[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] sudo: double free with per-command chroot sudoers rules
From:       "Todd C. Miller" <Todd.Miller () millert ! dev>
Date:       2023-02-28 14:31:11
Message-ID: 6ce790cbffb04331 () millert ! dev
[Download RAW message or body]

A flaw exists in sudo's per-command chroot feature that could result
in the variable that stores the command being freed more than once.

I believe this is a fairly low-impact bug as the per-command chroot
feature is not widely used.  The bug was caught by glibc's double-free
detection while I was performing some chroot-related testing.  No
one else has reported the bug which leads me to believe it probably
has not been encountered in the wild.

Sudo versions affected:

    Sudo versions 1.9.8 through 1.9.13p1 inclusive are affected.
    Versions of sudo prior to 1.9.8 are not affected.

Details:

    Starting with Sudo 1.9.3, it is possible to specify an alternate
    root directory that sudo will change to before executing the
    command.  For example:

	someuser ALL = CHROOT=/var/www /bin/sh

    will result in /bin/sh being run inside the chroot jail /var/www
    when the specific user runs "sudo sh".

    Sudo 1.9.8 included a fix for a memory leak in the set_cmnd_path()
    function which can result in the "user_cmnd" variable being
    freed twice, but only when processing a sudoers rule that
    contains a "CHROOT" setting.  This does not affect the "chroot"
    Defaults setting.  Only a per-rule "CHROOT" setting will trigger
    the bug.

Impact:

    The bug can only be triggered by a user that has been granted
    sudo privileges using a sudoers rule that contain a "CHROOT"
    setting and the rule must match the current host.  If no users
    have sudoers rules containing "CHROOT" there is no impact.  This
    feature is not commonly used.

Workaround:

    Remove rules from the sudoers file than contain a "CHROOT"
    setting if using an affected version of sudo.

Fix:

    The bug is fixed in sudo 1.9.13p2.
[prev in list] [next in list] [prev in thread] [next in thread]