Double free with per-command chroot sudoers rules
A flaw exists in sudo’s per-command chroot feature that could result in the variable that stores the command being freed more than once.
Sudo versions 1.9.8 through 1.9.13p1 inclusive are affected. Versions of sudo prior to 1.9.8 are not affected.
This vulnerability has been assigned CVE-2023-27320 in the Common Vulnerabilities and Exposures database.
Starting with Sudo 1.9.3, it is possible to specify an alternate root directory that sudo will change to before executing the command. For example, the rule:

someuser ALL = CHROOT=/var/www /bin/sh

will result in /bin/sh being run inside the chroot jail /var/www when the specified user runs sudo sh.
Sudo 1.9.8 included a fix for a memory leak in the set_cmnd_path() function; that fix can result in the user_cmnd variable being freed twice, but only when processing a sudoers rule that contains a CHROOT setting. This does not affect the chroot Defaults setting. Only a per-rule CHROOT setting will trigger the bug.
The bug can only be triggered by a user that has been granted sudo privileges using a sudoers rule that contains a CHROOT setting, and the rule must match the current host. If no users have sudoers rules containing CHROOT there is no impact. This feature is not commonly used.
Remove rules from the sudoers file that contain a CHROOT setting if using an affected version of sudo.
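The following POSIX shell script is an added example, not part of this advisory or of the sudo project. It ties together the affected-version range given above and the per-rule CHROOT= form from the Details section: it compares a sudo version string against the range 1.9.8 through 1.9.13p1 and lists sudoers lines that carry a per-command CHROOT setting while skipping Defaults lines (the chroot Defaults setting is stated to be unaffected). The sudoers content embedded in it is constructed for demonstration; the function names, the version-string format assumed (MAJOR.MINOR.PATCH with an optional pN suffix) and the case-insensitive, whitespace-tolerant match for CHROOT= are this example's own choices, made conservative so that the scan over-reports rather than misses a rule.

```shell
#!/bin/sh
# Added example (not from the sudo project): is this host in the affected
# range for CVE-2023-27320, and does any sudoers rule use per-command CHROOT=?

# Convert a sudo version such as "1.9.13p1" into one sortable integer.
# Assumption: the form is MAJOR.MINOR.PATCH[pN]; "1.9" is treated as 1.9.0.
sudo_version_key() {
    ver="$1"
    base="${ver%%p*}"                 # "1.9.13"
    p="${ver#"$base"}"; p="${p#p}"    # "1" from "p1", empty if no suffix
    [ -z "$p" ] && p=0
    major="${base%%.*}"; rest="${base#*.}"
    minor="${rest%%.*}"; patch="${rest#*.}"
    [ "$patch" = "$rest" ] && patch=0 # no third component present
    echo $(( major * 1000000 + minor * 10000 + patch * 100 + p ))
}

# Succeeds (exit 0) when the version lies in 1.9.8 .. 1.9.13p1 inclusive,
# the range named in the advisory.
sudo_version_affected() {
    k=$(sudo_version_key "$1")
    lo=$(sudo_version_key 1.9.8)
    hi=$(sudo_version_key 1.9.13p1)
    [ "$k" -ge "$lo" ] && [ "$k" -le "$hi" ]
}

# Read sudoers text on stdin and print rule lines carrying a per-command
# CHROOT= setting. Comment lines and Defaults lines are dropped first, so a
# "Defaults runchroot=..." line (the unaffected Defaults form) is not reported.
chroot_rules() {
    grep -Ev '^[[:space:]]*(#|Defaults)' | grep -Ei 'CHROOT[[:space:]]*=' || true
}

# Number of per-command CHROOT rules in the sudoers text on stdin.
count_chroot_rules() {
    chroot_rules | wc -l | tr -d '[:space:]'
}

# Version string of the installed sudo, taken from the first line of "sudo -V".
installed_sudo_version() {
    sudo -V 2>/dev/null | sed -n 's/^Sudo version \([0-9][0-9a-z.]*\).*/\1/p' | head -n 1
}

# Constructed sample sudoers content for the demonstration; not from any host.
sample_sudoers() {
    cat <<'EOF'
# constructed sample, not a real policy
Defaults runchroot=/srv/jail
someuser ALL = CHROOT=/var/www /bin/sh
otheruser ALL = NOPASSWD: /usr/bin/systemctl restart nginx
webadm ALL = CHROOT=/srv/web CWD=/srv/web /bin/ls
EOF
}

# Stand-alone demonstration on the constructed sample.
printf 'Constructed sample: %s per-command CHROOT rule(s)\n' "$(sample_sudoers | count_chroot_rules)"
sample_sudoers | chroot_rules

# Real-host check, only when invoked as: sh check_chroot_rules.sh --check
if [ "${1:-}" = "--check" ]; then
    v=$(installed_sudo_version)
    if [ -z "$v" ]; then
        echo "sudo not found or version not recognised"
    elif sudo_version_affected "$v"; then
        echo "sudo $v is within 1.9.8..1.9.13p1; per-command CHROOT rules found:"
        cat /etc/sudoers /etc/sudoers.d/* 2>/dev/null | chroot_rules
    else
        echo "sudo $v is outside the affected range"
    fi
fi
```

Run with --check as a user who can read /etc/sudoers (normally root); the scan deliberately does not invoke sudo to read the policy. Any rule it lists can then be removed, per the workaround above, or the host upgraded to 1.9.13p2.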
The bug is fixed in sudo 1.9.13p2.
This bug was found internally.