Bugzilla – Bug 761
sudo caused symbol lookup error with noexec when wordexp is called
Last modified: 2016-12-20 06:15:05 MST
Created attachment 485 [details] patch The fix for CVE-2016-7076 made sudo_noexec.so call dlsym() without linking with libdl causing the symbol lookup error: $ cat sudo-poc.c #include <stdlib.h> #include <stdio.h> #include <wordexp.h> int main () { wordexp_t p; printf("sudo CVE-2016-7032 & CVE-2016-7076 tests\n"); printf("Set the noexec default setting in the sudoers file then run this binary with sudo.\n\n"); if (-1 != system("ls /")) { printf("\nSystem's system() call is not protected, sudo is vulnerable to CVE-2016-7032\n"); } else { printf("System's system() call is protected (CVE-2016-7032)\n"); } if (NULL != popen("ls /", "r")) { printf("\nSystem's popen() call is not protected, sudo is vulnerable to CVE-2016-7032\n"); } else { printf("System's popen() call is protected (CVE-2016-7032)\n"); } if (WRDE_CMDSUB != wordexp("$(echo e)", &p, 0)) { printf("\nSystem's wordexp() call is not protected, sudo is vulnerable to CVE-2016-7076\n"); } else { printf("System's wordexp() call is protected (CVE-2016-7076)\n"); } $ cc sudo-poc.c $ sudo ./a.out ./a.out: symbol lookup error: /usr/lib/sudo/sudo_noexec.so: undefined symbol: dlsym The attached patch fixed the issue for me.
Thanks for the patch, I've committed it. https://www.sudo.ws/repos/sudo/rev/120a317ce25b
Fixed in sudo 1.8.19