Bug 970135

Summary: visudo memory corruption causes corrupt output
Product: Red Hat Enterprise Linux 5
Reporter: Philip Rowlands <phr>
Component: sudo
Assignee: Daniel Kopeček <dkopecek>
Status: CLOSED WONTFIX
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified
Priority: unspecified
Version: 5.9
CC: dkopecek, phr
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Doc Type: Bug Fix
Last Closed: 2014-06-02 13:18:58 UTC
Type: Bug

Description Philip Rowlands 2013-06-03 14:06:08 UTC
We use a centralized sudoers file which is sanity-checked by various scripts. By using duplicate aliases (see below), we can provoke visudo -c to generate corrupt output.

$ visudo -V
visudo version 1.7.2p1

$ rpm -q sudo
sudo-1.7.2p1-22.el5

# sudoers.test is based on a real file, although some tokens have been
# sanitised for this bug
$ cat sudoers.test
Cmnd_Alias      XXXSU = /usr/bin/su - user11, \
                        /usr/bin/su - user22, \
                        /usr/bin/su - user33
XYZ             LOCAL= NOPASSWD: YYYSU
User_Alias      BBBADMIN = %bbbadmin
Cmnd_Alias      ZZZADMIN = !/usr/bin/passwd root, /usr/bin/change_password
Cmnd_Alias      USERADMIN = /home/foo
XXSUP           LOCAL = NOPASSWD: XXBATCH

Cmnd_Alias      XXXSU = /usr/bin/su - user22, \
                        /usr/bin/su - user33, \
                        /usr/bin/su - user66
User_Alias      BBBADMIN = %bbbadmin
Cmnd_Alias      ZZZADMIN = !/usr/bin/passwd root, /usr/bin/change_password
Cmnd_Alias      USERADMIN = /home/foo

$ visudo -c -f sudoers.test 2>&1 | cat -v
>>> sudoers.test: Alias `' already defined near line 12 <<<
>>> sudoers.test: Alias `M-@4M--M-v^S+' already defined near line 13 <<<
>>> sudoers.test: Alias `04M--M-v^S+' already defined near line 14 <<<
>>> sudoers.test: Alias `^P5M--M-v^S+' already defined near line 15 <<<
parse error in sudoers.test near line 12

# strangely, running under valgrind works OK
$ valgrind --log-file=/tmp/valgrind.out visudo -c -f sudoers.test
>>> sudoers.test: Alias `XXXSU' already defined near line 12 <<<
>>> sudoers.test: Alias `BBBADMIN' already defined near line 13 <<<
>>> sudoers.test: Alias `ZZZADMIN' already defined near line 14 <<<
>>> sudoers.test: Alias `USERADMIN' already defined near line 15 <<<
parse error in sudoers.test near line 12

# although with evidence of memory corruption in /tmp/valgrind.out
==3117== LEAK SUMMARY:
==3117==    definitely lost: 56 bytes in 1 blocks
==3117==    indirectly lost: 97 bytes in 2 blocks
==3117==      possibly lost: 0 bytes in 0 blocks
==3117==    still reachable: 69,048 bytes in 282 blocks
==3117==         suppressed: 0 bytes in 0 blocks
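
A sanity-check script can flag redefined aliases itself, so it does not depend on the alias name in visudo's message, which is the part that came out garbled above. The following is an added example, not part of the original report and not sudo code; the function names are hypothetical, the alias-name regex is a simplification of the sudoers grammar, and treating names as unique per alias type is an assumption.

```python
import re

ALIAS_RE = re.compile(r"^(User|Runas|Host|Cmnd)_Alias\s+(.*)$")  # sudoers alias keywords
NAME_RE = re.compile(r"(?:^|:)\s*([A-Z][A-Z0-9_]*)\s*=")  # NAME = ..., also after ':'

def logical_lines(text):
    """Yield (first_line, last_line, text) with backslash continuations folded."""
    buf, start = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        start = start or no
        buf.append(raw.rstrip("\\"))
        if not raw.endswith("\\"):
            yield start, no, " ".join(buf)
            buf, start = [], None
    if buf:  # file ended in the middle of a continuation
        yield start, no, " ".join(buf)

def duplicate_aliases(text):
    """Return (name, first_def_line, dup_first_line, dup_last_line) per redefinition."""
    seen, dups = {}, []
    for start, end, line in logical_lines(text):
        m = ALIAS_RE.match(line.strip())
        for name in NAME_RE.findall(m.group(2)) if m else ():
            key = (m.group(1), name)  # assumption: names are unique per alias type
            if key in seen:
                dups.append((name, seen[key], start, end))
            else:
                seen[key] = start
    return dups

# sudoers.test exactly as posted in the report (already sanitised by the reporter).
SAMPLE = r"""Cmnd_Alias      XXXSU = /usr/bin/su - user11, \
                        /usr/bin/su - user22, \
                        /usr/bin/su - user33
XYZ             LOCAL= NOPASSWD: YYYSU
User_Alias      BBBADMIN = %bbbadmin
Cmnd_Alias      ZZZADMIN = !/usr/bin/passwd root, /usr/bin/change_password
Cmnd_Alias      USERADMIN = /home/foo
XXSUP           LOCAL = NOPASSWD: XXBATCH

Cmnd_Alias      XXXSU = /usr/bin/su - user22, \
                        /usr/bin/su - user33, \
                        /usr/bin/su - user66
User_Alias      BBBADMIN = %bbbadmin
Cmnd_Alias      ZZZADMIN = !/usr/bin/passwd root, /usr/bin/change_password
Cmnd_Alias      USERADMIN = /home/foo"""
if __name__ == "__main__":
    for name, first, lo, hi in duplicate_aliases(SAMPLE):
        print(f"{name}: defined at line {first}, redefined at lines {lo}-{hi}")
```

The last line number of each redefinition (12, 13, 14, 15) matches the "near line" values in the visudo output above, so the two reports can be cross-checked even when the alias name in visudo's message is unreadable.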

Comment 1 Philip Rowlands 2013-07-31 09:38:40 UTC
Filed as RH Support Case 914277.

Comment 2 RHEL Program Management 2014-03-07 12:49:07 UTC
This bug/component is not included in scope for RHEL-5.11.0 which is the last RHEL5 minor release. This Bugzilla will soon be CLOSED as WONTFIX (at the end of RHEL5.11 development phase (Apr 22, 2014)). Please contact your account manager or support representative in case you need to escalate this bug.

Comment 3 RHEL Program Management 2014-06-02 13:18:58 UTC
Thank you for submitting this request for inclusion in Red Hat Enterprise Linux 5. We've carefully evaluated the request, but are unable to include it in RHEL5 stream. If the issue is critical for your business, please provide additional business justification through the appropriate support channels (https://access.redhat.com/site/support).

Comment 4 Philip Rowlands 2014-07-06 15:53:08 UTC
Not sure why this has been tagged NEEDINFO against me when already closed, so I'm adding this comment to clear the flag and stop the nagmails.