File sudo-1.8.10p3-CVE-2016-7076.patch of Package sudo.4837
# HG changeset patch # User Todd C. Miller <Todd.Miller@courtesan.com> # Date 1475720478 21600 # Node ID e7d09243e51b03f27a150fa527f380a893002cae # Parent d214117fbda1c9813488a3ff746c52bd56bb3bd0 Wrap wordexp(3) in sudo_noexec. Index: sudo-1.8.10p3/config.h.in =================================================================== --- sudo-1.8.10p3.orig/config.h.in +++ sudo-1.8.10p3/config.h.in @@ -751,6 +751,12 @@ /* Define to 1 if you have the `vsnprintf' function. */ #undef HAVE_VSNPRINTF +/* Define to 1 if you have the `wordexp' function. */ +#undef HAVE_WORDEXP + +/* Define to 1 if you have the <wordexp.h> header file. */ +#undef HAVE_WORDEXP_H + /* Define to 1 if you have the <zlib.h> header file. */ #undef HAVE_ZLIB_H Index: sudo-1.8.10p3/configure =================================================================== --- sudo-1.8.10p3.orig/configure +++ sudo-1.8.10p3/configure @@ -15737,6 +15737,8 @@ fi done + + for ac_header in endian.h sys/endian.h machine/endian.h do : as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` Index: sudo-1.8.10p3/src/sudo_noexec.c =================================================================== --- sudo-1.8.10p3.orig/src/sudo_noexec.c +++ sudo-1.8.10p3/src/sudo_noexec.c @@ -28,8 +28,23 @@ #ifdef HAVE_SPAWN_H #include <spawn.h> #endif +#ifdef HAVE_STRING_H +# include <string.h> +#endif /* HAVE_STRING_H */ +#ifdef HAVE_STRINGS_H +# include <strings.h> +#endif /* HAVE_STRINGS_H */ +#ifdef HAVE_WORDEXP_H +#include <wordexp.h> +#endif +#if defined(HAVE_SHL_LOAD) +# include <dl.h> +#elif defined(HAVE_DLOPEN) +# include <dlfcn.h> +#endif #include "missing.h" +#include "pathnames.h" #ifdef HAVE___INTERPOSE /* 
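Review bot: The include selection added to src/sudo_noexec.c tests `HAVE_SHL_LOAD` before `HAVE_DLOPEN`, while the wordexp wrapper added later in the same file tests `HAVE_DLOPEN` first and then calls `dlsym(RTLD_NEXT, "wordexp")`. If configure can define both (not visible on this page), `<dl.h>` would be included instead of `<dlfcn.h>` and the dlsym branch would be compiled without its declarations. Using the same order in both places removes that assumption: `#if defined(HAVE_DLOPEN)` / `# include <dlfcn.h>` / `#elif defined(HAVE_SHL_LOAD)`. It is also worth confirming that `<errno.h>` is included above this hunk, since the new wrapper assigns `errno`, and adding a one-line comment that these headers are only needed to locate the real wordexp().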
@@ -220,3 +235,53 @@ FN_NAME(popen)(const char *c, const char
 return NULL;
 }
 INTERPOSE(popen)
+
+#if defined(HAVE_WORDEXP) && (defined(RTLD_NEXT) || defined(HAVE_SHL_LOAD) || defined(HAVE___INTERPOSE))
+/*
+ * We can't use a wrapper for wordexp(3) since we still want to call
+ * the real wordexp(3) but with WRDE_NOCMD added to the flags argument.
+ */
+typedef int (*sudo_fn_wordexp_t)(const char *, wordexp_t *, int);
+
+__dso_public int
+FN_NAME(wordexp)(const char *words, wordexp_t *we, int flags)
+{
+#if defined(HAVE___INTERPOSE)
+ return wordexp(words, we, flags | WRDE_NOCMD);
+#else
+# if defined(HAVE_DLOPEN)
+ void *fn = dlsym(RTLD_NEXT, "wordexp");
+# elif defined(HAVE_SHL_LOAD)
+ const char *name, *myname = _PATH_SUDO_NOEXEC;
+ struct shl_descriptor *desc;
+ void *fn = NULL;
+ int idx = 0;
+
+ name = strrchr(myname, '/');
+ if (name != NULL)
+ myname = name + 1;
+
+ /* Search for wordexp() but skip this shared object. */
+ while (shl_get(idx++, &desc) == 0) {
+ name = strrchr(desc->filename, '/');
+ if (name == NULL)
+ name = desc->filename;
+ else
+ name++;
+ if (strcmp(name, myname) == 0)
+ continue;
+ if (shl_findsym(&desc->handle, "wordexp", TYPE_PROCEDURE, &fn) == 0)
+ break;
+ }
+# else
+ void *fn = NULL;
+# endif
+ if (fn == NULL) {
+ errno = EACCES;
+ return -1;
+ }
+ return ((sudo_fn_wordexp_t)fn)(words, we, flags | WRDE_NOCMD);
+#endif /* HAVE___INTERPOSE */
+}
+INTERPOSE(wordexp)
+#endif /* HAVE_WORDEXP && (RTLD_NEXT || HAVE_SHL_LOAD || HAVE___INTERPOSE) */
Index: sudo-1.8.10p3/configure.ac
===================================================================
--- sudo-1.8.10p3.orig/configure.ac
+++ sudo-1.8.10p3/configure.ac
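Review bot: When the real symbol cannot be resolved, `FN_NAME(wordexp)` returns `-1` with `errno = EACCES`, but wordexp(3) reports failure through WRDE_* return codes, so a caller that switches on the result sees a value it does not know; callers that only test for non-zero still fail closed. I would document that choice at the check, e.g. `/* Fail closed: without the real wordexp() we cannot enforce WRDE_NOCMD, so refuse to expand. */` above `if (fn == NULL) {`. The block comment above the typedef should also say why WRDE_NOCMD matters here: command substitution in `words` would otherwise run a shell from a process that sudo's noexec is meant to keep from executing commands. The protection applies only where this shared object is actually interposed ahead of libc's wordexp, which is worth stating in the same comment.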
@@ -2153,7 +2153,7 @@ AC_HEADER_DIRENT
 AC_HEADER_TIME
 AC_HEADER_STDBOOL
 AC_HEADER_MAJOR
-AC_CHECK_HEADERS(malloc.h netgroup.h paths.h spawn.h utime.h utmpx.h sys/sockio.h sys/bsdtypes.h sys/select.h sys/stropts.h sys/sysmacros.h)
+AC_CHECK_HEADERS(malloc.h netgroup.h paths.h spawn.h utime.h utmpx.h wordexp.h sys/sockio.h sys/bsdtypes.h sys/select.h sys/stropts.h sys/sysmacros.h)
 AC_CHECK_HEADERS([endian.h] [sys/endian.h] [machine/endian.h], [break])
 AC_CHECK_HEADERS([procfs.h] [sys/procfs.h], [AC_CHECK_MEMBERS(struct psinfo.pr_ttydev, [AC_CHECK_FUNCS(_ttyname_dev)], [], [AC_INCLUDES_DEFAULT
 #ifdef HAVE_PROCFS_H
@@ -2305,7 +2305,7 @@ dnl Function checks
 dnl
 AC_FUNC_GETGROUPS
 AC_CHECK_FUNCS(glob nl_langinfo regcomp setenv strftime strrchr strtoll \
- sysconf tzset)
+ sysconf tzset wordexp)
 AC_CHECK_FUNCS(getgrouplist, [], [
 case "$host_os" in
 aix*)
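Review bot: These two configure.ac additions (`wordexp.h` in AC_CHECK_HEADERS here, `wordexp` in AC_CHECK_FUNCS in the hunk at line 2305) are not matched by the `configure` hunk in this same patch, which adds only two blank lines. Unless the package build regenerates configure (for example by running autoreconf, which is not visible on this page), `HAVE_WORDEXP` and `HAVE_WORDEXP_H` stay undefined and the wrapper in src/sudo_noexec.c is compiled out without any build error, leaving the CVE-2016-7076 fix absent from the binary. I would either carry the regenerated checks in the `configure` hunk or note the autoreconf requirement in the patch header, and have the build verify that the installed noexec shared object exports `wordexp` (e.g. with `nm -D`).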