Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
From 839936aa33eb8899bbbd80fda02796bb65068951 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sun, 5 Apr 2026 13:25:27 +0200
Subject: [PATCH] opj_pi_initialise_encode() (write code path): avoid potential
integer overflow leading to insufficient memory allocation

Fixes #1619

CVE: CVE-2026-6192
Upstream: https://github.com/uclouvain/openjpeg/commit/839936aa33eb8899bbbd80fda02796bb65068951
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
src/lib/openjp2/pi.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/lib/openjp2/pi.c b/src/lib/openjp2/pi.c
index 15ac33142..4abb87af2 100644
--- a/src/lib/openjp2/pi.c
+++ b/src/lib/openjp2/pi.c
@@ -1694,9 +1694,12 @@ opj_pi_iterator_t *opj_pi_initialise_encode(const opj_image_t *p_image,
l_current_pi = l_pi;

/* memory allocation for include*/
- l_current_pi->include_size = l_tcp->numlayers * l_step_l;
- l_current_pi->include = (OPJ_INT16*) opj_calloc(l_current_pi->include_size,
- sizeof(OPJ_INT16));
+ l_current_pi->include = NULL;
+ if (l_step_l <= UINT_MAX / l_tcp->numlayers) {
+ l_current_pi->include_size = l_tcp->numlayers * l_step_l;
+ l_current_pi->include = (OPJ_INT16*) opj_calloc(l_current_pi->include_size,
+ sizeof(OPJ_INT16));
+ }
if (!l_current_pi->include) {
opj_free(l_tmp_data);
opj_free(l_tmp_ptr);
3 changes: 3 additions & 0 deletions package/openjpeg/openjpeg.mk
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,9 @@ OPENJPEG_LICENSE_FILES = LICENSE
OPENJPEG_CPE_ID_VENDOR = uclouvain
OPENJPEG_INSTALL_STAGING = YES

# 0001-opj-pi-initialise-encode-avoid-potential-integer-overflow-leading-to-insufficient-memory-allocation.patch
OPENJPEG_IGNORE_CVES += CVE-2026-6192

OPENJPEG_DEPENDENCIES += $(if $(BR2_PACKAGE_ZLIB),zlib)
OPENJPEG_DEPENDENCIES += $(if $(BR2_PACKAGE_LIBPNG),libpng)
OPENJPEG_DEPENDENCIES += $(if $(BR2_PACKAGE_TIFF),tiff)
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,147 @@
From 3e474c2f201484be83d994ae10a4e20e8c81bb69 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller" <Todd.Miller@sudo.ws>
Date: Sat, 8 Nov 2025 15:34:02 -0700
Subject: [PATCH] exec_mailer: Set group as well as uid when running the mailer

Also make a setuid(), setgid() or setgroups() failure fatal.

Found by the ZeroPath AI Security Engineer <https://zeropath.com>

CVE: CVE-2026-35535
Upstream: https://github.com/sudo-project/sudo/commit/3e474c2f201484be83d994ae10a4e20e8c81bb69
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
include/sudo_eventlog.h | 3 ++-
lib/eventlog/eventlog.c | 21 +++++++++++++++++----
lib/eventlog/eventlog_conf.c | 4 +++-
plugins/sudoers/logging.c | 2 +-
plugins/sudoers/policy.c | 2 +-
5 files changed, 24 insertions(+), 8 deletions(-)

diff --git a/include/sudo_eventlog.h b/include/sudo_eventlog.h
index eb9f4f4..485d259 100644
--- a/include/sudo_eventlog.h
+++ b/include/sudo_eventlog.h
@@ -80,6 +80,7 @@ struct eventlog_config {
int syslog_rejectpri;
int syslog_alertpri;
uid_t mailuid;
+ gid_t mailgid;
bool omit_hostname;
const char *logpath;
const char *time_fmt;
@@ -151,7 +152,7 @@ void eventlog_set_syslog_rejectpri(int pri);
void eventlog_set_syslog_alertpri(int pri);
void eventlog_set_syslog_maxlen(size_t len);
void eventlog_set_file_maxlen(size_t len);
-void eventlog_set_mailuid(uid_t uid);
+void eventlog_set_mailuser(uid_t uid, gid_t gid);
void eventlog_set_omit_hostname(bool omit_hostname);
void eventlog_set_logpath(const char *path);
void eventlog_set_time_fmt(const char *fmt);
diff --git a/lib/eventlog/eventlog.c b/lib/eventlog/eventlog.c
index 5a32824..d56c4e4 100644
--- a/lib/eventlog/eventlog.c
+++ b/lib/eventlog/eventlog.c
@@ -304,15 +304,13 @@ exec_mailer(int pipein)
syslog(LOG_ERR, _("unable to dup stdin: %m")); // -V618
sudo_debug_printf(SUDO_DEBUG_ERROR,
"unable to dup stdin: %s", strerror(errno));
- sudo_debug_exit(__func__, __FILE__, __LINE__, sudo_debug_subsys);
- _exit(127);
+ goto bad;
}

/* Build up an argv based on the mailer path and flags */
if ((mflags = strdup(evl_conf->mailerflags)) == NULL) {
syslog(LOG_ERR, _("unable to allocate memory")); // -V618
- sudo_debug_exit(__func__, __FILE__, __LINE__, sudo_debug_subsys);
- _exit(127);
+ goto bad;
}
argv[0] = sudo_basename(mpath);

@@ -331,11 +329,23 @@ exec_mailer(int pipein)
if (setuid(ROOT_UID) != 0) {
sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to change uid to %u",
ROOT_UID);
+ goto bad;
+ }
+ if (setgid(evl_conf->mailgid) != 0) {
+ sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to change gid to %u",
+ (unsigned int)evl_conf->mailgid);
+ goto bad;
+ }
+ if (setgroups(1, &evl_conf->mailgid) != 0) {
+ sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to set groups to %u",
+ (unsigned int)evl_conf->mailgid);
+ goto bad;
}
if (evl_conf->mailuid != ROOT_UID) {
if (setuid(evl_conf->mailuid) != 0) {
sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to change uid to %u",
(unsigned int)evl_conf->mailuid);
+ goto bad;
}
}
sudo_debug_exit(__func__, __FILE__, __LINE__, sudo_debug_subsys);
@@ -347,6 +357,9 @@ exec_mailer(int pipein)
sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to execute %s: %s",
mpath, strerror(errno));
_exit(127);
+bad:
+ sudo_debug_exit(__func__, __FILE__, __LINE__, sudo_debug_subsys);
+ _exit(127);
}

/* Send a message to the mailto user */
diff --git a/lib/eventlog/eventlog_conf.c b/lib/eventlog/eventlog_conf.c
index 0663a38..ec3b569 100644
--- a/lib/eventlog/eventlog_conf.c
+++ b/lib/eventlog/eventlog_conf.c
@@ -70,6 +70,7 @@ static struct eventlog_config evl_conf = {
MAXSYSLOGLEN, /* syslog_maxlen */
0, /* file_maxlen */
ROOT_UID, /* mailuid */
+ ROOT_GID, /* mailgid */
false, /* omit_hostname */
_PATH_SUDO_LOGFILE, /* logpath */
"%h %e %T", /* time_fmt */
@@ -151,9 +152,10 @@ eventlog_set_file_maxlen(size_t len)
}

void
-eventlog_set_mailuid(uid_t uid)
+eventlog_set_mailuser(uid_t uid, gid_t gid)
{
evl_conf.mailuid = uid;
+ evl_conf.mailgid = gid;
}

void
diff --git a/plugins/sudoers/logging.c b/plugins/sudoers/logging.c
index bd4de92..9535289 100644
--- a/plugins/sudoers/logging.c
+++ b/plugins/sudoers/logging.c
@@ -1157,7 +1157,7 @@ init_eventlog_config(void)
eventlog_set_syslog_alertpri(def_syslog_badpri);
eventlog_set_syslog_maxlen(def_syslog_maxlen);
eventlog_set_file_maxlen(def_loglinelen);
- eventlog_set_mailuid(ROOT_UID);
+ eventlog_set_mailuser(ROOT_UID, ROOT_GID);
eventlog_set_omit_hostname(!def_log_host);
eventlog_set_logpath(def_logfile);
eventlog_set_time_fmt(def_log_year ? "%h %e %T %Y" : "%h %e %T");
diff --git a/plugins/sudoers/policy.c b/plugins/sudoers/policy.c
index f3adfb0..27f6e58 100644
--- a/plugins/sudoers/policy.c
+++ b/plugins/sudoers/policy.c
@@ -639,7 +639,7 @@ sudoers_policy_deserialize_info(struct sudoers_context *ctx, void *v,
}

#ifdef NO_ROOT_MAILER
- eventlog_set_mailuid(ctx->user.uid);
+ eventlog_set_mailuser(ctx->user.uid, ctx->user.gid);
#endif

/* Dump settings and user info (XXX - plugin args) */
4 changes: 4 additions & 0 deletions package/sudo/sudo.mk
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,10 @@ SUDO_LICENSE = ISC, BSD-3-Clause
SUDO_LICENSE_FILES = LICENSE.md
SUDO_CPE_ID_VERSION = $(SUDO_VERSION_MAJOR)
SUDO_CPE_ID_UPDATE = $(SUDO_VERSION_MINOR)

# 0001-exec-mailer-set-group-as-well-as-uid-when-running-the-mailer.patch
SUDO_IGNORE_CVES += CVE-2026-35535

SUDO_SELINUX_MODULES = sudo
# This is to avoid sudo's make install from chown()ing files which fails
SUDO_INSTALL_TARGET_OPTS = INSTALL_OWNER="" DESTDIR="$(TARGET_DIR)" install
Expand Down