Package: sudo / 1.8.19p1-2.1

CVE-2017-1000367.patch Patch series | download
diff --git a/src/ttyname.c b/src/ttyname.c
index 9b94ba8..ab0f2d3 100644
--- a/src/ttyname.c
+++ b/src/ttyname.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2016 Todd C. Miller <Todd.Miller@courtesan.com>
+ * Copyright (c) 2012-2017 Todd C. Miller <Todd.Miller@courtesan.com>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -145,20 +145,22 @@ sudo_ttyname_dev(dev_t tdev, char *name, size_t namelen)
 }
 #elif defined(HAVE_STRUCT_PSINFO_PR_TTYDEV) || defined(HAVE_PSTAT_GETPROC) || defined(__linux__)
 /*
- * Devices to search before doing a breadth-first scan.
+ * Device nodes and directories to search before searching all of /dev
  */
 static char *search_devs[] = {
     "/dev/console",
-    "/dev/wscons",
-    "/dev/pts/",
-    "/dev/vt/",
-    "/dev/term/",
-    "/dev/zcons/",
+    "/dev/pts/",	/* POSIX pty */
+    "/dev/vt/",		/* Solaris virtual console */
+    "/dev/term/",	/* Solaris serial ports */
+    "/dev/zcons/",	/* Solaris zone console */
+    "/dev/pty/",	/* HP-UX old-style pty */
     NULL
 };
 
+/*
+ * Device nodes to ignore when searching all of /dev
+ */
 static char *ignore_devs[] = {
-    "/dev/fd/",
     "/dev/stdin",
     "/dev/stdout",
     "/dev/stderr",
@@ -166,16 +168,18 @@ static char *ignore_devs[] = {
 };
 
 /*
- * Do a breadth-first scan of dir looking for the specified device.
+ * Do a scan of a directory looking for the specified device.
+ * Does not descend into subdirectories.
  * Returns name on success and NULL on failure, setting errno.
  */
 static char *
-sudo_ttyname_scan(const char *dir, dev_t rdev, bool builtin, char *name, size_t namelen)
+sudo_ttyname_scan(const char *dir, dev_t rdev, char *name, size_t namelen)
 {
-    size_t sdlen, num_subdirs = 0, max_subdirs = 0;
-    char pathbuf[PATH_MAX], **subdirs = NULL;
+    size_t sdlen;
+    char pathbuf[PATH_MAX];
     char *ret = NULL;
     struct dirent *dp;
+    struct stat sb;
     unsigned int i;
     DIR *d = NULL;
     debug_decl(sudo_ttyname_scan, SUDO_DEBUG_UTIL)
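Review bot: The header comment on L294-L299 now says the scan does not descend into subdirectories, but it leaves out the other new part of the contract that the caller relies on: a world-writable directory is refused and the function fails with errno set to ENOENT (the check is added further down in this function, after opendir()). sudo_ttyname_dev() decides whether to keep searching by looking at errno, so this belongs in the function's documented contract rather than only in a debug message; I would add ` * Refuses to scan a world-writable directory, failing with errno set to ENOENT.` after the "Does not descend into subdirectories." line. The body of sudo_ttyname_scan continues beyond this hunk.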
@@ -183,6 +187,18 @@ sudo_ttyname_scan(const char *dir, dev_t rdev, bool builtin, char *name, size_t
     if (dir[0] == '\0' || (d = opendir(dir)) == NULL)
 	goto done;
 
+    if (fstat(dirfd(d), &sb) == -1) {
+	sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
+	    "unable to fstat %s", dir);
+	goto done;
+    }
+    if ((sb.st_mode & S_IWOTH) != 0) {
+	sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
+	    "ignoring world-writable directory %s", dir);
+	errno = ENOENT;
+	goto done;
+    }
+
     sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
 	"scanning for dev %u in %s", (unsigned int)rdev, dir);
 
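Review bot: The S_IWOTH test on L323 rejects sticky world-writable directories (mode 1777) together with plain world-writable ones, and nothing records that this is deliberate, so a later reader may be tempted to exempt S_ISVTX. Keeping them out is correct: the sticky bit only stops users removing each other's entries, and an unprivileged user can still create a symlink or other entry it owns there, which is exactly what a tty lookup must not trust. I would add above the test `/* Reject sticky (1777) directories too: any user can still create entries there. */`. Checking the already-opened handle with fstat(dirfd(d)) rather than stat(dir) is the right choice, since it inspects the directory actually being read rather than a path that could be re-pointed in between.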
@@ -220,18 +236,6 @@ sudo_ttyname_scan(const char *dir, dev_t rdev, bool builtin, char *name, size_t
 	}
 	if (ignore_devs[i] != NULL)
 	    continue;
-	if (!builtin) {
-	    /* Skip entries in search_devs; we already checked them. */
-	    for (i = 0; search_devs[i] != NULL; i++) {
-		len = strlen(search_devs[i]);
-		if (search_devs[i][len - 1] == '/')
-		    len--;
-		if (d_len == len && strncmp(pathbuf, search_devs[i], len) == 0)
-		    break;
-	    }
-	    if (search_devs[i] != NULL)
-		continue;
-	}
 # if defined(HAVE_STRUCT_DIRENT_D_TYPE) && defined(DTTOIF)
 	/*
 	 * Avoid excessive stat() calls by checking dp->d_type.
@@ -244,39 +248,14 @@ sudo_ttyname_scan(const char *dir, dev_t rdev, bool builtin, char *name, size_t
 		if (stat(pathbuf, &sb) == -1)
 		    continue;
 		break;
-	    case DT_DIR:
-		/* Directory, no need to stat() it. */
-		sb.st_mode = DTTOIF(dp->d_type);
-		sb.st_rdev = 0;		/* quiet ccc-analyzer false positive */
-		break;
 	    default:
-		/* Not a character device, link or directory, skip it. */
+		/* Not a character device or link, skip it. */
 		continue;
 	}
 # else
 	if (stat(pathbuf, &sb) == -1)
 	    continue;
 # endif
-	if (S_ISDIR(sb.st_mode)) {
-	    if (!builtin) {
-		/* Add to list of subdirs to search. */
-		if (num_subdirs + 1 > max_subdirs) {
-		    char **new_subdirs;
-
-		    new_subdirs = reallocarray(subdirs, max_subdirs + 64,
-			sizeof(char *));
-		    if (new_subdirs == NULL)
-			goto done;
-		    subdirs = new_subdirs;
-		    max_subdirs += 64;
-		}
-		subdirs[num_subdirs] = strdup(pathbuf);
-		if (subdirs[num_subdirs] == NULL)
-		    goto done;
-		num_subdirs++;
-	    }
-	    continue;
-	}
 	if (S_ISCHR(sb.st_mode) && sb.st_rdev == rdev) {
 	    sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
 		"resolved dev %u as %s", (unsigned int)rdev, pathbuf);
@@ -292,16 +271,9 @@ sudo_ttyname_scan(const char *dir, dev_t rdev, bool builtin, char *name, size_t
 	}
     }
 
-    /* Search subdirs if we didn't find it in the root level. */
-    for (i = 0; ret == NULL && i < num_subdirs; i++)
-	ret = sudo_ttyname_scan(subdirs[i], rdev, false, name, namelen);
-
 done:
     if (d != NULL)
 	closedir(d);
-    for (i = 0; i < num_subdirs; i++)
-	free(subdirs[i]);
-    free(subdirs);
     debug_return_str(ret);
 }
 
@@ -320,7 +292,7 @@ sudo_ttyname_dev(dev_t rdev, char *name, size_t namelen)
     debug_decl(sudo_ttyname_dev, SUDO_DEBUG_UTIL)
 
     /*
-     * First check search_devs for common tty devices.
+     * First check search_devs[] for common tty devices.
      */
     for (sd = search_devs; (devname = *sd) != NULL; sd++) {
 	len = strlen(devname);
@@ -345,7 +317,7 @@ sudo_ttyname_dev(dev_t rdev, char *name, size_t namelen)
 		    "comparing dev %u to %s: no", (unsigned int)rdev, buf);
 	    } else {
 		/* Traverse directory */
-		ret = sudo_ttyname_scan(devname, rdev, true, name, namelen);
+		ret = sudo_ttyname_scan(devname, rdev, name, namelen);
 		if (ret != NULL || errno == ENOMEM)
 		    goto done;
 	    }
@@ -363,9 +335,9 @@ sudo_ttyname_dev(dev_t rdev, char *name, size_t namelen)
     }
 
     /*
-     * Not found?  Do a breadth-first traversal of /dev/.
+     * Not found?  Check all device nodes in /dev.
      */
-    ret = sudo_ttyname_scan(_PATH_DEV, rdev, false, name, namelen);
+    ret = sudo_ttyname_scan(_PATH_DEV, rdev, name, namelen);
 
 done:
     debug_return_str(ret);
@@ -489,28 +461,35 @@ get_process_ttyname(char *name, size_t namelen)
 	len = getline(&line, &linesize, fp);
 	fclose(fp);
 	if (len != -1) {
-	    /* Field 7 is the tty dev (0 if no tty) */
-	    char *cp = line;
-	    char *ep = line;
-	    const char *errstr;
-	    int field = 0;
-	    while (*++ep != '\0') {
-		if (*ep == ' ') {
-		    *ep = '\0';
-		    if (++field == 7) {
-			dev_t tdev = strtonum(cp, INT_MIN, INT_MAX, &errstr);
-			if (errstr) {
-			    sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
-				"%s: tty device %s: %s", path, cp, errstr);
-			}
-			if (tdev > 0) {
-			    errno = serrno;
-			    ret = sudo_ttyname_dev(tdev, name, namelen);
-			    goto done;
+	    /*
+	     * Field 7 is the tty dev (0 if no tty).
+	     * Since the process name at field 2 "(comm)" may include spaces,
+	     * start at the last ')' found.
+	     */
+	    char *cp = strrchr(line, ')');
+	    if (cp != NULL) {
+		char *ep = cp;
+		const char *errstr;
+		int field = 1;
+
+		while (*++ep != '\0') {
+		    if (*ep == ' ') {
+			*ep = '\0';
+			if (++field == 7) {
+			    dev_t tdev = strtonum(cp, INT_MIN, INT_MAX, &errstr);
+			    if (errstr) {
+				sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
+				    "%s: tty device %s: %s", path, cp, errstr);
+			    }
+			    if (tdev > 0) {
+				errno = serrno;
+				ret = sudo_ttyname_dev(tdev, name, namelen);
+				goto done;
+			    }
+			    break;
 			}
-			break;
+			cp = ep + 1;
 		    }
-		    cp = ep + 1;
 		}
 	    }
 	}
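Review bot: When the text after the last ')' holds fewer than seven space-separated fields, or the line contains no ')' at all, the code falls out silently; only a strtonum() failure produces a debug message (L478-L481), so an unexpected /proc/self/stat layout now yields "no tty" with no trace of why. I would give the `cp == NULL` branch its own message, `} else { sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, "%s: unable to find process name", path); }`, and log similarly when the while loop ends without reaching field 7. The field accounting itself looks right: field starts at 1 because cp points at the end of field 2, the space after ')' advances it to 2, and the seventh field is tty_nr as proc(5) describes. get_process_ttyname() begins before this hunk and the done label it jumps to is below it.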