+sudo (1.6.9p17-2+lenny1) stable-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Fixed CVE-2010-0426: verify path for the 'sudoedit' pseudo-command
+ (Closes: #570737)
+ * Fixed CVE-2010-0427: When changing the runas user, reset any aux runas
+ groups we have cached.
+
+ -- Giuseppe Iuculano <iuculano@debian.org> Tue, 02 Mar 2010 15:22:43 +0100
+
sudo (1.6.9p17-2) unstable; urgency=high
* patch from upstream to fix privilege escalation with certain
DIR *dirp;
/* Check for pseudo-commands */
- if (strchr(user_cmnd, '/') == NULL) {
+ if (sudoers_cmnd[0] != '/') {
/*
* Return true if both sudoers_cmnd and user_cmnd are "sudoedit" AND
* a) there are no args in sudoers OR
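Review bot: The new condition `sudoers_cmnd[0] != '/'` has no comment explaining why the test moved from the user's command to the sudoers entry, and that reasoning is the security-relevant part of the change. I would add above it something like `/* Decide on the sudoers entry: user_cmnd is chosen by the invoking user, so a non-absolute sudoers_cmnd must always be handled here and never reach pathname matching. */`. The comparison of user_cmnd against "sudoedit" lies below the visible lines, so it is worth confirming there that user_cmnd is still the literal pseudo-command name and not a file called sudoedit resolved from the working directory or PATH. The enclosing function starts and ends outside the hunk.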
#endif /* HAVE_SETRESUID */
#ifdef HAVE_INITGROUPS
+static int runas_ngroups = -1;
+static GETGROUPS_T *runas_groups;
+
static void
runas_setgroups()
{
- static int ngroups = -1;
- static GETGROUPS_T *groups;
struct passwd *pw;
if (def_preserve_groups)
/*
* Use stashed copy of runas groups if available, else initgroups and stash.
*/
- if (ngroups == -1) {
+ if (runas_ngroups == -1) {
pw = runas_pw ? runas_pw : sudo_user.pw;
if (initgroups(pw->pw_name, pw->pw_gid) < 0)
log_error(USE_ERRNO|MSG_ONLY, "can't set runas group vector");
- if ((ngroups = getgroups(0, NULL)) < 0)
+ if ((runas_ngroups = getgroups(0, NULL)) < 0)
log_error(USE_ERRNO|MSG_ONLY, "can't get runas ngroups");
- groups = emalloc2(ngroups, sizeof(GETGROUPS_T));
- if (getgroups(ngroups, groups) < 0)
+ runas_groups = emalloc2(runas_ngroups, sizeof(GETGROUPS_T));
+ if (getgroups(runas_ngroups, runas_groups) < 0)
log_error(USE_ERRNO|MSG_ONLY, "can't get runas group vector");
} else {
- if (setgroups(ngroups, groups) < 0)
+ if (setgroups(runas_ngroups, runas_groups) < 0)
log_error(USE_ERRNO|MSG_ONLY, "can't set runas group vector");
}
}
+void
+runas_resetgroups()
+{
+ runas_ngroups = -1;
+ efree(runas_groups);
+}
+
static void
restore_groups()
{
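Review bot: runas_resetgroups() frees runas_groups but leaves the pointer dangling, so a second call with no runas_setgroups() in between hands the same pointer to efree() again. The caller added elsewhere in this patch runs whenever the runas user is set, which may happen more than once before the group vector is rebuilt (inferred; the call sequence is not visible here). Clearing the pointer closes that: add `runas_groups = NULL;` after `efree(runas_groups);`. Separately, if `getgroups(0, NULL)` fails in runas_setgroups(), a negative runas_ngroups reaches emalloc2() unless log_error() does not return, which this hunk does not show.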
extern struct passwd *sudo_getpwnam __P((const char *));
extern struct passwd *sudo_getpwuid __P((uid_t));
extern struct passwd *sudo_pwdup __P((const struct passwd *));
+extern void runas_resetgroups __P((void));
/*
* Globals
if (runas_pw == NULL)
log_error(NO_MAIL|MSG_ONLY, "no passwd entry for %s!", user);
}
+ runas_resetgroups();
return(TRUE);
}
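Review bot: The call `runas_resetgroups();` is unconditional here, while the hunk that defines the function adds it after `#ifdef HAVE_INITGROUPS`, so a build without initgroups() would fail to link unless a stub exists. If that file has an `#else` branch with stub versions of the group helpers (not visible here), it needs `void runas_resetgroups() { /* STUB */ }` as well. A short comment at the call, such as `/* runas user changed: drop any cached aux group vector */`, would also record why the reset belongs in this function. The function's start is outside the hunk.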