+++ /dev/null
-From d530367828e3713d09489872743eb92d31fb11ff Mon Sep 17 00:00:00 2001
-From: "Todd C. Miller" <Todd.Miller@sudo.ws>
-Date: Tue, 1 Apr 2025 09:24:51 -0600
-Subject: [PATCH] Only allow a remote host to be specified when listing
- privileges.
-
-This fixes a bug where a user with sudoers privileges on a different
-host could execute a command on the local host, even if the sudoers
-file would not otherwise allow this. CVE-2025-32462
-
-Reported by Rich Mirch @ Stratascale Cyber Research Unit (CRU).
-
-Upstream-Status: Backport [https://github.com/sudo-project/sudo/commit/d530367828e3713d09489872743eb92d31fb11ff]
-CVE: CVE-2025-32462
-Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
----
- plugins/sudoers/sudoers.c | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
-
-diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c
-index 70a0c1a528..ad2fa2f61c 100644
---- a/plugins/sudoers/sudoers.c
-+++ b/plugins/sudoers/sudoers.c
-@@ -350,6 +350,18 @@ sudoers_check_common(struct sudoers_context *ctx, int pwflag)
- time_t now;
- debug_decl(sudoers_check_common, SUDOERS_DEBUG_PLUGIN);
-
-+ /* The user may only specify a host for "sudo -l". */
-+ if (!ISSET(ctx->mode, MODE_LIST|MODE_CHECK)) {
-+ if (strcmp(ctx->runas.host, ctx->user.host) != 0) {
-+ log_warningx(ctx, SLOG_NO_STDERR|SLOG_AUDIT,
-+ N_("user not allowed to set remote host for command"));
-+ sudo_warnx("%s",
-+ U_("a remote host may only be specified when listing privileges."));
-+ ret = false;
-+ goto done;
-+ }
-+ }
-+
- /* If given the -P option, set the "preserve_groups" flag. */
- if (ISSET(ctx->mode, MODE_PRESERVE_GROUPS))
- def_preserve_groups = true;
projects / thirdparty / openembedded / openembedded-core-contrib.git / commitdiff
