Bug 761

Summary: sudo caused symbol lookup error with noexec when wordexp is called
Product: Sudo Reporter: Balint Reczey <balint>
Component: SudoAssignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED    
Severity: normal    
Priority: low    
Version: 1.8.18   
Hardware: PC   
OS: Linux   
Attachments: patch

Description Balint Reczey 2016-11-13 10:15:20 MST 
Created attachment 485 [details]
patch

The fix for CVE-2016-7076 made sudo_noexec.so call dlsym() without linking with libdl causing the symbol lookup error:

$ cat sudo-poc.c
#include <stdlib.h>
#include <stdio.h>
#include <wordexp.h>

int main () {
  wordexp_t p;
  printf("sudo CVE-2016-7032 & CVE-2016-7076 tests\n");
  printf("Set the noexec default setting in the sudoers file then run this binary with sudo.\n\n");
  if (-1 != system("ls /")) {
    printf("\nSystem's system() call is not protected, sudo is vulnerable to CVE-2016-7032\n");
  } else {
    printf("System's system() call is protected (CVE-2016-7032)\n");
  }
  if (NULL != popen("ls /", "r")) {
    printf("\nSystem's popen() call is not protected, sudo is vulnerable to CVE-2016-7032\n");
  } else {
    printf("System's popen() call is protected (CVE-2016-7032)\n");
  }
  if (WRDE_CMDSUB != wordexp("$(echo e)", &p, 0)) {
    printf("\nSystem's wordexp() call is not protected, sudo is vulnerable to CVE-2016-7076\n");
  } else {
    printf("System's wordexp() call is protected (CVE-2016-7076)\n");
  }

$ cc sudo-poc.c
$ sudo ./a.out
./a.out: symbol lookup error: /usr/lib/sudo/sudo_noexec.so: undefined symbol: dlsym

The attached patch fixed the issue for me.
Comment 1 Todd C. Miller 2016-11-13 16:02:47 MST 
Thanks for the patch, I've committed it.
https://www.sudo.ws/repos/sudo/rev/120a317ce25b
Comment 2 Todd C. Miller 2016-12-20 06:15:05 MST 
Fixed in sudo 1.8.19