packages/sudo
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Upgrade to 1.9.12p2

Browse Source
This commit is contained in:
modric 2023-01-31 20:10:31 +08:00
parent 71701de75f
commit 607954622d
21 changed files with 9 additions and 847 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
backport-0001-CVE-2022-37434.patch
View File

@ -1,35 +0,0 @@
From eff308af425b67093bab25f80f1ae950166bece1 Mon Sep 17 00:00:00 2001
From: Mark Adler <fork@madler.net>
Date: Sat, 30 Jul 2022 15:51:11 -0700
Subject: [PATCH] Fix a bug when getting a gzip header extra field with
inflate().
If the extra field was larger than the space the user provided with
inflateGetHeader(), and if multiple calls of inflate() delivered
the extra header data, then there could be a buffer overflow of the
provided space. This commit assures that provided space is not
exceeded.
---
inflate.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/lib/zlib/inflate.c b/lib/zlib/inflate.c
index 2a0ac30..95a38f5 100644
--- a/lib/zlib/inflate.c
+++ b/lib/zlib/inflate.c
@@ -765,9 +765,10 @@ int flush;
copy = state->length;
if (copy > have) copy = have;
if (copy) {
+ len = state->head->extra_len - state->length;
if (state->head != Z_NULL &&
- state->head->extra != Z_NULL) {
- len = state->head->extra_len - state->length;
+ state->head->extra != Z_NULL &&
+ len < state->head->extra_max) {
zmemcpy(state->head->extra + len, next,
len + copy > state->head->extra_max ?
state->head->extra_max - len : copy);
--
2.27.0

32
backport-0002-CVE-2022-37434.patch
View File

@ -1,32 +0,0 @@
From 1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d Mon Sep 17 00:00:00 2001
From: Mark Adler <fork@madler.net>
Date: Mon, 8 Aug 2022 10:50:09 -0700
Subject: [PATCH] Fix extra field processing bug that dereferences NULL
state->head.
The recent commit to fix a gzip header extra field processing bug
introduced the new bug fixed here.
---
inflate.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/zlib/inflate.c b/lib/zlib/inflate.c
index 95a38f5..9c5934e 100644
--- a/lib/zlib/inflate.c
+++ b/lib/zlib/inflate.c
@@ -765,10 +765,10 @@ int flush;
copy = state->length;
if (copy > have) copy = have;
if (copy) {
- len = state->head->extra_len - state->length;
if (state->head != Z_NULL &&
state->head->extra != Z_NULL &&
- len < state->head->extra_max) {
+ (len = state->head->extra_len - state->length) <
+ state->head->extra_max) {
zmemcpy(state->head->extra + len, next,
len + copy > state->head->extra_max ?
state->head->extra_max - len : copy);
--
2.27.0

73
backport-CVE-2022-33070.patch
View File

@ -1,73 +0,0 @@
diff -Naru a/lib/protobuf-c/protobuf-c.c b/lib/protobuf-c/protobuf-c.c
--- a/lib/protobuf-c/protobuf-c.c
+++ b/lib/protobuf-c/protobuf-c.c
@@ -316,9 +316,8 @@
static inline uint32_t
zigzag32(int32_t v)
{
- // Note: the right-shift must be arithmetic
- // Note: left shift must be unsigned because of overflow
- return ((uint32_t)(v) << 1) ^ (uint32_t)(v >> 31);
+ // Note: Using unsigned types prevents undefined behavior
+ return ((uint32_t)v << 1) ^ -((uint32_t)v >> 31);
}
/**
@@ -380,9 +379,8 @@
static inline uint64_t
zigzag64(int64_t v)
{
- // Note: the right-shift must be arithmetic
- // Note: left shift must be unsigned because of overflow
- return ((uint64_t)(v) << 1) ^ (uint64_t)(v >> 63);
+ // Note: Using unsigned types prevents undefined behavior
+ return ((uint64_t)v << 1) ^ -((uint64_t)v >> 63);
}
/**
@@ -802,7 +800,8 @@
}
/**
- * Pack a signed 32-bit integer and return the number of bytes written.
+ * Pack a signed 32-bit integer and return the number of bytes written,
+ * passed as unsigned to avoid implementation-specific behavior.
* Negative numbers are encoded as two's complement 64-bit integers.
*
* \param value
@@ -813,14 +812,14 @@
* Number of bytes written to `out`.
*/
static inline size_t
-int32_pack(int32_t value, uint8_t *out)
+int32_pack(uint32_t value, uint8_t *out)
{
- if (value < 0) {
+ if ((int32_t)value < 0) {
out[0] = value | 0x80;
out[1] = (value >> 7) | 0x80;
out[2] = (value >> 14) | 0x80;
out[3] = (value >> 21) | 0x80;
- out[4] = (value >> 28) | 0x80;
+ out[4] = (value >> 28) | 0xf0;
out[5] = out[6] = out[7] = out[8] = 0xff;
out[9] = 0x01;
return 10;
@@ -2425,7 +2424,7 @@
unzigzag32(uint32_t v)
{
// Note: Using unsigned types prevents undefined behavior
- return (int32_t)((v >> 1) ^ (~(v & 1) + 1));
+ return (int32_t)((v >> 1) ^ -(v & 1));
}
static inline uint32_t
@@ -2467,7 +2466,7 @@
unzigzag64(uint64_t v)
{
// Note: Using unsigned types prevents undefined behavior
- return (int64_t)((v >> 1) ^ (~(v & 1) + 1));
+ return (int64_t)((v >> 1) ^ -(v & 1));
}
static inline uint64_t

143
backport-CVE-2023-22809.patch
View File

@ -1,143 +0,0 @@
From 0274a4f3b403162a37a10f199c989f3727ed3ad4 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller" <Todd.Miller@sudo.ws>
Date: Thu, 12 Jan 2023 15:55:27 -0700
Subject: [PATCH] sudoedit: do not permit editor arguments to include "--"
(CVE-2023-22809) We use "--" to separate the editor and arguments from the
files to edit. If the editor arguments include "--", sudo can be tricked into
allowing the user to edit a file not permitted by the security policy. Thanks
to Matthieu Barjole and Victor Cutillas of Synacktiv (https://synacktiv.com)
for finding this bug.
Reference:https://github.com/sudo-project/sudo/commit/0274a4f3b403162a37a10f199c989f3727ed3ad4
Conflict:NA
---
plugins/sudoers/editor.c | 19 ++++++++++++++-----
plugins/sudoers/sudoers.c | 25 ++++++++++++++++++-------
plugins/sudoers/visudo.c | 8 ++++++--
3 files changed, 38 insertions(+), 14 deletions(-)
diff --git a/plugins/sudoers/editor.c b/plugins/sudoers/editor.c
index 5ca4eb0af..6d988ff68 100644
--- a/plugins/sudoers/editor.c
+++ b/plugins/sudoers/editor.c
@@ -133,7 +133,7 @@ resolve_editor(const char *ed, size_t edlen, int nfiles, char * const *files,
const char *tmp, *cp, *ep = NULL;
const char *edend = ed + edlen;
struct stat user_editor_sb;
- int nargc;
+ int nargc = 0;
debug_decl(resolve_editor, SUDOERS_DEBUG_UTIL);
/*
@@ -151,10 +151,7 @@ resolve_editor(const char *ed, size_t edlen, int nfiles, char * const *files,
/* If we can't find the editor in the user's PATH, give up. */
if (find_path(editor, &editor_path, &user_editor_sb, getenv("PATH"), NULL,
0, allowlist) != FOUND) {
- sudoers_gc_remove(GC_PTR, editor);
- free(editor);
- errno = ENOENT;
- debug_return_str(NULL);
+ goto bad;
}
/* Count rest of arguments and allocate editor argv. */
@@ -175,6 +172,17 @@ resolve_editor(const char *ed, size_t edlen, int nfiles, char * const *files,
nargv[nargc] = copy_arg(cp, ep - cp);
if (nargv[nargc] == NULL)
goto oom;
+
+ /*
+ * We use "--" to separate the editor and arguments from the files
+ * to edit. The editor arguments themselves may not contain "--".
+ */
+ if (strcmp(nargv[nargc], "--") == 0) {
+ sudo_warnx(U_("ignoring editor: %.*s"), (int)edlen, ed);
+ sudo_warnx("%s", U_("editor arguments may not contain \"--\""));
+ errno = EINVAL;
+ goto bad;
+ }
}
if (nfiles != 0) {
nargv[nargc++] = "--";
@@ -188,6 +196,7 @@ resolve_editor(const char *ed, size_t edlen, int nfiles, char * const *files,
debug_return_str(editor_path);
oom:
sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+bad:
sudoers_gc_remove(GC_PTR, editor);
free(editor);
free(editor_path);
diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c
index 7b97340ac..1f22853ff 100644
--- a/plugins/sudoers/sudoers.c
+++ b/plugins/sudoers/sudoers.c
@@ -759,21 +759,32 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
/* Note: must call audit before uid change. */
if (ISSET(sudo_mode, MODE_EDIT)) {
+ const char *env_editor = NULL;
char **edit_argv;
int edit_argc;
- const char *env_editor;
free(safe_cmnd);
safe_cmnd = find_editor(NewArgc - 1, NewArgv + 1, &edit_argc,
&edit_argv, NULL, &env_editor, false);
if (safe_cmnd == NULL) {
- if (errno != ENOENT)
+ switch (errno) {
+ case ENOENT:
+ audit_failure(NewArgv, N_("%s: command not found"),
+ env_editor ? env_editor : def_editor);
+ sudo_warnx(U_("%s: command not found"),
+ env_editor ? env_editor : def_editor);
+ goto bad;
+ case EINVAL:
+ if (def_env_editor && env_editor != NULL) {
+ /* User tried to do something funny with the editor. */
+ log_warningx(SLOG_NO_STDERR|SLOG_AUDIT|SLOG_SEND_MAIL,
+ "invalid user-specified editor: %s", env_editor);
+ goto bad;
+ }
+ FALLTHROUGH;
+ default:
goto done;
- audit_failure(NewArgv, N_("%s: command not found"),
- env_editor ? env_editor : def_editor);
- sudo_warnx(U_("%s: command not found"),
- env_editor ? env_editor : def_editor);
- goto bad;
+ }
}
/* find_editor() already g/c'd edit_argv[] */
sudoers_gc_remove(GC_PTR, NewArgv);
diff --git a/plugins/sudoers/visudo.c b/plugins/sudoers/visudo.c
index 82f7f9e56..425071afd 100644
--- a/plugins/sudoers/visudo.c
+++ b/plugins/sudoers/visudo.c
@@ -301,7 +301,7 @@ static char *
get_editor(int *editor_argc, char ***editor_argv)
{
char *editor_path = NULL, **allowlist = NULL;
- const char *env_editor;
+ const char *env_editor = NULL;
static char *files[] = { "+1", "sudoers" };
unsigned int allowlist_len = 0;
debug_decl(get_editor, SUDOERS_DEBUG_UTIL);
@@ -335,7 +335,11 @@ get_editor(int *editor_argc, char ***editor_argv)
if (editor_path == NULL) {
if (def_env_editor && env_editor != NULL) {
/* We are honoring $EDITOR so this is a fatal error. */
- sudo_fatalx(U_("specified editor (%s) doesn't exist"), env_editor);
+ if (errno == ENOENT) {
+ sudo_warnx(U_("specified editor (%s) doesn't exist"),
+ env_editor);
+ }
+ exit(EXIT_FAILURE);
}
sudo_fatalx(U_("no editor found (editor path = %s)"), def_editor);
}
--
2.27.0

55
backport-Fix-CVE-2022-43995-potential-heap-overflow-for-passwords.patch
View File

@ -1,55 +0,0 @@
From bd209b9f16fcd1270c13db27ae3329c677d48050 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller" <Todd.Miller@sudo.ws>
Date: Fri, 28 Oct 2022 07:29:55 -0600
Subject: [PATCH] Fix CVE-2022-43995, potential heap overflow for passwords < 8
characters. Starting with sudo 1.8.0 the plaintext password buffer is
dynamically sized so it is not safe to assume that it is at least 9 bytes in
size. Found by Hugo Lefeuvre (University of Manchester) with ConfFuzz.
Conflict:NA
Reference:https://github.com/sudo-project/sudo/commit/bd209b9f16fcd1270c13db27ae3329c677d48050
---
plugins/sudoers/auth/passwd.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/plugins/sudoers/auth/passwd.c b/plugins/sudoers/auth/passwd.c
index b2046eca2..0416861e9 100644
--- a/plugins/sudoers/auth/passwd.c
+++ b/plugins/sudoers/auth/passwd.c
@@ -63,7 +63,7 @@ sudo_passwd_init(struct passwd *pw, sudo_auth *auth)
int
sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_conv_callback *callback)
{
- char sav, *epass;
+ char des_pass[9], *epass;
char *pw_epasswd = auth->data;
size_t pw_len;
int matched = 0;
@@ -75,12 +75,12 @@ sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_c
/*
* Truncate to 8 chars if standard DES since not all crypt()'s do this.
- * If this turns out not to be safe we will have to use OS #ifdef's (sigh).
*/
- sav = pass[8];
pw_len = strlen(pw_epasswd);
- if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len))
- pass[8] = '\0';
+ if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len)) {
+ strlcpy(des_pass, pass, sizeof(des_pass));
+ pass = des_pass;
+ }
/*
* Normal UN*X password check.
@@ -88,7 +88,6 @@ sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_c
* only compare the first DESLEN characters in that case.
*/
epass = (char *) crypt(pass, pw_epasswd);
- pass[8] = sav;
if (epass != NULL) {
if (HAS_AGEINFO(pw_epasswd, pw_len) && strlen(epass) == DESLEN)
matched = !strncmp(pw_epasswd, epass, DESLEN);
--
2.27.0

26
backport-Fix-a-clang-analyzer-14-warning-about-a-possible-NUL.patch
View File

@ -1,26 +0,0 @@
From bfc6249902d842626058e74074832930feaf2f80 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller" <Todd.Miller@sudo.ws>
Date: Wed, 29 Jun 2022 11:18:16 -0600
Subject: [PATCH] Fix a clang analyzer 14 warning about a possible NULL deref.
---
lib/protobuf-c/protobuf-c.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/lib/protobuf-c/protobuf-c.c b/lib/protobuf-c/protobuf-c.c
index 3cc22c5f0..9ee355df5 100644
--- a/lib/protobuf-c/protobuf-c.c
+++ b/lib/protobuf-c/protobuf-c.c
@@ -3246,6 +3246,9 @@ protobuf_c_message_unpack(const ProtobufCMessageDescriptor *desc,
/* allocate space for repeated fields, also check that all required fields have been set */
for (f = 0; f < desc->n_fields; f++) {
const ProtobufCFieldDescriptor *field = desc->fields + f;
+ if (field == NULL) {
+ continue;
+ }
if (field->label == PROTOBUF_C_LABEL_REPEATED) {
size_t siz =
sizeof_elt_in_repeated_array(field->type);
--
2.33.0

37
backport-Fix-a-potential-use-after-free-bug-with-cvtsudoers-f.patch
View File

@ -1,37 +0,0 @@
From 264326de571e0eff1d8003f882bad4cdf1a9230d Mon Sep 17 00:00:00 2001
From: "Todd C. Miller" <Todd.Miller@sudo.ws>
Date: Thu, 10 Nov 2022 14:55:56 -0700
Subject: [PATCH] Fix a potential use-after-free bug with cvtsudoers filtering.
In role_to_sudoers() when merging a privilege to the previous one where the
runas lists are the same we need to re-use the runas lists of the last
command in the previous privilege, not the first. Otherwise, the check in
free_cmndspec() will not notice the re-used runas lists. Reported/analyzed
by Sohom Datta. GitHub issue #198.
---
plugins/sudoers/parse_ldif.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/plugins/sudoers/parse_ldif.c b/plugins/sudoers/parse_ldif.c
index 5d2a79163..2b7109294 100644
--- a/plugins/sudoers/parse_ldif.c
+++ b/plugins/sudoers/parse_ldif.c
@@ -432,11 +432,11 @@ role_to_sudoers(struct sudoers_parse_tree *parse_tree, struct sudo_role *role,
struct privilege *prev_priv = TAILQ_LAST(&us->privileges, privilege_list);
if (reuse_runas) {
/* Runas users and groups same if as in previous privilege. */
- struct member_list *runasuserlist =
- TAILQ_FIRST(&prev_priv->cmndlist)->runasuserlist;
- struct member_list *runasgrouplist =
- TAILQ_FIRST(&prev_priv->cmndlist)->runasgrouplist;
struct cmndspec *cmndspec = TAILQ_FIRST(&priv->cmndlist);
+ const struct cmndspec *prev_cmndspec =
+ TAILQ_LAST(&prev_priv->cmndlist, cmndspec_list);
+ struct member_list *runasuserlist = prev_cmndspec->runasuserlist;
+ struct member_list *runasgrouplist = prev_cmndspec->runasgrouplist;
/* Free duplicate runas lists. */
if (cmndspec->runasuserlist != NULL) {
--
2.27.0

29
backport-Fix-incorrect-SHA384-512-digest-calculation.patch
View File

@ -1,29 +0,0 @@
From e4f08157b6693b956fe9c7c987bc3eeac1abb2cc Mon Sep 17 00:00:00 2001
From: Tim Shearer <timtimminz@gmail.com>
Date: Tue, 2 Aug 2022 08:48:32 -0400
Subject: [PATCH] Fix incorrect SHA384/512 digest calculation.
Resolves an issue where certain message sizes result in an incorrect
checksum. Specifically, when:
(n*8) mod 1024 == 896
where n is the file size in bytes.
---
lib/util/sha2.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/util/sha2.c b/lib/util/sha2.c
index b7a28cca8..f769f77f2 100644
--- a/lib/util/sha2.c
+++ b/lib/util/sha2.c
@@ -490,7 +490,7 @@ SHA512Pad(SHA2_CTX *ctx)
SHA512Update(ctx, (uint8_t *)"\200", 1);
/* Pad message such that the resulting length modulo 1024 is 896. */
- while ((ctx->count[0] & 1008) != 896)
+ while ((ctx->count[0] & 1016) != 896)
SHA512Update(ctx, (uint8_t *)"\0", 1);
/* Append length of message in bits and do final SHA512Transform(). */
--
2.33.0

37
backport-Fix-issue-protobuf-c-499-unsigned-integer-overflow.patch
View File

@ -1,37 +0,0 @@
From 263fdc6b067bd892df654377c0ea051289fce33f Mon Sep 17 00:00:00 2001
From: "Todd C. Miller" <Todd.Miller@sudo.ws>
Date: Mon, 6 Jun 2022 20:15:03 -0600
Subject: [PATCH] Fix issue protobuf-c#499: unsigned integer overflow
Signed-off-by: 10054172 <hui.zhang@thalesgroup.com>
---
lib/protobuf-c/protobuf-c.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/lib/protobuf-c/protobuf-c.c b/lib/protobuf-c/protobuf-c.c
index 96b750650..73e120046 100644
--- a/lib/protobuf-c/protobuf-c.c
+++ b/lib/protobuf-c/protobuf-c.c
@@ -2619,11 +2619,14 @@ parse_required_member(ScannedMember *scanned_member,
return FALSE;
def_mess = scanned_member->field->default_value;
- subm = protobuf_c_message_unpack(scanned_member->field->descriptor,
- allocator,
- len - pref_len,
- data + pref_len);
-
+ if (len > pref_len) {
+ subm = protobuf_c_message_unpack(scanned_member->field->descriptor,
+ allocator,
+ len - pref_len,
+ data + pref_len);
+ } else {
+ subm = NULL;
+ }
if (maybe_clear &&
*pmessage != NULL &&
*pmessage != def_mess)
--
2.33.0

26
backport-Fix-memory-leak-of-pass-in-converse.patch
View File

@ -1,26 +0,0 @@
From f5cae905ca1a9f686f80aea45a34cea50fec0534 Mon Sep 17 00:00:00 2001
From: modric <pioneerbtw7@163.com>
Date: Thu, 17 Nov 2022 16:08:59 +0800
Subject: [PATCH] Fix memory leak of pass in converse().
---
plugins/sudoers/auth/pam.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/plugins/sudoers/auth/pam.c b/plugins/sudoers/auth/pam.c
index 339b7a5..f5580ea 100644
--- a/plugins/sudoers/auth/pam.c
+++ b/plugins/sudoers/auth/pam.c
@@ -722,7 +722,8 @@ converse(int num_msg, PAM_CONST struct pam_message **msg,
sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
"password longer than %d", PAM_MAX_RESP_SIZE);
ret = PAM_CONV_ERR;
- explicit_bzero(pass, strlen(pass));
+ freezero(pass, strlen(pass));
+ pass = NULL;
goto done;
}
reply[n].resp = pass; /* auth_getpass() malloc's a copy */
--
2.27.0

71
backport-Fix-potential-signed-integer-overflow-on-32-bit-CPUs.patch
View File

@ -1,71 +0,0 @@
From dc8311dae99c2e6d60ecd3db6730fe84c6fe9d5b Mon Sep 17 00:00:00 2001
From: "Todd C. Miller" <Todd.Miller@sudo.ws>
Date: Fri, 27 May 2022 15:47:32 -0600
Subject: [PATCH] Fix potential signed integer overflow on 32-bit CPUs.
Converting fractional minutes to nanoseconds could overflow a 32-bit integer,
use long long instead.
---
plugins/sudoers/defaults.c | 28 ++++++++++++++--------------
1 file changed, 14 insertions(+), 14 deletions(-)
diff --git a/plugins/sudoers/defaults.c b/plugins/sudoers/defaults.c
index d5bd8080d..ec6b64fe9 100644
--- a/plugins/sudoers/defaults.c
+++ b/plugins/sudoers/defaults.c
@@ -935,38 +935,38 @@ store_timespec(const char *str, struct sudo_defs_types *def)
sudo_timespecclear(&ts);
if (str != NULL) {
- /* Convert from minutes to timespec. */
+ /* Convert from minutes to seconds. */
if (*str == '+' || *str == '-')
sign = *str++;
while (*str != '\0' && *str != '.') {
if (!isdigit((unsigned char)*str))
debug_return_bool(false); /* invalid number */
- /* Verify (ts.tv_sec * 10) + digit <= TIME_T_MAX. */
- i = *str++ - '0';
+ /* Verify (ts.tv_sec * 10) + (digit * 60) <= TIME_T_MAX. */
+ i = (*str++ - '0') * 60L;
if (ts.tv_sec > (TIME_T_MAX - i) / 10)
debug_return_bool(false); /* overflow */
ts.tv_sec *= 10;
ts.tv_sec += i;
}
if (*str++ == '.') {
- /* Convert optional fractional component to nanosecs. */
+ long long nsec = 0;
+
+ /* Convert optional fractional component to seconds and nanosecs. */
for (i = 100000000; i > 0; i /= 10) {
if (*str == '\0')
break;
if (!isdigit((unsigned char)*str))
debug_return_bool(false); /* invalid number */
- ts.tv_nsec += i * (*str++ - '0');
+ nsec += i * (*str++ - '0') * 60LL;
}
- }
- /* Convert from minutes to seconds. */
- if (ts.tv_sec > TIME_T_MAX / 60)
- debug_return_bool(false); /* overflow */
- ts.tv_sec *= 60;
- ts.tv_nsec *= 60;
- while (ts.tv_nsec >= 1000000000) {
- ts.tv_sec++;
- ts.tv_nsec -= 1000000000;
+ while (nsec >= 1000000000) {
+ if (ts.tv_sec == TIME_T_MAX)
+ debug_return_bool(false); /* overflow */
+ ts.tv_sec++;
+ nsec -= 1000000000;
+ }
+ ts.tv_nsec = nsec;
}
}
if (sign == '-') {
--
2.33.0

26
backport-Fix-regression-with-zero-length-messages-introduced-.patch
View File

@ -1,26 +0,0 @@
From b6a6451482a3ff5e30f43ef888159d4b0d39143b Mon Sep 17 00:00:00 2001
From: "Todd C. Miller" <Todd.Miller@sudo.ws>
Date: Thu, 9 Jun 2022 07:34:55 -0600
Subject: [PATCH] Fix regression with zero-length messages introduced in
protobuf-c PR 500.
---
lib/protobuf-c/protobuf-c.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/protobuf-c/protobuf-c.c b/lib/protobuf-c/protobuf-c.c
index 9d56e1fec..3cc22c5f0 100644
--- a/lib/protobuf-c/protobuf-c.c
+++ b/lib/protobuf-c/protobuf-c.c
@@ -2618,7 +2618,7 @@ parse_required_member(ScannedMember *scanned_member,
return FALSE;
def_mess = scanned_member->field->default_value;
- if (len > pref_len) {
+ if (len >= pref_len) {
subm = protobuf_c_message_unpack(scanned_member->field->descriptor,
allocator,
len - pref_len,
--
2.33.0

29
backport-Fix-typo-we-should-define-SSIZE_MAX-if-it-is-not-def.patch
View File

@ -1,29 +0,0 @@
From 169e049821a68449b1c73918f13765ea1142b7f0 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller" <Todd.Miller@sudo.ws>
Date: Fri, 10 Jun 2022 09:34:33 -0600
Subject: [PATCH] =?UTF-8?q?Fix=20typo,=20we=20should=20define=20SSIZE=5FMA?=
=?UTF-8?q?X=C2=A0if=20it=20is=20not=20defined.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
include/sudo_compat.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/sudo_compat.h b/include/sudo_compat.h
index d62dea7d6..ee3c22962 100644
--- a/include/sudo_compat.h
+++ b/include/sudo_compat.h
@@ -157,7 +157,7 @@
#endif
#if defined(HAVE_DECL_SSIZE_MAX) && !HAVE_DECL_SSIZE_MAX
-# define SIZE_MAX LONG_MAX
+# define SSIZE_MAX LONG_MAX
#endif
#if defined(HAVE_DECL_PATH_MAX) && !HAVE_DECL_PATH_MAX
--
2.33.0

25
backport-cvtsudoers-Prevent-sudo-from-reading-into-undefined-.patch
View File

@ -1,25 +0,0 @@
From 902271f441f61506392588fc26db992e64ae4ecd Mon Sep 17 00:00:00 2001
From: Sohom <sohom.datta@learner.manipal.edu>
Date: Wed, 9 Nov 2022 23:20:12 +0530
Subject: [PATCH] [cvtsudoers]: Prevent sudo from reading into undefined memory
---
plugins/sudoers/parse_ldif.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/sudoers/parse_ldif.c b/plugins/sudoers/parse_ldif.c
index 6c2b74aa0..5d2a79163 100644
--- a/plugins/sudoers/parse_ldif.c
+++ b/plugins/sudoers/parse_ldif.c
@@ -688,7 +688,7 @@ sudoers_parse_ldif(struct sudoers_parse_tree *parse_tree,
if (strncasecmp(attr, "cn=", 3) == 0) {
for (attr += 3; *attr != '\0'; attr++) {
/* Handle escaped ',' chars. */
- if (*attr == '\\')
+ if (*attr == '\\' && attr[1] != '\0')
attr++;
if (*attr == ',') {
attr++;
--
2.27.0

88
backport-sudo_ldap_parse_options-fix-memory-leak-of-sudoRole-.patch
View File

@ -1,88 +0,0 @@
From 22a01410bdac0ead284e0611b7814a56973a860a Mon Sep 17 00:00:00 2001
From: "Todd C. Miller" <Todd.Miller@sudo.ws>
Date: Thu, 24 Feb 2022 07:56:38 -0700
Subject: [PATCH] sudo_ldap_parse_options: fix memory leak of sudoRole cn
string. Coverity CID 249976
---
plugins/sudoers/ldap.c | 41 ++++++++++++++++++-----------------------
1 file changed, 18 insertions(+), 23 deletions(-)
diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c
index e3c47b9bc..13e74160b 100644
--- a/plugins/sudoers/ldap.c
+++ b/plugins/sudoers/ldap.c
@@ -421,38 +421,31 @@ sudo_ldap_get_first_rdn(LDAP *ld, LDAPMessage *entry, int *rc)
static bool
sudo_ldap_parse_options(LDAP *ld, LDAPMessage *entry, struct defaults_list *defs)
{
- struct berval **bv, **p;
- char *cn, *cp, *source = NULL;
+ struct berval **p, **bv = NULL;
+ char *cp, *cn = NULL, *source = NULL;
bool ret = false;
int rc;
debug_decl(sudo_ldap_parse_options, SUDOERS_DEBUG_LDAP);
bv = sudo_ldap_get_values_len(ld, entry, "sudoOption", &rc);
if (bv == NULL) {
- if (rc == LDAP_NO_MEMORY) {
- sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
- debug_return_bool(false);
- }
+ if (rc == LDAP_NO_MEMORY)
+ goto oom;
debug_return_bool(true);
}
/* Use sudoRole in place of file name in defaults. */
cn = sudo_ldap_get_first_rdn(ld, entry, &rc);
if (cn == NULL) {
- if (rc == LDAP_NO_MEMORY) {
- sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
- goto done;
- }
- }
- if (asprintf(&cp, "sudoRole %s", cn ? cn : "UNKNOWN") == -1) {
- sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
- goto done;
- }
- if ((source = sudo_rcstr_dup(cp)) == NULL) {
- sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
- free(cp);
- goto done;
+ if (rc == LDAP_NO_MEMORY)
+ goto oom;
}
+ if (asprintf(&cp, "sudoRole %s", cn ? cn : "UNKNOWN") == -1)
+ goto oom;
+ source = sudo_rcstr_dup(cp);
+ free(cp);
+ if (source == NULL)
+ goto oom;
/* Walk through options, appending to defs. */
for (p = bv; *p != NULL; p++) {
@@ -460,13 +453,15 @@ sudo_ldap_parse_options(LDAP *ld, LDAPMessage *entry, struct defaults_list *defs
int op;
op = sudo_ldap_parse_option((*p)->bv_val, &var, &val);
- if (!append_default(var, val, op, source, defs)) {
- sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
- goto done;
- }
+ if (!append_default(var, val, op, source, defs))
+ goto oom;
}
ret = true;
+ goto done;
+
+oom:
+ sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
done:
sudo_rcstr_delref(source);
--
2.33.0

35
backport-sudo_passwd_cleanup-Set-auth-data-to-NULL-after-free.patch
View File

@ -1,35 +0,0 @@
From b3834bbf248f3376ada8fc44166cba38c8ad4bcf Mon Sep 17 00:00:00 2001
From: "Todd C. Miller" <Todd.Miller@sudo.ws>
Date: Thu, 17 Nov 2022 08:10:35 -0700
Subject: [PATCH] sudo_passwd_cleanup: Set auth->data to NULL after freeing.
GitHub issue #201
---
plugins/sudoers/auth/passwd.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/plugins/sudoers/auth/passwd.c b/plugins/sudoers/auth/passwd.c
index 89da96ff6..6967e4fff 100644
--- a/plugins/sudoers/auth/passwd.c
+++ b/plugins/sudoers/auth/passwd.c
@@ -117,11 +117,14 @@ sudo_passwd_verify(struct passwd *pw, const char *pass, sudo_auth *auth, struct
int
sudo_passwd_cleanup(struct passwd *pw, sudo_auth *auth, bool force)
{
- char *pw_epasswd = auth->data;
debug_decl(sudo_passwd_cleanup, SUDOERS_DEBUG_AUTH);
- if (pw_epasswd != NULL)
- freezero(pw_epasswd, strlen(pw_epasswd));
+ if (auth->data != NULL) {
+ /* Zero out encrypted password before freeing. */
+ size_t len = strlen((char *)auth->data);
+ freezero(auth->data, len);
+ auth->data = NULL;
+ }
debug_return_int(AUTH_SUCCESS);
}
--
2.27.0

25
backport-sudo_passwd_verify-zero-out-des_pass-before-returnin.patch
View File

@ -1,25 +0,0 @@
From 9f948224acb911cbec1ed9041887c1fe62c59877 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller" <Todd.Miller@sudo.ws>
Date: Tue, 8 Nov 2022 13:17:11 -0700
Subject: [PATCH] sudo_passwd_verify: zero out des_pass before returning.
---
plugins/sudoers/auth/passwd.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/plugins/sudoers/auth/passwd.c b/plugins/sudoers/auth/passwd.c
index 636c07bab..89da96ff6 100644
--- a/plugins/sudoers/auth/passwd.c
+++ b/plugins/sudoers/auth/passwd.c
@@ -95,6 +95,8 @@ sudo_passwd_verify(struct passwd *pw, const char *pass, sudo_auth *auth, struct
matched = !strcmp(pw_epasswd, epass);
}
+ explicit_bzero(des_pass, sizeof(des_pass));
+
debug_return_int(matched ? AUTH_SUCCESS : AUTH_FAILURE);
}
#else
--
2.33.0

29
backport-sudo_rcstr_dup-Fix-potential-NULL-pointer-deref.patch
View File

@ -1,29 +0,0 @@
From dbfd84301a9316018f7c5e42ff5b3a19dd13e5c5 Mon Sep 17 00:00:00 2001
From: modric <pioneerbtw7@163.com>
Date: Tue, 22 Nov 2022 10:12:29 +0800
Subject: [PATCH] sudo_rcstr_dup: Fix potential NULL pointer deref
---
lib/util/rcstr.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/lib/util/rcstr.c b/lib/util/rcstr.c
index d990a99e9..08b00bcd7 100644
--- a/lib/util/rcstr.c
+++ b/lib/util/rcstr.c
@@ -49,8 +49,10 @@ sudo_rcstr_dup(const char *src)
debug_decl(sudo_rcstr_dup, SUDO_DEBUG_UTIL);
dst = sudo_rcstr_alloc(len);
- memcpy(dst, src, len);
- dst[len] = '\0';
+ if (dst != NULL) {
+ memcpy(dst, src, len);
+ dst[len] = '\0';
+ }
debug_return_ptr(dst);
}
--
2.27.0

BIN
sudo-1.9.12p2.tar.gz Normal file
View File

Binary file not shown.

BIN
sudo-1.9.8p2.tar.gz
View File

Binary file not shown.

35
sudo.spec
View File

@ -1,34 +1,15 @@
Name: sudo
Version: 1.9.8p2
Release: 8
Version: 1.9.12p2
Release: 1
Summary: Allows restricted root access for specified users
License: ISC
URL: http://www.courtesan.com/sudo/
URL: https://www.sudo.ws
Source0: https://www.sudo.ws/dist/%{name}-%{version}.tar.gz
Source1: sudoers
Source2: sudo
Source3: sudo-i
Patch0: backport-0001-CVE-2022-37434.patch
Patch1: backport-0002-CVE-2022-37434.patch
Patch2: backport-CVE-2022-33070.patch
Patch3: backport-Fix-CVE-2022-43995-potential-heap-overflow-for-passwords.patch
Patch4: backport-Fix-incorrect-SHA384-512-digest-calculation.patch
Patch5: backport-sudo_passwd_verify-zero-out-des_pass-before-returnin.patch
Patch6: backport-Fix-issue-protobuf-c-499-unsigned-integer-overflow.patch
Patch7: backport-Fix-regression-with-zero-length-messages-introduced-.patch
Patch8: backport-Fix-typo-we-should-define-SSIZE_MAX-if-it-is-not-def.patch
Patch9: backport-Fix-a-clang-analyzer-14-warning-about-a-possible-NUL.patch
Patch10: backport-Fix-potential-signed-integer-overflow-on-32-bit-CPUs.patch
Patch11: backport-sudo_ldap_parse_options-fix-memory-leak-of-sudoRole-.patch
Patch12: backport-cvtsudoers-Prevent-sudo-from-reading-into-undefined-.patch
Patch13: backport-Fix-a-potential-use-after-free-bug-with-cvtsudoers-f.patch
Patch14: backport-Fix-memory-leak-of-pass-in-converse.patch
Patch15: backport-sudo_passwd_cleanup-Set-auth-data-to-NULL-after-free.patch
Patch16: backport-sudo_rcstr_dup-Fix-potential-NULL-pointer-deref.patch
Patch17: backport-CVE-2023-22809.patch
Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Requires: pam
Recommends: vim-minimal
@ -40,7 +21,7 @@ BuildRequires: chrpath
%description
Sudo is a program designed to allow a sysadmin to give limited root privileges
to users and log root activity. The basic philosophy is to give as few
to users and log root activity. The basic philosophy is to give as few
privileges as possible but still allow people to get their work done.
%package devel
@ -91,7 +72,7 @@ make check
rm -rf $RPM_BUILD_ROOT
%make_install install_uid=`id -u` install_gid=`id -g` sudoers_uid=`id -u` sudoers_gid=`id -g`
chmod 755 $RPM_BUILD_ROOT%{_bindir}/* $RPM_BUILD_ROOT%{_sbindir}/*
chmod 755 $RPM_BUILD_ROOT%{_bindir}/* $RPM_BUILD_ROOT%{_sbindir}/*
install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo
install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo/lectured
install -p -d -m 750 $RPM_BUILD_ROOT/etc/sudoers.d
@ -146,7 +127,6 @@ install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT/etc/pam.d/sudo-i
%attr(0644,root,root) %{_libexecdir}/sudo/group_file.so
%attr(0644,root,root) %{_libexecdir}/sudo/system_group.so
%attr(0644,root,root) %{_libexecdir}/sudo/audit_json.so
%attr(0644,root,root) %{_libexecdir}/sudo/sample_approval.so
%attr(0644,root,root) %{_libexecdir}/sudo/libsudo_util.so*
%dir /var/db/sudo
%dir /var/db/sudo/lectured
@ -154,7 +134,7 @@ install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT/etc/pam.d/sudo-i
%config(noreplace) /etc/pam.d/sudo
%config(noreplace) /etc/pam.d/sudo-i
%config(noreplace) /etc/ld.so.conf.d/*
%license doc/LICENSE
%license LICENSE.md
%files devel
%{_includedir}/sudo_plugin.h
@ -169,6 +149,9 @@ install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT/etc/pam.d/sudo-i
%exclude %{_pkgdocdir}/ChangeLog
%changelog
* Tue Jan 31 2023 wangyu <wangyu283@huawei.com> - 1.9.12p2-1
- Upgrade to 1.9.12p2
* Thu Jan 19 2023 houmingyong<houmingyong@huawei.com> - 1.9.8p2-8
- Fix CVE-2023-22809