oss-sec mailing list archives
Re: sudo: double free with per-command chroot sudoers rules
From: Noryungi <noryungi () gmail com>
Date: Wed, 1 Mar 2023 14:04:08 +0100
https://www.sudo.ws/security/advisories/double_free/ says: CVE ID No CVE has been assigned to this issue due to its low impact. Le mer. 1 mars 2023 à 13:15, John Helmert III <ajak () gentoo org> a écrit :
Has a CVE been requeested? On Tue, Feb 28, 2023 at 07:31:11AM -0700, Todd C. Miller wrote:A flaw exists in sudo's per-command chroot feature that could result in the variable that stores the command being freed more than once. I believe this is a fairly low-impact bug as the per-command chroot feature is not widely used. The bug was caught by glibc's double-free detection while I was performing some chroot-related testing. No one else has reported the bug which leads me to believe it probably has not been encountered in the wild. Sudo versions affected: Sudo versions 1.9.8 through 1.9.13p1 inclusive are affected. Versions of sudo prior to 1.9.8 are not affected. Details: Starting with Sudo 1.9.3, it is possible to specify an alternate root directory that sudo will change to before executing the command. For example: someuser ALL = CHROOT=/var/www /bin/sh will result in /bin/sh being run inside the chroot jail /var/www when the specific user runs "sudo sh". Sudo 1.9.8 included a fix for a memory leak in the set_cmnd_path() function which can result in the "user_cmnd" variable being freed twice, but only when processing a sudoers rule that contains a "CHROOT" setting. This does not affect the "chroot" Defaults setting. Only a per-rule "CHROOT" setting will trigger the bug. Impact: The bug can only be triggered by a user that has been granted sudo privileges using a sudoers rule that contain a "CHROOT" setting and the rule must match the current host. If no users have sudoers rules containing "CHROOT" there is no impact. This feature is not commonly used. Workaround: Remove rules from the sudoers file than contain a "CHROOT" setting if using an affected version of sudo. Fix: The bug is fixed in sudo 1.9.13p2.
Current thread:
- sudo: double free with per-command chroot sudoers rules Todd C. Miller (Feb 28)
- Re: sudo: double free with per-command chroot sudoers rules John Helmert III (Mar 01)
- Re: sudo: double free with per-command chroot sudoers rules Noryungi (Mar 01)
- Re: sudo: double free with per-command chroot sudoers rules Todd C. Miller (Mar 01)
- Re: sudo: double free with per-command chroot sudoers rules Marc Deslauriers (Mar 01)
- Re: sudo: double free with per-command chroot sudoers rules John Helmert III (Mar 01)