From 353007cf40f3fc68e1cb2b8878d30f5cdc40ac6a Mon Sep 17 00:00:00 2001 From: Thomas Perale Date: Mon, 29 Jun 2026 23:06:00 +0200 Subject: [PATCH 1/2] package/openjpeg: add upstream patch for CVE-2026-6192 - CVE-2026-6192: A vulnerability was identified in uclouvain openjpeg up to 2.5.4. This impacts the function opj_pi_initialise_encode in the library src/lib/openjp2/pi.c. The manipulation leads to integer overflow. The attack must be carried out locally. The exploit is publicly available and might be used. The identifier of the patch is 839936aa33eb8899bbbd80fda02796bb65068951. It is suggested to install a patch to address this issue. For more information, see: - https://www.cve.org/CVERecord?id=CVE-2026-6192 - https://github.com/uclouvain/openjpeg/commit/839936aa33eb8899bbbd80fda02796bb65068951 Signed-off-by: Thomas Perale Signed-off-by: Fiona Klute --- ...ng-to-insufficient-memory-allocation.patch | 35 +++++++++++++++++++ package/openjpeg/openjpeg.mk | 3 ++ 2 files changed, 38 insertions(+) create mode 100644 package/openjpeg/0001-opj-pi-initialise-encode-avoid-potential-integer-overflow-leading-to-insufficient-memory-allocation.patch diff --git a/package/openjpeg/0001-opj-pi-initialise-encode-avoid-potential-integer-overflow-leading-to-insufficient-memory-allocation.patch b/package/openjpeg/0001-opj-pi-initialise-encode-avoid-potential-integer-overflow-leading-to-insufficient-memory-allocation.patch new file mode 100644 index 00000000000..de5c925ec05 --- /dev/null +++ b/package/openjpeg/0001-opj-pi-initialise-encode-avoid-potential-integer-overflow-leading-to-insufficient-memory-allocation.patch @@ -0,0 +1,35 @@ +From 839936aa33eb8899bbbd80fda02796bb65068951 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Sun, 5 Apr 2026 13:25:27 +0200 +Subject: [PATCH] opj_pi_initialise_encode() (write code path): avoid potential + integer overflow leading to insufficient memory allocation + +Fixes #1619 + +CVE: CVE-2026-6192 +Upstream: https://github.com/uclouvain/openjpeg/commit/839936aa33eb8899bbbd80fda02796bb65068951 +Signed-off-by: Thomas Perale +--- + src/lib/openjp2/pi.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/src/lib/openjp2/pi.c b/src/lib/openjp2/pi.c +index 15ac33142..4abb87af2 100644 +--- a/src/lib/openjp2/pi.c ++++ b/src/lib/openjp2/pi.c +@@ -1694,9 +1694,12 @@ opj_pi_iterator_t *opj_pi_initialise_encode(const opj_image_t *p_image, + l_current_pi = l_pi; + + /* memory allocation for include*/ +- l_current_pi->include_size = l_tcp->numlayers * l_step_l; +- l_current_pi->include = (OPJ_INT16*) opj_calloc(l_current_pi->include_size, +- sizeof(OPJ_INT16)); ++ l_current_pi->include = NULL; ++ if (l_step_l <= UINT_MAX / l_tcp->numlayers) { ++ l_current_pi->include_size = l_tcp->numlayers * l_step_l; ++ l_current_pi->include = (OPJ_INT16*) opj_calloc(l_current_pi->include_size, ++ sizeof(OPJ_INT16)); ++ } + if (!l_current_pi->include) { + opj_free(l_tmp_data); + opj_free(l_tmp_ptr); diff --git a/package/openjpeg/openjpeg.mk b/package/openjpeg/openjpeg.mk index bc5d8143a62..7ded9008566 100644 --- a/package/openjpeg/openjpeg.mk +++ b/package/openjpeg/openjpeg.mk @@ -11,6 +11,9 @@ OPENJPEG_LICENSE_FILES = LICENSE OPENJPEG_CPE_ID_VENDOR = uclouvain OPENJPEG_INSTALL_STAGING = YES +# 0001-opj-pi-initialise-encode-avoid-potential-integer-overflow-leading-to-insufficient-memory-allocation.patch +OPENJPEG_IGNORE_CVES += CVE-2026-6192 + OPENJPEG_DEPENDENCIES += $(if $(BR2_PACKAGE_ZLIB),zlib) OPENJPEG_DEPENDENCIES += $(if $(BR2_PACKAGE_LIBPNG),libpng) OPENJPEG_DEPENDENCIES += $(if $(BR2_PACKAGE_TIFF),tiff) From 54de8d26d0ec1d0b7651a0f9866f6846ebe0f758 Mon Sep 17 00:00:00 2001 From: Thomas Perale Date: Fri, 26 Jun 2026 22:45:20 +0200 Subject: [PATCH 2/2] package/sudo: backport patch CVE-2026-35535 This backport is provided thanks to the Debian community [1]. - CVE-2026-35535: In Sudo through 1.9.17p2 before 3e474c2, a failure of a setuid, setgid, or setgroups call, during a privilege drop before running the mailer, is not a fatal error and can lead to privilege escalation. For more information, see: https://www.cve.org/CVERecord?id=CVE-2026-35535 [1] https://salsa.debian.org/sudo-team/sudo/-/blob/debian/trixie/debian/patches/0006-exec_mailer-Set-group-as-well-as-uid-when-running-th.patch Signed-off-by: Thomas Perale Signed-off-by: Fiona Klute --- ...-well-as-uid-when-running-the-mailer.patch | 147 ++++++++++++++++++ package/sudo/sudo.mk | 4 + 2 files changed, 151 insertions(+) create mode 100644 package/sudo/0001-exec-mailer-set-group-as-well-as-uid-when-running-the-mailer.patch diff --git a/package/sudo/0001-exec-mailer-set-group-as-well-as-uid-when-running-the-mailer.patch b/package/sudo/0001-exec-mailer-set-group-as-well-as-uid-when-running-the-mailer.patch new file mode 100644 index 00000000000..0bfcdd6f932 --- /dev/null +++ b/package/sudo/0001-exec-mailer-set-group-as-well-as-uid-when-running-the-mailer.patch @@ -0,0 +1,147 @@ +From 3e474c2f201484be83d994ae10a4e20e8c81bb69 Mon Sep 17 00:00:00 2001 +From: "Todd C. Miller" +Date: Sat, 8 Nov 2025 15:34:02 -0700 +Subject: [PATCH] exec_mailer: Set group as well as uid when running the mailer + +Also make a setuid(), setgid() or setgroups() failure fatal. + +Found by the ZeroPath AI Security Engineer + +CVE: CVE-2026-35535 +Upstream: https://github.com/sudo-project/sudo/commit/3e474c2f201484be83d994ae10a4e20e8c81bb69 +Signed-off-by: Thomas Perale +--- + include/sudo_eventlog.h | 3 ++- + lib/eventlog/eventlog.c | 21 +++++++++++++++++---- + lib/eventlog/eventlog_conf.c | 4 +++- + plugins/sudoers/logging.c | 2 +- + plugins/sudoers/policy.c | 2 +- + 5 files changed, 24 insertions(+), 8 deletions(-) + +diff --git a/include/sudo_eventlog.h b/include/sudo_eventlog.h +index eb9f4f4..485d259 100644 +--- a/include/sudo_eventlog.h ++++ b/include/sudo_eventlog.h +@@ -80,6 +80,7 @@ struct eventlog_config { + int syslog_rejectpri; + int syslog_alertpri; + uid_t mailuid; ++ gid_t mailgid; + bool omit_hostname; + const char *logpath; + const char *time_fmt; +@@ -151,7 +152,7 @@ void eventlog_set_syslog_rejectpri(int pri); + void eventlog_set_syslog_alertpri(int pri); + void eventlog_set_syslog_maxlen(size_t len); + void eventlog_set_file_maxlen(size_t len); +-void eventlog_set_mailuid(uid_t uid); ++void eventlog_set_mailuser(uid_t uid, gid_t gid); + void eventlog_set_omit_hostname(bool omit_hostname); + void eventlog_set_logpath(const char *path); + void eventlog_set_time_fmt(const char *fmt); +diff --git a/lib/eventlog/eventlog.c b/lib/eventlog/eventlog.c +index 5a32824..d56c4e4 100644 +--- a/lib/eventlog/eventlog.c ++++ b/lib/eventlog/eventlog.c +@@ -304,15 +304,13 @@ exec_mailer(int pipein) + syslog(LOG_ERR, _("unable to dup stdin: %m")); // -V618 + sudo_debug_printf(SUDO_DEBUG_ERROR, + "unable to dup stdin: %s", strerror(errno)); +- sudo_debug_exit(__func__, __FILE__, __LINE__, sudo_debug_subsys); +- _exit(127); ++ goto bad; + } + + /* Build up an argv based on the mailer path and flags */ + if ((mflags = strdup(evl_conf->mailerflags)) == NULL) { + syslog(LOG_ERR, _("unable to allocate memory")); // -V618 +- sudo_debug_exit(__func__, __FILE__, __LINE__, sudo_debug_subsys); +- _exit(127); ++ goto bad; + } + argv[0] = sudo_basename(mpath); + +@@ -331,11 +329,23 @@ exec_mailer(int pipein) + if (setuid(ROOT_UID) != 0) { + sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to change uid to %u", + ROOT_UID); ++ goto bad; ++ } ++ if (setgid(evl_conf->mailgid) != 0) { ++ sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to change gid to %u", ++ (unsigned int)evl_conf->mailgid); ++ goto bad; ++ } ++ if (setgroups(1, &evl_conf->mailgid) != 0) { ++ sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to set groups to %u", ++ (unsigned int)evl_conf->mailgid); ++ goto bad; + } + if (evl_conf->mailuid != ROOT_UID) { + if (setuid(evl_conf->mailuid) != 0) { + sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to change uid to %u", + (unsigned int)evl_conf->mailuid); ++ goto bad; + } + } + sudo_debug_exit(__func__, __FILE__, __LINE__, sudo_debug_subsys); +@@ -347,6 +357,9 @@ exec_mailer(int pipein) + sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to execute %s: %s", + mpath, strerror(errno)); + _exit(127); ++bad: ++ sudo_debug_exit(__func__, __FILE__, __LINE__, sudo_debug_subsys); ++ _exit(127); + } + + /* Send a message to the mailto user */ +diff --git a/lib/eventlog/eventlog_conf.c b/lib/eventlog/eventlog_conf.c +index 0663a38..ec3b569 100644 +--- a/lib/eventlog/eventlog_conf.c ++++ b/lib/eventlog/eventlog_conf.c +@@ -70,6 +70,7 @@ static struct eventlog_config evl_conf = { + MAXSYSLOGLEN, /* syslog_maxlen */ + 0, /* file_maxlen */ + ROOT_UID, /* mailuid */ ++ ROOT_GID, /* mailgid */ + false, /* omit_hostname */ + _PATH_SUDO_LOGFILE, /* logpath */ + "%h %e %T", /* time_fmt */ +@@ -151,9 +152,10 @@ eventlog_set_file_maxlen(size_t len) + } + + void +-eventlog_set_mailuid(uid_t uid) ++eventlog_set_mailuser(uid_t uid, gid_t gid) + { + evl_conf.mailuid = uid; ++ evl_conf.mailgid = gid; + } + + void +diff --git a/plugins/sudoers/logging.c b/plugins/sudoers/logging.c +index bd4de92..9535289 100644 +--- a/plugins/sudoers/logging.c ++++ b/plugins/sudoers/logging.c +@@ -1157,7 +1157,7 @@ init_eventlog_config(void) + eventlog_set_syslog_alertpri(def_syslog_badpri); + eventlog_set_syslog_maxlen(def_syslog_maxlen); + eventlog_set_file_maxlen(def_loglinelen); +- eventlog_set_mailuid(ROOT_UID); ++ eventlog_set_mailuser(ROOT_UID, ROOT_GID); + eventlog_set_omit_hostname(!def_log_host); + eventlog_set_logpath(def_logfile); + eventlog_set_time_fmt(def_log_year ? "%h %e %T %Y" : "%h %e %T"); +diff --git a/plugins/sudoers/policy.c b/plugins/sudoers/policy.c +index f3adfb0..27f6e58 100644 +--- a/plugins/sudoers/policy.c ++++ b/plugins/sudoers/policy.c +@@ -639,7 +639,7 @@ sudoers_policy_deserialize_info(struct sudoers_context *ctx, void *v, + } + + #ifdef NO_ROOT_MAILER +- eventlog_set_mailuid(ctx->user.uid); ++ eventlog_set_mailuser(ctx->user.uid, ctx->user.gid); + #endif + + /* Dump settings and user info (XXX - plugin args) */ diff --git a/package/sudo/sudo.mk b/package/sudo/sudo.mk index 8602e62b0b9..e28f7815f95 100644 --- a/package/sudo/sudo.mk +++ b/package/sudo/sudo.mk @@ -12,6 +12,10 @@ SUDO_LICENSE = ISC, BSD-3-Clause SUDO_LICENSE_FILES = LICENSE.md SUDO_CPE_ID_VERSION = $(SUDO_VERSION_MAJOR) SUDO_CPE_ID_UPDATE = $(SUDO_VERSION_MINOR) + +# 0001-exec-mailer-set-group-as-well-as-uid-when-running-the-mailer.patch +SUDO_IGNORE_CVES += CVE-2026-35535 + SUDO_SELINUX_MODULES = sudo # This is to avoid sudo's make install from chown()ing files which fails SUDO_INSTALL_TARGET_OPTS = INSTALL_OWNER="" DESTDIR="$(TARGET_DIR)" install