From d530367828e3713d09489872743eb92d31fb11ff Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Tue, 1 Apr 2025 09:24:51 -0600
Subject: [PATCH] Only allow a remote host to be specified when listing privileges.

This fixes a bug where a user with sudoers privileges on a different host could execute a command on the local host, even if the sudoers file would not otherwise allow this.

CVE-2025-32462

Reported by Rich Mirch @ Stratascale Cyber Research Unit (CRU).
---
 plugins/sudoers/sudoers.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c
index 70a0c1a52..ad2fa2f61 100644
--- a/plugins/sudoers/sudoers.c
+++ b/plugins/sudoers/sudoers.c
@@ -350,6 +350,18 @@ sudoers_check_common(struct sudoers_context *ctx, int pwflag)
 time_t now;
 debug_decl(sudoers_check_common, SUDOERS_DEBUG_PLUGIN);
 
+ /* The user may only specify a host for "sudo -l". */
+ if (!ISSET(ctx->mode, MODE_LIST|MODE_CHECK)) {
+ if (strcmp(ctx->runas.host, ctx->user.host) != 0) {
+ log_warningx(ctx, SLOG_NO_STDERR|SLOG_AUDIT,
+ N_("user not allowed to set remote host for command"));
+ sudo_warnx("%s",
+ U_("a remote host may only be specified when listing privileges."));
+ ret = false;
+ goto done;
+ }
+ }
+
 /* If given the -P option, set the "preserve_groups" flag. */
 if (ISSET(ctx->mode, MODE_PRESERVE_GROUPS))
 def_preserve_groups = true;
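Review bot: The new guard compares `ctx->runas.host` with `ctx->user.host` using a case-sensitive `strcmp`, whereas host matching elsewhere in sudoers is, as far as I recall, case-insensitive; because the check fails closed, a case-only difference such as `-h` with the local host name in different case yields a spurious rejection rather than a bypass, so this is a usability caveat rather than a hole, and `strcasecmp` would align it with the Host matching if that is the intent. The guard also assumes `ctx->runas.host` is non-NULL whenever no `-h` was given, which presumably holds because it defaults to the user host during initialization, but that happens outside this hunk and is worth confirming. The comment `/* The user may only specify a host for "sudo -l". */` undersells the condition, which also permits `MODE_CHECK`; `/* A host may only be specified for "sudo -l" or "sudo -l command" (MODE_LIST, MODE_CHECK). */` would match the code. Logging with `SLOG_AUDIT` is the right choice here, since the rejection message gives operators a concrete event to alert on. The `done:` label and the rest of `sudoers_check_common` lie outside the hunk.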