From: Marc Haber <mh+debian-packages@zugschlus.de>
Date: Mon, 30 Jun 2025 07:52:43 +0200
Subject: upstream patch for CVE-2025-32462
---
plugins/sudoers/sudoers.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c
index 47feb93..0f75c96 100644
--- a/plugins/sudoers/sudoers.c
+++ b/plugins/sudoers/sudoers.c
@@ -350,6 +350,18 @@ sudoers_check_common(struct sudoers_context *ctx, int pwflag)
time_t now;
debug_decl(sudoers_check_common, SUDOERS_DEBUG_PLUGIN);
+ /* The user may only specify a host for "sudo -l". */
+ if (!ISSET(ctx->mode, MODE_LIST|MODE_CHECK)) {
+ if (strcmp(ctx->runas.host, ctx->user.host) != 0) {
+ log_warningx(ctx, SLOG_NO_STDERR|SLOG_AUDIT,
+ N_("user not allowed to set remote host for command"));
+ sudo_warnx("%s",
+ U_("a remote host may only be specified when listing privileges."));
+ ret = false;
+ goto done;
+ }
+ }
+
/* If given the -P option, set the "preserve_groups" flag. */
if (ISSET(ctx->mode, MODE_PRESERVE_GROUPS))
def_preserve_groups = true;
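Review bot: The new comment at the top of the hunk says the host may only be given for "sudo -l", but the guard on the next line also lets MODE_CHECK through, so the comment understates what is permitted; suggest `/* A remote host may only be specified when listing or checking privileges (sudo -l [command]). */`. The guard also presumably relies on ctx->runas.host being populated with the local host when no -h was given, since strcmp on a NULL pointer would be undefined — worth a one-line comment confirming where that default is set, as it is not visible here. Note that the comparison is a byte-exact strcmp, so a host given in a different case than the local name is rejected rather than accepted (fail-closed, which is the right direction for this check). The `ret` variable and `done` label that the new early-exit uses are declared outside the hunk, and sudoers_check_common continues past it.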