sudo: Fix CVE-2025-32462
authorVijay Anusuri <vanusuri@mvista.com>
Tue, 8 Jul 2025 12:35:31 +0000 (18:05 +0530)
committerSteve Sakoman <steve@sakoman.com>
Tue, 8 Jul 2025 21:45:39 +0000 (14:45 -0700)
Upstream-Status: Backport from https://github.com/sudo-project/sudo/commit/d530367828e3713d09489872743eb92d31fb11ff

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
meta/recipes-extended/sudo/files/CVE-2025-32462.patch [new file with mode: 0644]
meta/recipes-extended/sudo/sudo_1.9.15p5.bb

diff --git a/meta/recipes-extended/sudo/files/CVE-2025-32462.patch b/meta/recipes-extended/sudo/files/CVE-2025-32462.patch
new file mode 100644 (file)
index 0000000..04610d4
--- /dev/null
@@ -0,0 +1,42 @@
+From d530367828e3713d09489872743eb92d31fb11ff Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller" <Todd.Miller@sudo.ws>
+Date: Tue, 1 Apr 2025 09:24:51 -0600
+Subject: [PATCH] Only allow a remote host to be specified when listing
+ privileges.
+
+This fixes a bug where a user with sudoers privileges on a different
+host could execute a command on the local host, even if the sudoers
+file would not otherwise allow this.  CVE-2025-32462
+
+Reported by Rich Mirch @ Stratascale Cyber Research Unit (CRU).
+
+Upstream-Status: Backport [https://github.com/sudo-project/sudo/commit/d530367828e3713d09489872743eb92d31fb11ff]
+CVE: CVE-2025-32462
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ plugins/sudoers/sudoers.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c
+index 70a0c1a528..ad2fa2f61c 100644
+--- a/plugins/sudoers/sudoers.c
++++ b/plugins/sudoers/sudoers.c
+@@ -350,6 +350,18 @@ sudoers_check_common(struct sudoers_context *ctx, int pwflag)
+     time_t now;
+     debug_decl(sudoers_check_common, SUDOERS_DEBUG_PLUGIN);
++    /* The user may only specify a host for "sudo -l". */
++    if (!ISSET(ctx->mode, MODE_LIST|MODE_CHECK)) {
++      if (strcmp(ctx->runas.host, ctx->user.host) != 0) {
++          log_warningx(ctx, SLOG_NO_STDERR|SLOG_AUDIT,
++              N_("user not allowed to set remote host for command"));
++          sudo_warnx("%s",
++              U_("a remote host may only be specified when listing privileges."));
++          ret = false;
++          goto done;
++      }
++    }
++
+     /* If given the -P option, set the "preserve_groups" flag. */
+     if (ISSET(ctx->mode, MODE_PRESERVE_GROUPS))
+       def_preserve_groups = true;
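Review bot: The added check is the upstream hunk as-is, written against the `struct sudoers_context` API (`ctx->mode`, `ctx->runas.host`, `ctx->user.host`, `log_warningx(ctx, ...)`), while the recipe this commit patches is sudo_1.9.15p5; if that release's `sudoers_check_common` still has the older signature and reads file-scope globals instead of `ctx`, the context lines around `MODE_PRESERVE_GROUPS` would not match and do_patch would reject the file, so it is worth confirming the patch was generated against a 1.9.15p5 tree rather than copied from the 1.9.17p1 commit — I cannot tell from the page. If an adaptation was needed, say so in the patch header under the `Upstream-Status:` line, e.g. `Adapted to the pre-sudoers_context API used by 1.9.15p5`. The rest of `sudoers_check_common`, including `ret` and the `done:` label the new `goto done` relies on, lies outside the hunk. The rejection is logged with `SLOG_AUDIT`, which is the record a defender would look for when a `-h` host is refused; keep that flag if the hunk is reworked.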
index 8e542015ad51398c69e023b161f69ef87c26e250..30860eb75e1192ba5d069aac59291cc72dc99ad5 100644 (file)
@@ -3,6 +3,7 @@ require sudo.inc
 SRC_URI = "https://www.sudo.ws/dist/sudo-${PV}.tar.gz \
            ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
            file://0001-sudo.conf.in-fix-conflict-with-multilib.patch \
+           file://CVE-2025-32462.patch \
            "
 
 PAM_SRC_URI = "file://sudo.pam"