Backport patches from upstream community

backport-Fix-a-clang-analyzer-14-warning-about-a-possible-NUL.patch

@@ -0,0 +1,26 @@
+From bfc6249902d842626058e74074832930feaf2f80 Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller" <Todd.Miller@sudo.ws>
+Date: Wed, 29 Jun 2022 11:18:16 -0600
+Subject: [PATCH] Fix a clang analyzer 14 warning about a possible NULL deref.
+
+---
+ lib/protobuf-c/protobuf-c.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/lib/protobuf-c/protobuf-c.c b/lib/protobuf-c/protobuf-c.c
+index 3cc22c5f0..9ee355df5 100644
+--- a/lib/protobuf-c/protobuf-c.c
++++ b/lib/protobuf-c/protobuf-c.c
+@@ -3246,6 +3246,9 @@ protobuf_c_message_unpack(const ProtobufCMessageDescriptor *desc,
+ 	/* allocate space for repeated fields, also check that all required fields have been set */
+ 	for (f = 0; f < desc->n_fields; f++) {
+ 		const ProtobufCFieldDescriptor *field = desc->fields + f;
++		if (field == NULL) {
++			continue;
++		}
+ 		if (field->label == PROTOBUF_C_LABEL_REPEATED) {
+ 			size_t siz =
+ 			    sizeof_elt_in_repeated_array(field->type);
+-- 
+2.33.0
+

backport-Fix-issue-protobuf-c-499-unsigned-integer-overflow.patch

@@ -0,0 +1,37 @@
+From 263fdc6b067bd892df654377c0ea051289fce33f Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller" <Todd.Miller@sudo.ws>
+Date: Mon, 6 Jun 2022 20:15:03 -0600
+Subject: [PATCH] Fix issue protobuf-c#499: unsigned integer overflow
+ Signed-off-by: 10054172 <hui.zhang@thalesgroup.com>
+
+---
+ lib/protobuf-c/protobuf-c.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/lib/protobuf-c/protobuf-c.c b/lib/protobuf-c/protobuf-c.c
+index 96b750650..73e120046 100644
+--- a/lib/protobuf-c/protobuf-c.c
++++ b/lib/protobuf-c/protobuf-c.c
+@@ -2619,11 +2619,14 @@ parse_required_member(ScannedMember *scanned_member,
+ 			return FALSE;
+ 
+ 		def_mess = scanned_member->field->default_value;
+-		subm = protobuf_c_message_unpack(scanned_member->field->descriptor,
+-						 allocator,
+-						 len - pref_len,
+-						 data + pref_len);
+-
++		if (len > pref_len) {
++			subm = protobuf_c_message_unpack(scanned_member->field->descriptor,
++							 allocator,
++							 len - pref_len,
++							 data + pref_len);
++		} else {
++			subm = NULL;
++		}
+ 		if (maybe_clear &&
+ 		    *pmessage != NULL &&
+ 		    *pmessage != def_mess)
+-- 
+2.33.0
+

backport-Fix-potential-signed-integer-overflow-on-32-bit-CPUs.patch

@@ -0,0 +1,71 @@
+From dc8311dae99c2e6d60ecd3db6730fe84c6fe9d5b Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller" <Todd.Miller@sudo.ws>
+Date: Fri, 27 May 2022 15:47:32 -0600
+Subject: [PATCH] Fix potential signed integer overflow on 32-bit CPUs.
+ Converting fractional minutes to nanoseconds could overflow a 32-bit integer,
+ use long long instead.
+
+---
+ plugins/sudoers/defaults.c | 28 ++++++++++++++--------------
+ 1 file changed, 14 insertions(+), 14 deletions(-)
+
+diff --git a/plugins/sudoers/defaults.c b/plugins/sudoers/defaults.c
+index d5bd8080d..ec6b64fe9 100644
+--- a/plugins/sudoers/defaults.c
++++ b/plugins/sudoers/defaults.c
+@@ -935,38 +935,38 @@ store_timespec(const char *str, struct sudo_defs_types *def)
+ 
+     sudo_timespecclear(&ts);
+     if (str != NULL) {
+-	/* Convert from minutes to timespec. */
++	/* Convert from minutes to seconds. */
+ 	if (*str == '+' || *str == '-')
+ 	    sign = *str++;
+ 	while (*str != '\0' && *str != '.') {
+ 		if (!isdigit((unsigned char)*str))
+ 		    debug_return_bool(false);	/* invalid number */
+ 
+-		/* Verify (ts.tv_sec * 10) + digit <= TIME_T_MAX. */
+-		i = *str++ - '0';
++		/* Verify (ts.tv_sec * 10) + (digit * 60) <= TIME_T_MAX. */
++		i = (*str++ - '0') * 60L;
+ 		if (ts.tv_sec > (TIME_T_MAX - i) / 10)
+ 		    debug_return_bool(false);	/* overflow */
+ 		ts.tv_sec *= 10;
+ 		ts.tv_sec += i;
+ 	}
+ 	if (*str++ == '.') {
+-	    /* Convert optional fractional component to nanosecs. */
++	    long long nsec = 0;
++
++	    /* Convert optional fractional component to seconds and nanosecs. */
+ 	    for (i = 100000000; i > 0; i /= 10) {
+ 		if (*str == '\0')
+ 		    break;
+ 		if (!isdigit((unsigned char)*str))
+ 		    debug_return_bool(false);	/* invalid number */
+-		ts.tv_nsec += i * (*str++ - '0');
++		nsec += i * (*str++ - '0') * 60LL;
+ 	    }
+-	}
+-	/* Convert from minutes to seconds. */
+-	if (ts.tv_sec > TIME_T_MAX / 60)
+-	    debug_return_bool(false);	/* overflow */
+-	ts.tv_sec *= 60;
+-	ts.tv_nsec *= 60;
+-	while (ts.tv_nsec >= 1000000000) {
+-	    ts.tv_sec++;
+-	    ts.tv_nsec -= 1000000000;
++	    while (nsec >= 1000000000) {
++		if (ts.tv_sec == TIME_T_MAX)
++		    debug_return_bool(false);	/* overflow */
++		ts.tv_sec++;
++		nsec -= 1000000000;
++	    }
++	    ts.tv_nsec = nsec;
+ 	}
+     }
+     if (sign == '-') {
+-- 
+2.33.0
+

backport-Fix-regression-with-zero-length-messages-introduced-.patch

@@ -0,0 +1,26 @@
+From b6a6451482a3ff5e30f43ef888159d4b0d39143b Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller" <Todd.Miller@sudo.ws>
+Date: Thu, 9 Jun 2022 07:34:55 -0600
+Subject: [PATCH] Fix regression with zero-length messages introduced in
+ protobuf-c PR 500.
+
+---
+ lib/protobuf-c/protobuf-c.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/protobuf-c/protobuf-c.c b/lib/protobuf-c/protobuf-c.c
+index 9d56e1fec..3cc22c5f0 100644
+--- a/lib/protobuf-c/protobuf-c.c
++++ b/lib/protobuf-c/protobuf-c.c
+@@ -2618,7 +2618,7 @@ parse_required_member(ScannedMember *scanned_member,
+ 			return FALSE;
+ 
+ 		def_mess = scanned_member->field->default_value;
+-		if (len > pref_len) {
++		if (len >= pref_len) {
+ 			subm = protobuf_c_message_unpack(scanned_member->field->descriptor,
+ 							 allocator,
+ 							 len - pref_len,
+-- 
+2.33.0
+

backport-Fix-typo-we-should-define-SSIZE_MAX-if-it-is-not-def.patch

@@ -0,0 +1,29 @@
+From 169e049821a68449b1c73918f13765ea1142b7f0 Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller" <Todd.Miller@sudo.ws>
+Date: Fri, 10 Jun 2022 09:34:33 -0600
+Subject: [PATCH] =?UTF-8?q?Fix=20typo,=20we=20should=20define=20SSIZE=5FMA?=
+ =?UTF-8?q?X=C2=A0if=20it=20is=20not=20defined.?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+---
+ include/sudo_compat.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/sudo_compat.h b/include/sudo_compat.h
+index d62dea7d6..ee3c22962 100644
+--- a/include/sudo_compat.h
++++ b/include/sudo_compat.h
+@@ -157,7 +157,7 @@
+ #endif
+ 
+ #if defined(HAVE_DECL_SSIZE_MAX) && !HAVE_DECL_SSIZE_MAX
+-# define SIZE_MAX	LONG_MAX
++# define SSIZE_MAX	LONG_MAX
+ #endif
+ 
+ #if defined(HAVE_DECL_PATH_MAX) && !HAVE_DECL_PATH_MAX
+-- 
+2.33.0
+

backport-sudo_ldap_parse_options-fix-memory-leak-of-sudoRole-.patch

@@ -0,0 +1,88 @@
+From 22a01410bdac0ead284e0611b7814a56973a860a Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller" <Todd.Miller@sudo.ws>
+Date: Thu, 24 Feb 2022 07:56:38 -0700
+Subject: [PATCH] sudo_ldap_parse_options: fix memory leak of sudoRole cn
+ string. Coverity CID 249976
+
+---
+ plugins/sudoers/ldap.c | 41 ++++++++++++++++++-----------------------
+ 1 file changed, 18 insertions(+), 23 deletions(-)
+
+diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c
+index e3c47b9bc..13e74160b 100644
+--- a/plugins/sudoers/ldap.c
++++ b/plugins/sudoers/ldap.c
+@@ -421,38 +421,31 @@ sudo_ldap_get_first_rdn(LDAP *ld, LDAPMessage *entry, int *rc)
+ static bool
+ sudo_ldap_parse_options(LDAP *ld, LDAPMessage *entry, struct defaults_list *defs)
+ {
+-    struct berval **bv, **p;
+-    char *cn, *cp, *source = NULL;
++    struct berval **p, **bv = NULL;
++    char *cp, *cn = NULL, *source = NULL;
+     bool ret = false;
+     int rc;
+     debug_decl(sudo_ldap_parse_options, SUDOERS_DEBUG_LDAP);
+ 
+     bv = sudo_ldap_get_values_len(ld, entry, "sudoOption", &rc);
+     if (bv == NULL) {
+-	if (rc == LDAP_NO_MEMORY) {
+-	    sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+-	    debug_return_bool(false);
+-	}
++	if (rc == LDAP_NO_MEMORY)
++	    goto oom;
+ 	debug_return_bool(true);
+     }
+ 
+     /* Use sudoRole in place of file name in defaults. */
+     cn = sudo_ldap_get_first_rdn(ld, entry, &rc);
+     if (cn == NULL) {
+-	if (rc == LDAP_NO_MEMORY) {
+-	    sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+-	    goto done;
+-	}
+-    }
+-    if (asprintf(&cp, "sudoRole %s", cn ? cn : "UNKNOWN") == -1) {
+-	sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+-	goto done;
+-    }
+-    if ((source = sudo_rcstr_dup(cp)) == NULL) {
+-	sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+-	free(cp);
+-	goto done;
++	if (rc == LDAP_NO_MEMORY)
++	    goto oom;
+     }
++    if (asprintf(&cp, "sudoRole %s", cn ? cn : "UNKNOWN") == -1)
++	goto oom;
++    source = sudo_rcstr_dup(cp);
++    free(cp);
++    if (source == NULL)
++	goto oom;
+ 
+     /* Walk through options, appending to defs. */
+     for (p = bv; *p != NULL; p++) {
+@@ -460,13 +453,15 @@ sudo_ldap_parse_options(LDAP *ld, LDAPMessage *entry, struct defaults_list *defs
+ 	int op;
+ 
+ 	op = sudo_ldap_parse_option((*p)->bv_val, &var, &val);
+-	if (!append_default(var, val, op, source, defs)) {
+-	    sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+-	    goto done;
+-	}
++	if (!append_default(var, val, op, source, defs))
++	    goto oom;
+     }
+ 
+     ret = true;
++    goto done;
++
++oom:
++    sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+ 
+ done:
+     sudo_rcstr_delref(source);
+-- 
+2.33.0
+

sudo.spec

@@ -1,6 +1,6 @@
 Name: sudo
 Version: 1.9.8p2
-Release: 5
+Release: 6
 Summary: Allows restricted root access for specified users
 License: ISC
 URL: http://www.courtesan.com/sudo/
@@ -16,6 +16,12 @@ Patch2: backport-CVE-2022-33070.patch
 Patch3: backport-Fix-CVE-2022-43995-potential-heap-overflow-for-passwords.patch
 Patch4: backport-Fix-incorrect-SHA384-512-digest-calculation.patch
 Patch5: backport-sudo_passwd_verify-zero-out-des_pass-before-returnin.patch
+Patch6: backport-Fix-issue-protobuf-c-499-unsigned-integer-overflow.patch
+Patch7: backport-Fix-regression-with-zero-length-messages-introduced-.patch
+Patch8: backport-Fix-typo-we-should-define-SSIZE_MAX-if-it-is-not-def.patch
+Patch9: backport-Fix-a-clang-analyzer-14-warning-about-a-possible-NUL.patch
+Patch10: backport-Fix-potential-signed-integer-overflow-on-32-bit-CPUs.patch
+Patch11: backport-sudo_ldap_parse_options-fix-memory-leak-of-sudoRole-.patch
 
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Requires: pam
@@ -157,6 +163,9 @@ install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT/etc/pam.d/sudo-i
 %exclude %{_pkgdocdir}/ChangeLog
 
 %changelog
+* Fri Nov 25 2022 wangyu <wangyu283@huawei.com> - 1.9.8p2-6
+- Backport patches from upstream community
+
 * Wed Nov 23 2022 wangyu <wangyu283@huawei.com> - 1.9.8p2-5
 - Backport patches from upstream community