Bug#864217: unblock: sudo/1.8.19p1-2.1 (pre-approval request)
Control: tags -1 - moreinfo
Hi Niels, hi Bdale,
On Mon, Jun 05, 2017 at 12:20:00PM +0000, Niels Thykier wrote:
> Control: tags -1 moreinfo
>
> Salvatore Bonaccorso:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian.org@packages.debian.org
> > Usertags: unblock
> >
> > Hi
> >
> > Please unblock package sudo, actually a pre-approval request.
> >
> > The upload addresses CVE-2017-1000368, Arbitrary terminal access,
> > which is #863897 in the BTS. See
> >
> > http://www.openwall.com/lists/oss-security/2017/06/02/7
> >
> > I'm including the generated debdiff against the current version in
> > stretch.
> >
> > unblock sudo/1.8.19p1-2.1
> >
> > Regards,
> > Salvatore
> >
>
> According to the BTS, #863897 affects and is unfixed in unstable. Lets
> fix it in unstable first.
Yes that's true. Okay I have uploaded (without delay, and hope this is
fine with Bdale!) the NMU to sid.
> Otherwise, the diff look fine (feel free to include
> https://www.sudo.ws/repos/sudo/rev/6f3d9816541b as well).
Thanks, feel more confortable to follow upstream. Attached is a new
debdiff!
Regards,
Salvatore
diff -Nru sudo-1.8.19p1/debian/changelog sudo-1.8.19p1/debian/changelog
--- sudo-1.8.19p1/debian/changelog 2017-05-31 06:35:01.000000000 +0200
+++ sudo-1.8.19p1/debian/changelog 2017-06-05 14:22:55.000000000 +0200
@@ -1,3 +1,11 @@
+sudo (1.8.19p1-2.1) stretch; urgency=high
+
+ * Non-maintainer upload.
+ * Use /proc/self consistently on Linux
+ * CVE-2017-1000368: Arbitrary terminal access (Closes: #863897)
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Mon, 05 Jun 2017 14:22:55 +0200
+
sudo (1.8.19p1-2) stretch; urgency=high
* patch from upstream to fix CVE-2017-1000367, closes: #863731
diff -Nru sudo-1.8.19p1/debian/patches/CVE-2017-1000368.diff sudo-1.8.19p1/debian/patches/CVE-2017-1000368.diff
--- sudo-1.8.19p1/debian/patches/CVE-2017-1000368.diff 1970-01-01 01:00:00.000000000 +0100
+++ sudo-1.8.19p1/debian/patches/CVE-2017-1000368.diff 2017-06-05 14:22:55.000000000 +0200
@@ -0,0 +1,78 @@
+
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller@courtesan.com>
+# Date 1496243671 21600
+# Node ID 15a46f4007dde8e819dd2c70e670a529bbb9d312
+# Parent 6f3d9816541ba84055ae5aec6ff9d9523c2a96f3
+A command name may also contain newline characters so read
+/proc/self/stat until EOF. It is not legal for /proc/self/stat to
+contain embedded NUL bytes so treat the file as corrupt if we see
+any. With help from Qualys.
+
+This is not exploitable due to the /dev traversal changes in sudo
+1.8.20p1 (thanks Solar!).
+
+diff -r 6f3d9816541b -r 15a46f4007dd src/ttyname.c
+--- a/src/ttyname.c Tue May 30 10:44:11 2017 -0600
++++ b/src/ttyname.c Wed May 31 09:14:31 2017 -0600
+@@ -452,25 +452,37 @@
+ get_process_ttyname(char *name, size_t namelen)
+ {
+ const char path[] = "/proc/self/stat";
+- char *line = NULL;
++ char *cp, buf[1024];
+ char *ret = NULL;
+- size_t linesize = 0;
+ int serrno = errno;
+- ssize_t len;
+- FILE *fp;
++ ssize_t nread;
++ int fd;
+ debug_decl(get_process_ttyname, SUDO_DEBUG_UTIL)
+
+- /* Try to determine the tty from tty_nr in /proc/self/stat. */
+- if ((fp = fopen(path, "r")) != NULL) {
+- len = getline(&line, &linesize, fp);
+- fclose(fp);
+- if (len != -1) {
++ /*
++ * Try to determine the tty from tty_nr in /proc/self/stat.
++ * Ignore /proc/self/stat if it contains embedded NUL bytes.
++ */
++ if ((fd = open(path, O_RDONLY | O_NOFOLLOW)) != -1) {
++ cp = buf;
++ while ((nread = read(fd, cp, buf + sizeof(buf) - cp)) != 0) {
++ if (nread == -1) {
++ if (errno == EAGAIN || errno == EINTR)
++ continue;
++ break;
++ }
++ cp += nread;
++ if (cp >= buf + sizeof(buf))
++ break;
++ }
++ if (nread == 0 && memchr(buf, '\0', cp - buf) == NULL) {
+ /*
+ * Field 7 is the tty dev (0 if no tty).
+- * Since the process name at field 2 "(comm)" may include spaces,
+- * start at the last ')' found.
++ * Since the process name at field 2 "(comm)" may include
++ * whitespace (including newlines), start at the last ')' found.
+ */
+- char *cp = strrchr(line, ')');
++ *cp = '\0';
++ cp = strrchr(buf, ')');
+ if (cp != NULL) {
+ char *ep = cp;
+ const char *errstr;
+@@ -501,7 +513,8 @@
+ errno = ENOENT;
+
+ done:
+- free(line);
++ if (fd != -1)
++ close(fd);
+ if (ret == NULL)
+ sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO|SUDO_DEBUG_ERRNO,
+ "unable to resolve tty via %s", path);
+
diff -Nru sudo-1.8.19p1/debian/patches/series sudo-1.8.19p1/debian/patches/series
--- sudo-1.8.19p1/debian/patches/series 2017-05-31 06:35:01.000000000 +0200
+++ sudo-1.8.19p1/debian/patches/series 2017-06-05 14:22:55.000000000 +0200
@@ -1,3 +1,5 @@
typo-in-classic-insults.diff
paths-in-samples.diff
CVE-2017-1000367.patch
+use-proc-self-consistently-on-linux.diff
+CVE-2017-1000368.diff
diff -Nru sudo-1.8.19p1/debian/patches/use-proc-self-consistently-on-linux.diff sudo-1.8.19p1/debian/patches/use-proc-self-consistently-on-linux.diff
--- sudo-1.8.19p1/debian/patches/use-proc-self-consistently-on-linux.diff 1970-01-01 01:00:00.000000000 +0100
+++ sudo-1.8.19p1/debian/patches/use-proc-self-consistently-on-linux.diff 2017-06-05 14:22:55.000000000 +0200
@@ -0,0 +1,33 @@
+
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller@courtesan.com>
+# Date 1496162651 21600
+# Node ID 6f3d9816541ba84055ae5aec6ff9d9523c2a96f3
+# Parent 98ef2ef47aba10f6b83904dca4d446c4b8f24987
+Use /proc/self consistently on Linux. As far as I know, only AIX
+doesn't support /proc/self.
+
+diff -r 98ef2ef47aba -r 6f3d9816541b src/ttyname.c
+--- a/src/ttyname.c Mon May 29 14:36:35 2017 -0600
++++ b/src/ttyname.c Tue May 30 10:44:11 2017 -0600
+@@ -451,7 +451,8 @@
+ char *
+ get_process_ttyname(char *name, size_t namelen)
+ {
+- char path[PATH_MAX], *line = NULL;
++ const char path[] = "/proc/self/stat";
++ char *line = NULL;
+ char *ret = NULL;
+ size_t linesize = 0;
+ int serrno = errno;
+@@ -459,8 +460,7 @@
+ FILE *fp;
+ debug_decl(get_process_ttyname, SUDO_DEBUG_UTIL)
+
+- /* Try to determine the tty from tty_nr in /proc/pid/stat. */
+- snprintf(path, sizeof(path), "/proc/%u/stat", (unsigned int)getpid());
++ /* Try to determine the tty from tty_nr in /proc/self/stat. */
+ if ((fp = fopen(path, "r")) != NULL) {
+ len = getline(&line, &linesize, fp);
+ fclose(fp);
+
Reply to: