packages/sudo
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!50 Backport patches form upstream community

Browse Source 
From: @BornThisWay 
Reviewed-by: @HuaxinLuGitee 
Signed-off-by: @HuaxinLuGitee
This commit is contained in:
openeuler-ci-bot 2022-11-23 08:04:57 +00:00 committed by Gitee
commit 252acd5b24
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
3 changed files with 60 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
backport-Fix-incorrect-SHA384-512-digest-calculation.patch Normal file
View File

@ -0,0 +1,29 @@
From e4f08157b6693b956fe9c7c987bc3eeac1abb2cc Mon Sep 17 00:00:00 2001
From: Tim Shearer <timtimminz@gmail.com>
Date: Tue, 2 Aug 2022 08:48:32 -0400
Subject: [PATCH] Fix incorrect SHA384/512 digest calculation.
Resolves an issue where certain message sizes result in an incorrect
checksum. Specifically, when:
(n*8) mod 1024 == 896
where n is the file size in bytes.
---
lib/util/sha2.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/util/sha2.c b/lib/util/sha2.c
index b7a28cca8..f769f77f2 100644
--- a/lib/util/sha2.c
+++ b/lib/util/sha2.c
@@ -490,7 +490,7 @@ SHA512Pad(SHA2_CTX *ctx)
SHA512Update(ctx, (uint8_t *)"\200", 1);
/* Pad message such that the resulting length modulo 1024 is 896. */
- while ((ctx->count[0] & 1008) != 896)
+ while ((ctx->count[0] & 1016) != 896)
SHA512Update(ctx, (uint8_t *)"\0", 1);
/* Append length of message in bits and do final SHA512Transform(). */
--
2.33.0

25
backport-sudo_passwd_verify-zero-out-des_pass-before-returnin.patch Normal file
View File

@ -0,0 +1,25 @@
From 9f948224acb911cbec1ed9041887c1fe62c59877 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller" <Todd.Miller@sudo.ws>
Date: Tue, 8 Nov 2022 13:17:11 -0700
Subject: [PATCH] sudo_passwd_verify: zero out des_pass before returning.
---
plugins/sudoers/auth/passwd.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/plugins/sudoers/auth/passwd.c b/plugins/sudoers/auth/passwd.c
index 636c07bab..89da96ff6 100644
--- a/plugins/sudoers/auth/passwd.c
+++ b/plugins/sudoers/auth/passwd.c
@@ -95,6 +95,8 @@ sudo_passwd_verify(struct passwd *pw, const char *pass, sudo_auth *auth, struct
matched = !strcmp(pw_epasswd, epass);
}
+ explicit_bzero(des_pass, sizeof(des_pass));
+
debug_return_int(matched ? AUTH_SUCCESS : AUTH_FAILURE);
}
#else
--
2.33.0

7
sudo.spec
View File

@ -1,6 +1,6 @@
Name: sudo Name: sudo
Version: 1.9.8p2 Version: 1.9.8p2
Release: 4 Release: 5
Summary: Allows restricted root access for specified users Summary: Allows restricted root access for specified users
License: ISC License: ISC
URL: http://www.courtesan.com/sudo/ URL: http://www.courtesan.com/sudo/
@ -14,6 +14,8 @@ Patch0: backport-0001-CVE-2022-37434.patch
Patch1: backport-0002-CVE-2022-37434.patch Patch1: backport-0002-CVE-2022-37434.patch
Patch2: backport-CVE-2022-33070.patch Patch2: backport-CVE-2022-33070.patch
Patch3: backport-Fix-CVE-2022-43995-potential-heap-overflow-for-passwords.patch Patch3: backport-Fix-CVE-2022-43995-potential-heap-overflow-for-passwords.patch
Patch4: backport-Fix-incorrect-SHA384-512-digest-calculation.patch
Patch5: backport-sudo_passwd_verify-zero-out-des_pass-before-returnin.patch
Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Requires: pam Requires: pam
@ -155,6 +157,9 @@ install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT/etc/pam.d/sudo-i
%exclude %{_pkgdocdir}/ChangeLog %exclude %{_pkgdocdir}/ChangeLog
%changelog %changelog
* Wed Nov 23 2022 wangyu <wangyu283@huawei.com> - 1.9.8p2-5
- Backport patches from upstream community
* Sat Nov 5 2022 wangyu <wangyu283@huawei.com> - 1.9.8p2-4 * Sat Nov 5 2022 wangyu <wangyu283@huawei.com> - 1.9.8p2-4
- Fix CVE-2022-43995 - Fix CVE-2022-43995