++    if (fn == NULL) {
++	errno = EACCES;
++	return -1;
++    }
++    return ((sudo_fn_wordexp_t)fn)(words, we, flags | WRDE_NOCMD);
++}
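Review bot: The `<dlfcn.h>` include is added under `#if defined(HAVE_DLOPEN)`, but the `dlsym(RTLD_NEXT, "wordexp")` call in the new `wordexp` wrapper is unconditional, so a build without HAVE_DLOPEN would hit an undeclared `RTLD_NEXT` and an implicit `dlsym`; on Wheezy's glibc the macro will be set, so this is a portability gap rather than a functional one. The body should be guarded the same way and fall through to the existing fail-closed `errno = EACCES; return -1;` path when no real wordexp(3) can be reached, so the wrapper never silently degrades to the unfiltered libc version. Two smaller things: `RTLD_NEXT` is only declared by glibc when `_GNU_SOURCE` is defined before the first system header, which this hunk relies on the build already doing (presumably via config.h, not visible here), and the `<string.h>`/`<strings.h>` includes carried over from the upstream patch are unused by the simplified wrapper. Note also that wordexp(3) reports failure through WRDE_* return codes rather than -1/errno, so a caller that switches on the result sees an unexpected value from the fail-closed path; that is presumably inherited from the upstream commit, but deserves a one-line comment.
```c
int
wordexp(const char *words, wordexp_t *we, int flags)
{
#ifdef HAVE_DLOPEN
    void *fn = dlsym(RTLD_NEXT, "wordexp");
    if (fn != NULL)
	return ((sudo_fn_wordexp_t)fn)(words, we, flags | WRDE_NOCMD);
#endif
    /* No reachable real wordexp(3): fail closed (non-WRDE_* code, by design). */
    errno = EACCES;
    return -1;
}
```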
diff -Nru sudo-1.8.5p2/debian/patches/series sudo-1.8.5p2/debian/patches/series
--- sudo-1.8.5p2/debian/patches/series	2016-01-05 19:47:48.000000000 +0100
+++ sudo-1.8.5p2/debian/patches/series	2016-11-13 16:23:56.000000000 +0100
@@ -15,3 +15,7 @@
 CVE-2015-5602-5-generated.patch
 CVE-2015-5602-6.patch
 CVE-2015-5602-7.patch
+CVE-2016-7032-1.patch
+CVE-2016-7032-2.patch
+CVE-2016-7076.patch
+use_ldl_for_sudo_noexec.so.patch
diff -Nru sudo-1.8.5p2/debian/patches/use_ldl_for_sudo_noexec.so.patch sudo-1.8.5p2/debian/patches/use_ldl_for_sudo_noexec.so.patch
--- sudo-1.8.5p2/debian/patches/use_ldl_for_sudo_noexec.so.patch	1970-01-01 01:00:00.000000000 +0100
+++ sudo-1.8.5p2/debian/patches/use_ldl_for_sudo_noexec.so.patch	2016-11-13 18:31:22.000000000 +0100
@@ -0,0 +1,19 @@
+Description: Use -ldl when linking sudo_noexec.so
+ Without -ldl dlsym added in fix for CVE-2016-7076 can't be resolved.
+Author: Balint Reczey <balint@balintreczey.hu>
+Bug-Debian: https://bugs.debian.org/842507
+
+Bug: https://bugzilla.sudo.ws/show_bug.cgi?id=761
+Forwarded: https://bugzilla.sudo.ws/show_bug.cgi?id=761
+
+--- sudo-1.8.5p2.orig/src/Makefile.in
++++ sudo-1.8.5p2/src/Makefile.in
+@@ -97,7 +97,7 @@ sudo: $(OBJS) $(LT_LIBS)
+ 	$(LIBTOOL) --mode=link $(CC) -o $@ $(OBJS) $(LDFLAGS) $(LIBS)
+ 
+ libsudo_noexec.la: sudo_noexec.lo
+-	$(LIBTOOL) --mode=link $(CC) $(LDFLAGS) $(LTLDFLAGS) -o $@ sudo_noexec.lo -avoid-version -rpath $(noexecdir)
++	$(LIBTOOL) --mode=link $(CC) $(LDFLAGS) $(LTLDFLAGS) @LIBDL@ -o $@ sudo_noexec.lo -avoid-version -rpath $(noexecdir)
+ 
+ sesh: sesh.o error.o exec_common.o @LIBINTL@ $(LT_LIBS)
+ 	$(LIBTOOL) --mode=link $(CC) -o $@ sesh.o error.o exec_common.o $(LDFLAGS) @LIBINTL@ $(LIBS)
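Review bot: `@LIBDL@` is inserted before `-o $@ sudo_noexec.lo`, i.e. ahead of the only object that references `dlsym`; with a linker running under `--as-needed` (which some LDFLAGS sets enable) a library named before the objects that need it is discarded, and the unresolved `dlsym` this patch sets out to fix would return. Moving it after the object is the conventional order: `$(LIBTOOL) --mode=link $(CC) $(LDFLAGS) $(LTLDFLAGS) -o $@ sudo_noexec.lo @LIBDL@ -avoid-version -rpath $(noexecdir)`. This also assumes configure already substitutes `LIBDL`; the neighbouring `sesh` rule's use of `@LIBINTL@` suggests that pattern exists, but nothing in this hunk shows it, and the amd64 test build mentioned in the mail is the only evidence it resolves.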
#include <stdlib.h>
#include <stdio.h>
#include <wordexp.h>

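/*
 * Probe for the sudo noexec bypasses fixed as CVE-2016-7032 (system() and
 * popen()) and CVE-2016-7076 (wordexp() command substitution).
 *
 * Run this binary via sudo with the noexec default set in sudoers so that
 * sudo_noexec.so is preloaded into it; each check then reports whether the
 * corresponding libc entry point was interposed.  The checks are only
 * meaningful for a dynamically linked build of this program.
 *
 * Returns 0 when every check reports protected, 1 when any does not.
 */
int main(void) {
  wordexp_t p;
  FILE *fp;
  int rc;
  int unprotected = 0;

  printf("sudo CVE-2016-7032 & CVE-2016-7076 tests\n");
  printf("Set the noexec default setting in the sudoers file then run this binary with sudo.\n\n");
  /* Flush before spawning children so their output cannot interleave with ours. */
  fflush(stdout);

  /* The interposed system() fails with -1/EACCES instead of running a shell. */
  if (-1 != system("ls /")) {
    printf("\nSystem's system() call is not protected, sudo is vulnerable to CVE-2016-7032\n");
    unprotected = 1;
  } else {
    printf("System's system() call is protected (CVE-2016-7032)\n");
  }
  fflush(stdout);

  /* The interposed popen() returns NULL; if it did not, reap the child. */
  fp = popen("ls /", "r");
  if (NULL != fp) {
    pclose(fp);
    printf("\nSystem's popen() call is not protected, sudo is vulnerable to CVE-2016-7032\n");
    unprotected = 1;
  } else {
    printf("System's popen() call is protected (CVE-2016-7032)\n");
  }

  /*
   * The interposed wordexp() forces WRDE_NOCMD, so command substitution is
   * refused with WRDE_CMDSUB.  Any other result is counted as unprotected --
   * including a wrapper that fails closed with -1 -- which is the conservative
   * reading.  Only a successful expansion allocated anything to free.
   */
  rc = wordexp("$(echo e)", &p, 0);
  if (WRDE_CMDSUB != rc) {
    if (rc == 0) {
      wordfree(&p);
    }
    printf("\nSystem's wordexp() call is not protected, sudo is vulnerable to CVE-2016-7076\n");
    unprotected = 1;
  } else {
    printf("System's wordexp() call is protected (CVE-2016-7076)\n");
  }

  return unprotected;
}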

Attachment: signature.asc
Description: OpenPGP digital signature

