
Bug#863757: unblock: sudo/1.8.19p1-1



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package sudo to allow a fix for CVE-2017-1000367, #863731,
to be included in stretch.  Source debdiff included below is upstream's 
isolated patch for this issue, de-fuzzed to apply cleanly to our sources.
This is essentially the same change as between 1.8.20-1 and 1.8.20p1-1 now
in unstable.

Bdale

unblock sudo/1.8.19p1-1

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.12+ (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru sudo-1.8.19p1/debian/changelog sudo-1.8.19p1/debian/changelog
--- sudo-1.8.19p1/debian/changelog	2017-01-13 11:12:49.000000000 -0700
+++ sudo-1.8.19p1/debian/changelog	2017-05-30 22:35:01.000000000 -0600
@@ -1,3 +1,9 @@
+sudo (1.8.19p1-2) stretch; urgency=high
+
+  * patch from upstream to fix CVE-2017-1000367, closes: #863731
+
+ -- Bdale Garbee <bdale@gag.com>  Tue, 30 May 2017 22:35:01 -0600
+
 sudo (1.8.19p1-1) unstable; urgency=medium
 
   * new upstream version
diff -Nru sudo-1.8.19p1/debian/patches/CVE-2017-1000367.patch sudo-1.8.19p1/debian/patches/CVE-2017-1000367.patch
--- sudo-1.8.19p1/debian/patches/CVE-2017-1000367.patch	1969-12-31 17:00:00.000000000 -0700
+++ sudo-1.8.19p1/debian/patches/CVE-2017-1000367.patch	2017-05-30 22:35:01.000000000 -0600
@@ -0,0 +1,246 @@
+diff --git a/src/ttyname.c b/src/ttyname.c
+index 9b94ba8..ab0f2d3 100644
+--- a/src/ttyname.c
++++ b/src/ttyname.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2012-2016 Todd C. Miller <Todd.Miller@courtesan.com>
++ * Copyright (c) 2012-2017 Todd C. Miller <Todd.Miller@courtesan.com>
+  *
+  * Permission to use, copy, modify, and distribute this software for any
+  * purpose with or without fee is hereby granted, provided that the above
+@@ -145,20 +145,22 @@ sudo_ttyname_dev(dev_t tdev, char *name, size_t namelen)
+ }
+ #elif defined(HAVE_STRUCT_PSINFO_PR_TTYDEV) || defined(HAVE_PSTAT_GETPROC) || defined(__linux__)
+ /*
+- * Devices to search before doing a breadth-first scan.
++ * Device nodes and directories to search before searching all of /dev
+  */
+ static char *search_devs[] = {
+     "/dev/console",
+-    "/dev/wscons",
+-    "/dev/pts/",
+-    "/dev/vt/",
+-    "/dev/term/",
+-    "/dev/zcons/",
++    "/dev/pts/",	/* POSIX pty */
++    "/dev/vt/",		/* Solaris virtual console */
++    "/dev/term/",	/* Solaris serial ports */
++    "/dev/zcons/",	/* Solaris zone console */
++    "/dev/pty/",	/* HP-UX old-style pty */
+     NULL
+ };
+ 
++/*
++ * Device nodes to ignore when searching all of /dev
++ */
+ static char *ignore_devs[] = {
+-    "/dev/fd/",
+     "/dev/stdin",
+     "/dev/stdout",
+     "/dev/stderr",
+@@ -166,16 +168,18 @@ static char *ignore_devs[] = {
+ };
+ 
+ /*
+- * Do a breadth-first scan of dir looking for the specified device.
++ * Do a scan of a directory looking for the specified device.
++ * Does not descend into subdirectories.
+  * Returns name on success and NULL on failure, setting errno.
+  */
+ static char *
+-sudo_ttyname_scan(const char *dir, dev_t rdev, bool builtin, char *name, size_t namelen)
++sudo_ttyname_scan(const char *dir, dev_t rdev, char *name, size_t namelen)
+ {
+-    size_t sdlen, num_subdirs = 0, max_subdirs = 0;
+-    char pathbuf[PATH_MAX], **subdirs = NULL;
++    size_t sdlen;
++    char pathbuf[PATH_MAX];
+     char *ret = NULL;
+     struct dirent *dp;
++    struct stat sb;
+     unsigned int i;
+     DIR *d = NULL;
+     debug_decl(sudo_ttyname_scan, SUDO_DEBUG_UTIL)
+@@ -183,6 +187,18 @@ sudo_ttyname_scan(const char *dir, dev_t rdev, bool builtin, char *name, size_t
+     if (dir[0] == '\0' || (d = opendir(dir)) == NULL)
+ 	goto done;
+ 
++    if (fstat(dirfd(d), &sb) == -1) {
++	sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
++	    "unable to fstat %s", dir);
++	goto done;
++    }
++    if ((sb.st_mode & S_IWOTH) != 0) {
++	sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
++	    "ignoring world-writable directory %s", dir);
++	errno = ENOENT;
++	goto done;
++    }
++
+     sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
+ 	"scanning for dev %u in %s", (unsigned int)rdev, dir);
+ 
+@@ -220,18 +236,6 @@ sudo_ttyname_scan(const char *dir, dev_t rdev, bool builtin, char *name, size_t
+ 	}
+ 	if (ignore_devs[i] != NULL)
+ 	    continue;
+-	if (!builtin) {
+-	    /* Skip entries in search_devs; we already checked them. */
+-	    for (i = 0; search_devs[i] != NULL; i++) {
+-		len = strlen(search_devs[i]);
+-		if (search_devs[i][len - 1] == '/')
+-		    len--;
+-		if (d_len == len && strncmp(pathbuf, search_devs[i], len) == 0)
+-		    break;
+-	    }
+-	    if (search_devs[i] != NULL)
+-		continue;
+-	}
+ # if defined(HAVE_STRUCT_DIRENT_D_TYPE) && defined(DTTOIF)
+ 	/*
+ 	 * Avoid excessive stat() calls by checking dp->d_type.
+@@ -244,39 +248,14 @@ sudo_ttyname_scan(const char *dir, dev_t rdev, bool builtin, char *name, size_t
+ 		if (stat(pathbuf, &sb) == -1)
+ 		    continue;
+ 		break;
+-	    case DT_DIR:
+-		/* Directory, no need to stat() it. */
+-		sb.st_mode = DTTOIF(dp->d_type);
+-		sb.st_rdev = 0;		/* quiet ccc-analyzer false positive */
+-		break;
+ 	    default:
+-		/* Not a character device, link or directory, skip it. */
++		/* Not a character device or link, skip it. */
+ 		continue;
+ 	}
+ # else
+ 	if (stat(pathbuf, &sb) == -1)
+ 	    continue;
+ # endif
+-	if (S_ISDIR(sb.st_mode)) {
+-	    if (!builtin) {
+-		/* Add to list of subdirs to search. */
+-		if (num_subdirs + 1 > max_subdirs) {
+-		    char **new_subdirs;
+-
+-		    new_subdirs = reallocarray(subdirs, max_subdirs + 64,
+-			sizeof(char *));
+-		    if (new_subdirs == NULL)
+-			goto done;
+-		    subdirs = new_subdirs;
+-		    max_subdirs += 64;
+-		}
+-		subdirs[num_subdirs] = strdup(pathbuf);
+-		if (subdirs[num_subdirs] == NULL)
+-		    goto done;
+-		num_subdirs++;
+-	    }
+-	    continue;
+-	}
+ 	if (S_ISCHR(sb.st_mode) && sb.st_rdev == rdev) {
+ 	    sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
+ 		"resolved dev %u as %s", (unsigned int)rdev, pathbuf);
+@@ -292,16 +271,9 @@ sudo_ttyname_scan(const char *dir, dev_t rdev, bool builtin, char *name, size_t
+ 	}
+     }
+ 
+-    /* Search subdirs if we didn't find it in the root level. */
+-    for (i = 0; ret == NULL && i < num_subdirs; i++)
+-	ret = sudo_ttyname_scan(subdirs[i], rdev, false, name, namelen);
+-
+ done:
+     if (d != NULL)
+ 	closedir(d);
+-    for (i = 0; i < num_subdirs; i++)
+-	free(subdirs[i]);
+-    free(subdirs);
+     debug_return_str(ret);
+ }
+ 
+@@ -320,7 +292,7 @@ sudo_ttyname_dev(dev_t rdev, char *name, size_t namelen)
+     debug_decl(sudo_ttyname_dev, SUDO_DEBUG_UTIL)
+ 
+     /*
+-     * First check search_devs for common tty devices.
++     * First check search_devs[] for common tty devices.
+      */
+     for (sd = search_devs; (devname = *sd) != NULL; sd++) {
+ 	len = strlen(devname);
+@@ -345,7 +317,7 @@ sudo_ttyname_dev(dev_t rdev, char *name, size_t namelen)
+ 		    "comparing dev %u to %s: no", (unsigned int)rdev, buf);
+ 	    } else {
+ 		/* Traverse directory */
+-		ret = sudo_ttyname_scan(devname, rdev, true, name, namelen);
++		ret = sudo_ttyname_scan(devname, rdev, name, namelen);
+ 		if (ret != NULL || errno == ENOMEM)
+ 		    goto done;
+ 	    }
+@@ -363,9 +335,9 @@ sudo_ttyname_dev(dev_t rdev, char *name, size_t namelen)
+     }
+ 
+     /*
+-     * Not found?  Do a breadth-first traversal of /dev/.
++     * Not found?  Check all device nodes in /dev.
+      */
+-    ret = sudo_ttyname_scan(_PATH_DEV, rdev, false, name, namelen);
++    ret = sudo_ttyname_scan(_PATH_DEV, rdev, name, namelen);
+ 
+ done:
+     debug_return_str(ret);
+@@ -489,28 +461,35 @@ get_process_ttyname(char *name, size_t namelen)
+ 	len = getline(&line, &linesize, fp);
+ 	fclose(fp);
+ 	if (len != -1) {
+-	    /* Field 7 is the tty dev (0 if no tty) */
+-	    char *cp = line;
+-	    char *ep = line;
+-	    const char *errstr;
+-	    int field = 0;
+-	    while (*++ep != '\0') {
+-		if (*ep == ' ') {
+-		    *ep = '\0';
+-		    if (++field == 7) {
+-			dev_t tdev = strtonum(cp, INT_MIN, INT_MAX, &errstr);
+-			if (errstr) {
+-			    sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
+-				"%s: tty device %s: %s", path, cp, errstr);
+-			}
+-			if (tdev > 0) {
+-			    errno = serrno;
+-			    ret = sudo_ttyname_dev(tdev, name, namelen);
+-			    goto done;
++	    /*
++	     * Field 7 is the tty dev (0 if no tty).
++	     * Since the process name at field 2 "(comm)" may include spaces,
++	     * start at the last ')' found.
++	     */
++	    char *cp = strrchr(line, ')');
++	    if (cp != NULL) {
++		char *ep = cp;
++		const char *errstr;
++		int field = 1;
++
++		while (*++ep != '\0') {
++		    if (*ep == ' ') {
++			*ep = '\0';
++			if (++field == 7) {
++			    dev_t tdev = strtonum(cp, INT_MIN, INT_MAX, &errstr);
++			    if (errstr) {
++				sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
++				    "%s: tty device %s: %s", path, cp, errstr);
++			    }
++			    if (tdev > 0) {
++				errno = serrno;
++				ret = sudo_ttyname_dev(tdev, name, namelen);
++				goto done;
++			    }
++			    break;
+ 			}
+-			break;
++			cp = ep + 1;
+ 		    }
+-		    cp = ep + 1;
+ 		}
+ 	    }
+ 	}
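Review bot: The parser at `char *cp = strrchr(line, ')');` still trusts a single `getline()` result (top of the hunk), and the process name inside the parentheses may itself contain a newline; getline() then stops inside comm, so the last ')' on that truncated line and the six fields after it can be chosen by the caller, and the device number handed to sudo_ttyname_dev() is no longer necessarily the kernel's tty_nr. The world-writable-directory check added elsewhere in this patch limits what a forged device number can resolve to, but the parse itself should not be attacker-steerable; reading the whole file before searching for the last ')' fixes it, e.g. `len = getdelim(&line, &linesize, '\0', fp);` (the file should contain no NUL bytes), provided sudo's compat layer offers getdelim() wherever it has to replace getline(). I believe this is what upstream's 1.8.20p2 follow-up addressed. get_process_ttyname() begins before this hunk and its `done:` label lies after it.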
diff -Nru sudo-1.8.19p1/debian/patches/series sudo-1.8.19p1/debian/patches/series
--- sudo-1.8.19p1/debian/patches/series	2017-01-13 11:12:49.000000000 -0700
+++ sudo-1.8.19p1/debian/patches/series	2017-05-30 22:35:01.000000000 -0600
@@ -1,2 +1,3 @@
 typo-in-classic-insults.diff
 paths-in-samples.diff
+CVE-2017-1000367.patch
