oss-sec mailing list archives

Re: sudo: double free with per-command chroot sudoers rules

From: John Helmert III <ajak () gentoo org>
Date: Tue, 28 Feb 2023 19:55:43 -0600

Has a CVE been requeested?

On Tue, Feb 28, 2023 at 07:31:11AM -0700, Todd C. Miller wrote:

A flaw exists in sudo's per-command chroot feature that could result
in the variable that stores the command being freed more than once.

I believe this is a fairly low-impact bug as the per-command chroot
feature is not widely used.  The bug was caught by glibc's double-free
detection while I was performing some chroot-related testing.  No
one else has reported the bug which leads me to believe it probably
has not been encountered in the wild.

Sudo versions affected:

    Sudo versions 1.9.8 through 1.9.13p1 inclusive are affected.
    Versions of sudo prior to 1.9.8 are not affected.

Details:

    Starting with Sudo 1.9.3, it is possible to specify an alternate
    root directory that sudo will change to before executing the
    command.  For example:

      someuser ALL = CHROOT=/var/www /bin/sh

    will result in /bin/sh being run inside the chroot jail /var/www
    when the specific user runs "sudo sh".

    Sudo 1.9.8 included a fix for a memory leak in the set_cmnd_path()
    function which can result in the "user_cmnd" variable being
    freed twice, but only when processing a sudoers rule that
    contains a "CHROOT" setting.  This does not affect the "chroot"
    Defaults setting.  Only a per-rule "CHROOT" setting will trigger
    the bug.

Impact:

    The bug can only be triggered by a user that has been granted
    sudo privileges using a sudoers rule that contain a "CHROOT"
    setting and the rule must match the current host.  If no users
    have sudoers rules containing "CHROOT" there is no impact.  This
    feature is not commonly used.

Workaround:

    Remove rules from the sudoers file than contain a "CHROOT"
    setting if using an affected version of sudo.

Fix:

    The bug is fixed in sudo 1.9.13p2.

Attachment: signature.asc
Description:

Current thread:

sudo: double free with per-command chroot sudoers rules Todd C. Miller (Feb 28)
- Re: sudo: double free with per-command chroot sudoers rules John Helmert III (Mar 01)
  - Re: sudo: double free with per-command chroot sudoers rules Noryungi (Mar 01)
  - Re: sudo: double free with per-command chroot sudoers rules Todd C. Miller (Mar 01)
    - Re: sudo: double free with per-command chroot sudoers rules Marc Deslauriers (Mar 01)