diff --git a/0001-fix-cve-CVE-2025-32462.patch b/0001-fix-cve-CVE-2025-32462.patch
new file mode 100644
index 0000000000000000000000000000000000000000..96ed9b5d5b8de48d968b4a7283e8a8c35a88c102
--- /dev/null
+++ b/0001-fix-cve-CVE-2025-32462.patch
@@ -0,0 +1,162 @@
+From d60dba2a62f7742f18b7a92cf0e2e8f2ef88db1c Mon Sep 17 00:00:00 2001
+From: zhuhongbo
+Date: Thu, 13 Nov 2025 11:39:43 +0800
+Subject: [PATCH] fix cve CVE-2025-32462
+
+---
+ plugins/sudoers/audit.c | 54 ++++++++++++++++++++++++++++++++++++++
+ plugins/sudoers/def_data.h | 2 ++
+ plugins/sudoers/logging.c | 7 +++++
+ plugins/sudoers/logging.h | 2 ++
+ plugins/sudoers/sudoers.c | 12 +++++++++
+ 5 files changed, 77 insertions(+)
+
+diff --git a/plugins/sudoers/audit.c b/plugins/sudoers/audit.c
+index 26a2819..45605bc 100644
+--- a/plugins/sudoers/audit.c
++++ b/plugins/sudoers/audit.c
+@@ -32,6 +32,8 @@
+ # include "solaris_audit.h"
+ #endif
+ 
++char *audit_msg = NULL;
++
+ int
+ audit_success(int argc, char *argv[])
+ {
+@@ -56,6 +58,58 @@ audit_success(int argc, char *argv[])
+ debug_return_int(rc);
+ }
+ 
++static int
++audit_failure_int(char *const argv[], const char *message)
++{
++ int ret = 0;
++ debug_decl(audit_failure_int, SUDOERS_DEBUG_AUDIT);
++
++#if defined(HAVE_BSM_AUDIT) || defined(HAVE_LINUX_AUDIT)
++ if (def_log_denied && argv != NULL) {
++#ifdef HAVE_BSM_AUDIT
++ if (bsm_audit_failure(argv, message) == -1)
++ ret = -1;
++#endif
++#ifdef HAVE_LINUX_AUDIT
++ if (linux_audit_command(argv, 0) == -1)
++ ret = -1;
++#endif
++#ifdef HAVE_SOLARIS_AUDIT
++ if (solaris_audit_failure(argv, message) == -1)
++ ret = -1;
++#endif
++ }
++#endif /* HAVE_BSM_AUDIT || HAVE_LINUX_AUDIT */
++
++ debug_return_int(ret);
++}
++
++int
++vaudit_failure(char *const argv[], char const *const fmt, va_list ap)
++{
++ int oldlocale, ret;
++ char *message;
++ debug_decl(vaudit_failure, SUDOERS_DEBUG_AUDIT);
++
++ /* Audit messages should be in the sudoers locale. */
++ sudoers_setlocale(SUDOERS_LOCALE_SUDOERS, &oldlocale);
++
++ if ((ret = vasprintf(&message, _(fmt), ap)) == -1)
++ sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
++
++ if (ret != -1) {
++ /* Set audit_msg for audit plugins. */
++ free(audit_msg);
++ audit_msg = message;
++
++ ret = audit_failure_int(argv, audit_msg);
++ }
++
++ sudoers_setlocale(oldlocale, NULL);
++
++ debug_return_int(ret);
++}
++
+ int
+ audit_failure(int argc, char *argv[], char const *const fmt, ...)
+ {
+diff --git a/plugins/sudoers/def_data.h b/plugins/sudoers/def_data.h
+index 8f2eb3e..855965e 100644
+--- a/plugins/sudoers/def_data.h
++++ b/plugins/sudoers/def_data.h
+@@ -232,6 +232,8 @@
+ #define def_cmnd_no_wait (sudo_defs_table[I_CMND_NO_WAIT].sd_un.flag)
+ #define I_PAM_ACCT_MGMT 116
+ #define def_pam_acct_mgmt (sudo_defs_table[I_PAM_ACCT_MGMT].sd_un.flag)
++#define I_LOG_DENIED 116
++#define def_log_denied (sudo_defs_table[I_LOG_DENIED].sd_un.flag)
+ 
+ enum def_tuple {
+ never,
+diff --git a/plugins/sudoers/logging.c b/plugins/sudoers/logging.c
+index 7751a67..6034565 100644
+--- a/plugins/sudoers/logging.c
++++ b/plugins/sudoers/logging.c
+@@ -503,6 +503,13 @@ vlog_warning(int flags, const char *fmt, va_list ap)
+ int len;
+ debug_decl(vlog_error, SUDOERS_DEBUG_LOGGING)
+ 
++ /* Do auditing first (audit_failure() handles the locale itself). */
++ if (ISSET(flags, SLOG_AUDIT)) {
++ va_copy(ap2, ap);
++ vaudit_failure(NewArgv, fmt, ap2);
++ va_end(ap2);
++ }
++
+ /* Need extra copy of ap for sudo_vwarn()/sudo_vwarnx() below. */
+ va_copy(ap2, ap);
+ 
+diff --git a/plugins/sudoers/logging.h b/plugins/sudoers/logging.h
+index 08202b3..e7e152b 100644
+--- a/plugins/sudoers/logging.h
++++ b/plugins/sudoers/logging.h
+@@ -41,6 +41,7 @@
+ #define SLOG_SEND_MAIL 0x04 /* log via mail */
+ #define SLOG_NO_STDERR 0x08 /* do not log via stderr */
+ #define SLOG_NO_LOG 0x10 /* do not log via file or syslog */
++#define SLOG_AUDIT 0x40 /* send message to audit as well */
+ 
+ /*
+ * Maximum number of characters to log per entry. The syslogger
+@@ -63,6 +64,7 @@ extern char **NewArgv;
+ 
+ union sudo_defs_val;
+ 
++int vaudit_failure(char *const argv[], char const *const fmt, va_list ap) __printflike(2, 0);
+ bool sudoers_warn_setlocale(bool restore, int *cookie);
+ bool sudoers_setlocale(int newlocale, int *prevlocale);
+ int sudoers_getlocale(void);
+diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c
+index a996fa7..1549c2d 100644
+--- a/plugins/sudoers/sudoers.c
++++ b/plugins/sudoers/sudoers.c
+@@ -302,6 +302,18 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
+ }
+ }
+ 
++ /* The user may only specify a host for "sudo -l". */
++ if (!ISSET(sudo_mode, MODE_LIST|MODE_CHECK)) {
++ if (strcmp(user_runhost, user_host) != 0) {
++ log_warningx(SLOG_NO_STDERR|SLOG_AUDIT,
++ N_("user not allowed to set remote host for command"));
++ sudo_warnx("%s",
++ U_("a remote host may only be specified when listing privileges."));
++ ret = false;
++ goto done;
++ }
++ }
++
+ /* If given the -P option, set the "preserve_groups" flag. */
+ if (ISSET(sudo_mode, MODE_PRESERVE_GROUPS))
+ def_preserve_groups = true;
+--
+2.39.3
+
diff --git a/sudo.spec b/sudo.spec
index 7d689a2de02051ceb29f65f83015f327e5080f90..820929e4b417ecf1835a4bd147a178e235d261a6 100644
--- a/sudo.spec
+++ b/sudo.spec
@@ -1,7 +1,7 @@
 Summary: Allows restricted root access for specified users
 Name: sudo
 Version: 1.8.23
-Release: 10%{?dist}.3
+Release: 10%{?dist}.4
 License: ISC
 Group: Applications/System
 URL: http://www.courtesan.com/sudo/
@@ -85,6 +85,7 @@ Patch21: sudo-1.9.7-tty-relabel2.patch
 Patch24: sudo-1.9.12-CVE-2023-22809-whitelist.patch
 Patch25: sudo-1.9.12-CVE-2023-22809-backports.patch
 Patch26: sudo-1.9.12-CVE-2023-22809.patch
+Patch27: 0001-fix-cve-CVE-2025-32462.patch
 
 %description
 Sudo (superuser do) allows a system administrator to give certain
@@ -142,6 +143,7 @@ plugins that use %{name}.
 %patch24 -p1 -b .whitelist
 %patch25 -p1 -b .backports
 %patch26 -p1 -b .cve
+%patch27 -p1 -b .cve-CVE-2025-32462
 
 %build
 autoreconf -I m4 -fv --install
@@ -278,6 +280,9 @@ rm -rf %{buildroot}
 %{_mandir}/man8/sudo_plugin.8*
 
 %changelog
+* Wed Nov 12 2025 zhuhongbo - 1.8.23-10.4
+- fix: fix cve CVE-2025-32462
+
 * Wed Jan 11 2023 Radovan Sroka - 1.8.23-10.3
 RHEL 7.9.Z ERRATUM
 - CVE-2023-22809 sudo: arbitrary file write with privileges of the RunAs user
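Review bot: `#define I_LOG_DENIED 116` in the embedded def_data.h hunk reuses the index already assigned to `I_PAM_ACCT_MGMT` on the line above it, so `def_log_denied` reads the pam_acct_mgmt flag, and the `def_log_denied && argv != NULL` gate in the new `audit_failure_int()` audits the rejected remote host only while PAM account management happens to be enabled rather than under a setting of its own. The embedded diffstat lists no def_data.in/def_data.c change, so there is also no sudo_defs_table entry behind the new default; sudo 1.8.23 appears not to have a log_denied setting at all, which suggests the gate was carried over from a newer source tree. Either give the new default a real table entry with its own index, or drop the gate in this backport and write `if (argv != NULL) {` so the denial is always audited. A smaller point in the same hunk: `vaudit_failure()` is prototyped in logging.h with a `va_list` parameter, so that header needs `<stdarg.h>` in scope unless something it already includes provides it.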