From d01f888a5ec43fdc8e7bd496ae9317c0fa28da9b Mon Sep 17 00:00:00 2001
From: Vijay Anusuri
Date: Tue, 8 Jul 2025 18:05:31 +0530
Subject: [PATCH] sudo: Fix CVE-2025-32462
Upstream-Status: Backport from https://github.com/sudo-project/sudo/commit/d530367828e3713d09489872743eb92d31fb11ff
Signed-off-by: Vijay Anusuri
Signed-off-by: Steve Sakoman
---
 .../sudo/files/CVE-2025-32462.patch | 42 +++++++++++++++++++
 meta/recipes-extended/sudo/sudo_1.9.15p5.bb | 1 +
 2 files changed, 43 insertions(+)
 create mode 100644 meta/recipes-extended/sudo/files/CVE-2025-32462.patch
diff --git a/meta/recipes-extended/sudo/files/CVE-2025-32462.patch b/meta/recipes-extended/sudo/files/CVE-2025-32462.patch
new file mode 100644
index 00000000000..04610d40fd3
--- /dev/null
+++ b/meta/recipes-extended/sudo/files/CVE-2025-32462.patch
@@ -0,0 +1,42 @@
+From d530367828e3713d09489872743eb92d31fb11ff Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller"
+Date: Tue, 1 Apr 2025 09:24:51 -0600
+Subject: [PATCH] Only allow a remote host to be specified when listing
+ privileges.
+
+This fixes a bug where a user with sudoers privileges on a different
+host could execute a command on the local host, even if the sudoers
+file would not otherwise allow this. CVE-2025-32462
+
+Reported by Rich Mirch @ Stratascale Cyber Research Unit (CRU).
+
+Upstream-Status: Backport [https://github.com/sudo-project/sudo/commit/d530367828e3713d09489872743eb92d31fb11ff]
+CVE: CVE-2025-32462
+Signed-off-by: Vijay Anusuri
+---
+ plugins/sudoers/sudoers.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c
+index 70a0c1a528..ad2fa2f61c 100644
+--- a/plugins/sudoers/sudoers.c
++++ b/plugins/sudoers/sudoers.c
+@@ -350,6 +350,18 @@ sudoers_check_common(struct sudoers_context *ctx, int pwflag)
+ time_t now;
+ debug_decl(sudoers_check_common, SUDOERS_DEBUG_PLUGIN);
+
++ /* The user may only specify a host for "sudo -l". */
++ if (!ISSET(ctx->mode, MODE_LIST|MODE_CHECK)) {
++ if (strcmp(ctx->runas.host, ctx->user.host) != 0) {
++ log_warningx(ctx, SLOG_NO_STDERR|SLOG_AUDIT,
++ N_("user not allowed to set remote host for command"));
++ sudo_warnx("%s",
++ U_("a remote host may only be specified when listing privileges."));
++ ret = false;
++ goto done;
++ }
++ }
++
+ /* If given the -P option, set the "preserve_groups" flag. */
+ if (ISSET(ctx->mode, MODE_PRESERVE_GROUPS))
+ def_preserve_groups = true;
diff --git a/meta/recipes-extended/sudo/sudo_1.9.15p5.bb b/meta/recipes-extended/sudo/sudo_1.9.15p5.bb
index 8e542015ad5..30860eb75e1 100644
--- a/meta/recipes-extended/sudo/sudo_1.9.15p5.bb
+++ b/meta/recipes-extended/sudo/sudo_1.9.15p5.bb
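Review bot: The guard added to sudoers_check_common in the nested hunk only compares hostnames when neither MODE_LIST nor MODE_CHECK is set, and it relies on `ctx->runas.host` already being populated (presumably defaulting to `ctx->user.host` when no -h option is given); if that field can still be NULL anywhere in the 1.9.15p5 tree, the `strcmp` here is undefined behaviour, so that initialisation path should be confirmed in the backport target before merging. The patch is carried verbatim from upstream (same blob ids 70a0c1a528..ad2fa2f61c and the `struct sudoers_context *ctx` signature), so it is worth checking that do_patch applies it without fuzz against 1.9.15p5's sudoers.c and noting in the patch header if any context had to be adjusted. The rejection path logs with SLOG_AUDIT, so attempts to run a command with a remote host are recorded in the audit log; a short comment such as `/* Rejected remote-host command requests are audited via log_warningx(). */` above the block would make that detection point explicit for downstream maintainers. sudoers_check_common continues outside the hunk.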
@@ -3,6 +3,7 @@ require sudo.inc
 SRC_URI = "https://www.sudo.ws/dist/sudo-${PV}.tar.gz \
 ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
 file://0001-sudo.conf.in-fix-conflict-with-multilib.patch \
+ file://CVE-2025-32462.patch \
 "
 
 PAM_SRC_URI = "file://sudo.pam"
-- 
2.47.2