Only allow a remote host to be specified when listing privileges.

millert · millert · commit d530367828e3 · 2025-06-28T10:21:28.000-06:00
This fixes a bug where a user with sudoers privileges on a different host could execute a command on the local host, even if the sudoers file would not otherwise allow this. CVE-2025-32462 Reported by Rich Mirch @ Stratascale Cyber Research Unit (CRU).
diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c
@@ -350,6 +350,18 @@ sudoers_check_common(struct sudoers_context *ctx, int pwflag)
     time_t now;
     debug_decl(sudoers_check_common, SUDOERS_DEBUG_PLUGIN);
 
+    /* The user may only specify a host for "sudo -l". */
+    if (!ISSET(ctx->mode, MODE_LIST|MODE_CHECK)) {
+	if (strcmp(ctx->runas.host, ctx->user.host) != 0) {
+	    log_warningx(ctx, SLOG_NO_STDERR|SLOG_AUDIT,
+		N_("user not allowed to set remote host for command"));
+	    sudo_warnx("%s",
+		U_("a remote host may only be specified when listing privileges."));
+	    ret = false;
+	    goto done;
+	}
+    }
+
     /* If given the -P option, set the "preserve_groups" flag. */
     if (ISSET(ctx->mode, MODE_PRESERVE_GROUPS))
 	def_preserve_groups = true;
