
Bug#864217: unblock: sudo/1.8.19p1-2.1 (pre-approval request)



Control: tags -1 - moreinfo

Hi Niels, hi Bdale,

On Mon, Jun 05, 2017 at 12:20:00PM +0000, Niels Thykier wrote:
> Control: tags -1 moreinfo
> 
> Salvatore Bonaccorso:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian.org@packages.debian.org
> > Usertags: unblock
> > 
> > Hi
> > 
> > Please unblock package sudo, actually a pre-approval request.
> > 
> > The upload addresses CVE-2017-1000368, Arbitrary terminal access,
> > which is #863897 in the BTS. See
> > 
> > http://www.openwall.com/lists/oss-security/2017/06/02/7
> > 
> > I'm including the generated debdiff against the current version in
> > stretch.
> > 
> > unblock sudo/1.8.19p1-2.1
> > 
> > Regards,
> > Salvatore
> > 
> 
> According to the BTS, #863897 affects and is unfixed in unstable.  Let's
> fix it in unstable first.

Yes, that's true. Okay, I have uploaded (without delay, and hope this is
fine with Bdale!) the NMU to sid.

> Otherwise, the diff look fine (feel free to include
> https://www.sudo.ws/repos/sudo/rev/6f3d9816541b as well).

Thanks, I feel more comfortable following upstream. Attached is a new
debdiff!

Regards,
Salvatore
diff -Nru sudo-1.8.19p1/debian/changelog sudo-1.8.19p1/debian/changelog
--- sudo-1.8.19p1/debian/changelog	2017-05-31 06:35:01.000000000 +0200
+++ sudo-1.8.19p1/debian/changelog	2017-06-05 14:22:55.000000000 +0200
@@ -1,3 +1,11 @@
+sudo (1.8.19p1-2.1) stretch; urgency=high
+
+  * Non-maintainer upload.
+  * Use /proc/self consistently on Linux
+  * CVE-2017-1000368: Arbitrary terminal access (Closes: #863897)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Mon, 05 Jun 2017 14:22:55 +0200
+
 sudo (1.8.19p1-2) stretch; urgency=high
 
   * patch from upstream to fix CVE-2017-1000367, closes: #863731
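Review bot: the distribution field of the new entry is `stretch`, while the cover mail says the NMU was uploaded to sid; please confirm the target suite is the one intended for this upload. A smaller point: the bullet `* Use /proc/self consistently on Linux` has no trailing period and no reference, unlike the CVE bullet below it; consider citing the upstream changeset (6f3d9816541b, the one the release team suggested including) so a reader of the changelog can tell why a non-security change rides along in a security NMU.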
diff -Nru sudo-1.8.19p1/debian/patches/CVE-2017-1000368.diff sudo-1.8.19p1/debian/patches/CVE-2017-1000368.diff
--- sudo-1.8.19p1/debian/patches/CVE-2017-1000368.diff	1970-01-01 01:00:00.000000000 +0100
+++ sudo-1.8.19p1/debian/patches/CVE-2017-1000368.diff	2017-06-05 14:22:55.000000000 +0200
@@ -0,0 +1,78 @@
+
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller@courtesan.com>
+# Date 1496243671 21600
+# Node ID 15a46f4007dde8e819dd2c70e670a529bbb9d312
+# Parent  6f3d9816541ba84055ae5aec6ff9d9523c2a96f3
+A command name may also contain newline characters so read
+/proc/self/stat until EOF.  It is not legal for /proc/self/stat to
+contain embedded NUL bytes so treat the file as corrupt if we see
+any.  With help from Qualys.
+
+This is not exploitable due to the /dev traversal changes in sudo
+1.8.20p1 (thanks Solar!).
+
+diff -r 6f3d9816541b -r 15a46f4007dd src/ttyname.c
+--- a/src/ttyname.c	Tue May 30 10:44:11 2017 -0600
++++ b/src/ttyname.c	Wed May 31 09:14:31 2017 -0600
+@@ -452,25 +452,37 @@
+ get_process_ttyname(char *name, size_t namelen)
+ {
+     const char path[] = "/proc/self/stat";
+-    char *line = NULL;
++    char *cp, buf[1024];
+     char *ret = NULL;
+-    size_t linesize = 0;
+     int serrno = errno;
+-    ssize_t len;
+-    FILE *fp;
++    ssize_t nread;
++    int fd;
+     debug_decl(get_process_ttyname, SUDO_DEBUG_UTIL)
+ 
+-    /* Try to determine the tty from tty_nr in /proc/self/stat. */
+-    if ((fp = fopen(path, "r")) != NULL) {
+-	len = getline(&line, &linesize, fp);
+-	fclose(fp);
+-	if (len != -1) {
++    /*
++     * Try to determine the tty from tty_nr in /proc/self/stat.
++     * Ignore /proc/self/stat if it contains embedded NUL bytes.
++     */
++    if ((fd = open(path, O_RDONLY | O_NOFOLLOW)) != -1) {
++	cp = buf;
++	while ((nread = read(fd, cp, buf + sizeof(buf) - cp)) != 0) {
++	    if (nread == -1) {
++		if (errno == EAGAIN || errno == EINTR)
++		    continue;
++		break;
++	    }
++	    cp += nread;
++	    if (cp >= buf + sizeof(buf))
++		break;
++	}
++	if (nread == 0 && memchr(buf, '\0', cp - buf) == NULL) {
+ 	    /*
+ 	     * Field 7 is the tty dev (0 if no tty).
+-	     * Since the process name at field 2 "(comm)" may include spaces,
+-	     * start at the last ')' found.
++	     * Since the process name at field 2 "(comm)" may include
++	     * whitespace (including newlines), start at the last ')' found.
+ 	     */
+-	    char *cp = strrchr(line, ')');
++	    *cp = '\0';
++	    cp = strrchr(buf, ')');
+ 	    if (cp != NULL) {
+ 		char *ep = cp;
+ 		const char *errstr;
+@@ -501,7 +513,8 @@
+     errno = ENOENT;
+ 
+ done:
+-    free(line);
++    if (fd != -1)
++	close(fd);
+     if (ret == NULL)
+ 	sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO|SUDO_DEBUG_ERRNO,
+ 	    "unable to resolve tty via %s", path);
+
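Review bot: the upstream message embedded in this patch ("This is not exploitable due to the /dev traversal changes in sudo 1.8.20p1") does not apply to this package, which is 1.8.19p1 carrying only the CVE-2017-1000367 patch, so the Debian changelog is right to treat it as a security fix and nobody should read the patch description as lowering severity. The read loop itself looks correct: a full 1024-byte buffer leaves `nread != 0`, so the `nread == 0 && memchr(buf, '\0', cp - buf) == NULL` test rejects both truncated and NUL-containing contents, and `*cp = '\0'` is only reached with `cp < buf + sizeof(buf)`. Two things to confirm before accepting: the hunk introduces `open`, `O_NOFOLLOW`, `read`, `close` and `memchr` without touching the include block, so check that src/ttyname.c already pulls in <fcntl.h>, <unistd.h> and <string.h>; and the file carries only the raw HG changeset header, so adding DEP-3 `Origin: upstream, https://www.sudo.ws/repos/sudo/rev/15a46f4007dd` and `Bug-Debian: https://bugs.debian.org/863897` lines would make its provenance machine-readable.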
diff -Nru sudo-1.8.19p1/debian/patches/series sudo-1.8.19p1/debian/patches/series
--- sudo-1.8.19p1/debian/patches/series	2017-05-31 06:35:01.000000000 +0200
+++ sudo-1.8.19p1/debian/patches/series	2017-06-05 14:22:55.000000000 +0200
@@ -1,3 +1,5 @@
 typo-in-classic-insults.diff
 paths-in-samples.diff
 CVE-2017-1000367.patch
+use-proc-self-consistently-on-linux.diff
+CVE-2017-1000368.diff
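Review bot: the order of the two new lines is required, not cosmetic: CVE-2017-1000368.diff names 6f3d9816541b as its Parent and its context lines expect `const char path[] = "/proc/self/stat";`, which only exists once use-proc-self-consistently-on-linux.diff has been applied, so swapping them would make quilt fail to apply the second patch. Minor style point: the new entry uses a `.diff` suffix while the earlier fix is `CVE-2017-1000367.patch`; one naming convention for the CVE patches would be tidier.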
diff -Nru sudo-1.8.19p1/debian/patches/use-proc-self-consistently-on-linux.diff sudo-1.8.19p1/debian/patches/use-proc-self-consistently-on-linux.diff
--- sudo-1.8.19p1/debian/patches/use-proc-self-consistently-on-linux.diff	1970-01-01 01:00:00.000000000 +0100
+++ sudo-1.8.19p1/debian/patches/use-proc-self-consistently-on-linux.diff	2017-06-05 14:22:55.000000000 +0200
@@ -0,0 +1,33 @@
+
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller@courtesan.com>
+# Date 1496162651 21600
+# Node ID 6f3d9816541ba84055ae5aec6ff9d9523c2a96f3
+# Parent  98ef2ef47aba10f6b83904dca4d446c4b8f24987
+Use /proc/self consistently on Linux.  As far as I know, only AIX
+doesn't support /proc/self.
+
+diff -r 98ef2ef47aba -r 6f3d9816541b src/ttyname.c
+--- a/src/ttyname.c	Mon May 29 14:36:35 2017 -0600
++++ b/src/ttyname.c	Tue May 30 10:44:11 2017 -0600
+@@ -451,7 +451,8 @@
+ char *
+ get_process_ttyname(char *name, size_t namelen)
+ {
+-    char path[PATH_MAX], *line = NULL;
++    const char path[] = "/proc/self/stat";
++    char *line = NULL;
+     char *ret = NULL;
+     size_t linesize = 0;
+     int serrno = errno;
+@@ -459,8 +460,7 @@
+     FILE *fp;
+     debug_decl(get_process_ttyname, SUDO_DEBUG_UTIL)
+ 
+-    /* Try to determine the tty from tty_nr in /proc/pid/stat. */
+-    snprintf(path, sizeof(path), "/proc/%u/stat", (unsigned int)getpid());
++    /* Try to determine the tty from tty_nr in /proc/self/stat. */
+     if ((fp = fopen(path, "r")) != NULL) {
+ 	len = getline(&line, &linesize, fp);
+ 	fclose(fp);
+
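Review bot: this patch has no Debian-side metadata; beyond the HG header it would help to add DEP-3 `Origin: upstream, https://www.sudo.ws/repos/sudo/rev/6f3d9816541b` and a one-line note that it is carried as a prerequisite for CVE-2017-1000368.diff rather than as a fix in its own right, so a future maintainer does not drop it as unrelated. The change itself is straightforward: `path` becomes a constant string, the `snprintf`/`getpid()` construction is removed, and the later `"unable to resolve tty via %s", path` use in the same function still works with a `const char[]`.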
