Hi, I have prepared an update for sudo in Wheezy.
Please see the diff against the previous version and a small test program, attached. Changes:

sudo (1.8.5p2-1+nmu3+deb7u2) wheezy-security; urgency=medium
.
  * LTS Team upload.
  * Fix noexec bypass via system() and popen() (CVE-2016-7032)
  * Fix noexec bypass via wordexp() (CVE-2016-7076) (Closes: #842507)

I plan on uploading the package tomorrow around 18:00 UTC. The binary packages for amd64 are also available for testing here:
deb https://people.debian.org/~rbalint/ppa/wheezy-lts UNRELEASED/

Cheers,
Balint
diff -Nru sudo-1.8.5p2/debian/changelog sudo-1.8.5p2/debian/changelog
--- sudo-1.8.5p2/debian/changelog 2016-01-05 19:48:04.000000000 +0100
+++ sudo-1.8.5p2/debian/changelog 2016-11-11 15:54:01.000000000 +0100
@@ -1,3 +1,11 @@
+sudo (1.8.5p2-1+nmu3+deb7u2) wheezy-security; urgency=medium
+
+ * LTS Team upload.
+ * Fix noexec bypass via system() and popen() (CVE-2016-7032)
+ * Fix noexec bypass via wordexp() (CVE-2016-7076) (Closes: #842507)
+
+ -- Balint Reczey <bal...@balintreczey.hu> Fri, 11 Nov 2016 15:52:14 +0100
+
 sudo (1.8.5p2-1+nmu3+deb7u1) wheezy-security; urgency=medium
 
 * Non-maintainer upload
diff -Nru sudo-1.8.5p2/debian/patches/CVE-2016-7032-1.patch sudo-1.8.5p2/debian/patches/CVE-2016-7032-1.patch
--- sudo-1.8.5p2/debian/patches/CVE-2016-7032-1.patch 1970-01-01 01:00:00.000000000 +0100
+++ sudo-1.8.5p2/debian/patches/CVE-2016-7032-1.patch 2016-11-11 17:46:36.000000000 +0100
@@ -0,0 +1,39 @@
+From 31e5576a54a439c943f20998cb319f7101a609e3 Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller" <todd.mil...@courtesan.com>
+Date: Mon, 28 Sep 2015 15:10:00 -0600
+Subject: [PATCH 1/3] Also interpose system(3). On glibc systems you cannot
+ interpose the syscalls used internally by libc.
+
+Conflicts:
+ src/sudo_noexec.c
+---
+ src/sudo_noexec.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/sudo_noexec.c b/src/sudo_noexec.c
+index af1915f..c83df44 100644
+--- a/src/sudo_noexec.c
++++ b/src/sudo_noexec.c
+@@ -40,6 +40,11 @@
+ return -1; \
+ }
+ 
++#define DUMMY1(fn, t1) \
++int \
++fn(t1 a1) \
++DUMMY_BODY
++
+ #define DUMMY2(fn, t1, t2) \
+ int \
+ fn(t1 a1, t2 a2) \
+@@ -69,6 +74,7 @@ DUMMY_VA(__execle, const char *, const char *)
+ DUMMY_VA(execlp, const char *, const char *)
+ DUMMY_VA(_execlp, const char *, const char *)
+ DUMMY_VA(__execlp, const char *, const char *)
++DUMMY1(system, const char *)
+ DUMMY3(exect, const char *, char * const *, char * const *)
+ DUMMY3(_exect, const char *, char * const *, char * const *)
+ DUMMY3(__exect, const char *, char * const *, char * const *)
+-- 
+2.1.4
+
diff -Nru sudo-1.8.5p2/debian/patches/CVE-2016-7032-2.patch sudo-1.8.5p2/debian/patches/CVE-2016-7032-2.patch
--- sudo-1.8.5p2/debian/patches/CVE-2016-7032-2.patch 1970-01-01 01:00:00.000000000 +0100
+++ sudo-1.8.5p2/debian/patches/CVE-2016-7032-2.patch 2016-11-11 17:46:36.000000000 +0100
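Review bot: The new `DUMMY1(system, const char *)` entry says nothing in the code about why system(3) needs a libc-level refusal when the exec family is already covered; the reasoning lives only in the commit subject. Suggest a comment above the entry, `/* system(3) runs /bin/sh through libc-internal exec calls that cannot be interposed on glibc, so refuse the call itself. */`. The body the macro expands to appears to be the tail shown as context at the top of the hunk (`return -1;`), which matches system(3)'s documented failure value for a child that could not be created, so callers that check the return see a clean failure rather than a partial run. The full DUMMY_BODY definition starts outside the hunk.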
@@ -0,0 +1,57 @@
+From 129bf12da13c4f095502ae36b1fc9726eaa23403 Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller" <todd.mil...@courtesan.com>
+Date: Mon, 28 Sep 2015 15:34:16 -0600
+Subject: [PATCH 2/3] Also wrap popen(3).
+
+Back-ported to not use FN_NAME and INTERPOSE by Balint Reczey.
+
+Conflicts:
+ src/sudo_noexec.c
+---
+ src/sudo_noexec.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/src/sudo_noexec.c b/src/sudo_noexec.c
+index c83df44..c00006c 100644
+--- a/src/sudo_noexec.c
++++ b/src/sudo_noexec.c
+@@ -20,6 +20,8 @@
+ 
+ #include <errno.h>
+ #include <stdarg.h>
++#include <stdio.h>
++#include <stdlib.h>
+ #ifdef HAVE_SPAWN_H
+ #include <spawn.h>
+ #endif
+@@ -74,7 +76,6 @@ DUMMY_VA(__execle, const char *, const char *)
+ DUMMY_VA(execlp, const char *, const char *)
+ DUMMY_VA(_execlp, const char *, const char *)
+ DUMMY_VA(__execlp, const char *, const char *)
+-DUMMY1(system, const char *)
+ DUMMY3(exect, const char *, char * const *, char * const *)
+ DUMMY3(_exect, const char *, char * const *, char * const *)
+ DUMMY3(__exect, const char *, char * const *, char * const *)
+@@ -96,6 +97,7 @@ DUMMY3(__execvpe, const char *, char * const *, char * const *)
+ DUMMY3(fexecve, int , char * const *, char * const *)
+ DUMMY3(_fexecve, int , char * const *, char * const *)
+ DUMMY3(__fexecve, int , char * const *, char * const *)
++DUMMY1(system, const char *)
+ #ifdef HAVE_SPAWN_H
+ DUMMY6(posix_spawn, pid_t *, const char *, const posix_spawn_file_actions_t *, const posix_spawnattr_t *, char * const *, char * const *)
+ DUMMY6(_posix_spawn, pid_t *, const char *, const posix_spawn_file_actions_t *, const posix_spawnattr_t *, char * const *, char * const *)
+@@ -104,3 +106,11 @@ DUMMY6(posix_spawnp, pid_t *, const char *, const posix_spawn_file_actions_t *,
+ DUMMY6(_posix_spawnp, pid_t *, const char *, const posix_spawn_file_actions_t *, const posix_spawnattr_t *, char * const *, char * const *)
+ DUMMY6(__posix_spawnp, pid_t *, const char *, const posix_spawn_file_actions_t *, const posix_spawnattr_t *, char * const *, char * const *)
+ #endif /* HAVE_SPAWN_H */
++
++/* popen(3) returns FILE *, not int so we can't use a wrapper. */
++FILE *
++popen(const char *c, const char *t)
++{
++ errno = EACCES;
++ return NULL;
++}
+-- 
+2.1.4
+
diff -Nru sudo-1.8.5p2/debian/patches/CVE-2016-7076.patch sudo-1.8.5p2/debian/patches/CVE-2016-7076.patch
--- sudo-1.8.5p2/debian/patches/CVE-2016-7076.patch 1970-01-01 01:00:00.000000000 +0100
+++ sudo-1.8.5p2/debian/patches/CVE-2016-7076.patch 2016-11-13 15:53:24.000000000 +0100
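Review bot: The comment on the new popen stub, `/* popen(3) returns FILE *, not int so we can't use a wrapper. */`, reads oddly because this function is itself the interposing wrapper; what it means is that the DUMMYn macros hard-code an int return. Suggest `/* popen(3) returns FILE *, not int, so the DUMMYn macros cannot generate this stub. */`. The parameters `c` and `t` are deliberately unused, which is correct for a refusing stub but will warn under -Wunused-parameter; `(void)c; (void)t;` at the top of the body silences that without changing behaviour. Including <stdio.h> in the first hunk also means the compiler now sees popen's real prototype, so any signature mismatch in the stub would be diagnosed rather than silently shadowing the wrong symbol.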
@@ -0,0 +1,59 @@
+From 30038238114b747a4ede01b37a334f1420971453 Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller" <todd.mil...@courtesan.com>
+Date: Wed, 5 Oct 2016 20:21:18 -0600
+Subject: [PATCH 3/3] Wrap wordexp(3) in sudo_noexec.
+
+Simplified patch for Debian Wheezy LTS by Balint Reczey.
+
+Conflicts:
+ aclocal.m4
+ configure
+ configure.in
+ src/sudo_noexec.c
+---
+ src/sudo_noexec.c | 27 +++++++++++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+--- a/src/sudo_noexec.c
++++ b/src/sudo_noexec.c
+@@ -25,6 +25,16 @@
+ #ifdef HAVE_SPAWN_H
+ #include <spawn.h>
+ #endif
++#ifdef HAVE_STRING_H
++# include <string.h>
++#endif /* HAVE_STRING_H */
++#ifdef HAVE_STRINGS_H
++# include <strings.h>
++#endif /* HAVE_STRINGS_H */
++#include <wordexp.h>
++#if defined(HAVE_DLOPEN)
++# include <dlfcn.h>
++#endif
+ 
+ #include "missing.h"
+ 
+@@ -114,3 +124,23 @@
+ errno = EACCES;
+ return NULL;
+ }
++
++/* use real dlsym, not sudo_dlsym */
++#undef dlsym
++
++/*
++ * We can't use a wrapper for wordexp(3) since we still want to call
++ * the real wordexp(3) but with WRDE_NOCMD added to the flags argument.
++ */
++typedef int (*sudo_fn_wordexp_t)(const char *, wordexp_t *, int);
++
++int
++wordexp(const char *words, wordexp_t *we, int flags)
++{
++ void *fn = dlsym(RTLD_NEXT, "wordexp");
++ if (fn == NULL) {
++ errno = EACCES;
++ return -1;
++ }
++ return ((sudo_fn_wordexp_t)fn)(words, we, flags | WRDE_NOCMD);
++}
diff -Nru sudo-1.8.5p2/debian/patches/series sudo-1.8.5p2/debian/patches/series
--- sudo-1.8.5p2/debian/patches/series 2016-01-05 19:47:48.000000000 +0100
+++ sudo-1.8.5p2/debian/patches/series 2016-11-13 16:23:56.000000000 +0100
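Review bot: `dlsym(RTLD_NEXT, "wordexp")` in the new wordexp() wrapper is compiled unconditionally, but `<dlfcn.h>` is only included under `#if defined(HAVE_DLOPEN)`, so a configuration without dlopen support gets an implicit declaration of dlsym and an undeclared RTLD_NEXT instead of a clear build-time failure. On glibc RTLD_NEXT is also only declared when _GNU_SOURCE is defined before the include; the hunk does not show whether config.h or missing.h takes care of that, so it is worth confirming on the wheezy toolchain. Guarding the wrapper on HAVE_DLOPEN and giving the `#else` branch a fail-closed stub keeps the noexec guarantee on either configuration rather than silently leaving wordexp(3) unwrapped. `#include <wordexp.h>` is likewise unconditional, while the Conflicts list suggests the upstream version touched configure; if no HAVE_WORDEXP_H check is available here, a one-line comment stating that the backport assumes the header exists would document the simplification.
```c
#if defined(HAVE_DLOPEN)
/* … unchanged: typedef sudo_fn_wordexp_t and the wordexp() wrapper that adds WRDE_NOCMD … */
#else
/* No dlsym(): the real wordexp(3) cannot be reached, so refuse rather than leave it unwrapped. */
int
wordexp(const char *words, wordexp_t *we, int flags)
{
    errno = EACCES;
    return -1;
}
#endif /* HAVE_DLOPEN */
```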
@@ -15,3 +15,7 @@
 CVE-2015-5602-5-generated.patch
 CVE-2015-5602-6.patch
 CVE-2015-5602-7.patch
+CVE-2016-7032-1.patch
+CVE-2016-7032-2.patch
+CVE-2016-7076.patch
+use_ldl_for_sudo_noexec.so.patch
diff -Nru sudo-1.8.5p2/debian/patches/use_ldl_for_sudo_noexec.so.patch sudo-1.8.5p2/debian/patches/use_ldl_for_sudo_noexec.so.patch
--- sudo-1.8.5p2/debian/patches/use_ldl_for_sudo_noexec.so.patch 1970-01-01 01:00:00.000000000 +0100
+++ sudo-1.8.5p2/debian/patches/use_ldl_for_sudo_noexec.so.patch 2016-11-13 18:31:22.000000000 +0100
@@ -0,0 +1,19 @@
+Description: Use -ldl when linking sudo_noexec.so
+ Without -ldl dlsym added in fix for CVE-2016-7076 can't be resolved.
+Author: Balint Reczey <bal...@balintreczey.hu>
+Bug-Debian: https://bugs.debian.org/842507
+
+Bug: https://bugzilla.sudo.ws/show_bug.cgi?id=761
+Forwarded: https://bugzilla.sudo.ws/show_bug.cgi?id=761
+
+--- sudo-1.8.5p2.orig/src/Makefile.in
++++ sudo-1.8.5p2/src/Makefile.in
+@@ -97,7 +97,7 @@ sudo: $(OBJS) $(LT_LIBS)
+ $(LIBTOOL) --mode=link $(CC) -o $@ $(OBJS) $(LDFLAGS) $(LIBS)
+ 
+ libsudo_noexec.la: sudo_noexec.lo
+- $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) $(LTLDFLAGS) -o $@ sudo_noexec.lo -avoid-version -rpath $(noexecdir)
++ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) $(LTLDFLAGS) @LIBDL@ -o $@ sudo_noexec.lo -avoid-version -rpath $(noexecdir)
+ 
+ sesh: sesh.o error.o exec_common.o @LIBINTL@ $(LT_LIBS)
+ $(LIBTOOL) --mode=link $(CC) -o $@ sesh.o error.o exec_common.o $(LDFLAGS) @LIBINTL@ $(LIBS)
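Review bot: The libsudo_noexec.la link line now expands `@LIBDL@`, but nothing else in this debdiff adds or shows the configure substitution that provides it; if this 1.8.5p2 tree does not AC_SUBST LIBDL, the literal `@LIBDL@` survives into the generated Makefile and the link breaks, so this deserves a build check rather than an assumption. The Description line could also name the symbol precisely so the dependency is traceable: `Without -ldl the dlsym(RTLD_NEXT) call added by CVE-2016-7076.patch cannot be resolved.`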
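#include <stdlib.h>
#include <stdio.h>
#include <wordexp.h>

/*
 * Probe whether sudo's noexec shim refuses system(3) and popen(3)
 * (CVE-2016-7032) and forces WRDE_NOCMD on wordexp(3) (CVE-2016-7076).
 *
 * Run this binary under sudo with the noexec default set in sudoers; each
 * probe prints whether the call was refused.  The verdict is printed, not
 * returned: main() always exits 0, as the original did implicitly.
 */
int
main(void)
{
    wordexp_t p;
    FILE *fp;
    int rc;

    printf("sudo CVE-2016-7032 & CVE-2016-7076 tests\n");
    printf("Set the noexec default setting in the sudoers file then run this binary with sudo.\n\n");

    /* The shim makes system() return -1 instead of running the command. */
    if (-1 != system("ls /")) {
        printf("\nSystem's system() call is not protected, sudo is vulnerable to CVE-2016-7032\n");
    } else {
        printf("System's system() call is protected (CVE-2016-7032)\n");
    }

    /*
     * The shim returns NULL.  A real stream must be closed with pclose() so
     * the child is reaped and the FILE is not leaked.
     */
    fp = popen("ls /", "r");
    if (NULL != fp) {
        printf("\nSystem's popen() call is not protected, sudo is vulnerable to CVE-2016-7032\n");
        pclose(fp);
    } else {
        printf("System's popen() call is protected (CVE-2016-7032)\n");
    }

    /* With WRDE_NOCMD forced, command substitution must come back as WRDE_CMDSUB. */
    rc = wordexp("$(echo e)", &p, 0);
    if (WRDE_CMDSUB != rc) {
        printf("\nSystem's wordexp() call is not protected, sudo is vulnerable to CVE-2016-7076\n");
    } else {
        printf("System's wordexp() call is protected (CVE-2016-7076)\n");
    }
    if (rc == 0) {
        /* Only a successful expansion owns allocated words. */
        wordfree(&p);
    }

    return 0;
}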