Package: release.debian.org Severity: normal Tags: bookworm X-Debbugs-Cc: [email protected] Control: affects -1 + src:sudo User: [email protected] Usertags: pu
Package: release.debian.org Severity: normal Tags: trixie X-Debbugs-Cc: [email protected] Control: affects -1 + src:sudo User: [email protected] Usertags: pu [ Reason ] This sudo upload fixes CVE-2026-35535. [ Impact ] If this is not approved, trixie's sudo will still be vulnerable. [ Tests ] none. [ Risks ] This is a backported upstream fix. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Changes ] Apply upstream fix.
diff --git a/debian/changelog b/debian/changelog
index 2131df824..a7a3d3ed0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+sudo (1.9.13p3-1+deb12u4) bookworm; urgency=medium
+
+ * cherry-pick upstream exec_mailer-Set-group-as-well-as-uid.
+ This is adapted from upstream and fixes CVE-2026-35535:
+ https://github.com/sudo-project/sudo/commit/3e474c2 (Closes: #1130593)
+
+ -- Marc Haber <[email protected]> Sat, 11 Apr 2026 14:01:23 +0200
+
 sudo (1.9.13p3-1+deb12u3) bookworm; urgency=medium
 
 * Apply a patch fro Marcos Del Sol Vives to Enable Intel CET on amd64 only.
diff --git a/debian/patches/0006-exec_mailer-Set-group-as-well-as-uid-when-running-th.patch b/debian/patches/0006-exec_mailer-Set-group-as-well-as-uid-when-running-th.patch
new file mode 100644
index 000000000..5216b11a2
--- /dev/null
+++ b/debian/patches/0006-exec_mailer-Set-group-as-well-as-uid-when-running-th.patch
@@ -0,0 +1,132 @@
+From: "Todd C. Miller" <[email protected]>
+Date: Sat, 8 Nov 2025 15:34:02 -0700
+Subject: exec_mailer: Set group as well as uid when running the mailer
+
+Also make a setuid(), setgid() or setgroups() failure fatal.
+
+Found by the ZeroPath AI Security Engineer <https://zeropath.com>
+---
+ include/sudo_eventlog.h | 3 ++-
+ lib/eventlog/eventlog.c | 21 +++++++++++++++++----
+ lib/eventlog/eventlog_conf.c | 4 +++-
+ plugins/sudoers/logging.c | 2 +-
+ plugins/sudoers/policy.c | 2 +-
+ 5 files changed, 24 insertions(+), 8 deletions(-)
+
+--- a/include/sudo_eventlog.h
++++ b/include/sudo_eventlog.h
+@@ -79,6 +79,7 @@ struct eventlog_config {
+ int syslog_maxlen;
+ int file_maxlen;
+ uid_t mailuid;
++ gid_t mailgid;
+ bool omit_hostname;
+ const char *logpath;
+ const char *time_fmt;
+@@ -146,7 +147,7 @@ void eventlog_set_syslog_rejectpri(int p
+ void eventlog_set_syslog_alertpri(int pri);
+ void eventlog_set_syslog_maxlen(int len);
+ void eventlog_set_file_maxlen(int len);
+-void eventlog_set_mailuid(uid_t uid);
++void eventlog_set_mailuser(uid_t uid, gid_t gid);
+ void eventlog_set_omit_hostname(bool omit_hostname);
+ void eventlog_set_logpath(const char *path);
+ void eventlog_set_time_fmt(const char *fmt);
+--- a/lib/eventlog/eventlog.c
++++ b/lib/eventlog/eventlog.c
+@@ -304,15 +304,13 @@ exec_mailer(int pipein)
+ syslog(LOG_ERR, _("unable to dup stdin: %m")); // -V618
+ sudo_debug_printf(SUDO_DEBUG_ERROR,
+ "unable to dup stdin: %s", strerror(errno));
+- sudo_debug_exit(__func__, __FILE__, __LINE__, sudo_debug_subsys);
+- _exit(127);
++ goto bad;
+ }
+
+ /* Build up an argv based on the mailer path and flags */
+ if ((mflags = strdup(evl_conf->mailerflags)) == NULL) {
+ syslog(LOG_ERR, _("unable to allocate memory")); // -V618
+- sudo_debug_exit(__func__, __FILE__, __LINE__, sudo_debug_subsys);
+- _exit(127);
++ goto bad;
+ }
+ argv[0] = sudo_basename(mpath);
+
+@@ -331,11 +329,23 @@ exec_mailer(int pipein)
+ if (setuid(ROOT_UID) != 0) {
+ sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to change uid to %u",
+ ROOT_UID);
++ goto bad;
++ }
++ if (setgid(evl_conf->mailgid) != 0) {
++ sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to change gid to %u",
++ (unsigned int)evl_conf->mailgid);
++ goto bad;
++ }
++ if (setgroups(1, &evl_conf->mailgid) != 0) {
++ sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to set groups to %u",
++ (unsigned int)evl_conf->mailgid);
++ goto bad;
+ }
+ if (evl_conf->mailuid != ROOT_UID) {
+ if (setuid(evl_conf->mailuid) != 0) {
+ sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to change uid to %u",
+ (unsigned int)evl_conf->mailuid);
++ goto bad;
+ }
+ }
+ sudo_debug_exit(__func__, __FILE__, __LINE__, sudo_debug_subsys);
+@@ -347,6 +357,9 @@ exec_mailer(int pipein)
+ sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to execute %s: %s",
+ mpath, strerror(errno));
+ _exit(127);
++bad:
++ sudo_debug_exit(__func__, __FILE__, __LINE__, sudo_debug_subsys);
++ _exit(127);
+ }
+
+ /* Send a message to the mailto user */
+--- a/lib/eventlog/eventlog_conf.c
++++ b/lib/eventlog/eventlog_conf.c
+@@ -70,6 +70,7 @@ static struct eventlog_config evl_conf =
+ MAXSYSLOGLEN, /* syslog_maxlen */
+ 0, /* file_maxlen */
+ ROOT_UID, /* mailuid */
++ ROOT_GID, /* mailgid */
+ false, /* omit_hostname */
+ _PATH_SUDO_LOGFILE, /* logpath */
+ "%h %e %T", /* time_fmt */
+@@ -151,9 +152,10 @@ eventlog_set_file_maxlen(int len)
+ }
+
+ void
+-eventlog_set_mailuid(uid_t uid)
++eventlog_set_mailuser(uid_t uid, gid_t gid)
+ {
+ evl_conf.mailuid = uid;
++ evl_conf.mailgid = gid;
+ }
+
+ void
+--- a/plugins/sudoers/logging.c
++++ b/plugins/sudoers/logging.c
+@@ -1076,7 +1076,7 @@ init_eventlog_config(void)
+ eventlog_set_syslog_alertpri(def_syslog_badpri);
+ eventlog_set_syslog_maxlen(def_syslog_maxlen);
+ eventlog_set_file_maxlen(def_loglinelen);
+- eventlog_set_mailuid(ROOT_UID);
++ eventlog_set_mailuser(ROOT_UID, ROOT_GID);
+ eventlog_set_omit_hostname(!def_log_host);
+ eventlog_set_logpath(def_logfile);
+ eventlog_set_time_fmt(def_log_year ? "%h %e %T %Y" : "%h %e %T");
+--- a/plugins/sudoers/policy.c
++++ b/plugins/sudoers/policy.c
+@@ -607,7 +607,7 @@ sudoers_policy_deserialize_info(void *v,
+ }
+
+ #ifdef NO_ROOT_MAILER
+- eventlog_set_mailuid(user_uid);
++ eventlog_set_mailuser(user_uid, user_gid);
+ #endif
+
+ /* Dump settings and user info (XXX - plugin args) */
diff --git a/debian/patches/series b/debian/patches/series
index 00726ed5a..a1e4e5227 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -4,3 +4,4 @@ Whitelist-DPKG_COLORS-environment-variable.diff
 sudo-ldap-docs
 sudo_host_vuln.diff
 amd64-ibt.diff
+0006-exec_mailer-Set-group-as-well-as-uid-when-running-th.patch
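Review bot: Nothing in the eventlog.c hunk at `@@ -331,11 +329,23 @@` records that the new setgid()/setgroups() calls have to stay between setuid(ROOT_UID) and the optional setuid(evl_conf->mailuid): once the uid has been dropped those calls fail for an unprivileged process, and with the new `goto bad` paths the mailer would then never be executed, so a later reorder would silently break mail notification rather than just the group handling this patch fixes. I would add above the setgid() call `/* Drop gid and supplementary groups while still root; the setuid() to mailuid must come last. */`; the opening lines of exec_mailer are outside the quoted hunks. setgroups() is declared in <grp.h> on Linux and the hunk adds no include, so it is worth confirming from the bookworm build log that the 1.9.13p3 eventlog.c already includes it rather than compiling against an implicit declaration. The positional `ROOT_GID, /* mailgid */` entry in the eventlog_conf.c initializer is correct only because the sudo_eventlog.h hunk inserts mailgid directly after mailuid, so those two hunks must be kept in step if the backport is ever rebased.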

