This patch will upgrade Sudo version 1.8.31 to Sudo version 1.8.31 patchlevel 1. To apply: $ cd sudo-1.8.31 $ patch -p1 < sudo-1.8.31p1.patch diff -urNa sudo-1.8.31/ChangeLog sudo-1.8.31p1/ChangeLog --- sudo-1.8.31/ChangeLog Thu Jan 30 05:56:19 2020 +++ sudo-1.8.31p1/ChangeLog Sat Mar 14 11:25:43 2020 @@ -1,8 +1,25 @@ +2020-03-14 Todd C. Miller + + * .hgtags: + Added tag SUDO_1_8_31p1 for changeset c80864e62917 + [ec1850cd11a2] [tip] <1.8> + + * NEWS, configure, configure.ac: + Sudo 1.8.31p1 + [c80864e62917] [SUDO_1_8_31p1] <1.8> + + * src/limits.c: + Ignore a failure to restore the RLIMIT_CORE resource limit. Linux + containers don't allow RLIMIT_CORE to be set back to RLIM_INFINITY + if we set the limit to zero, even for root. This is not a problem + outside the container. + [314df33eea97] <1.8> + 2020-01-30 Todd C. Miller * .hgtags: Added tag SUDO_1_8_31 for changeset d14f7d0f6174 - [57a9df806149] [tip] <1.8> + [57a9df806149] <1.8> * configure, configure.ac, doc/LICENSE: Sudo 1.8.31 diff -urNa sudo-1.8.31/NEWS sudo-1.8.31p1/NEWS --- sudo-1.8.31/NEWS Thu Jan 30 05:51:46 2020 +++ sudo-1.8.31p1/NEWS Sat Mar 14 11:22:49 2020 @@ -1,3 +1,11 @@ +What's new in Sudo 1.8.31p1 + + * Sudo once again ignores a failure to restore the RLIMIT_CORE + resource limit, as it did prior to version 1.8.29. Linux + containers don't allow RLIMIT_CORE to be set back to RLIM_INFINITY + if we set the limit to zero, even for root, which resulted in a + warning from sudo. + What's new in Sudo 1.8.31 * Fixed CVE-2019-18634, a buffer overflow when the "pwfeedback" diff -urNa sudo-1.8.31/configure sudo-1.8.31p1/configure --- sudo-1.8.31/configure Thu Jan 30 05:52:43 2020 +++ sudo-1.8.31p1/configure Sat Mar 14 11:20:30 2020 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for sudo 1.8.31. +# Generated by GNU Autoconf 2.69 for sudo 1.8.31p1. # # Report bugs to . # @@ -590,8 +590,8 @@ # Identity of this package. PACKAGE_NAME='sudo' PACKAGE_TARNAME='sudo' -PACKAGE_VERSION='1.8.31' -PACKAGE_STRING='sudo 1.8.31' +PACKAGE_VERSION='1.8.31p1' +PACKAGE_STRING='sudo 1.8.31p1' PACKAGE_BUGREPORT='https://bugzilla.sudo.ws/' PACKAGE_URL='' @@ -1544,7 +1544,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures sudo 1.8.31 to adapt to many kinds of systems. +\`configure' configures sudo 1.8.31p1 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1609,7 +1609,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of sudo 1.8.31:";; + short | recursive ) echo "Configuration of sudo 1.8.31p1:";; esac cat <<\_ACEOF @@ -1875,7 +1875,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -sudo configure 1.8.31 +sudo configure 1.8.31p1 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2584,7 +2584,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by sudo $as_me 1.8.31, which was +It was created by sudo $as_me 1.8.31p1, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -27543,7 +27543,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by sudo $as_me 1.8.31, which was +This file was extended by sudo $as_me 1.8.31p1, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -27609,7 +27609,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -sudo config.status 1.8.31 +sudo config.status 1.8.31p1 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -urNa sudo-1.8.31/configure.ac sudo-1.8.31p1/configure.ac --- sudo-1.8.31/configure.ac Thu Jan 30 05:52:13 2020 +++ sudo-1.8.31p1/configure.ac Sat Mar 14 11:20:07 2020 @@ -18,7 +18,7 @@ dnl OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. dnl AC_PREREQ([2.59]) -AC_INIT([sudo], [1.8.31], [https://bugzilla.sudo.ws/], [sudo]) +AC_INIT([sudo], [1.8.31p1], [https://bugzilla.sudo.ws/], [sudo]) AC_CONFIG_HEADER([config.h pathnames.h]) AC_CONFIG_SRCDIR([src/sudo.c]) dnl diff -urNa sudo-1.8.31/src/limits.c sudo-1.8.31p1/src/limits.c --- sudo-1.8.31/src/limits.c Wed Dec 25 19:16:37 2019 +++ sudo-1.8.31p1/src/limits.c Sat Mar 14 11:19:52 2020 @@ -114,13 +114,21 @@ if (getrlimit(RLIMIT_CORE, &corelimit) == -1) sudo_warn("getrlimit(RLIMIT_CORE)"); + sudo_debug_printf(SUDO_DEBUG_INFO, "RLIMIT_CORE [%lld, %lld] -> [0, 0]", + (long long)corelimit.rlim_cur, (long long)corelimit.rlim_max); if (setrlimit(RLIMIT_CORE, &rl) == -1) sudo_warn("setrlimit(RLIMIT_CORE)"); #ifdef __linux__ /* On Linux, also set PR_SET_DUMPABLE to zero (reset by execve). */ - if ((dumpflag = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)) == -1) + if ((dumpflag = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)) == -1) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, + "prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)"); dumpflag = 0; - (void) prctl(PR_SET_DUMPABLE, 0, 0, 0, 0); + } + if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) == -1) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, + "prctl(PR_SET_DUMPABLE, %d, 0, 0, 0)", dumpflag); + } #endif /* __linux__ */ coredump_disabled = true; @@ -136,10 +144,20 @@ debug_decl(restore_coredump, SUDO_DEBUG_UTIL) if (coredump_disabled) { - if (setrlimit(RLIMIT_CORE, &corelimit) == -1) - sudo_warn("setrlimit(RLIMIT_CORE)"); + /* + * Linux containers don't allow RLIMIT_CORE to be set back to + * RLIM_INFINITY if we set the limit to zero, even for root. + */ + if (setrlimit(RLIMIT_CORE, &corelimit) == -1) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, + "setrlimit(RLIMIT_CORE, [%lld, %lld])", + (long long)corelimit.rlim_cur, (long long)corelimit.rlim_max); + } #ifdef __linux__ - (void) prctl(PR_SET_DUMPABLE, dumpflag, 0, 0, 0); + if (prctl(PR_SET_DUMPABLE, dumpflag, 0, 0, 0) == -1) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, + "prctl(PR_SET_DUMPABLE, %d, 0, 0, 0)", dumpflag); + } #endif /* __linux__ */ } debug_return; @@ -162,8 +180,14 @@ if (getrlimit(RLIMIT_NPROC, &nproclimit) != 0) sudo_warn("getrlimit(RLIMIT_NPROC)"); + sudo_debug_printf(SUDO_DEBUG_INFO, "RLIMIT_NPROC [%lld, %lld] -> [inf, inf]", + (long long)nproclimit.rlim_cur, (long long)nproclimit.rlim_max); if (setrlimit(RLIMIT_NPROC, &rl) == -1) { rl.rlim_cur = rl.rlim_max = nproclimit.rlim_max; + sudo_debug_printf(SUDO_DEBUG_INFO, + "RLIMIT_NPROC [%lld, %lld] -> [%lld, %lld]", + (long long)nproclimit.rlim_cur, (long long)nproclimit.rlim_max, + (long long)rl.rlim_cur, (long long)rl.rlim_max); if (setrlimit(RLIMIT_NPROC, &rl) != 0) sudo_warn("setrlimit(RLIMIT_NPROC)"); } @@ -180,8 +204,11 @@ #ifdef __linux__ debug_decl(restore_nproc, SUDO_DEBUG_UTIL) - if (setrlimit(RLIMIT_NPROC, &nproclimit) != 0) - sudo_warn("setrlimit(RLIMIT_NPROC)"); + if (setrlimit(RLIMIT_NPROC, &nproclimit) != 0) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, + "setrlimit(RLIMIT_NPROC, [%lld, %lld])", + (long long)nproclimit.rlim_cur, (long long)nproclimit.rlim_max); + } debug_return; #endif /* __linux__ */ @@ -203,6 +230,11 @@ struct saved_limit *lim = &saved_limits[idx]; if (getrlimit(lim->resource, &lim->oldlimit) == -1) continue; + sudo_debug_printf(SUDO_DEBUG_INFO, + "getrlimit(lim->name) -> [%lld, %lld]", + (long long)lim->oldlimit.rlim_cur, + (long long)lim->oldlimit.rlim_max); + lim->saved = true; if (lim->newlimit.rlim_cur != RLIM_INFINITY) { /* Don't reduce the soft resource limit. */ @@ -217,13 +249,28 @@ lim->newlimit.rlim_max = lim->oldlimit.rlim_max; } if ((rc = setrlimit(lim->resource, &lim->newlimit)) == -1) { - if (lim->fallback != NULL) - rc = setrlimit(lim->resource, lim->fallback); + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, + "setrlimit(%s, [%lld, %lld])", lim->name, + (long long)lim->newlimit.rlim_cur, + (long long)lim->newlimit.rlim_max); + if (lim->fallback != NULL) { + if ((rc = setrlimit(lim->resource, lim->fallback)) == -1) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, + "setrlimit(%s, [%lld, %lld])", lim->name, + (long long)lim->fallback->rlim_cur, + (long long)lim->fallback->rlim_max); + } + } if (rc == -1) { /* Try setting new rlim_cur to old rlim_max. */ lim->newlimit.rlim_cur = lim->oldlimit.rlim_max; lim->newlimit.rlim_max = lim->oldlimit.rlim_max; - rc = setrlimit(lim->resource, &lim->newlimit); + if ((rc = setrlimit(lim->resource, &lim->newlimit)) == -1) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, + "setrlimit(%s, [%lld, %lld])", lim->name, + (long long)lim->newlimit.rlim_cur, + (long long)lim->newlimit.rlim_max); + } } if (rc == -1) sudo_warn("setrlimit(%s)", lim->name); @@ -253,6 +300,10 @@ rc = setrlimit(lim->resource, &rl); if (rc != -1 || errno != EINVAL) break; + + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, + "setrlimit(%s, [%lld, %lld])", lim->name, + (long long)rl.rlim_cur, (long long)rl.rlim_max); /* * Soft limit could be lower than current resource usage.