Bug#864217: marked as done (unblock: sudo/1.8.19p1-2.1 (pre-approval request))



Your message dated Mon, 05 Jun 2017 20:06:00 +0000
with message-id <108fdd01-d441-53dd-f7e5-623a4ca9e746@thykier.net>
and subject line Re: Bug#864217: unblock: sudo/1.8.19p1-2.1 (pre-approval request)
has caused the Debian Bug report #864217,
regarding unblock: sudo/1.8.19p1-2.1 (pre-approval request)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
864217: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864217
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi

Please unblock package sudo, actually a pre-approval request.

The upload addresses CVE-2017-1000368, Arbitrary terminal access,
which is #863897 in the BTS. See

http://www.openwall.com/lists/oss-security/2017/06/02/7

I'm including the generated debdiff against the current version in
stretch.

unblock sudo/1.8.19p1-2.1

Regards,
Salvatore
diff -Nru sudo-1.8.19p1/debian/changelog sudo-1.8.19p1/debian/changelog
--- sudo-1.8.19p1/debian/changelog	2017-05-31 06:35:01.000000000 +0200
+++ sudo-1.8.19p1/debian/changelog	2017-06-05 06:19:37.000000000 +0200
@@ -1,3 +1,10 @@
+sudo (1.8.19p1-2.1) stretch; urgency=high
+
+  * Non-maintainer upload.
+  * CVE-2017-1000368: Arbitrary terminal access (Closes: #863897)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Mon, 05 Jun 2017 06:19:37 +0200
+
 sudo (1.8.19p1-2) stretch; urgency=high
 
   * patch from upstream to fix CVE-2017-1000367, closes: #863731
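Review bot: the new 1.8.19p1-2.1 changelog entry names the CVE and the bug it closes but not what the upload changes. The entry below it says "patch from upstream to fix CVE-2017-1000367"; the same wording here, naming debian/patches/CVE-2017-1000368.patch as an upstream changeset, would let a reader of the changelog see that this is an unmodified upstream fix.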
diff -Nru sudo-1.8.19p1/debian/patches/CVE-2017-1000368.patch sudo-1.8.19p1/debian/patches/CVE-2017-1000368.patch
--- sudo-1.8.19p1/debian/patches/CVE-2017-1000368.patch	1970-01-01 01:00:00.000000000 +0100
+++ sudo-1.8.19p1/debian/patches/CVE-2017-1000368.patch	2017-06-05 06:19:37.000000000 +0200
@@ -0,0 +1,78 @@
+
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller@courtesan.com>
+# Date 1496243671 21600
+# Node ID 15a46f4007dde8e819dd2c70e670a529bbb9d312
+# Parent  6f3d9816541ba84055ae5aec6ff9d9523c2a96f3
+A command name may also contain newline characters so read
+/proc/self/stat until EOF.  It is not legal for /proc/self/stat to
+contain embedded NUL bytes so treat the file as corrupt if we see
+any.  With help from Qualys.
+
+This is not exploitable due to the /dev traversal changes in sudo
+1.8.20p1 (thanks Solar!).
+
+--- a/src/ttyname.c
++++ b/src/ttyname.c
+@@ -447,26 +447,39 @@ done:
+ char *
+ get_process_ttyname(char *name, size_t namelen)
+ {
+-    char path[PATH_MAX], *line = NULL;
++    char path[PATH_MAX];
++    char *cp, buf[1024];
+     char *ret = NULL;
+-    size_t linesize = 0;
+     int serrno = errno;
+-    ssize_t len;
+-    FILE *fp;
++    ssize_t nread;
++    int fd;
+     debug_decl(get_process_ttyname, SUDO_DEBUG_UTIL)
+ 
+-    /* Try to determine the tty from tty_nr in /proc/pid/stat. */
++    /*
++     * Try to determine the tty from tty_nr in /proc/pid/stat.
++     * Ignore /proc/pid/stat if it contains embedded NUL bytes.
++     */
+     snprintf(path, sizeof(path), "/proc/%u/stat", (unsigned int)getpid());
+-    if ((fp = fopen(path, "r")) != NULL) {
+-	len = getline(&line, &linesize, fp);
+-	fclose(fp);
+-	if (len != -1) {
++    if ((fd = open(path, O_RDONLY | O_NOFOLLOW)) != -1) {
++        cp = buf;
++        while ((nread = read(fd, cp, buf + sizeof(buf) - cp)) != 0) {
++            if (nread == -1) {
++                if (errno == EAGAIN || errno == EINTR)
++                    continue;
++                break;
++            }
++            cp += nread;
++            if (cp >= buf + sizeof(buf))
++                break;
++        }
++        if (nread == 0 && memchr(buf, '\0', cp - buf) == NULL) {
+ 	    /*
+ 	     * Field 7 is the tty dev (0 if no tty).
+-	     * Since the process name at field 2 "(comm)" may include spaces,
+-	     * start at the last ')' found.
++	     * Since the process name at field 2 "(comm)" may include
++	     * whitespace (including newlines), start at the last ')' found.
+ 	     */
+-	    char *cp = strrchr(line, ')');
++            *cp = '\0';
++            cp = strrchr(buf, ')');
+ 	    if (cp != NULL) {
+ 		char *ep = cp;
+ 		const char *errstr;
+@@ -497,7 +510,8 @@ get_process_ttyname(char *name, size_t n
+     errno = ENOENT;
+ 
+ done:
+-    free(line);
++    if (fd != -1)
++	close(fd);
+     if (ret == NULL)
+ 	sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO|SUDO_DEBUG_ERRNO,
+ 	    "unable to resolve tty via %s", path);
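Review bot: in the done: block at the end of get_process_ttyname(), close(fd) now runs after "errno = ENOENT" and before the sudo_debug_printf() call that passes SUDO_DEBUG_ERRNO, so a failing close() would replace the errno that gets logged. Closing the descriptor directly after the read loop, or saving and restoring errno around close(), avoids that. Separately, the upstream description says the issue is not exploitable because of the /dev traversal changes in sudo 1.8.20p1, while this upload is based on 1.8.19p1, so the patch header should state whether CVE-2017-1000367.patch already carries those changes. Two smaller points: the added lines in the read loop are indented with spaces next to tab-indented context, and the new open() call with O_RDONLY | O_NOFOLLOW relies on <fcntl.h> already being included, since the patch has no include hunk.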
diff -Nru sudo-1.8.19p1/debian/patches/series sudo-1.8.19p1/debian/patches/series
--- sudo-1.8.19p1/debian/patches/series	2017-05-31 06:35:01.000000000 +0200
+++ sudo-1.8.19p1/debian/patches/series	2017-06-05 06:19:37.000000000 +0200
@@ -1,3 +1,4 @@
 typo-in-classic-insults.diff
 paths-in-samples.diff
 CVE-2017-1000367.patch
+CVE-2017-1000368.patch

--- End Message ---
--- Begin Message ---
Salvatore Bonaccorso:
> Control: tags -1 - moreinfo
> 
> Hi Niels,
> 
> [...]
> 
> Thank you, done!
> 
> Regards,
> Salvatore
> 

Approved, thanks.

~Niels

--- End Message ---
