Bug#870376: jessie-pu: package sudo/1.8.10p3-1+deb8u5
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu
Hi
sudo in jessie ist still affected by CVE-2017-1000368. The issue IMHo
does not need a DSA, since with the previous fixes due to the /dev
traversal changes the issue was not anymore exploitable. Still it
would make sense IMHO to address it. Attached is the proposed debdiff.
But in the Debian BTS: #863897
Regards,
Salvatore
diff -Nru sudo-1.8.10p3/debian/changelog sudo-1.8.10p3/debian/changelog
--- sudo-1.8.10p3/debian/changelog 2017-05-28 13:25:43.000000000 +0200
+++ sudo-1.8.10p3/debian/changelog 2017-08-01 15:00:25.000000000 +0200
@@ -1,3 +1,10 @@
+sudo (1.8.10p3-1+deb8u5) jessie; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2017-1000368: Arbitrary terminal access (Closes: #863897)
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Tue, 01 Aug 2017 15:00:25 +0200
+
sudo (1.8.10p3-1+deb8u4) jessie-security; urgency=high
* Non-maintainer upload by the Security Team.
diff -Nru sudo-1.8.10p3/debian/patches/CVE-2017-1000368.patch sudo-1.8.10p3/debian/patches/CVE-2017-1000368.patch
--- sudo-1.8.10p3/debian/patches/CVE-2017-1000368.patch 1970-01-01 01:00:00.000000000 +0100
+++ sudo-1.8.10p3/debian/patches/CVE-2017-1000368.patch 2017-08-01 15:00:25.000000000 +0200
@@ -0,0 +1,76 @@
+
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller@courtesan.com>
+# Date 1496243671 21600
+# Node ID 15a46f4007dde8e819dd2c70e670a529bbb9d312
+# Parent 6f3d9816541ba84055ae5aec6ff9d9523c2a96f3
+A command name may also contain newline characters so read
+/proc/self/stat until EOF. It is not legal for /proc/self/stat to
+contain embedded NUL bytes so treat the file as corrupt if we see
+any. With help from Qualys.
+
+This is not exploitable due to the /dev traversal changes in sudo
+1.8.20p1 (thanks Solar!).
+
+--- a/src/ttyname.c
++++ b/src/ttyname.c
+@@ -412,24 +412,36 @@ get_process_ttyname(void)
+ char *
+ get_process_ttyname(void)
+ {
+- char path[PATH_MAX], *line = NULL, *tty = NULL;
+- size_t linesize = 0;
+- ssize_t len;
+- FILE *fp;
++ char path[PATH_MAX], *tty = NULL;
++ char *cp, buf[1024];
++ ssize_t nread;
++ int fd;
+ debug_decl(get_process_ttyname, SUDO_DEBUG_UTIL)
+
+- /* Try to determine the tty from tty_nr in /proc/pid/stat. */
+- snprintf(path, sizeof(path), "/proc/%u/stat", (unsigned int)getpid());
+- if ((fp = fopen(path, "r")) != NULL) {
+- len = getline(&line, &linesize, fp);
+- fclose(fp);
+- if (len != -1) {
++ /*
++ * Try to determine the tty from tty_nr in /proc/pid/stat.
++ * Ignore /proc/self/stat if it contains embedded NUL bytes.
++ */
++ if ((fd = open(path, O_RDONLY | O_NOFOLLOW)) != -1) {
++ cp = buf;
++ while ((nread = read(fd, cp, buf + sizeof(buf) - cp)) != 0) {
++ if (nread == -1) {
++ if (errno == EAGAIN || errno == EINTR)
++ continue;
++ break;
++ }
++ cp += nread;
++ if (cp >= buf + sizeof(buf))
++ break;
++ }
++ if (nread == 0 && memchr(buf, '\0', cp - buf) == NULL) {
+ /*
+ * Field 7 is the tty dev (0 if no tty).
+- * Since the process name at field 2 "(comm)" may include spaces,
+- * start at the last ')' found.
++ * Since the process name at field 2 "(comm)" may include
++ * whitespace (including newlines), start at the last ')' found.
+ */
+- char *cp = strrchr(line, ')');
++ *cp = '\0';
++ cp = strrchr(buf, ')');
+ if (cp != NULL) {
+ char *ep = cp;
+ const char *errstr;
+@@ -453,7 +465,8 @@ get_process_ttyname(void)
+ }
+ }
+ }
+- efree(line);
++ if (fd != -1)
++ close(fd);
+ }
+
+ debug_return_str(tty);
diff -Nru sudo-1.8.10p3/debian/patches/series sudo-1.8.10p3/debian/patches/series
--- sudo-1.8.10p3/debian/patches/series 2017-05-28 13:25:43.000000000 +0200
+++ sudo-1.8.10p3/debian/patches/series 2017-08-01 15:00:25.000000000 +0200
@@ -16,3 +16,4 @@
CVE-2015-5602-6.patch
CVE-2015-5602-7.patch
CVE-2017-1000367.patch
+CVE-2017-1000368.patch
Reply to: