|
|
diff -up sudo-1.8.6p7/aclocal.m4.CVE-2014-9680 sudo-1.8.6p7/aclocal.m4 |
|
|
--- sudo-1.8.6p7/aclocal.m4.CVE-2014-9680 2013-02-25 20:42:44.000000000 +0100 |
|
|
+++ sudo-1.8.6p7/aclocal.m4 2015-07-05 13:44:11.610596042 +0200 |
|
|
@@ -156,6 +156,25 @@ AC_DEFUN([SUDO_IO_LOGDIR], [ |
|
|
AC_MSG_RESULT($iolog_dir) |
|
|
])dnl |
|
|
|
|
|
+dnl Detect time zone file directory, if any. |
|
|
+dnl |
|
|
+AC_DEFUN([SUDO_TZDIR], [AC_MSG_CHECKING(time zone data directory) |
|
|
+tzdir="$with_tzdir" |
|
|
+if test -z "$tzdir"; then |
|
|
+ tzdir=no |
|
|
+ for d in /usr/share /usr/share/lib /usr/lib /etc; do |
|
|
+ if test -d "$d/zoneinfo"; then |
|
|
+ tzdir="$d/zoneinfo" |
|
|
+ break |
|
|
+ fi |
|
|
+ done |
|
|
+fi |
|
|
+AC_MSG_RESULT([$tzdir]) |
|
|
+if test "${tzdir}" != "no"; then |
|
|
+ SUDO_DEFINE_UNQUOTED(_PATH_ZONEINFO, "$tzdir") |
|
|
+fi |
|
|
+])dnl |
|
|
+ |
|
|
dnl |
|
|
dnl check for working fnmatch(3) |
|
|
dnl |
|
|
diff -up sudo-1.8.6p7/configure.in.CVE-2014-9680 sudo-1.8.6p7/configure.in |
|
|
--- sudo-1.8.6p7/configure.in.CVE-2014-9680 2015-07-05 13:44:11.598596222 +0200 |
|
|
+++ sudo-1.8.6p7/configure.in 2015-07-05 13:44:11.610596042 +0200 |
|
|
@@ -776,6 +776,12 @@ AC_ARG_WITH(iologdir, [AS_HELP_STRING([- |
|
|
;; |
|
|
esac]) |
|
|
|
|
|
+AC_ARG_WITH(tzdir, [AS_HELP_STRING([--with-tzdir=DIR], [path to the time zone data directory])], |
|
|
+[case $with_tzdir in |
|
|
+ yes) AC_MSG_ERROR(["must give --with-tzdir an argument."]) |
|
|
+ ;; |
|
|
+esac]) |
|
|
+ |
|
|
AC_ARG_WITH(sendmail, [AS_HELP_STRING([--with-sendmail], [set path to sendmail]) |
|
|
AS_HELP_STRING([--without-sendmail], [do not send mail at all])], |
|
|
[case $with_sendmail in |
|
|
@@ -3250,6 +3256,7 @@ fi |
|
|
SUDO_LOGFILE |
|
|
SUDO_TIMEDIR |
|
|
SUDO_IO_LOGDIR |
|
|
+SUDO_TZDIR |
|
|
|
|
|
dnl |
|
|
dnl Turn warnings into errors. |
|
|
diff -up sudo-1.8.6p7/doc/sudoers.cat.CVE-2014-9680 sudo-1.8.6p7/doc/sudoers.cat |
|
|
--- sudo-1.8.6p7/doc/sudoers.cat.CVE-2014-9680 2015-07-05 13:44:11.586596402 +0200 |
|
|
+++ sudo-1.8.6p7/doc/sudoers.cat 2015-07-05 13:44:11.610596042 +0200 |
|
|
@@ -1421,20 +1421,36 @@ S�SU�UD�DO�OE�ER�RS�S O�OP�PT�TI�IO�ON�N |
|
|
|
|
|
L�Li�is�st�ts�s t�th�ha�at�t c�ca�an�n b�be�e u�us�se�ed�d i�in�n a�a b�bo�oo�ol�le�ea�an�n c�co�on�nt�te�ex�xt�t: |
|
|
|
|
|
- env_check Environment variables to be removed from the user's |
|
|
- environment if the variable's value contains `%' or `/' |
|
|
+ env_check Environment variables to be removed from the user's |
|
|
+ environment if unless they are considered ``safe''. |
|
|
+ For all variables except TZ, ``safe'' means that the |
|
|
+ variable's value does not contain any `%' or `/' |
|
|
characters. This can be used to guard against printf- |
|
|
style format vulnerabilities in poorly-written |
|
|
- programs. The argument may be a double-quoted, space- |
|
|
- separated list or a single value without double-quotes. |
|
|
- The list can be replaced, added to, deleted from, or |
|
|
- disabled by using the =, +=, -=, and ! operators |
|
|
- respectively. Regardless of whether the env_reset |
|
|
- option is enabled or disabled, variables specified by |
|
|
- env_check will be preserved in the environment if they |
|
|
- pass the aforementioned check. The default list of |
|
|
- environment variables to check is displayed when s�su�ud�do�o |
|
|
- is run by root with the -�-V�V option. |
|
|
+ programs. The TZ variable is considerd unsafe if any |
|
|
+ of the following are true: |
|
|
+ |
|
|
+ +�+�o�o It consists of a fully-qualified path name, |
|
|
+ optionally prefixed with a colon (`:'), that does |
|
|
+ not match the location of the _�z_�o_�n_�e_�i_�n_�f_�o directory. |
|
|
+ |
|
|
+ +�+�o�o It contains a _�._�. path element. |
|
|
+ |
|
|
+ +�+�o�o It contains white space or non-printable |
|
|
+ characters. |
|
|
+ |
|
|
+ +�+�o�o It is longer than the value of PATH_MAX. |
|
|
+ |
|
|
+ The argument may be a double-quoted, space-separated |
|
|
+ list or a single value without double-quotes. The list |
|
|
+ can be replaced, added to, deleted from, or disabled by |
|
|
+ using the =, +=, -=, and ! operators respectively. |
|
|
+ Regardless of whether the env_reset option is enabled |
|
|
+ or disabled, variables specified by env_check will be |
|
|
+ preserved in the environment if they pass the |
|
|
+ aforementioned check. The default list of environment |
|
|
+ variables to check is displayed when s�su�ud�do�o is run by |
|
|
+ root with the -�-V�V option. |
|
|
|
|
|
env_delete Environment variables to be removed from the user's |
|
|
environment when the _�e_�n_�v_�__�r_�e_�s_�e_�t option is not in effect. |
|
|
diff -up sudo-1.8.6p7/doc/sudoers.man.in.CVE-2014-9680 sudo-1.8.6p7/doc/sudoers.man.in |
|
|
--- sudo-1.8.6p7/doc/sudoers.man.in.CVE-2014-9680 2015-07-05 13:44:11.586596402 +0200 |
|
|
+++ sudo-1.8.6p7/doc/sudoers.man.in 2015-07-05 13:44:11.611596027 +0200 |
|
|
@@ -3002,14 +3002,47 @@ The default value is |
|
|
\fBLists that can be used in a boolean context\fR: |
|
|
.TP 18n |
|
|
env_check |
|
|
-Environment variables to be removed from the user's environment if |
|
|
-the variable's value contains |
|
|
-`%' |
|
|
+ Environment variables to be removed from the user's environment if |
|
|
+unless they are considered |
|
|
+\(lqsafe\(rq. |
|
|
+For all variables except |
|
|
+\fRTZ\fR, |
|
|
+\(lqsafe\(rq |
|
|
+means that the variable's value does not contain any |
|
|
+\(oq%\(cq |
|
|
or |
|
|
-`/' |
|
|
+\(oq/\(cq |
|
|
characters. |
|
|
This can be used to guard against printf-style format vulnerabilities |
|
|
in poorly-written programs. |
|
|
+The |
|
|
+\fRTZ\fR |
|
|
+variable is considerd unsafe if any of the following are true: |
|
|
+.PP |
|
|
+.RS 18n |
|
|
+.PD 0 |
|
|
+.TP 4n |
|
|
+\fB\(bu\fR |
|
|
+It consists of a fully-qualified path name, |
|
|
+optionally prefixed with a colon |
|
|
+(\(oq:\&\(cq), |
|
|
+that does not match the location of the |
|
|
+\fIzoneinfo\fR |
|
|
+directory. |
|
|
+.PD |
|
|
+.TP 4n |
|
|
+\fB\(bu\fR |
|
|
+It contains a |
|
|
+\fI..\fR |
|
|
+path element. |
|
|
+.TP 4n |
|
|
+\fB\(bu\fR |
|
|
+It contains white space or non-printable characters. |
|
|
+.TP 4n |
|
|
+\fB\(bu\fR |
|
|
+It is longer than the value of |
|
|
+\fRPATH_MAX\fR. |
|
|
+.PP |
|
|
The argument may be a double-quoted, space-separated list or a |
|
|
single value without double-quotes. |
|
|
The list can be replaced, added to, deleted from, or disabled by using |
|
|
@@ -3031,6 +3064,7 @@ is run by root with |
|
|
the |
|
|
\fB\-V\fR |
|
|
option. |
|
|
+.RE |
|
|
.TP 18n |
|
|
env_delete |
|
|
Environment variables to be removed from the user's environment when the |
|
|
diff -up sudo-1.8.6p7/doc/sudoers.mdoc.in.CVE-2014-9680 sudo-1.8.6p7/doc/sudoers.mdoc.in |
|
|
--- sudo-1.8.6p7/doc/sudoers.mdoc.in.CVE-2014-9680 2015-07-05 13:44:11.586596402 +0200 |
|
|
+++ sudo-1.8.6p7/doc/sudoers.mdoc.in 2015-07-05 13:44:11.611596027 +0200 |
|
|
@@ -2791,13 +2791,40 @@ The default value is |
|
|
.Bl -tag -width 16n |
|
|
.It env_check |
|
|
Environment variables to be removed from the user's environment if |
|
|
-the variable's value contains |
|
|
+unless they are considered |
|
|
+.Dq safe . |
|
|
+For all variables except |
|
|
+.Li TZ , |
|
|
+.Dq safe |
|
|
+means that the variable's value does not contain any |
|
|
.Ql % |
|
|
or |
|
|
.Ql / |
|
|
characters. |
|
|
This can be used to guard against printf-style format vulnerabilities |
|
|
in poorly-written programs. |
|
|
+The |
|
|
+.Li TZ |
|
|
+variable is considerd unsafe if any of the following are true: |
|
|
+.Bl -bullet |
|
|
+.It |
|
|
+It consists of a fully-qualified path name, |
|
|
+optionally prefixed with a colon |
|
|
+.Pq Ql :\& , |
|
|
+that does not match the location of the |
|
|
+.Pa zoneinfo |
|
|
+directory. |
|
|
+.It |
|
|
+It contains a |
|
|
+.Pa .. |
|
|
+path element. |
|
|
+.It |
|
|
+It contains white space or non-printable characters. |
|
|
+.It |
|
|
+It is longer than the value of |
|
|
+.Li PATH_MAX . |
|
|
+.El |
|
|
+.Pp |
|
|
The argument may be a double-quoted, space-separated list or a |
|
|
single value without double-quotes. |
|
|
The list can be replaced, added to, deleted from, or disabled by using |
|
|
diff -up sudo-1.8.6p7/INSTALL.CVE-2014-9680 sudo-1.8.6p7/INSTALL |
|
|
--- sudo-1.8.6p7/INSTALL.CVE-2014-9680 2013-02-25 20:42:43.000000000 +0100 |
|
|
+++ sudo-1.8.6p7/INSTALL 2015-07-05 13:44:11.611596027 +0200 |
|
|
@@ -461,6 +461,16 @@ The following options are also configura |
|
|
Override the default location of the sudo timestamp directory and |
|
|
use "path" instead. |
|
|
|
|
|
+ --with-tzdir=DIR |
|
|
+ Set the directory to the system's time zone data files. This |
|
|
+ is only used when sanitizing the TZ environment variable to |
|
|
+ allow for fully-qualified paths in TZ. |
|
|
+ By default, configure will look for an existing "zoneinfo" |
|
|
+ directory in the following locations: |
|
|
+ /usr/share /usr/share/lib /usr/lib /etc |
|
|
+ If no zoneinfo directory is found, the TZ variable may not |
|
|
+ contain a fully-qualified path. |
|
|
+ |
|
|
--with-sendmail=PATH |
|
|
Override configure's guess as to the location of sendmail. |
|
|
|
|
|
diff -up sudo-1.8.6p7/pathnames.h.in.CVE-2014-9680 sudo-1.8.6p7/pathnames.h.in |
|
|
--- sudo-1.8.6p7/pathnames.h.in.CVE-2014-9680 2012-09-18 15:56:28.000000000 +0200 |
|
|
+++ sudo-1.8.6p7/pathnames.h.in 2015-07-05 13:44:11.612596011 +0200 |
|
|
@@ -168,3 +168,7 @@ |
|
|
#ifndef _PATH_NETSVC_CONF |
|
|
#undef _PATH_NETSVC_CONF |
|
|
#endif /* _PATH_NETSVC_CONF */ |
|
|
+ |
|
|
+#ifndef _PATH_ZONEINFO |
|
|
+# undef _PATH_ZONEINFO |
|
|
+#endif /* _PATH_ZONEINFO */ |
|
|
diff -up sudo-1.8.6p7/plugins/sudoers/env.c.CVE-2014-9680 sudo-1.8.6p7/plugins/sudoers/env.c |
|
|
--- sudo-1.8.6p7/plugins/sudoers/env.c.CVE-2014-9680 2013-02-25 20:42:44.000000000 +0100 |
|
|
+++ sudo-1.8.6p7/plugins/sudoers/env.c 2015-07-05 13:44:11.612596011 +0200 |
|
|
@@ -198,6 +198,7 @@ static const char *initial_checkenv_tabl |
|
|
"LC_*", |
|
|
"LINGUAS", |
|
|
"TERM", |
|
|
+ "TZ", |
|
|
NULL |
|
|
}; |
|
|
|
|
|
@@ -213,7 +214,6 @@ static const char *initial_keepenv_table |
|
|
"PATH", |
|
|
"PS1", |
|
|
"PS2", |
|
|
- "TZ", |
|
|
"XAUTHORITY", |
|
|
"XAUTHORIZATION", |
|
|
NULL |
|
|
@@ -584,6 +584,54 @@ matches_env_delete(const char *var) |
|
|
} |
|
|
|
|
|
/* |
|
|
+ * Sanity-check the TZ environment variable. |
|
|
+ * On many systems it is possible to set this to a pathname. |
|
|
+ */ |
|
|
+static bool |
|
|
+tz_is_sane(const char *tzval) |
|
|
+{ |
|
|
+ const char *cp; |
|
|
+ char lastch; |
|
|
+ debug_decl(tz_is_sane, SUDO_DEBUG_ENV) |
|
|
+ |
|
|
+ /* tzcode treats a value beginning with a ':' as a path. */ |
|
|
+ if (tzval[0] == ':') |
|
|
+ tzval++; |
|
|
+ |
|
|
+ /* Reject fully-qualified TZ that doesn't being with the zoneinfo dir. */ |
|
|
+ if (tzval[0] == '/') { |
|
|
+#ifdef _PATH_ZONEINFO |
|
|
+ if (strncmp(tzval, _PATH_ZONEINFO, sizeof(_PATH_ZONEINFO) - 1) != 0 || |
|
|
+ tzval[sizeof(_PATH_ZONEINFO) - 1] != '/') |
|
|
+ debug_return_bool(false); |
|
|
+#else |
|
|
+ /* Assume the worst. */ |
|
|
+ debug_return_bool(false); |
|
|
+#endif |
|
|
+ } |
|
|
+ |
|
|
+ /* |
|
|
+ * Make sure TZ only contains printable non-space characters |
|
|
+ * and does not contain a '..' path element. |
|
|
+ */ |
|
|
+ lastch = '/'; |
|
|
+ for (cp = tzval; *cp != '\0'; cp++) { |
|
|
+ if (isspace((unsigned char)*cp) || !isprint((unsigned char)*cp)) |
|
|
+ debug_return_bool(false); |
|
|
+ if (lastch == '/' && cp[0] == '.' && cp[1] == '.' && |
|
|
+ (cp[2] == '/' || cp[2] == '\0')) |
|
|
+ debug_return_bool(false); |
|
|
+ lastch = *cp; |
|
|
+ } |
|
|
+ |
|
|
+ /* Reject extra long TZ values (even if not a path). */ |
|
|
+ if ((size_t)(cp - tzval) >= PATH_MAX) |
|
|
+ debug_return_bool(false); |
|
|
+ |
|
|
+ debug_return_bool(true); |
|
|
+} |
|
|
+ |
|
|
+/* |
|
|
* Apply the env_check list. |
|
|
* Returns true if the variable is allowed, false if denied |
|
|
* or -1 if no match. |
|
|
@@ -607,8 +655,13 @@ matches_env_check(const char *var) |
|
|
iswild = false; |
|
|
if (strncmp(cur->value, var, len) == 0 && |
|
|
(iswild || var[len] == '=')) { |
|
|
+ if (strncmp(var, "TZ=", 3) == 0 ) { |
|
|
+ /* Sperial case for TZ */ |
|
|
+ keepit = tz_is_sane(var + 3); |
|
|
+ } else { |
|
|
keepit = !strpbrk(var, "/%"); |
|
|
- break; |
|
|
+ } |
|
|
+ break; |
|
|
} |
|
|
} |
|
|
debug_return_bool(keepit);
|
|
|
|
