mirror of https://github.com/sudo-project/sudo.git synced 2025-08-22 01:49:11 +00:00

Fix a potential use-after-free bug with cvtsudoers filtering.

In role_to_sudoers() when merging a privilege to the previous one
where the runas lists are the same we need to re-use the runas lists
of the last command in the previous privilege, not the first.
Otherwise, the check in free_cmndspec() will not notice the re-used
runas lists.  Reported/analyzed by Sohom Datta.  GitHub issue #198.
Todd C. Miller 2022-11-10 14:55:56 -07:00
parent 5683fc6f7a
commit 264326de57


@ -432,11 +432,11 @@ role_to_sudoers(struct sudoers_parse_tree *parse_tree, struct sudo_role *role,
struct privilege *prev_priv = TAILQ_LAST(&us->privileges, privilege_list);
if (reuse_runas) {
/* Runas users and groups same if as in previous privilege. */
struct member_list *runasuserlist =
TAILQ_FIRST(&prev_priv->cmndlist)->runasuserlist;
struct member_list *runasgrouplist =
TAILQ_FIRST(&prev_priv->cmndlist)->runasgrouplist;
struct cmndspec *cmndspec = TAILQ_FIRST(&priv->cmndlist);
const struct cmndspec *prev_cmndspec =
TAILQ_LAST(&prev_priv->cmndlist, cmndspec_list);
struct member_list *runasuserlist = prev_cmndspec->runasuserlist;
struct member_list *runasgrouplist = prev_cmndspec->runasgrouplist;
/* Free duplicate runas lists. */
if (cmndspec->runasuserlist != NULL) {
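Review bot: The reason the donor must be the last cmndspec of `prev_priv` is recorded only in the commit message, so the new `prev_cmndspec` lines inside `if (reuse_runas)` read as an arbitrary choice that a later cleanup could turn back into the use-after-free. A comment above the `TAILQ_LAST()` call would pin the ownership rule in the code, e.g. `/* Share with the LAST cmndspec of prev_priv so free_cmndspec() can detect the re-used runas lists. */`. Separately, `prev_cmndspec` is dereferenced without a NULL check. Whether a privilege can have an empty cmndlist is not visible here, and the old `TAILQ_FIRST()` code made the same assumption, but `TAILQ_LAST()` returns NULL on an empty list, so a guard or an explicit statement of the invariant would help. The `if (reuse_runas)` block and role_to_sudoers() itself continue outside the hunk.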