oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: sudo: double free with per-command chroot sudoers rules

From: Noryungi <noryungi () gmail com>
Date: Wed, 1 Mar 2023 14:04:08 +0100
https://www.sudo.ws/security/advisories/double_free/

says:

CVE ID
No CVE has been assigned to this issue due to its low impact.

Le mer. 1 mars 2023 à 13:15, John Helmert III <ajak () gentoo org> a écrit :


Has a CVE been requeested?

On Tue, Feb 28, 2023 at 07:31:11AM -0700, Todd C. Miller wrote:

A flaw exists in sudo's per-command chroot feature that could result
in the variable that stores the command being freed more than once.

I believe this is a fairly low-impact bug as the per-command chroot
feature is not widely used.  The bug was caught by glibc's double-free
detection while I was performing some chroot-related testing.  No
one else has reported the bug which leads me to believe it probably
has not been encountered in the wild.

Sudo versions affected:

    Sudo versions 1.9.8 through 1.9.13p1 inclusive are affected.
    Versions of sudo prior to 1.9.8 are not affected.

Details:

    Starting with Sudo 1.9.3, it is possible to specify an alternate
    root directory that sudo will change to before executing the
    command.  For example:

      someuser ALL = CHROOT=/var/www /bin/sh

    will result in /bin/sh being run inside the chroot jail /var/www
    when the specific user runs "sudo sh".

    Sudo 1.9.8 included a fix for a memory leak in the set_cmnd_path()
    function which can result in the "user_cmnd" variable being
    freed twice, but only when processing a sudoers rule that
    contains a "CHROOT" setting.  This does not affect the "chroot"
    Defaults setting.  Only a per-rule "CHROOT" setting will trigger
    the bug.

Impact:

    The bug can only be triggered by a user that has been granted
    sudo privileges using a sudoers rule that contain a "CHROOT"
    setting and the rule must match the current host.  If no users
    have sudoers rules containing "CHROOT" there is no impact.  This
    feature is not commonly used.

Workaround:

    Remove rules from the sudoers file than contain a "CHROOT"
    setting if using an affected version of sudo.

Fix:

    The bug is fixed in sudo 1.9.13p2.
Previous By Date Next
Previous By Thread Next

Current thread: