Hi! On Sun, Jun 04, 2017 at 08:35:05PM +0200, Salvatore Bonaccorso wrote: > Hi Bdale > > Since time is pressing a bit for the release of stretch, any problem > in if I would prepare a NMU for both stretch (targetted) and sid for > this issue?
Attached attempt/proposed debdiff for stretch. Regards, Salvatore
diff -Nru sudo-1.8.19p1/debian/changelog sudo-1.8.19p1/debian/changelog --- sudo-1.8.19p1/debian/changelog 2017-05-31 06:35:01.000000000 +0200 +++ sudo-1.8.19p1/debian/changelog 2017-06-05 06:19:37.000000000 +0200 @@ -1,3 +1,10 @@ +sudo (1.8.19p1-2.1) stretch; urgency=high + + * Non-maintainer upload. + * CVE-2017-1000368: Arbitrary terminal access (Closes: #863897) + + -- Salvatore Bonaccorso <car...@debian.org> Mon, 05 Jun 2017 06:19:37 +0200 + sudo (1.8.19p1-2) stretch; urgency=high * patch from upstream to fix CVE-2017-1000367, closes: #863731 diff -Nru sudo-1.8.19p1/debian/patches/CVE-2017-1000368.patch sudo-1.8.19p1/debian/patches/CVE-2017-1000368.patch --- sudo-1.8.19p1/debian/patches/CVE-2017-1000368.patch 1970-01-01 01:00:00.000000000 +0100 +++ sudo-1.8.19p1/debian/patches/CVE-2017-1000368.patch 2017-06-05 06:19:37.000000000 +0200 @@ -0,0 +1,78 @@ + +# HG changeset patch +# User Todd C. Miller <todd.mil...@courtesan.com> +# Date 1496243671 21600 +# Node ID 15a46f4007dde8e819dd2c70e670a529bbb9d312 +# Parent 6f3d9816541ba84055ae5aec6ff9d9523c2a96f3 +A command name may also contain newline characters so read +/proc/self/stat until EOF. It is not legal for /proc/self/stat to +contain embedded NUL bytes so treat the file as corrupt if we see +any. With help from Qualys. + +This is not exploitable due to the /dev traversal changes in sudo +1.8.20p1 (thanks Solar!). + +--- a/src/ttyname.c ++++ b/src/ttyname.c +@@ -447,26 +447,39 @@ done: + char * + get_process_ttyname(char *name, size_t namelen) + { +- char path[PATH_MAX], *line = NULL; ++ char path[PATH_MAX]; ++ char *cp, buf[1024]; + char *ret = NULL; +- size_t linesize = 0; + int serrno = errno; +- ssize_t len; +- FILE *fp; ++ ssize_t nread; ++ int fd; + debug_decl(get_process_ttyname, SUDO_DEBUG_UTIL) + +- /* Try to determine the tty from tty_nr in /proc/pid/stat. */ ++ /* ++ * Try to determine the tty from tty_nr in /proc/pid/stat. ++ * Ignore /proc/self/stat if it contains embedded NUL bytes. ++ */ + snprintf(path, sizeof(path), "/proc/%u/stat", (unsigned int)getpid()); +- if ((fp = fopen(path, "r")) != NULL) { +- len = getline(&line, &linesize, fp); +- fclose(fp); +- if (len != -1) { ++ if ((fd = open(path, O_RDONLY | O_NOFOLLOW)) != -1) { ++ cp = buf; ++ while ((nread = read(fd, cp, buf + sizeof(buf) - cp)) != 0) { ++ if (nread == -1) { ++ if (errno == EAGAIN || errno == EINTR) ++ continue; ++ break; ++ } ++ cp += nread; ++ if (cp >= buf + sizeof(buf)) ++ break; ++ } ++ if (nread == 0 && memchr(buf, '\0', cp - buf) == NULL) { + /* + * Field 7 is the tty dev (0 if no tty). +- * Since the process name at field 2 "(comm)" may include spaces, +- * start at the last ')' found. ++ * Since the process name at field 2 "(comm)" may include ++ * whitespace (including newlines), start at the last ')' found. + */ +- char *cp = strrchr(line, ')'); ++ *cp = '\0'; ++ cp = strrchr(buf, ')'); + if (cp != NULL) { + char *ep = cp; + const char *errstr; +@@ -497,7 +510,8 @@ get_process_ttyname(char *name, size_t n + errno = ENOENT; + + done: +- free(line); ++ if (fd != -1) ++ close(fd); + if (ret == NULL) + sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO|SUDO_DEBUG_ERRNO, + "unable to resolve tty via %s", path); diff -Nru sudo-1.8.19p1/debian/patches/series sudo-1.8.19p1/debian/patches/series --- sudo-1.8.19p1/debian/patches/series 2017-05-31 06:35:01.000000000 +0200 +++ sudo-1.8.19p1/debian/patches/series 2017-06-05 06:19:37.000000000 +0200 @@ -1,3 +1,4 @@ typo-in-classic-insults.diff paths-in-samples.diff CVE-2017-1000367.patch +CVE-2017-1000368.patch