Package: sudo
Version: 1.7.0-1
Severity: normal

If the /etc/sudoers file mode is set to 0640, then executing the sudo
program will cause a Segmentation Fault. The segmentation fault
happens when ``fileno'' is called with a NULL parameter (line 1084 of
file sudo.c). That doesn't seem exploitable, although certainly a
bug.

Attached is a patch which fixes that issue. I made it so all errors
handled by open_sudoers are fatal. That seems reasonable to me, but
someone with a better understanding of the whole code should probably
check it out.

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.30-1-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages sudo depends on:
ii  libc6                         2.9-18     GNU C Library: Shared libraries
ii  libpam-modules                1.0.1-9    Pluggable Authentication Modules f
ii  libpam0g                      1.0.1-9    Pluggable Authentication Modules l

sudo recommends no packages.

sudo suggests no packages.

-- no debconf information
diff -ur sudo-1.7.0.orig/sudo.c sudo-1.7.0/sudo.c
--- sudo-1.7.0.orig/sudo.c	2009-07-05 00:11:50.000000000 -0400
+++ sudo-1.7.0/sudo.c	2009-07-04 23:56:33.000000000 -0400
@@ -1057,18 +1057,18 @@
     set_perms(PERM_SUDOERS);
 
     if (rootstat != 0 && stat_sudoers(sudoers, &statbuf) != 0)
-	log_error(USE_ERRNO|NO_EXIT, "can't stat %s", sudoers);
+	log_error(USE_ERRNO, "can't stat %s", sudoers);
     else if (!S_ISREG(statbuf.st_mode))
-	log_error(NO_EXIT, "%s is not a regular file", sudoers);
+	log_error(0, "%s is not a regular file", sudoers);
     else if ((statbuf.st_mode & 07777) != SUDOERS_MODE)
-	log_error(NO_EXIT, "%s is mode 0%o, should be 0%o", sudoers,
+	log_error(0, "%s is mode 0%o, should be 0%o", sudoers,
 	    (unsigned int) (statbuf.st_mode & 07777),
 	    (unsigned int) SUDOERS_MODE);
     else if (statbuf.st_uid != SUDOERS_UID)
-	log_error(NO_EXIT, "%s is owned by uid %lu, should be %lu", sudoers,
+	log_error(0, "%s is owned by uid %lu, should be %lu", sudoers,
 	    (unsigned long) statbuf.st_uid, (unsigned long) SUDOERS_UID);
     else if (statbuf.st_gid != SUDOERS_GID)
-	log_error(NO_EXIT, "%s is owned by gid %lu, should be %lu", sudoers,
+	log_error(0, "%s is owned by gid %lu, should be %lu", sudoers,
 	    (unsigned long) statbuf.st_gid, (unsigned long) SUDOERS_GID);
     else if ((fp = fopen(sudoers, "r")) == NULL)
 	log_error(USE_ERRNO, "can't open %s", sudoers);
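
Review bot: Nothing in this chain establishes that fp is non-NULL afterwards. fp is assigned only in the final fopen() branch, so the fix works only if log_error() never returns once NO_EXIT is dropped from the stat, file type, mode, uid and gid branches. Please add an explicit guard after the chain (exit or return if fp is still NULL) ahead of the fileno() call the report points to, so a later change to log_error() or its flags cannot bring the NULL dereference back. Passing a bare 0 as the flags argument is also easy to misread next to USE_ERRNO; a short comment that 0 means "log and exit" would help. Since every sudoers sanity failure now terminates the program, it is worth confirming that no caller relied on this function returning after a failed check.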
