Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP2:GA
sudo.5098
sudo-1.8.10p3-CVE-2017-1000368.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File sudo-1.8.10p3-CVE-2017-1000368.patch of Package sudo.5098
commit c13ebffbce208f02c27d8de90a1af95f0aae7fa9 Author: Todd C. Miller <Todd.Miller@courtesan.com> Date: Wed May 31 09:14:31 2017 -0600 A command name may also contain newline characters so read /proc/self/stat until EOF. It is not legal for /proc/self/stat to contain embedded NUL bytes so treat the file as corrupt if we see any. With help from Qualys. This is not exploitable due to the /dev traversal changes in sudo 1.8.20p1 (thanks Solar!). Index: sudo-1.8.10p3/src/ttyname.c =================================================================== --- sudo-1.8.10p3.orig/src/ttyname.c 2017-06-27 10:51:22.550942625 +0200 +++ sudo-1.8.10p3/src/ttyname.c 2017-06-27 10:57:56.797055167 +0200 @@ -429,24 +429,35 @@ get_process_ttyname(void) char * get_process_ttyname(void) { - char path[PATH_MAX], *line = NULL, *tty = NULL; - size_t linesize = 0; - ssize_t len; - FILE *fp; + char *tty = NULL; + const char path[] = "/proc/self/stat"; + char *cp, buf[1024]; + ssize_t nread; + int fd; debug_decl(get_process_ttyname, SUDO_DEBUG_UTIL) - /* Try to determine the tty from tty_nr in /proc/pid/stat. */ - snprintf(path, sizeof(path), "/proc/%u/stat", (unsigned int)getpid()); - if ((fp = fopen(path, "r")) != NULL) { - len = getline(&line, &linesize, fp); - fclose(fp); - if (len != -1) { + /* + * Try to determine the tty from tty_nr in /proc/self/stat. + * Ignore /proc/self/stat if it contains embedded NUL bytes. + */ + if ((fd = open(path, O_RDONLY | O_NOFOLLOW)) != -1) { + cp = buf; + while ((nread = read(fd, cp, buf + sizeof(buf) - cp)) != 0) { + if (nread == -1) { + if (errno == EAGAIN || errno == EINTR) + continue; + break; + } + cp += nread; + if (cp >= buf + sizeof(buf)) + break; + } + if (nread == 0 && memchr(buf, '\0', cp - buf) == NULL) { /* * Field 7 is the tty dev (0 if no tty). - * Since the process name at field 2 "(comm)" may include spaces, - * start at the last ')' found. */ - char *cp = strrchr(line, ')'); + *cp = '\0'; + cp = strrchr(buf, ')'); if (cp != NULL) { char *ep = cp; const char *errstr; @@ -470,7 +481,7 @@ get_process_ttyname(void) } } } - efree(line); + close(fd); } debug_return_str(tty);
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor