Bug#772707: sudo: should not preserve TZ by default

Salvatore Bonaccorso Thu, 19 Feb 2015 00:34:23 -0800

Hi,

Proposed debdiff aiming for jessie is attached.


Regards,
Salvatore

diff -Nru sudo-1.8.10p3/debian/changelog sudo-1.8.10p3/debian/changelog
--- sudo-1.8.10p3/debian/changelog      2015-01-19 06:56:53.000000000 +0100
+++ sudo-1.8.10p3/debian/changelog      2015-02-18 17:55:25.000000000 +0100
@@ -1,3 +1,13 @@
+sudo (1.8.10p3-1+deb8u2) testing-proposed-updates; urgency=medium
+
+  * Add CVE-2014-9680-1.patch patch.
+    CVE-2014-9680: unsafe handling of TZ environment variable. (Closes: 
#772707)
+  * Add CVE-2014-9680-2.patch patch.
+    Documents that a leading ':' is skipped when checking TZ for a
+    fully-qualified path name.
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Wed, 18 Feb 2015 17:50:12 +0100
+
 sudo (1.8.10p3-1+deb8u1) testing-proposed-updates; urgency=medium
 
   * Non-maintainer upload.
diff -Nru sudo-1.8.10p3/debian/patches/CVE-2014-9680-1.patch 
sudo-1.8.10p3/debian/patches/CVE-2014-9680-1.patch
--- sudo-1.8.10p3/debian/patches/CVE-2014-9680-1.patch  1970-01-01 
01:00:00.000000000 +0100
+++ sudo-1.8.10p3/debian/patches/CVE-2014-9680-1.patch  2015-02-18 
17:55:25.000000000 +0100
@@ -0,0 +1,380 @@
+Description: CVE-2014-9680: unsafe handling of TZ environment variable
+ The TZ environment variable was passed through unchecked.  Most libc
+ tzset() implementations support passing an absolute pathname in the time
+ zone to point to an arbitrary, user-controlled file.  This may be used
+ to exploit bugs in the C library's TZ parser or open files the user
+ would not otherwise have access to.  Arbitrary file access via TZ could
+ also be used in a denial of service attack by reading from a file or
+ fifo that will block.
+Origin: backport, http://www.sudo.ws/repos/sudo/rev/650ac6938b59,
+ http://www.sudo.ws/repos/sudo/rev/ac1467f71ac0
+Bug-Debian: https://bugs.debian.org/772707
+Forwarded: not-needed
+Author: Todd C. Miller <todd.mil...@courtesan.com>
+Author: Salvatore Bonaccorso <car...@debian.org>
+Last-Update: 2015-02-18
+Applied-Upstream: 1.8.12
+
+--- a/configure
++++ b/configure
+@@ -882,6 +882,7 @@ with_timedir
+ with_rundir
+ with_vardir
+ with_iologdir
++with_tzdir
+ with_sendmail
+ with_sudoers_mode
+ with_sudoers_uid
+@@ -1670,6 +1671,7 @@ Optional Packages:
+   --with-rundir=DIR       path to the sudo time stamp parent dir
+   --with-vardir=DIR       path to the sudo var dir
+   --with-iologdir=DIR     directory to store sudo I/O log files in
++  --with-tzdir=DIR        path to the time zone data directory
+   --with-sendmail         set path to sendmail
+   --without-sendmail      do not send mail at all
+   --with-sudoers-mode     mode of sudoers file (defaults to 0440)
+@@ -4773,6 +4775,16 @@ fi
+ 
+ 
+ 
++# Check whether --with-tzdir was given.
++if test "${with_tzdir+set}" = set; then :
++  withval=$with_tzdir; case $with_tzdir in
++    yes)      as_fn_error $? "\"must give --with-tzdir an argument.\"" 
"$LINENO" 5
++              ;;
++esac
++fi
++
++
++
+ # Check whether --with-sendmail was given.
+ if test "${with_sendmail+set}" = set; then :
+   withval=$with_sendmail; case $with_sendmail in
+@@ -21483,6 +21495,27 @@ EOF
+     { $as_echo "$as_me:${as_lineno-$LINENO}: result: $iolog_dir" >&5
+ $as_echo "$iolog_dir" >&6; }
+ 
++{ $as_echo "$as_me:${as_lineno-$LINENO}: checking time zone data directory" 
>&5
++$as_echo_n "checking time zone data directory... " >&6; }
++tzdir="$with_tzdir"
++if test -z "$tzdir"; then
++    tzdir=no
++    for d in /usr/share /usr/share/lib /usr/lib /etc; do
++      if test -d "$d/zoneinfo"; then
++          tzdir="$d/zoneinfo"
++          break
++      fi
++    done
++fi
++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $tzdir" >&5
++$as_echo "$tzdir" >&6; }
++if test "${tzdir}" != "no"; then
++    cat >>confdefs.h <<EOF
++#define _PATH_ZONEINFO "$tzdir"
++EOF
++
++fi
++
+ 
+ 
+ ac_c_werror_flag=yes
+--- a/configure.ac
++++ b/configure.ac
+@@ -816,6 +816,12 @@ AC_ARG_WITH(iologdir, [AS_HELP_STRING([-
+           ;;
+ esac])
+ 
++AC_ARG_WITH(tzdir, [AS_HELP_STRING([--with-tzdir=DIR], [path to the time zone 
data directory])],
++[case $with_tzdir in
++    yes)      AC_MSG_ERROR(["must give --with-tzdir an argument."])
++              ;;
++esac])
++
+ AC_ARG_WITH(sendmail, [AS_HELP_STRING([--with-sendmail], [set path to 
sendmail])
+ AS_HELP_STRING([--without-sendmail], [do not send mail at all])],
+ [case $with_sendmail in
+@@ -3446,6 +3452,7 @@ SUDO_LOGFILE
+ SUDO_RUNDIR
+ SUDO_VARDIR
+ SUDO_IO_LOGDIR
++SUDO_TZDIR
+ 
+ dnl
+ dnl Turn warnings into errors.
+--- a/doc/sudoers.cat
++++ b/doc/sudoers.cat
+@@ -1628,19 +1628,35 @@ SSUUDDOOEERRSS OOPPTTIIOONN
+      LLiissttss tthhaatt ccaann bbee uusseedd iinn aa 
bboooolleeaann ccoonntteexxtt:
+ 
+      env_check         Environment variables to be removed from the user's
+-                       environment if the variable's value contains `%' or `/'
++                       environment unless they are considered ``safe''.
++                       For all variables except TZ, ``safe'' means that the
++                       variable's value does not contain any `%' or `/'
+                        characters.  This can be used to guard against printf-
+                        style format vulnerabilities in poorly-written
+-                       programs.  The argument may be a double-quoted, space-
+-                       separated list or a single value without double-quotes.
+-                       The list can be replaced, added to, deleted from, or
+-                       disabled by using the =, +=, -=, and ! operators
+-                       respectively.  Regardless of whether the env_reset
+-                       option is enabled or disabled, variables specified by
+-                       env_check will be preserved in the environment if they
+-                       pass the aforementioned check.  The default list of
+-                       environment variables to check is displayed when 
ssuuddoo
+-                       is run by root with the --VV option.
++                       programs.  The TZ variable is considered unsafe if any
++                       of the following are true:
++
++                       ++oo   It consists of a fully-qualified path name 
that
++                           does not match the location of the 
_z_o_n_e_i_n_f_o
++                           directory.
++
++                       ++oo   It contains a _._. path element.
++
++                       ++oo   It contains white space or non-printable
++                           characters.
++
++                       ++oo   It is longer than the value of PATH_MAX.
++
++                       The argument may be a double-quoted, space-separated
++                       list or a single value without double-quotes.  The list
++                       can be replaced, added to, deleted from, or disabled by
++                       using the =, +=, -=, and ! operators respectively.
++                       Regardless of whether the env_reset option is enabled
++                       or disabled, variables specified by env_check will be
++                       preserved in the environment if they pass the
++                       aforementioned check.  The default list of environment
++                       variables to check is displayed when ssuuddoo is 
run by
++                       root with the --VV option.
+ 
+      env_delete        Environment variables to be removed from the user's
+                        environment when the _e_n_v___r_e_s_e_t 
option is not in effect.
+--- a/doc/sudoers.man.in
++++ b/doc/sudoers.man.in
+@@ -3336,14 +3336,45 @@ The default value is
+ \fBLists that can be used in a boolean context\fR:
+ .TP 18n
+ env_check
+-Environment variables to be removed from the user's environment if
+-the variable's value contains
++Environment variables to be removed from the user's environment
++unless they are considered
++\(lqsafe\(rq.
++For all variables except
++\fRTZ\fR,
++\(lqsafe\(rq
++means that the variable's value does not contain any
+ \(oq%\(cq
+ or
+ \(oq/\(cq
+ characters.
+ This can be used to guard against printf-style format vulnerabilities
+ in poorly-written programs.
++The
++\fRTZ\fR
++variable is considered unsafe if any of the following are true:
++.PP
++.RS 18n
++.PD 0
++.TP 4n
++\fB\(bu\fR
++It consists of a fully-qualified path name that does not match
++the location of the
++\fIzoneinfo\fR
++directory.
++.PD
++.TP 4n
++\fB\(bu\fR
++It contains a
++\fI..\fR
++path element.
++.TP 4n
++\fB\(bu\fR
++It contains white space or non-printable characters.
++.TP 4n
++\fB\(bu\fR
++It is longer than the value of
++\fRPATH_MAX\fR.
++.PP
+ The argument may be a double-quoted, space-separated list or a
+ single value without double-quotes.
+ The list can be replaced, added to, deleted from, or disabled by using
+@@ -3365,6 +3396,7 @@ is run by root with
+ the
+ \fB\-V\fR
+ option.
++.RE
+ .TP 18n
+ env_delete
+ Environment variables to be removed from the user's environment when the
+--- a/doc/sudoers.mdoc.in
++++ b/doc/sudoers.mdoc.in
+@@ -3095,14 +3095,39 @@ The default value is
+ .Sy Lists that can be used in a boolean context :
+ .Bl -tag -width 16n
+ .It env_check
+-Environment variables to be removed from the user's environment if
+-the variable's value contains
++Environment variables to be removed from the user's environment
++unless they are considered
++.Dq safe .
++For all variables except
++.Li TZ ,
++.Dq safe
++means that the variable's value does not contain any
+ .Ql %
+ or
+ .Ql /
+ characters.
+ This can be used to guard against printf-style format vulnerabilities
+ in poorly-written programs.
++The
++.Li TZ 
++variable is considered unsafe if any of the following are true:
++.Bl -bullet
++.It
++It consists of a fully-qualified path name that does not match
++the location of the
++.Pa zoneinfo
++directory.
++.It
++It contains a
++.Pa ..
++path element.
++.It
++It contains white space or non-printable characters.
++.It
++It is longer than the value of
++.Li PATH_MAX .
++.El
++.Pp
+ The argument may be a double-quoted, space-separated list or a
+ single value without double-quotes.
+ The list can be replaced, added to, deleted from, or disabled by using
+--- a/m4/sudo.m4
++++ b/m4/sudo.m4
+@@ -119,6 +119,26 @@ fi
+ ])dnl
+ 
+ dnl
++dnl Detect time zone file directory, if any.
++dnl
++AC_DEFUN([SUDO_TZDIR], [AC_MSG_CHECKING(time zone data directory)
++tzdir="$with_tzdir"
++if test -z "$tzdir"; then
++    tzdir=no
++    for d in /usr/share /usr/share/lib /usr/lib /etc; do
++      if test -d "$d/zoneinfo"; then
++          tzdir="$d/zoneinfo"
++          break
++      fi
++    done
++fi
++AC_MSG_RESULT([$tzdir])
++if test "${tzdir}" != "no"; then
++    SUDO_DEFINE_UNQUOTED(_PATH_ZONEINFO, "$tzdir")
++fi
++])dnl
++
++dnl
+ dnl Parent directory for time stamp dir.
+ dnl
+ AC_DEFUN([SUDO_RUNDIR], [AC_MSG_CHECKING(for sudo run dir location)
+--- a/pathnames.h.in
++++ b/pathnames.h.in
+@@ -178,3 +178,7 @@
+ #ifndef _PATH_NETSVC_CONF
+ #undef        _PATH_NETSVC_CONF
+ #endif /* _PATH_NETSVC_CONF */
++
++#ifndef _PATH_ZONEINFO
++# undef        _PATH_ZONEINFO
++#endif /* _PATH_ZONEINFO */
+--- a/plugins/sudoers/env.c
++++ b/plugins/sudoers/env.c
+@@ -197,6 +197,7 @@ static const char *initial_checkenv_tabl
+     "LC_*",
+     "LINGUAS",
+     "TERM",
++    "TZ",
+     NULL
+ };
+ 
+@@ -212,7 +213,6 @@ static const char *initial_keepenv_table
+     "PATH",
+     "PS1",
+     "PS2",
+-    "TZ",
+     "XAUTHORITY",
+     "XAUTHORIZATION",
+     NULL
+@@ -576,6 +576,54 @@ matches_env_delete(const char *var)
+ }
+ 
+ /*
++ * Sanity-check the TZ environment variable.
++ * On many systems it is possible to set this to a pathname.
++ */
++static bool
++tz_is_sane(const char *tzval)
++{
++    const char *cp;
++    char lastch;
++    debug_decl(tz_is_sane, SUDO_DEBUG_ENV)
++
++    /* tzcode treats a value beginning with a ':' as a path. */
++    if (tzval[0] == ':')
++      tzval++;
++
++    /* Reject fully-qualified TZ that doesn't being with the zoneinfo dir. */
++    if (tzval[0] == '/') {
++#ifdef _PATH_ZONEINFO
++      if (strncmp(tzval, _PATH_ZONEINFO, sizeof(_PATH_ZONEINFO) - 1) != 0 ||
++          tzval[sizeof(_PATH_ZONEINFO) - 1] != '/')
++          debug_return_bool(false);
++#else
++      /* Assume the worst. */
++      debug_return_bool(false);
++#endif
++    }
++
++    /*
++     * Make sure TZ only contains printable non-space characters
++     * and does not contain a '..' path element.
++     */
++    lastch = '/';
++    for (cp = tzval; *cp != '\0'; cp++) {
++      if (isspace((unsigned char)*cp) || !isprint((unsigned char)*cp))
++          debug_return_bool(false);
++      if (lastch == '/' && cp[0] == '.' && cp[1] == '.' &&
++          (cp[2] == '/' || cp[2] == '\0'))
++          debug_return_bool(false);
++      lastch = *cp;
++    }
++
++    /* Reject extra long TZ values (even if not a path). */
++    if ((size_t)(cp - tzval) >= PATH_MAX)
++      debug_return_bool(false);
++
++    debug_return_bool(true);
++}
++
++/*
+  * Apply the env_check list.
+  * Returns true if the variable is allowed, false if denied
+  * or -1 if no match.
+@@ -599,7 +647,12 @@ matches_env_check(const char *var)
+           iswild = false;
+       if (strncmp(cur->value, var, len) == 0 &&
+           (iswild || var[len] == '=')) {
+-          keepit = !strpbrk(var, "/%");
++          if (strncmp(var, "TZ=", 3) == 0) {
++              /* Special case for TZ */
++              keepit = tz_is_sane(var + 3);
++          } else {
++              keepit = !strpbrk(var, "/%");
++          }
+           break;
+       }
+     }
diff -Nru sudo-1.8.10p3/debian/patches/CVE-2014-9680-2.patch 
sudo-1.8.10p3/debian/patches/CVE-2014-9680-2.patch
--- sudo-1.8.10p3/debian/patches/CVE-2014-9680-2.patch  1970-01-01 
01:00:00.000000000 +0100
+++ sudo-1.8.10p3/debian/patches/CVE-2014-9680-2.patch  2015-02-18 
17:55:25.000000000 +0100
@@ -0,0 +1,56 @@
+Description: Document handling of leading ':' when checking TZ variable
+ Document that a leading ':' is skipped when checking TZ for a
+ fully-qualified path name.
+Origin: backport, http://www.sudo.ws/repos/sudo/rev/91859f613b88,
+ http://www.sudo.ws/repos/sudo/rev/579b02f0dbe0
+Forwarded: not-needed
+Author: Todd C. Miller <todd.mil...@courtesan.com>
+Author: Salvatore Bonaccorso <car...@debian.org>
+Last-Update: 2015-02-18
+Applied-Upstream: 1.8.12
+
+--- a/doc/sudoers.cat
++++ b/doc/sudoers.cat
+@@ -1636,9 +1636,9 @@ SSUUDDOOEERRSS OOPPTTIIOONN
+                        programs.  The TZ variable is considered unsafe if any
+                        of the following are true:
+ 
+-                       ++oo   It consists of a fully-qualified path name 
that
+-                           does not match the location of the 
_z_o_n_e_i_n_f_o
+-                           directory.
++                       ++oo   It consists of a fully-qualified path name,
++                           optionally prefixed with a colon (`:'), that does
++                           not match the location of the 
_z_o_n_e_i_n_f_o directory.
+ 
+                        ++oo   It contains a _._. path element.
+ 
+--- a/doc/sudoers.man.in
++++ b/doc/sudoers.man.in
+@@ -3357,8 +3357,10 @@ variable is considered unsafe if any of
+ .PD 0
+ .TP 4n
+ \fB\(bu\fR
+-It consists of a fully-qualified path name that does not match
+-the location of the
++It consists of a fully-qualified path name,
++optionally prefixed with a colon
++(\(oq:\&\(cq),
++that does not match the location of the
+ \fIzoneinfo\fR
+ directory.
+ .PD
+--- a/doc/sudoers.mdoc.in
++++ b/doc/sudoers.mdoc.in
+@@ -3113,8 +3113,10 @@ The
+ variable is considered unsafe if any of the following are true:
+ .Bl -bullet
+ .It
+-It consists of a fully-qualified path name that does not match
+-the location of the
++It consists of a fully-qualified path name,
++optionally prefixed with a colon
++.Pq Ql :\& ,
++that does not match the location of the
+ .Pa zoneinfo
+ directory.
+ .It
diff -Nru sudo-1.8.10p3/debian/patches/series 
sudo-1.8.10p3/debian/patches/series
--- sudo-1.8.10p3/debian/patches/series 2015-01-19 06:56:17.000000000 +0100
+++ sudo-1.8.10p3/debian/patches/series 2015-02-18 17:55:25.000000000 +0100
@@ -1,3 +1,5 @@
 typo-in-classic-insults.diff
 paths-in-samples.diff
 Fix-for-broken-FQDN-host-specifications.diff
+CVE-2014-9680-1.patch
+CVE-2014-9680-2.patch

signature.asc
Description: Digital signature

Bug#772707: sudo: should not preserve TZ by default

Reply via email to