Bug 970135 - visudo memory corruption causes corrupt output
Summary: visudo memory corruption causes corrupt output
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: sudo
Version: 5.9
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Daniel Kopeček
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-06-03 14:06 UTC by Philip Rowlands
Modified: 2014-07-06 15:53 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-02 13:18:58 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)

Description Philip Rowlands 2013-06-03 14:06:08 UTC 
We use a centralized sudoers file which is sanity-checked by various scripts. By using duplicate aliases (see below), we can provoke visudo -c to generate corrupt output.

$ visudo -V
visudo version 1.7.2p1

$ rpm -q sudo
sudo-1.7.2p1-22.el5

# sudoers.test is based on a real file, although some tokens have been
# sanitised for this bug
$ cat sudoers.test
Cmnd_Alias      XXXSU = /usr/bin/su - user11, \
                        /usr/bin/su - user22, \
                        /usr/bin/su - user33
XYZ             LOCAL= NOPASSWD: YYYSU
User_Alias      BBBADMIN = %bbbadmin
Cmnd_Alias      ZZZADMIN = !/usr/bin/passwd root, /usr/bin/change_password
Cmnd_Alias      USERADMIN = /home/foo
XXSUP           LOCAL = NOPASSWD: XXBATCH

Cmnd_Alias      XXXSU = /usr/bin/su - user22, \
                        /usr/bin/su - user33, \
                        /usr/bin/su - user66
User_Alias      BBBADMIN = %bbbadmin
Cmnd_Alias      ZZZADMIN = !/usr/bin/passwd root, /usr/bin/change_password
Cmnd_Alias      USERADMIN = /home/foo

$ visudo -c -f sudoers.test 2>&1 | cat -v
>>> sudoers.test: Alias `' already defined near line 12 <<<
>>> sudoers.test: Alias `M-@4M--M-v^S+' already defined near line 13 <<<
>>> sudoers.test: Alias `04M--M-v^S+' already defined near line 14 <<<
>>> sudoers.test: Alias `^P5M--M-v^S+' already defined near line 15 <<<
parse error in sudoers.test near line 12

# strangely, running under valgrind works OK
$ valgrind --log-file=/tmp/valgrind.out visudo -c -f sudoers.test
>>> sudoers.test: Alias `XXXSU' already defined near line 12 <<<
>>> sudoers.test: Alias `BBBADMIN' already defined near line 13 <<<
>>> sudoers.test: Alias `ZZZADMIN' already defined near line 14 <<<
>>> sudoers.test: Alias `USERADMIN' already defined near line 15 <<<
parse error in sudoers.test near line 12

# although with evidence of memory corruption in /tmp/valgrind.out
==3117== LEAK SUMMARY:
==3117==    definitely lost: 56 bytes in 1 blocks
==3117==    indirectly lost: 97 bytes in 2 blocks
==3117==      possibly lost: 0 bytes in 0 blocks
==3117==    still reachable: 69,048 bytes in 282 blocks
==3117==         suppressed: 0 bytes in 0 blocks
Comment 1 Philip Rowlands 2013-07-31 09:38:40 UTC 
Filed as RH Support Case 914277.
Comment 2 RHEL Program Management 2014-03-07 12:49:07 UTC 
This bug/component is not included in scope for RHEL-5.11.0 which is the last RHEL5 minor release. This Bugzilla will soon be CLOSED as WONTFIX (at the end of RHEL5.11 development phase (Apr 22, 2014)). Please contact your account manager or support representative in case you need to escalate this bug.
Comment 3 RHEL Program Management 2014-06-02 13:18:58 UTC 
Thank you for submitting this request for inclusion in Red Hat Enterprise Linux 5. We've carefully evaluated the request, but are unable to include it in RHEL5 stream. If the issue is critical for your business, please provide additional business justification through the appropriate support channels (https://access.redhat.com/site/support).
Comment 4 Philip Rowlands 2014-07-06 15:53:08 UTC 
Not sure why this has been tagged NEEDINFO against me when already closed, so I'm adding this comment to clear the flag and stop the nagmails.
Note You need to log in before you can comment on or make changes to this bug.