summaryrefslogtreecommitdiffstats
path: root/meta/recipes-extended/sudo/sudo/CVE-2019-14287_p1.patch
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-extended/sudo/sudo/CVE-2019-14287_p1.patch')
-rw-r--r--meta/recipes-extended/sudo/sudo/CVE-2019-14287_p1.patch170
1 files changed, 170 insertions, 0 deletions
diff --git a/meta/recipes-extended/sudo/sudo/CVE-2019-14287_p1.patch b/meta/recipes-extended/sudo/sudo/CVE-2019-14287_p1.patch
new file mode 100644
index 0000000000..f954fac8fc
--- /dev/null
+++ b/meta/recipes-extended/sudo/sudo/CVE-2019-14287_p1.patch
@@ -0,0 +1,170 @@
+Treat an ID of -1 as invalid since that means "no change".
+Fixes CVE-2019-14287.
+Found by Joe Vennix from Apple Information Security.
+
+CVE: CVE-2019-14287
+Upstream-Status: Backport
+[https://www.sudo.ws/repos/sudo/rev/83db8dba09e7]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+
+Index: sudo-1.8.21p2/lib/util/strtoid.c
+===================================================================
+--- sudo-1.8.21p2.orig/lib/util/strtoid.c 2019-10-10 14:31:08.338476078 -0400
++++ sudo-1.8.21p2/lib/util/strtoid.c 2019-10-10 14:31:08.338476078 -0400
+@@ -42,6 +42,27 @@
+ #include "sudo_util.h"
+
+ /*
++ * Make sure that the ID ends with a valid separator char.
++ */
++static bool
++valid_separator(const char *p, const char *ep, const char *sep)
++{
++ bool valid = false;
++ debug_decl(valid_separator, SUDO_DEBUG_UTIL)
++
++ if (ep != p) {
++ /* check for valid separator (including '\0') */
++ if (sep == NULL)
++ sep = "";
++ do {
++ if (*ep == *sep)
++ valid = true;
++ } while (*sep++ != '\0');
++ }
++ debug_return_bool(valid);
++}
++
++/*
+ * Parse a uid/gid in string form.
+ * If sep is non-NULL, it contains valid separator characters (e.g. comma, space)
+ * If endp is non-NULL it is set to the next char after the ID.
+@@ -55,36 +76,33 @@ sudo_strtoid_v1(const char *p, const cha
+ char *ep;
+ id_t ret = 0;
+ long long llval;
+- bool valid = false;
+ debug_decl(sudo_strtoid, SUDO_DEBUG_UTIL)
+
+ /* skip leading space so we can pick up the sign, if any */
+ while (isspace((unsigned char)*p))
+ p++;
+- if (sep == NULL)
+- sep = "";
++
++ /* While id_t may be 64-bit signed, uid_t and gid_t are 32-bit unsigned. */
+ errno = 0;
+ llval = strtoll(p, &ep, 10);
+- if (ep != p) {
+- /* check for valid separator (including '\0') */
+- do {
+- if (*ep == *sep)
+- valid = true;
+- } while (*sep++ != '\0');
++ if ((errno == ERANGE && llval == LLONG_MAX) || llval > (id_t)UINT_MAX) {
++ errno = ERANGE;
++ if (errstr != NULL)
++ *errstr = N_("value too large");
++ goto done;
+ }
+- if (!valid) {
++ if ((errno == ERANGE && llval == LLONG_MIN) || llval < INT_MIN) {
++ errno = ERANGE;
+ if (errstr != NULL)
+- *errstr = N_("invalid value");
+- errno = EINVAL;
++ *errstr = N_("value too small");
+ goto done;
+ }
+- if (errno == ERANGE) {
+- if (errstr != NULL) {
+- if (llval == LLONG_MAX)
+- *errstr = N_("value too large");
+- else
+- *errstr = N_("value too small");
+- }
++
++ /* Disallow id -1, which means "no change". */
++ if (!valid_separator(p, ep, sep) || llval == -1 || llval == (id_t)UINT_MAX) {
++ if (errstr != NULL)
++ *errstr = N_("invalid value");
++ errno = EINVAL;
+ goto done;
+ }
+ ret = (id_t)llval;
+@@ -101,30 +119,15 @@ sudo_strtoid_v1(const char *p, const cha
+ {
+ char *ep;
+ id_t ret = 0;
+- bool valid = false;
+ debug_decl(sudo_strtoid, SUDO_DEBUG_UTIL)
+
+ /* skip leading space so we can pick up the sign, if any */
+ while (isspace((unsigned char)*p))
+ p++;
+- if (sep == NULL)
+- sep = "";
++
+ errno = 0;
+ if (*p == '-') {
+ long lval = strtol(p, &ep, 10);
+- if (ep != p) {
+- /* check for valid separator (including '\0') */
+- do {
+- if (*ep == *sep)
+- valid = true;
+- } while (*sep++ != '\0');
+- }
+- if (!valid) {
+- if (errstr != NULL)
+- *errstr = N_("invalid value");
+- errno = EINVAL;
+- goto done;
+- }
+ if ((errno == ERANGE && lval == LONG_MAX) || lval > INT_MAX) {
+ errno = ERANGE;
+ if (errstr != NULL)
+@@ -137,28 +140,31 @@ sudo_strtoid_v1(const char *p, const cha
+ *errstr = N_("value too small");
+ goto done;
+ }
+- ret = (id_t)lval;
+- } else {
+- unsigned long ulval = strtoul(p, &ep, 10);
+- if (ep != p) {
+- /* check for valid separator (including '\0') */
+- do {
+- if (*ep == *sep)
+- valid = true;
+- } while (*sep++ != '\0');
+- }
+- if (!valid) {
++
++ /* Disallow id -1, which means "no change". */
++ if (!valid_separator(p, ep, sep) || lval == -1) {
+ if (errstr != NULL)
+ *errstr = N_("invalid value");
+ errno = EINVAL;
+ goto done;
+ }
++ ret = (id_t)lval;
++ } else {
++ unsigned long ulval = strtoul(p, &ep, 10);
+ if ((errno == ERANGE && ulval == ULONG_MAX) || ulval > UINT_MAX) {
+ errno = ERANGE;
+ if (errstr != NULL)
+ *errstr = N_("value too large");
+ goto done;
+ }
++
++ /* Disallow id -1, which means "no change". */
++ if (!valid_separator(p, ep, sep) || ulval == UINT_MAX) {
++ if (errstr != NULL)
++ *errstr = N_("invalid value");
++ errno = EINVAL;
++ goto done;
++ }
+ ret = (id_t)ulval;
+ }
+ if (errstr != NULL)
generated by cgit 1.2.3-korg (git 2.39.0) at 2024-04-24 15:05:16 +0000