summary refs log tree commit diff
diff options
context:
space:
mode:
-rw-r--r--gnu/local.mk1
-rw-r--r--gnu/packages/admin.scm9
-rw-r--r--gnu/packages/patches/sudo-CVE-2015-5602.patch372
3 files changed, 4 insertions, 378 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index 3a0d5c2557..947d1b0efc 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -774,7 +774,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/slim-sigusr1.patch			\
   %D%/packages/patches/slurm-configure-remove-nonfree-contribs.patch \
   %D%/packages/patches/soprano-find-clucene.patch		\
-  %D%/packages/patches/sudo-CVE-2015-5602.patch			\
   %D%/packages/patches/superlu-dist-scotchmetis.patch		\
   %D%/packages/patches/synfig-build-fix.patch			\
   %D%/packages/patches/t1lib-CVE-2010-2642.patch		\
diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm
index 9afe1f8ee0..7ece6bdcb5 100644
--- a/gnu/packages/admin.scm
+++ b/gnu/packages/admin.scm
@@ -789,18 +789,17 @@ system administrator.")
 (define-public sudo
   (package
     (name "sudo")
-    (version "1.8.15")
+    (version "1.8.17p1")
     (source (origin
               (method url-fetch)
               (uri
-               (list (string-append "http://www.sudo.ws/sudo/dist/sudo-"
+               (list (string-append "https://www.sudo.ws/sudo/dist/sudo-"
                                     version ".tar.gz")
                      (string-append "ftp://ftp.sudo.ws/pub/sudo/OLD/sudo-"
                                     version ".tar.gz")))
               (sha256
                (base32
-                "0263gi6i19fyzzc488n0qw3m518i39f6a7qmrfvahk9j10bkh5j3"))
-              (patches (search-patches "sudo-CVE-2015-5602.patch"))))
+                "1k2mn65l1kmsxm8wh0gjxy496xhbpiimbpm6yv6kw6snzc3xg466"))))
     (build-system gnu-build-system)
     (arguments
      `(#:configure-flags
@@ -849,7 +848,7 @@ system administrator.")
      `(("groff" ,groff)
        ("linux-pam" ,linux-pam)
        ("coreutils" ,coreutils)))
-    (home-page "http://www.sudo.ws/")
+    (home-page "https://www.sudo.ws/")
     (synopsis "Run commands as root")
     (description
      "Sudo (su \"do\") allows a system administrator to delegate authority to
diff --git a/gnu/packages/patches/sudo-CVE-2015-5602.patch b/gnu/packages/patches/sudo-CVE-2015-5602.patch
deleted file mode 100644
index 36c90fbee7..0000000000
--- a/gnu/packages/patches/sudo-CVE-2015-5602.patch
+++ /dev/null
@@ -1,372 +0,0 @@
-Based on the patch from https://www.sudo.ws/repos/sudo/raw-rev/c2e36a80a279
-Backported to 1.8.15 by Mark H Weaver <mhw@netris.org>
-
-# HG changeset patch
-# User Todd C. Miller <Todd.Miller@courtesan.com>
-# Date 1452475889 25200
-# Node ID c2e36a80a27927c32cba55afae78b8dc830cddc3
-# Parent  94ffd6b18431fa4b9ed0a0c3f0b7b9582a4f6bde
-Rewritten sudoedit_checkdir support that checks all the dirs in the
-path and refuses to follow symlinks in writable directories.
-This is a better fix for CVE-2015-5602.
-Adapted from a diff by Ben Hutchings.  Bug #707
-
-diff -r 94ffd6b18431 -r c2e36a80a279 doc/CONTRIBUTORS
---- a/doc/CONTRIBUTORS	Mon Jan 04 10:47:11 2016 -0700
-+++ b/doc/CONTRIBUTORS	Sun Jan 10 18:31:29 2016 -0700
-@@ -58,6 +58,7 @@
-     Holloway, Nick
-     Hoover, Adam
-     Hunter, Michael T.
-+    Hutchings, Ben
-     Irrgang, Eric
-     Jackson, Brian
-     Jackson, John R.
-diff -r 94ffd6b18431 -r c2e36a80a279 doc/UPGRADE
---- a/doc/UPGRADE	Mon Jan 04 10:47:11 2016 -0700
-+++ b/doc/UPGRADE	Sun Jan 10 18:31:29 2016 -0700
-@@ -1,6 +1,15 @@
- Notes on upgrading from an older release
- ========================================
- 
-+o Upgrading from a version prior to the post-1.8.15 fix for CVE-2015-5602.
-+
-+    The meaning of the sudoedit_checkdir sudoers option has changed.
-+    Previously, it would only check the parent directory
-+    of the file to be edited.  After the CVE fix, all directories
-+    in the path to be edited are checked and sudoedit will refuse
-+    to follow a symbolic link in a directory that is writable by
-+    the invoking user.
-+
- o Upgrading from a version prior to 1.8.15:
- 
-     Prior to version 1.8.15, when env_reset was enabled (the default)
-diff -r 94ffd6b18431 -r c2e36a80a279 doc/sudoers.cat
---- a/doc/sudoers.cat	Mon Jan 04 10:47:11 2016 -0700
-+++ b/doc/sudoers.cat	Sun Jan 10 18:31:29 2016 -0700
-@@ -1275,12 +1275,15 @@
-                        system call.  This flag is _o_f_f by default.
- 
-      sudoedit_checkdir
--                       If set, ssuuddooeeddiitt will refuse to edit files located in a
--                       directory that is writable by the invoking user unless
--                       it is run by root.  On many systems, this option
--                       requires that the parent directory of the file to be
--                       edited be readable by the target user.  This flag is
--                       _o_f_f by default.
-+                       If set, ssuuddooeeddiitt will check directories in the path to
-+                       be edited for writability by the invoking user.
-+                       Symbolic links will not be followed in writable
-+                       directories and ssuuddooeeddiitt will also refuse to edit a
-+                       file located in a writable directory.  Theses
-+                       restrictions are not enforced when ssuuddooeeddiitt is invoked
-+                       as root.  On many systems, this option requires that
-+                       all directories in the path to be edited be readable by
-+                       the target user.  This flag is _o_f_f by default.
- 
-      sudoedit_follow   By default, ssuuddooeeddiitt will not follow symbolic links
-                        when opening files.  The _s_u_d_o_e_d_i_t___f_o_l_l_o_w option can be
-diff -r 94ffd6b18431 -r c2e36a80a279 doc/sudoers.man.in
---- a/doc/sudoers.man.in	Mon Jan 04 10:47:11 2016 -0700
-+++ b/doc/sudoers.man.in	Sun Jan 10 18:31:29 2016 -0700
-@@ -2715,10 +2715,16 @@
- .br
- If set,
- \fBsudoedit\fR
--will refuse to edit files located in a directory that is writable
--by the invoking user unless it is run by root.
--On many systems, this option requires that the parent directory
--of the file to be edited be readable by the target user.
-+will check directories in the path to be edited for writability
-+by the invoking user.
-+Symbolic links will not be followed in writable directories and
-+\fBsudoedit\fR
-+will also refuse to edit a file located in a writable directory.
-+Theses restrictions are not enforced when
-+\fBsudoedit\fR
-+is invoked as root.
-+On many systems, this option requires that all directories
-+in the path to be edited be readable by the target user.
- This flag is
- \fIoff\fR
- by default.
-diff -r 94ffd6b18431 -r c2e36a80a279 doc/sudoers.mdoc.in
---- a/doc/sudoers.mdoc.in	Mon Jan 04 10:47:11 2016 -0700
-+++ b/doc/sudoers.mdoc.in	Sun Jan 10 18:31:29 2016 -0700
-@@ -2549,10 +2549,16 @@
- .It sudoedit_checkdir
- If set,
- .Nm sudoedit
--will refuse to edit files located in a directory that is writable
--by the invoking user unless it is run by root.
--On many systems, this option requires that the parent directory
--of the file to be edited be readable by the target user.
-+will check directories in the path to be edited for writability
-+by the invoking user.
-+Symbolic links will not be followed in writable directories and
-+.Nm sudoedit
-+will also refuse to edit a file located in a writable directory.
-+Theses restrictions are not enforced when
-+.Nm sudoedit
-+is invoked as root.
-+On many systems, this option requires that all directories
-+in the path to be edited be readable by the target user.
- This flag is
- .Em off
- by default.
-diff -r 94ffd6b18431 -r c2e36a80a279 include/sudo_compat.h
---- a/include/sudo_compat.h	Mon Jan 04 10:47:11 2016 -0700
-+++ b/include/sudo_compat.h	Sun Jan 10 18:31:29 2016 -0700
-@@ -182,6 +182,8 @@
- # ifndef UTIME_NOW
- #  define UTIME_NOW	-2L
- # endif
-+#endif
-+#if !defined(HAVE_OPENAT) || (!defined(HAVE_FUTIMENS) && !defined(HAVE_UTIMENSAT))
- # ifndef AT_FDCWD
- #  define AT_FDCWD	-100
- # endif
-diff -r 94ffd6b18431 -r c2e36a80a279 src/sudo_edit.c
---- a/src/sudo_edit.c	Mon Jan 04 10:47:11 2016 -0700
-+++ b/src/sudo_edit.c	Sun Jan 10 18:31:29 2016 -0700
-@@ -179,13 +179,15 @@
- }
- 
- #ifndef HAVE_OPENAT
--/* This does not support AT_FDCWD... */
- static int
- sudo_openat(int dfd, const char *path, int flags, mode_t mode)
- {
-     int fd, odfd;
-     debug_decl(sudo_openat, SUDO_DEBUG_EDIT)
- 
-+    if (dfd == AT_FDCWD)
-+	debug_return_int(open(path, flags, mode));
-+
-     /* Save cwd */
-     if ((odfd = open(".", O_RDONLY)) == -1)
- 	debug_return_int(-1);
-@@ -207,6 +209,64 @@
- #define openat sudo_openat
- #endif /* HAVE_OPENAT */
- 
-+#ifdef O_NOFOLLOW
-+static int
-+sudo_edit_openat_nofollow(int dfd, char *path, int oflags, mode_t mode)
-+{
-+    debug_decl(sudo_edit_open_nofollow, SUDO_DEBUG_EDIT)
-+
-+    debug_return_int(openat(dfd, path, oflags|O_NOFOLLOW, mode));
-+}
-+#else
-+/*
-+ * Returns true if fd and path don't match or path is a symlink.
-+ * Used on older systems without O_NOFOLLOW.
-+ */
-+static bool
-+sudo_edit_is_symlink(int fd, char *path)
-+{
-+    struct stat sb1, sb2;
-+    debug_decl(sudo_edit_is_symlink, SUDO_DEBUG_EDIT)
-+
-+    /*
-+     * Treat [fl]stat() failure like there was a symlink.
-+     */
-+    if (fstat(fd, &sb1) == -1 || lstat(path, &sb2) == -1)
-+	debug_return_bool(true);
-+
-+    /*
-+     * Make sure we did not open a link and that what we opened
-+     * matches what is currently on the file system.
-+     */
-+    if (S_ISLNK(sb2.st_mode) ||
-+	sb1.st_dev != sb2.st_dev || sb1.st_ino != sb2.st_ino) {
-+	debug_return_bool(true);
-+    }
-+
-+    debug_return_bool(false);
-+}
-+
-+static int
-+sudo_edit_openat_nofollow(char *path, int oflags, mode_t mode)
-+{
-+    struct stat sb1, sb2;
-+    int fd;
-+    debug_decl(sudo_edit_openat_nofollow, SUDO_DEBUG_EDIT)
-+
-+    fd = openat(dfd, path, oflags, mode);
-+    if (fd == -1)
-+	debug_return_int(-1);
-+
-+    if (sudo_edit_is_symlink(fd, path)) {
-+	close(fd);
-+	fd = -1;
-+	errno = ELOOP;
-+    }
-+
-+    debug_return_int(fd);
-+}
-+#endif /* O_NOFOLLOW */
-+
- /*
-  * Returns true if the directory described by sb is writable
-  * by the user.  We treat directories with the sticky bit as
-@@ -245,49 +305,94 @@
-     debug_return_bool(false);
- }
- 
-+/*
-+ * Directory open flags for use with openat(2) and fstat(2).
-+ * Use O_PATH and O_DIRECTORY where possible.
-+ */
-+#if defined(O_PATH) && defined(O_DIRECTORY)
-+# define DIR_OPEN_FLAGS	(O_PATH|O_DIRECTORY)
-+#elif defined(O_PATH) && !defined(O_DIRECTORY)
-+# define DIR_OPEN_FLAGS	O_PATH
-+#elif !defined(O_PATH) && defined(O_DIRECTORY)
-+# define DIR_OPEN_FLAGS	(O_RDONLY|O_DIRECTORY)
-+#else
-+# define DIR_OPEN_FLAGS	(O_RDONLY|O_NONBLOCK)
-+#endif
-+
- static int
- sudo_edit_open_nonwritable(char *path, int oflags, mode_t mode)
- {
--    char *base, *dir;
-+    int dfd, fd, dflags = DIR_OPEN_FLAGS;
-+#if defined(__linux__) && defined(O_PATH)
-+    char *opath = path;
-+#endif
-+    bool is_writable;
-     struct stat sb;
--    int dfd, fd;
-     debug_decl(sudo_edit_open_nonwritable, SUDO_DEBUG_EDIT)
- 
--    base = strrchr(path, '/');
--    if (base != NULL) {
--	*base++ = '\0';
--	dir = path;
-+#if defined(__linux__) && defined(O_PATH)
-+restart:
-+#endif
-+    if (path[0] == '/') {
-+	dfd = open("/", dflags);
-+	path++;
-     } else {
--	base = path;
--	dir = ".";
-+	dfd = open(".", dflags);
-+	if (path[0] == '.' && path[1] == '/')
-+	    path += 2;
-     }
--#ifdef O_PATH
--    if ((dfd = open(dir, O_PATH)) != -1) {
--	/* Linux kernels < 3.6 can't do fstat on O_PATH fds. */
--	if (fstat(dfd, &sb) == -1) {
--	    close(dfd);
--	    dfd = open(dir, O_RDONLY);
--	    if (fstat(dfd, &sb) == -1) {
--		close(dfd);
--		dfd = -1;
--	    }
--	}
--    }
--#else
--    if ((dfd = open(dir, O_RDONLY)) != -1) {
--	if (fstat(dfd, &sb) == -1) {
--	    close(dfd);
--	    dfd = -1;
--	}
--    }
--#endif
--    if (base != path)
--	base[-1] = '/';			/* restore path */
-     if (dfd == -1)
- 	debug_return_int(-1);
- 
--    if (dir_is_writable(&sb, user_details.uid, user_details.gid,
--	user_details.ngroups, user_details.groups)) {
-+    for (;;) {
-+	char *slash;
-+	int subdfd;
-+
-+	/*
-+	 * Look up one component at a time, avoiding symbolic links in
-+	 * writable directories.
-+	 */
-+	if (fstat(dfd, &sb) == -1) {
-+	    close(dfd);
-+#if defined(__linux__) && defined(O_PATH)
-+	    /* Linux prior to 3.6 can't fstat an O_PATH fd */
-+	    if (ISSET(dflags, O_PATH)) {
-+		CLR(dflags, O_PATH);
-+		path = opath;
-+		goto restart;
-+	    }
-+#endif
-+	    debug_return_int(-1);
-+	}
-+#ifndef O_DIRECTORY
-+	if (!S_ISDIR(sb.st_mode)) {
-+	    close(dfd);
-+	    errno = ENOTDIR;
-+	    debug_return_int(-1);
-+	}
-+#endif
-+	is_writable = dir_is_writable(&sb, user_details.uid, user_details.gid,
-+	    user_details.ngroups, user_details.groups);
-+
-+	while (path[0] == '/')
-+	    path++;
-+	slash = strchr(path, '/');
-+	if (slash == NULL)
-+	    break;
-+	*slash = '\0';
-+	if (is_writable)
-+	    subdfd = sudo_edit_openat_nofollow(dfd, path, dflags, 0);
-+	else
-+	    subdfd = openat(dfd, path, dflags, 0);
-+	*slash = '/';			/* restore path */
-+	close(dfd);
-+	if (subdfd == -1)
-+	    debug_return_int(-1);
-+	path = slash + 1;
-+	dfd = subdfd;
-+    }
-+
-+    if (is_writable) {
- 	close(dfd);
- 	errno = EISDIR;
- 	debug_return_int(-1);
-@@ -332,27 +437,10 @@
-     if (!ISSET(oflags, O_NONBLOCK))
- 	(void) fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK);
- 
--    /*
--     * Treat [fl]stat() failure like an open() failure.
--     */
--    if (fstat(fd, &sb1) == -1 || lstat(path, &sb2) == -1) {
--	const int serrno = errno;
-+    if (!ISSET(sflags, CD_SUDOEDIT_FOLLOW) && sudo_edit_is_symlink(fd, path)) {
- 	close(fd);
--	errno = serrno;
--	debug_return_int(-1);
--    }
--
--    /*
--     * Make sure we did not open a link and that what we opened
--     * matches what is currently on the file system.
--     */
--    if (!ISSET(sflags, CD_SUDOEDIT_FOLLOW)) {
--	if (S_ISLNK(sb2.st_mode) ||
--	    sb1.st_dev != sb2.st_dev || sb1.st_ino != sb2.st_ino) {
--	    close(fd);
--	    errno = ELOOP;
--	    debug_return_int(-1);
--	}
-+	fd = -1;
-+	errno = ELOOP;
-     }
- 
-     debug_return_int(fd);
-