isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

sudoedit: do not permit editor arguments to include "--" (CVE-2023-22809)

Browse Source 
We use "--" to separate the editor and arguments from the files to edit.
If the editor arguments include "--", sudo can be tricked into allowing
the user to edit a file not permitted by the security policy.
Thanks to Matthieu Barjole and Victor Cutillas of Synacktiv
(https://synacktiv.com) for finding this bug.
This commit is contained in:
Todd C. Miller
2023-01-12 15:55:27 -07:00
parent a960d2c45f
commit 0274a4f3b4
3 changed files with 38 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
plugins/sudoers/editor.c
View File

@@ -131,7 +131,7 @@ resolve_editor(const char *ed, size_t edlen, int nfiles, char * const *files,
const char *tmp, *cp, *ep = NULL;
const char *edend = ed + edlen;
struct stat user_editor_sb;
int nargc;
int nargc = 0;
debug_decl(resolve_editor, SUDOERS_DEBUG_UTIL);
/*
@@ -149,10 +149,7 @@ resolve_editor(const char *ed, size_t edlen, int nfiles, char * const *files,
/* If we can't find the editor in the user's PATH, give up. */
if (find_path(editor, &editor_path, &user_editor_sb, getenv("PATH"), NULL,
0, allowlist) != FOUND) {
sudoers_gc_remove(GC_PTR, editor);
free(editor);
errno = ENOENT;
debug_return_str(NULL);
goto bad;
}
/* Count rest of arguments and allocate editor argv. */
@@ -173,6 +170,17 @@ resolve_editor(const char *ed, size_t edlen, int nfiles, char * const *files,
nargv[nargc] = copy_arg(cp, ep - cp);
if (nargv[nargc] == NULL)
goto oom;
/*
* We use "--" to separate the editor and arguments from the files
* to edit. The editor arguments themselves may not contain "--".
*/
if (strcmp(nargv[nargc], "--") == 0) {
sudo_warnx(U_("ignoring editor: %.*s"), (int)edlen, ed);
sudo_warnx("%s", U_("editor arguments may not contain \"--\""));
errno = EINVAL;
goto bad;
}
}
if (nfiles != 0) {
nargv[nargc++] = (char *)"--";
@@ -186,6 +194,7 @@ resolve_editor(const char *ed, size_t edlen, int nfiles, char * const *files,
debug_return_str(editor_path);
oom:
sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
bad:
sudoers_gc_remove(GC_PTR, editor);
free(editor);
free(editor_path);