diff --git a/0001-fix-cve-CVE-2025-32462.patch b/0001-fix-cve-CVE-2025-32462.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d3527f03244b16503c6693d05eeb964be0f684a5
--- /dev/null
+++ b/0001-fix-cve-CVE-2025-32462.patch
@@ -0,0 +1,118 @@
+From 89798ca6193665387f540ec5a7b0650690ff9563 Mon Sep 17 00:00:00 2001
+From: zhuhongbo
+Date: Thu, 13 Nov 2025 10:43:44 +0800
+Subject: [PATCH] fix cve CVE-2025-32462
+
+---
+ plugins/sudoers/audit.c | 26 ++++++++++++++++++++
+ plugins/sudoers/logging.c | 7 ++++++
+ plugins/sudoers/logging.h | 2 ++
+ plugins/sudoers/regress/testsudoers/test3.sh | 0
+ plugins/sudoers/sudoers.c | 12 +++++++++
+ 5 files changed, 47 insertions(+)
+ mode change 100755 => 100644 plugins/sudoers/regress/testsudoers/test3.sh
+
+diff --git a/plugins/sudoers/audit.c b/plugins/sudoers/audit.c
+index 26a2819..295a0c4 100644
+--- a/plugins/sudoers/audit.c
++++ b/plugins/sudoers/audit.c
+@@ -56,6 +56,32 @@ audit_success(int argc, char *argv[])
+ debug_return_int(rc);
+ }
+
++int
++vaudit_failure(char *const argv[], char const *const fmt, va_list ap)
++{
++ int oldlocale, ret;
++ char *message;
++ debug_decl(vaudit_failure, SUDOERS_DEBUG_AUDIT);
++
++ /* Audit messages should be in the sudoers locale. */
++ sudoers_setlocale(SUDOERS_LOCALE_SUDOERS, &oldlocale);
++
++ if ((ret = vasprintf(&message, _(fmt), ap)) == -1)
++ sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
++
++ if (ret != -1) {
++ /* Set audit_msg for audit plugins. */
++ free(audit_msg);
++ audit_msg = message;
++
++ ret = audit_failure_int(argv, audit_msg);
++ }
++
++ sudoers_setlocale(oldlocale, NULL);
++
++ debug_return_int(ret);
++}
++
+ int
+ audit_failure(int argc, char *argv[], char const *const fmt, ...)
+ {
+diff --git a/plugins/sudoers/logging.c b/plugins/sudoers/logging.c
+index 7751a67..6034565 100644
+--- a/plugins/sudoers/logging.c
++++ b/plugins/sudoers/logging.c
+@@ -503,6 +503,13 @@ vlog_warning(int flags, const char *fmt, va_list ap)
+ int len;
+ debug_decl(vlog_error, SUDOERS_DEBUG_LOGGING)
+
++ /* Do auditing first (audit_failure() handles the locale itself).
*/
++ if (ISSET(flags, SLOG_AUDIT)) {
++ va_copy(ap2, ap);
++ vaudit_failure(NewArgv, fmt, ap2);
++ va_end(ap2);
++ }
++
+ /* Need extra copy of ap for sudo_vwarn()/sudo_vwarnx() below. */
+ va_copy(ap2, ap);
+
+diff --git a/plugins/sudoers/logging.h b/plugins/sudoers/logging.h
+index 08202b3..e7e152b 100644
+--- a/plugins/sudoers/logging.h
++++ b/plugins/sudoers/logging.h
+@@ -41,6 +41,7 @@
+ #define SLOG_SEND_MAIL 0x04 /* log via mail */
+ #define SLOG_NO_STDERR 0x08 /* do not log via stderr */
+ #define SLOG_NO_LOG 0x10 /* do not log via file or syslog */
++#define SLOG_AUDIT 0x40 /* send message to audit as well */
+
+ /*
+ * Maximum number of characters to log per entry. The syslogger
+@@ -63,6 +64,7 @@ extern char **NewArgv;
+
+ union sudo_defs_val;
+
++int vaudit_failure(char *const argv[], char const *const fmt, va_list ap) __printflike(2, 0);
+ bool sudoers_warn_setlocale(bool restore, int *cookie);
+ bool sudoers_setlocale(int newlocale, int *prevlocale);
+ int sudoers_getlocale(void);
+diff --git a/plugins/sudoers/regress/testsudoers/test3.sh b/plugins/sudoers/regress/testsudoers/test3.sh
+old mode 100755
+new mode 100644
+diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c
+index a996fa7..1549c2d 100644
+--- a/plugins/sudoers/sudoers.c
++++ b/plugins/sudoers/sudoers.c
+@@ -302,6 +302,18 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
+ }
+ }
+
++ /* The user may only specify a host for "sudo -l". */
++ if (!ISSET(sudo_mode, MODE_LIST|MODE_CHECK)) {
++ if (strcmp(user_runhost, user_host) != 0) {
++ log_warningx(SLOG_NO_STDERR|SLOG_AUDIT,
++ N_("user not allowed to set remote host for command"));
++ sudo_warnx("%s",
++ U_("a remote host may only be specified when listing privileges."));
++ ret = false;
++ goto done;
++ }
++ }
++
+ /* If given the -P option, set the "preserve_groups" flag. */
+ if (ISSET(sudo_mode, MODE_PRESERVE_GROUPS))
+ def_preserve_groups = true;
+--
+2.39.3
+
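Review bot: `vaudit_failure()` in the audit.c hunk frees and reassigns `audit_msg` and calls `audit_failure_int()`, but no hunk in this patch defines either name, so the backport only builds if the 1.8.23 `audit.c` already provides them. The `/* Set audit_msg for audit plugins. */` comment suggests the function was lifted from a newer branch, so this should be confirmed against the target tree before the host check in `sudoers_policy_main()` is relied on. In the logging.c hunk the comment still names `audit_failure()` although the call is `vaudit_failure()`; I would write `/* Do auditing first (vaudit_failure() handles the locale itself). */`. The `test3.sh` mode change from 100755 to 100644 looks unrelated to the fix, and no regression test covering the rejected remote-host case is added. `vlog_warning()` and `sudoers_policy_main()` both continue outside their hunks.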
diff --git a/sudo.spec b/sudo.spec index 7d689a2de02051ceb29f65f83015f327e5080f90..c21c60577dc4a786ad11605e0336ed9ed2741f7a 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,7 +1,7 @@ Summary: Allows restricted root access for specified users Name: sudo Version: 1.8.23 -Release: 10%{?dist}.3 +Release: 10%{?dist}.4 License: ISC Group: Applications/System URL: http://www.courtesan.com/sudo/ @@ -85,6 +85,7 @@ Patch21: sudo-1.9.7-tty-relabel2.patch Patch24: sudo-1.9.12-CVE-2023-22809-whitelist.patch Patch25: sudo-1.9.12-CVE-2023-22809-backports.patch Patch26: sudo-1.9.12-CVE-2023-22809.patch +Patch27: 0001-fix-cve-CVE-2025-32462.patch %description Sudo (superuser do) allows a system administrator to give certain @@ -142,6 +143,7 @@ plugins that use %{name}. %patch24 -p1 -b .whitelist %patch25 -p1 -b .backports %patch26 -p1 -b .cve +%patch27 -p1 -b .cve-CVE-2025-32462 %build autoreconf -I m4 -fv --install @@ -173,7 +175,8 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" SHL --with-selinux \ --with-passprompt="[sudo] password for %p: " \ --with-linux-audit \ - --with-sssd + --with-sssd \ + --without-audit make @@ -278,6 +281,9 @@ rm -rf %{buildroot} %{_mandir}/man8/sudo_plugin.8* %changelog +* Wed Nov 12 2025 zhuhongbo - 1.8.23-10.4 +- fix: fix cve CVE-2025-32462 + * Wed Jan 11 2023 Radovan Sroka - 1.8.23-10.3 RHEL 7.9.Z ERRATUM - CVE-2023-22809 sudo: arbitrary file write with privileges of the RunAs user
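Review bot: The configure hunk (`@@ -173,7 +175,8 @@`) adds `--without-audit` directly below `--with-linux-audit`, and neither the `%changelog` entry nor the patch description explains it. From the visible lines I cannot tell which configure option this maps to. If the sudo 1.8.23 configure script does not define it, autoconf by default only warns about an unrecognized option and the flag is a no-op. If it does define it, the build may lose audit records, including the `SLOG_AUDIT` event the new patch emits when a remote host is rejected. I would either drop the line and keep `--with-sssd` as the last option, or state the reason in `%changelog`.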