!75 Upgrade to 1.9.12p2

From: @BornThisWay Reviewed-by: @HuaxinLuGitee Signed-off-by: @HuaxinLuGitee
2023-01-31 12:59:52 +00:00 · 2023-01-31 12:59:52 +00:00 · f26cc37d25
commit f26cc37d25
parent 71701de75f 607954622d
21 changed files with 9 additions and 847 deletions
--- a/backport-0001-CVE-2022-37434.patch
+++ b/backport-0001-CVE-2022-37434.patch
@ -1,35 +0,0 @@
 From eff308af425b67093bab25f80f1ae950166bece1 Mon Sep 17 00:00:00 2001
 From: Mark Adler <fork@madler.net>
 Date: Sat, 30 Jul 2022 15:51:11 -0700
 Subject: [PATCH] Fix a bug when getting a gzip header extra field with
 inflate().
 If the extra field was larger than the space the user provided with
 inflateGetHeader(), and if multiple calls of inflate() delivered
 the extra header data, then there could be a buffer overflow of the
 provided space. This commit assures that provided space is not
 exceeded.
 ---
 inflate.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
 diff --git a/lib/zlib/inflate.c b/lib/zlib/inflate.c
 index 2a0ac30..95a38f5 100644
 --- a/lib/zlib/inflate.c
 +++ b/lib/zlib/inflate.c
@@ -765,9 +765,10 @@ int flush;
                 copy = state->length;
                 if (copy > have) copy = have;
                 if (copy) {
 +                    len = state->head->extra_len - state->length;
                     if (state->head != Z_NULL &&
 -                        state->head->extra != Z_NULL) {
 -                        len = state->head->extra_len - state->length;
 +                        state->head->extra != Z_NULL &&
 +                        len < state->head->extra_max) {
                         zmemcpy(state->head->extra + len, next,
                                 len + copy > state->head->extra_max ?
                                 state->head->extra_max - len : copy);
 -- 
 2.27.0
--- a/backport-0002-CVE-2022-37434.patch
+++ b/backport-0002-CVE-2022-37434.patch
@ -1,32 +0,0 @@
 From 1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d Mon Sep 17 00:00:00 2001
 From: Mark Adler <fork@madler.net>
 Date: Mon, 8 Aug 2022 10:50:09 -0700
 Subject: [PATCH] Fix extra field processing bug that dereferences NULL
 state->head.
 The recent commit to fix a gzip header extra field processing bug
 introduced the new bug fixed here.
 ---
 inflate.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/lib/zlib/inflate.c b/lib/zlib/inflate.c
 index 95a38f5..9c5934e 100644
 --- a/lib/zlib/inflate.c
 +++ b/lib/zlib/inflate.c
@@ -765,10 +765,10 @@ int flush;
                 copy = state->length;
                 if (copy > have) copy = have;
                 if (copy) {
 -                    len = state->head->extra_len - state->length;
                     if (state->head != Z_NULL &&
                         state->head->extra != Z_NULL &&
 -                        len < state->head->extra_max) {
 +                        (len = state->head->extra_len - state->length) <
 +                            state->head->extra_max) {
                         zmemcpy(state->head->extra + len, next,
                                 len + copy > state->head->extra_max ?
                                 state->head->extra_max - len : copy);
 -- 
 2.27.0
--- a/backport-CVE-2022-33070.patch
+++ b/backport-CVE-2022-33070.patch
@ -1,73 +0,0 @@
 diff -Naru a/lib/protobuf-c/protobuf-c.c b/lib/protobuf-c/protobuf-c.c
 --- a/lib/protobuf-c/protobuf-c.c
 +++ b/lib/protobuf-c/protobuf-c.c
@@ -316,9 +316,8 @@
 static inline uint32_t
 zigzag32(int32_t v)
 {
 -	// Note:  the right-shift must be arithmetic
 -	// Note:  left shift must be unsigned because of overflow
 -	return ((uint32_t)(v) << 1) ^ (uint32_t)(v >> 31);
 +	// Note:  Using unsigned types prevents undefined behavior
 +	return ((uint32_t)v << 1) ^ -((uint32_t)v >> 31);
 }
 /**
@@ -380,9 +379,8 @@
 static inline uint64_t
 zigzag64(int64_t v)
 {
 -	// Note:  the right-shift must be arithmetic
 -	// Note:  left shift must be unsigned because of overflow
 -	return ((uint64_t)(v) << 1) ^ (uint64_t)(v >> 63);
 +	// Note:  Using unsigned types prevents undefined behavior
 +	return ((uint64_t)v << 1) ^ -((uint64_t)v >> 63);
 }
 /**
@@ -802,7 +800,8 @@
 }
 /**
 - * Pack a signed 32-bit integer and return the number of bytes written.
 + * Pack a signed 32-bit integer and return the number of bytes written,
 + * passed as unsigned to avoid implementation-specific behavior.
  * Negative numbers are encoded as two's complement 64-bit integers.
  *
  * \param value
@@ -813,14 +812,14 @@
  *      Number of bytes written to `out`.
  */
 static inline size_t
 -int32_pack(int32_t value, uint8_t *out)
 +int32_pack(uint32_t value, uint8_t *out)
 {
 -	if (value < 0) {
 +	if ((int32_t)value < 0) {
 		out[0] = value | 0x80;
 		out[1] = (value >> 7) | 0x80;
 		out[2] = (value >> 14) | 0x80;
 		out[3] = (value >> 21) | 0x80;
 -		out[4] = (value >> 28) | 0x80;
 +		out[4] = (value >> 28) | 0xf0;
 		out[5] = out[6] = out[7] = out[8] = 0xff;
 		out[9] = 0x01;
 		return 10;
@@ -2425,7 +2424,7 @@
 unzigzag32(uint32_t v)
 {
 	// Note:  Using unsigned types prevents undefined behavior
 -	return (int32_t)((v >> 1) ^ (~(v & 1) + 1));
 +	return (int32_t)((v >> 1) ^ -(v & 1));
 }
 static inline uint32_t
@@ -2467,7 +2466,7 @@
 unzigzag64(uint64_t v)
 {
 	// Note:  Using unsigned types prevents undefined behavior
 -	return (int64_t)((v >> 1) ^ (~(v & 1) + 1));
 +	return (int64_t)((v >> 1) ^ -(v & 1));
 }
 static inline uint64_t
--- a/backport-CVE-2023-22809.patch
+++ b/backport-CVE-2023-22809.patch
@ -1,143 +0,0 @@
 From 0274a4f3b403162a37a10f199c989f3727ed3ad4 Mon Sep 17 00:00:00 2001
 From: "Todd C. Miller" <Todd.Miller@sudo.ws>
 Date: Thu, 12 Jan 2023 15:55:27 -0700
 Subject: [PATCH] sudoedit: do not permit editor arguments to include "--"
 (CVE-2023-22809) We use "--" to separate the editor and arguments from the
 files to edit. If the editor arguments include "--", sudo can be tricked into
 allowing the user to edit a file not permitted by the security policy. Thanks
 to Matthieu Barjole and Victor Cutillas of Synacktiv (https://synacktiv.com)
 for finding this bug.
 Reference:https://github.com/sudo-project/sudo/commit/0274a4f3b403162a37a10f199c989f3727ed3ad4
 Conflict:NA
 ---
 plugins/sudoers/editor.c  | 19 ++++++++++++++-----
 plugins/sudoers/sudoers.c | 25 ++++++++++++++++++-------
 plugins/sudoers/visudo.c  |  8 ++++++--
 3 files changed, 38 insertions(+), 14 deletions(-)
 diff --git a/plugins/sudoers/editor.c b/plugins/sudoers/editor.c
 index 5ca4eb0af..6d988ff68 100644
 --- a/plugins/sudoers/editor.c
 +++ b/plugins/sudoers/editor.c
@@ -133,7 +133,7 @@ resolve_editor(const char *ed, size_t edlen, int nfiles, char * const *files,
     const char *tmp, *cp, *ep = NULL;
     const char *edend = ed + edlen;
     struct stat user_editor_sb;
 -    int nargc;
 +    int nargc = 0;
     debug_decl(resolve_editor, SUDOERS_DEBUG_UTIL);
     /*
@@ -151,10 +151,7 @@ resolve_editor(const char *ed, size_t edlen, int nfiles, char * const *files,
     /* If we can't find the editor in the user's PATH, give up. */
     if (find_path(editor, &editor_path, &user_editor_sb, getenv("PATH"), NULL,
 	    0, allowlist) != FOUND) {
 -	sudoers_gc_remove(GC_PTR, editor);
 -	free(editor);
 -	errno = ENOENT;
 -	debug_return_str(NULL);
 +	goto bad;
     }
     /* Count rest of arguments and allocate editor argv. */
@@ -175,6 +172,17 @@ resolve_editor(const char *ed, size_t edlen, int nfiles, char * const *files,
 	nargv[nargc] = copy_arg(cp, ep - cp);
 	if (nargv[nargc] == NULL)
 	    goto oom;
 +
 +	/*
 +	 * We use "--" to separate the editor and arguments from the files
 +	 * to edit.  The editor arguments themselves may not contain "--".
 +	 */
 +	if (strcmp(nargv[nargc], "--") == 0) {
 +	    sudo_warnx(U_("ignoring editor: %.*s"), (int)edlen, ed);
 +	    sudo_warnx("%s", U_("editor arguments may not contain \"--\""));
 +	    errno = EINVAL;
 +	    goto bad;
 +	}
     }
     if (nfiles != 0) {
 	nargv[nargc++] = "--";
@@ -188,6 +196,7 @@ resolve_editor(const char *ed, size_t edlen, int nfiles, char * const *files,
     debug_return_str(editor_path);
 oom:
     sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
 +bad:
     sudoers_gc_remove(GC_PTR, editor);
     free(editor);
     free(editor_path);
 diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c
 index 7b97340ac..1f22853ff 100644
 --- a/plugins/sudoers/sudoers.c
 +++ b/plugins/sudoers/sudoers.c
@@ -759,21 +759,32 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
     /* Note: must call audit before uid change. */
     if (ISSET(sudo_mode, MODE_EDIT)) {
 +	const char *env_editor = NULL;
 	char **edit_argv;
 	int edit_argc;
 -	const char *env_editor;
 	free(safe_cmnd);
 	safe_cmnd = find_editor(NewArgc - 1, NewArgv + 1, &edit_argc,
 	    &edit_argv, NULL, &env_editor, false);
 	if (safe_cmnd == NULL) {
 -	    if (errno != ENOENT)
 +	    switch (errno) {
 +	    case ENOENT:
 +		audit_failure(NewArgv, N_("%s: command not found"),
 +		    env_editor ? env_editor : def_editor);
 +		sudo_warnx(U_("%s: command not found"),
 +		    env_editor ? env_editor : def_editor);
 +		goto bad;
 +	    case EINVAL:
 +		if (def_env_editor && env_editor != NULL) {
 +		    /* User tried to do something funny with the editor. */
 +		    log_warningx(SLOG_NO_STDERR|SLOG_AUDIT|SLOG_SEND_MAIL,
 +			"invalid user-specified editor: %s", env_editor);
 +		    goto bad;
 +		}
 +		FALLTHROUGH;
 +	    default:
 		goto done;
 -	    audit_failure(NewArgv, N_("%s: command not found"),
 -		env_editor ? env_editor : def_editor);
 -	    sudo_warnx(U_("%s: command not found"),
 -		env_editor ? env_editor : def_editor);
 -	    goto bad;
 +	    }
 	}
 	/* find_editor() already g/c'd edit_argv[] */
 	sudoers_gc_remove(GC_PTR, NewArgv);
 diff --git a/plugins/sudoers/visudo.c b/plugins/sudoers/visudo.c
 index 82f7f9e56..425071afd 100644
 --- a/plugins/sudoers/visudo.c
 +++ b/plugins/sudoers/visudo.c
@@ -301,7 +301,7 @@ static char *
 get_editor(int *editor_argc, char ***editor_argv)
 {
     char *editor_path = NULL, **allowlist = NULL;
 -    const char *env_editor;
 +    const char *env_editor = NULL;
     static char *files[] = { "+1", "sudoers" };
     unsigned int allowlist_len = 0;
     debug_decl(get_editor, SUDOERS_DEBUG_UTIL);
@@ -335,7 +335,11 @@ get_editor(int *editor_argc, char ***editor_argv)
     if (editor_path == NULL) {
 	if (def_env_editor && env_editor != NULL) {
 	    /* We are honoring $EDITOR so this is a fatal error. */
 -	    sudo_fatalx(U_("specified editor (%s) doesn't exist"), env_editor);
 +	    if (errno == ENOENT) {
 +		sudo_warnx(U_("specified editor (%s) doesn't exist"),
 +		    env_editor);
 +	    }
 +	    exit(EXIT_FAILURE);
 	}
 	sudo_fatalx(U_("no editor found (editor path = %s)"), def_editor);
     }
 -- 
 2.27.0
--- a/backport-Fix-CVE-2022-43995-potential-heap-overflow-for-passwords.patch
+++ b/backport-Fix-CVE-2022-43995-potential-heap-overflow-for-passwords.patch
@ -1,55 +0,0 @@
 From bd209b9f16fcd1270c13db27ae3329c677d48050 Mon Sep 17 00:00:00 2001
 From: "Todd C. Miller" <Todd.Miller@sudo.ws>
 Date: Fri, 28 Oct 2022 07:29:55 -0600
 Subject: [PATCH] Fix CVE-2022-43995, potential heap overflow for passwords < 8
 characters. Starting with sudo 1.8.0 the plaintext password buffer is
 dynamically sized so it is not safe to assume that it is at least 9 bytes in
 size. Found by Hugo Lefeuvre (University of Manchester) with ConfFuzz.
 Conflict:NA
 Reference:https://github.com/sudo-project/sudo/commit/bd209b9f16fcd1270c13db27ae3329c677d48050
 ---
 plugins/sudoers/auth/passwd.c | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)
 diff --git a/plugins/sudoers/auth/passwd.c b/plugins/sudoers/auth/passwd.c
 index b2046eca2..0416861e9 100644
 --- a/plugins/sudoers/auth/passwd.c
 +++ b/plugins/sudoers/auth/passwd.c
@@ -63,7 +63,7 @@ sudo_passwd_init(struct passwd *pw, sudo_auth *auth)
 int
 sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_conv_callback *callback)
 {
 -    char sav, *epass;
 +    char des_pass[9], *epass;
     char *pw_epasswd = auth->data;
     size_t pw_len;
     int matched = 0;
@@ -75,12 +75,12 @@ sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_c
     /*
      * Truncate to 8 chars if standard DES since not all crypt()'s do this.
 -     * If this turns out not to be safe we will have to use OS #ifdef's (sigh).
      */
 -    sav = pass[8];
     pw_len = strlen(pw_epasswd);
 -    if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len))
 -	pass[8] = '\0';
 +    if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len)) {
 +	strlcpy(des_pass, pass, sizeof(des_pass));
 +	pass = des_pass;
 +    }
     /*
      * Normal UN*X password check.
@@ -88,7 +88,6 @@ sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_c
      * only compare the first DESLEN characters in that case.
      */
     epass = (char *) crypt(pass, pw_epasswd);
 -    pass[8] = sav;
     if (epass != NULL) {
 	if (HAS_AGEINFO(pw_epasswd, pw_len) && strlen(epass) == DESLEN)
 	    matched = !strncmp(pw_epasswd, epass, DESLEN);
 -- 
 2.27.0
--- a/backport-Fix-a-clang-analyzer-14-warning-about-a-possible-NUL.patch
+++ b/backport-Fix-a-clang-analyzer-14-warning-about-a-possible-NUL.patch
@ -1,26 +0,0 @@
 From bfc6249902d842626058e74074832930feaf2f80 Mon Sep 17 00:00:00 2001
 From: "Todd C. Miller" <Todd.Miller@sudo.ws>
 Date: Wed, 29 Jun 2022 11:18:16 -0600
 Subject: [PATCH] Fix a clang analyzer 14 warning about a possible NULL deref.
 ---
 lib/protobuf-c/protobuf-c.c | 3 +++
 1 file changed, 3 insertions(+)
 diff --git a/lib/protobuf-c/protobuf-c.c b/lib/protobuf-c/protobuf-c.c
 index 3cc22c5f0..9ee355df5 100644
 --- a/lib/protobuf-c/protobuf-c.c
 +++ b/lib/protobuf-c/protobuf-c.c
@@ -3246,6 +3246,9 @@ protobuf_c_message_unpack(const ProtobufCMessageDescriptor *desc,
 	/* allocate space for repeated fields, also check that all required fields have been set */
 	for (f = 0; f < desc->n_fields; f++) {
 		const ProtobufCFieldDescriptor *field = desc->fields + f;
 +		if (field == NULL) {
 +			continue;
 +		}
 		if (field->label == PROTOBUF_C_LABEL_REPEATED) {
 			size_t siz =
 			    sizeof_elt_in_repeated_array(field->type);
 -- 
 2.33.0
--- a/backport-Fix-a-potential-use-after-free-bug-with-cvtsudoers-f.patch
+++ b/backport-Fix-a-potential-use-after-free-bug-with-cvtsudoers-f.patch
@ -1,37 +0,0 @@
 From 264326de571e0eff1d8003f882bad4cdf1a9230d Mon Sep 17 00:00:00 2001
 From: "Todd C. Miller" <Todd.Miller@sudo.ws>
 Date: Thu, 10 Nov 2022 14:55:56 -0700
 Subject: [PATCH] Fix a potential use-after-free bug with cvtsudoers filtering.
 In role_to_sudoers() when merging a privilege to the previous one where the
 runas lists are the same we need to re-use the runas lists of the last
 command in the previous privilege, not the first. Otherwise, the check in
 free_cmndspec() will not notice the re-used runas lists.  Reported/analyzed
 by Sohom Datta.  GitHub issue #198.
 ---
 plugins/sudoers/parse_ldif.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
 diff --git a/plugins/sudoers/parse_ldif.c b/plugins/sudoers/parse_ldif.c
 index 5d2a79163..2b7109294 100644
 --- a/plugins/sudoers/parse_ldif.c
 +++ b/plugins/sudoers/parse_ldif.c
@@ -432,11 +432,11 @@ role_to_sudoers(struct sudoers_parse_tree *parse_tree, struct sudo_role *role,
 	struct privilege *prev_priv = TAILQ_LAST(&us->privileges, privilege_list);
 	if (reuse_runas) {
 	    /* Runas users and groups same if as in previous privilege. */
 -	    struct member_list *runasuserlist =
 -		TAILQ_FIRST(&prev_priv->cmndlist)->runasuserlist;
 -	    struct member_list *runasgrouplist =
 -		TAILQ_FIRST(&prev_priv->cmndlist)->runasgrouplist;
 	    struct cmndspec *cmndspec = TAILQ_FIRST(&priv->cmndlist);
 +	    const struct cmndspec *prev_cmndspec =
 +		TAILQ_LAST(&prev_priv->cmndlist, cmndspec_list);
 +	    struct member_list *runasuserlist = prev_cmndspec->runasuserlist;
 +	    struct member_list *runasgrouplist = prev_cmndspec->runasgrouplist;
 	    /* Free duplicate runas lists. */
 	    if (cmndspec->runasuserlist != NULL) {
 -- 
 2.27.0
--- a/backport-Fix-incorrect-SHA384-512-digest-calculation.patch
+++ b/backport-Fix-incorrect-SHA384-512-digest-calculation.patch
@ -1,29 +0,0 @@
 From e4f08157b6693b956fe9c7c987bc3eeac1abb2cc Mon Sep 17 00:00:00 2001
 From: Tim Shearer <timtimminz@gmail.com>
 Date: Tue, 2 Aug 2022 08:48:32 -0400
 Subject: [PATCH] Fix incorrect SHA384/512 digest calculation.
 Resolves an issue where certain message sizes result in an incorrect
 checksum. Specifically, when:
 (n*8) mod 1024 == 896
 where n is the file size in bytes.
 ---
 lib/util/sha2.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/lib/util/sha2.c b/lib/util/sha2.c
 index b7a28cca8..f769f77f2 100644
 --- a/lib/util/sha2.c
 +++ b/lib/util/sha2.c
@@ -490,7 +490,7 @@ SHA512Pad(SHA2_CTX *ctx)
 	SHA512Update(ctx, (uint8_t *)"\200", 1);
 	/* Pad message such that the resulting length modulo 1024 is 896. */
 -	while ((ctx->count[0] & 1008) != 896)
 +	while ((ctx->count[0] & 1016) != 896)
 		SHA512Update(ctx, (uint8_t *)"\0", 1);
 	/* Append length of message in bits and do final SHA512Transform(). */
 -- 
 2.33.0
--- a/backport-Fix-issue-protobuf-c-499-unsigned-integer-overflow.patch
+++ b/backport-Fix-issue-protobuf-c-499-unsigned-integer-overflow.patch
@ -1,37 +0,0 @@
 From 263fdc6b067bd892df654377c0ea051289fce33f Mon Sep 17 00:00:00 2001
 From: "Todd C. Miller" <Todd.Miller@sudo.ws>
 Date: Mon, 6 Jun 2022 20:15:03 -0600
 Subject: [PATCH] Fix issue protobuf-c#499: unsigned integer overflow
 Signed-off-by: 10054172 <hui.zhang@thalesgroup.com>
 ---
 lib/protobuf-c/protobuf-c.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
 diff --git a/lib/protobuf-c/protobuf-c.c b/lib/protobuf-c/protobuf-c.c
 index 96b750650..73e120046 100644
 --- a/lib/protobuf-c/protobuf-c.c
 +++ b/lib/protobuf-c/protobuf-c.c
@@ -2619,11 +2619,14 @@ parse_required_member(ScannedMember *scanned_member,
 			return FALSE;
 		def_mess = scanned_member->field->default_value;
 -		subm = protobuf_c_message_unpack(scanned_member->field->descriptor,
 -						 allocator,
 -						 len - pref_len,
 -						 data + pref_len);
 -
 +		if (len > pref_len) {
 +			subm = protobuf_c_message_unpack(scanned_member->field->descriptor,
 +							 allocator,
 +							 len - pref_len,
 +							 data + pref_len);
 +		} else {
 +			subm = NULL;
 +		}
 		if (maybe_clear &&
 		    *pmessage != NULL &&
 		    *pmessage != def_mess)
 -- 
 2.33.0
--- a/backport-Fix-memory-leak-of-pass-in-converse.patch
+++ b/backport-Fix-memory-leak-of-pass-in-converse.patch
@ -1,26 +0,0 @@
 From f5cae905ca1a9f686f80aea45a34cea50fec0534 Mon Sep 17 00:00:00 2001
 From: modric <pioneerbtw7@163.com>
 Date: Thu, 17 Nov 2022 16:08:59 +0800
 Subject: [PATCH] Fix memory leak of pass in converse().
 ---
 plugins/sudoers/auth/pam.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
 diff --git a/plugins/sudoers/auth/pam.c b/plugins/sudoers/auth/pam.c
 index 339b7a5..f5580ea 100644
 --- a/plugins/sudoers/auth/pam.c
 +++ b/plugins/sudoers/auth/pam.c
@@ -722,7 +722,8 @@ converse(int num_msg, PAM_CONST struct pam_message **msg,
 		    sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
 			"password longer than %d", PAM_MAX_RESP_SIZE);
 		    ret = PAM_CONV_ERR;
 -		    explicit_bzero(pass, strlen(pass));
 +		    freezero(pass, strlen(pass));
 +		    pass = NULL;
 		    goto done;
 		}
 		reply[n].resp = pass;	/* auth_getpass() malloc's a copy */
 -- 
 2.27.0
--- a/backport-Fix-potential-signed-integer-overflow-on-32-bit-CPUs.patch
+++ b/backport-Fix-potential-signed-integer-overflow-on-32-bit-CPUs.patch
@ -1,71 +0,0 @@
 From dc8311dae99c2e6d60ecd3db6730fe84c6fe9d5b Mon Sep 17 00:00:00 2001
 From: "Todd C. Miller" <Todd.Miller@sudo.ws>
 Date: Fri, 27 May 2022 15:47:32 -0600
 Subject: [PATCH] Fix potential signed integer overflow on 32-bit CPUs.
 Converting fractional minutes to nanoseconds could overflow a 32-bit integer,
 use long long instead.
 ---
 plugins/sudoers/defaults.c | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)
 diff --git a/plugins/sudoers/defaults.c b/plugins/sudoers/defaults.c
 index d5bd8080d..ec6b64fe9 100644
 --- a/plugins/sudoers/defaults.c
 +++ b/plugins/sudoers/defaults.c
@@ -935,38 +935,38 @@ store_timespec(const char *str, struct sudo_defs_types *def)
     sudo_timespecclear(&ts);
     if (str != NULL) {
 -	/* Convert from minutes to timespec. */
 +	/* Convert from minutes to seconds. */
 	if (*str == '+' || *str == '-')
 	    sign = *str++;
 	while (*str != '\0' && *str != '.') {
 		if (!isdigit((unsigned char)*str))
 		    debug_return_bool(false);	/* invalid number */
 -		/* Verify (ts.tv_sec * 10) + digit <= TIME_T_MAX. */
 -		i = *str++ - '0';
 +		/* Verify (ts.tv_sec * 10) + (digit * 60) <= TIME_T_MAX. */
 +		i = (*str++ - '0') * 60L;
 		if (ts.tv_sec > (TIME_T_MAX - i) / 10)
 		    debug_return_bool(false);	/* overflow */
 		ts.tv_sec *= 10;
 		ts.tv_sec += i;
 	}
 	if (*str++ == '.') {
 -	    /* Convert optional fractional component to nanosecs. */
 +	    long long nsec = 0;
 +
 +	    /* Convert optional fractional component to seconds and nanosecs. */
 	    for (i = 100000000; i > 0; i /= 10) {
 		if (*str == '\0')
 		    break;
 		if (!isdigit((unsigned char)*str))
 		    debug_return_bool(false);	/* invalid number */
 -		ts.tv_nsec += i * (*str++ - '0');
 +		nsec += i * (*str++ - '0') * 60LL;
 	    }
 -	}
 -	/* Convert from minutes to seconds. */
 -	if (ts.tv_sec > TIME_T_MAX / 60)
 -	    debug_return_bool(false);	/* overflow */
 -	ts.tv_sec *= 60;
 -	ts.tv_nsec *= 60;
 -	while (ts.tv_nsec >= 1000000000) {
 -	    ts.tv_sec++;
 -	    ts.tv_nsec -= 1000000000;
 +	    while (nsec >= 1000000000) {
 +		if (ts.tv_sec == TIME_T_MAX)
 +		    debug_return_bool(false);	/* overflow */
 +		ts.tv_sec++;
 +		nsec -= 1000000000;
 +	    }
 +	    ts.tv_nsec = nsec;
 	}
     }
     if (sign == '-') {
 -- 
 2.33.0
--- a/backport-Fix-regression-with-zero-length-messages-introduced-.patch
+++ b/backport-Fix-regression-with-zero-length-messages-introduced-.patch
@ -1,26 +0,0 @@
 From b6a6451482a3ff5e30f43ef888159d4b0d39143b Mon Sep 17 00:00:00 2001
 From: "Todd C. Miller" <Todd.Miller@sudo.ws>
 Date: Thu, 9 Jun 2022 07:34:55 -0600
 Subject: [PATCH] Fix regression with zero-length messages introduced in
 protobuf-c PR 500.
 ---
 lib/protobuf-c/protobuf-c.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/lib/protobuf-c/protobuf-c.c b/lib/protobuf-c/protobuf-c.c
 index 9d56e1fec..3cc22c5f0 100644
 --- a/lib/protobuf-c/protobuf-c.c
 +++ b/lib/protobuf-c/protobuf-c.c
@@ -2618,7 +2618,7 @@ parse_required_member(ScannedMember *scanned_member,
 			return FALSE;
 		def_mess = scanned_member->field->default_value;
 -		if (len > pref_len) {
 +		if (len >= pref_len) {
 			subm = protobuf_c_message_unpack(scanned_member->field->descriptor,
 							 allocator,
 							 len - pref_len,
 -- 
 2.33.0
--- a/backport-Fix-typo-we-should-define-SSIZE_MAX-if-it-is-not-def.patch
+++ b/backport-Fix-typo-we-should-define-SSIZE_MAX-if-it-is-not-def.patch
@ -1,29 +0,0 @@
 From 169e049821a68449b1c73918f13765ea1142b7f0 Mon Sep 17 00:00:00 2001
 From: "Todd C. Miller" <Todd.Miller@sudo.ws>
 Date: Fri, 10 Jun 2022 09:34:33 -0600
 Subject: [PATCH] =?UTF-8?q?Fix=20typo,=20we=20should=20define=20SSIZE=5FMA?=
 =?UTF-8?q?X=C2=A0if=20it=20is=20not=20defined.?=
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 ---
 include/sudo_compat.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/include/sudo_compat.h b/include/sudo_compat.h
 index d62dea7d6..ee3c22962 100644
 --- a/include/sudo_compat.h
 +++ b/include/sudo_compat.h
@@ -157,7 +157,7 @@
 #endif
 #if defined(HAVE_DECL_SSIZE_MAX) && !HAVE_DECL_SSIZE_MAX
 -# define SIZE_MAX	LONG_MAX
 +# define SSIZE_MAX	LONG_MAX
 #endif
 #if defined(HAVE_DECL_PATH_MAX) && !HAVE_DECL_PATH_MAX
 -- 
 2.33.0
--- a/backport-cvtsudoers-Prevent-sudo-from-reading-into-undefined-.patch
+++ b/backport-cvtsudoers-Prevent-sudo-from-reading-into-undefined-.patch
@ -1,25 +0,0 @@
 From 902271f441f61506392588fc26db992e64ae4ecd Mon Sep 17 00:00:00 2001
 From: Sohom <sohom.datta@learner.manipal.edu>
 Date: Wed, 9 Nov 2022 23:20:12 +0530
 Subject: [PATCH] [cvtsudoers]: Prevent sudo from reading into undefined memory
 ---
 plugins/sudoers/parse_ldif.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/plugins/sudoers/parse_ldif.c b/plugins/sudoers/parse_ldif.c
 index 6c2b74aa0..5d2a79163 100644
 --- a/plugins/sudoers/parse_ldif.c
 +++ b/plugins/sudoers/parse_ldif.c
@@ -688,7 +688,7 @@ sudoers_parse_ldif(struct sudoers_parse_tree *parse_tree,
 		if (strncasecmp(attr, "cn=", 3) == 0) {
 		    for (attr += 3; *attr != '\0'; attr++) {
 			/* Handle escaped ',' chars. */
 -			if (*attr == '\\')
 +			if (*attr == '\\' && attr[1] != '\0')
 			    attr++;
 			if (*attr == ',') {
 			    attr++;
 -- 
 2.27.0
--- a/backport-sudo_ldap_parse_options-fix-memory-leak-of-sudoRole-.patch
+++ b/backport-sudo_ldap_parse_options-fix-memory-leak-of-sudoRole-.patch
@ -1,88 +0,0 @@
 From 22a01410bdac0ead284e0611b7814a56973a860a Mon Sep 17 00:00:00 2001
 From: "Todd C. Miller" <Todd.Miller@sudo.ws>
 Date: Thu, 24 Feb 2022 07:56:38 -0700
 Subject: [PATCH] sudo_ldap_parse_options: fix memory leak of sudoRole cn
 string. Coverity CID 249976
 ---
 plugins/sudoers/ldap.c | 41 ++++++++++++++++++-----------------------
 1 file changed, 18 insertions(+), 23 deletions(-)
 diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c
 index e3c47b9bc..13e74160b 100644
 --- a/plugins/sudoers/ldap.c
 +++ b/plugins/sudoers/ldap.c
@@ -421,38 +421,31 @@ sudo_ldap_get_first_rdn(LDAP *ld, LDAPMessage *entry, int *rc)
 static bool
 sudo_ldap_parse_options(LDAP *ld, LDAPMessage *entry, struct defaults_list *defs)
 {
 -    struct berval **bv, **p;
 -    char *cn, *cp, *source = NULL;
 +    struct berval **p, **bv = NULL;
 +    char *cp, *cn = NULL, *source = NULL;
     bool ret = false;
     int rc;
     debug_decl(sudo_ldap_parse_options, SUDOERS_DEBUG_LDAP);
     bv = sudo_ldap_get_values_len(ld, entry, "sudoOption", &rc);
     if (bv == NULL) {
 -	if (rc == LDAP_NO_MEMORY) {
 -	    sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
 -	    debug_return_bool(false);
 -	}
 +	if (rc == LDAP_NO_MEMORY)
 +	    goto oom;
 	debug_return_bool(true);
     }
     /* Use sudoRole in place of file name in defaults. */
     cn = sudo_ldap_get_first_rdn(ld, entry, &rc);
     if (cn == NULL) {
 -	if (rc == LDAP_NO_MEMORY) {
 -	    sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
 -	    goto done;
 -	}
 -    }
 -    if (asprintf(&cp, "sudoRole %s", cn ? cn : "UNKNOWN") == -1) {
 -	sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
 -	goto done;
 -    }
 -    if ((source = sudo_rcstr_dup(cp)) == NULL) {
 -	sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
 -	free(cp);
 -	goto done;
 +	if (rc == LDAP_NO_MEMORY)
 +	    goto oom;
     }
 +    if (asprintf(&cp, "sudoRole %s", cn ? cn : "UNKNOWN") == -1)
 +	goto oom;
 +    source = sudo_rcstr_dup(cp);
 +    free(cp);
 +    if (source == NULL)
 +	goto oom;
     /* Walk through options, appending to defs. */
     for (p = bv; *p != NULL; p++) {
@@ -460,13 +453,15 @@ sudo_ldap_parse_options(LDAP *ld, LDAPMessage *entry, struct defaults_list *defs
 	int op;
 	op = sudo_ldap_parse_option((*p)->bv_val, &var, &val);
 -	if (!append_default(var, val, op, source, defs)) {
 -	    sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
 -	    goto done;
 -	}
 +	if (!append_default(var, val, op, source, defs))
 +	    goto oom;
     }
     ret = true;
 +    goto done;
 +
 +oom:
 +    sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
 done:
     sudo_rcstr_delref(source);
 -- 
 2.33.0
--- a/backport-sudo_passwd_cleanup-Set-auth-data-to-NULL-after-free.patch
+++ b/backport-sudo_passwd_cleanup-Set-auth-data-to-NULL-after-free.patch
@ -1,35 +0,0 @@
 From b3834bbf248f3376ada8fc44166cba38c8ad4bcf Mon Sep 17 00:00:00 2001
 From: "Todd C. Miller" <Todd.Miller@sudo.ws>
 Date: Thu, 17 Nov 2022 08:10:35 -0700
 Subject: [PATCH] sudo_passwd_cleanup: Set auth->data to NULL after freeing.
 GitHub issue #201
 ---
 plugins/sudoers/auth/passwd.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
 diff --git a/plugins/sudoers/auth/passwd.c b/plugins/sudoers/auth/passwd.c
 index 89da96ff6..6967e4fff 100644
 --- a/plugins/sudoers/auth/passwd.c
 +++ b/plugins/sudoers/auth/passwd.c
@@ -117,11 +117,14 @@ sudo_passwd_verify(struct passwd *pw, const char *pass, sudo_auth *auth, struct
 int
 sudo_passwd_cleanup(struct passwd *pw, sudo_auth *auth, bool force)
 {
 -    char *pw_epasswd = auth->data;
     debug_decl(sudo_passwd_cleanup, SUDOERS_DEBUG_AUTH);
 -    if (pw_epasswd != NULL)
 -	freezero(pw_epasswd, strlen(pw_epasswd));
 +    if (auth->data != NULL) {
 +	/* Zero out encrypted password before freeing. */
 +	size_t len = strlen((char *)auth->data);
 +	freezero(auth->data, len);
 +	auth->data = NULL;
 +    }
     debug_return_int(AUTH_SUCCESS);
 }
 -- 
 2.27.0
--- a/backport-sudo_passwd_verify-zero-out-des_pass-before-returnin.patch
+++ b/backport-sudo_passwd_verify-zero-out-des_pass-before-returnin.patch
@ -1,25 +0,0 @@
 From 9f948224acb911cbec1ed9041887c1fe62c59877 Mon Sep 17 00:00:00 2001
 From: "Todd C. Miller" <Todd.Miller@sudo.ws>
 Date: Tue, 8 Nov 2022 13:17:11 -0700
 Subject: [PATCH] sudo_passwd_verify: zero out des_pass before returning.
 ---
 plugins/sudoers/auth/passwd.c | 2 ++
 1 file changed, 2 insertions(+)
 diff --git a/plugins/sudoers/auth/passwd.c b/plugins/sudoers/auth/passwd.c
 index 636c07bab..89da96ff6 100644
 --- a/plugins/sudoers/auth/passwd.c
 +++ b/plugins/sudoers/auth/passwd.c
@@ -95,6 +95,8 @@ sudo_passwd_verify(struct passwd *pw, const char *pass, sudo_auth *auth, struct
 	    matched = !strcmp(pw_epasswd, epass);
     }
 +    explicit_bzero(des_pass, sizeof(des_pass));
 +
     debug_return_int(matched ? AUTH_SUCCESS : AUTH_FAILURE);
 }
 #else
 -- 
 2.33.0
--- a/backport-sudo_rcstr_dup-Fix-potential-NULL-pointer-deref.patch
+++ b/backport-sudo_rcstr_dup-Fix-potential-NULL-pointer-deref.patch
@ -1,29 +0,0 @@
 From dbfd84301a9316018f7c5e42ff5b3a19dd13e5c5 Mon Sep 17 00:00:00 2001
 From: modric <pioneerbtw7@163.com>
 Date: Tue, 22 Nov 2022 10:12:29 +0800
 Subject: [PATCH] sudo_rcstr_dup: Fix potential NULL pointer deref
 ---
 lib/util/rcstr.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
 diff --git a/lib/util/rcstr.c b/lib/util/rcstr.c
 index d990a99e9..08b00bcd7 100644
 --- a/lib/util/rcstr.c
 +++ b/lib/util/rcstr.c
@@ -49,8 +49,10 @@ sudo_rcstr_dup(const char *src)
     debug_decl(sudo_rcstr_dup, SUDO_DEBUG_UTIL);
     dst = sudo_rcstr_alloc(len);
 -    memcpy(dst, src, len);
 -    dst[len] = '\0';
 +    if (dst != NULL) {
 +        memcpy(dst, src, len);
 +        dst[len] = '\0';
 +    }
     debug_return_ptr(dst);
 }
 -- 
 2.27.0
--- a/sudo-1.9.12p2.tar.gz
+++ b/sudo-1.9.12p2.tar.gz
--- a/sudo-1.9.8p2.tar.gz
+++ b/sudo-1.9.8p2.tar.gz
--- a/sudo.spec
+++ b/sudo.spec
@ -1,34 +1,15 @@
 Name: sudo
-Version: 1.9.8p2
+Version: 1.9.12p2
-Release: 8
+Release: 1
 Summary: Allows restricted root access for specified users
 License: ISC
-URL: http://www.courtesan.com/sudo/
+URL: https://www.sudo.ws
 Source0: https://www.sudo.ws/dist/%{name}-%{version}.tar.gz
 Source1: sudoers
 Source2: sudo
 Source3: sudo-i
 Patch0: backport-0001-CVE-2022-37434.patch
 Patch1: backport-0002-CVE-2022-37434.patch
 Patch2: backport-CVE-2022-33070.patch
 Patch3: backport-Fix-CVE-2022-43995-potential-heap-overflow-for-passwords.patch
 Patch4: backport-Fix-incorrect-SHA384-512-digest-calculation.patch
 Patch5: backport-sudo_passwd_verify-zero-out-des_pass-before-returnin.patch
 Patch6: backport-Fix-issue-protobuf-c-499-unsigned-integer-overflow.patch
 Patch7: backport-Fix-regression-with-zero-length-messages-introduced-.patch
 Patch8: backport-Fix-typo-we-should-define-SSIZE_MAX-if-it-is-not-def.patch
 Patch9: backport-Fix-a-clang-analyzer-14-warning-about-a-possible-NUL.patch
 Patch10: backport-Fix-potential-signed-integer-overflow-on-32-bit-CPUs.patch
 Patch11: backport-sudo_ldap_parse_options-fix-memory-leak-of-sudoRole-.patch
 Patch12: backport-cvtsudoers-Prevent-sudo-from-reading-into-undefined-.patch
 Patch13: backport-Fix-a-potential-use-after-free-bug-with-cvtsudoers-f.patch
 Patch14: backport-Fix-memory-leak-of-pass-in-converse.patch
 Patch15: backport-sudo_passwd_cleanup-Set-auth-data-to-NULL-after-free.patch
 Patch16: backport-sudo_rcstr_dup-Fix-potential-NULL-pointer-deref.patch
 Patch17: backport-CVE-2023-22809.patch
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Requires: pam
 Recommends: vim-minimal
@ -40,7 +21,7 @@ BuildRequires: chrpath
 %description
 Sudo is a program designed to allow a sysadmin to give limited root privileges
-to users and log root activity.  The basic philosophy is to give as few
+to users and log root activity. The basic philosophy is to give as few
 privileges as possible but still allow people to get their work done.
 %package        devel
@ -91,7 +72,7 @@ make check
 rm -rf $RPM_BUILD_ROOT
 %make_install install_uid=`id -u` install_gid=`id -g` sudoers_uid=`id -u` sudoers_gid=`id -g`
-chmod 755 $RPM_BUILD_ROOT%{_bindir}/* $RPM_BUILD_ROOT%{_sbindir}/* 
+chmod 755 $RPM_BUILD_ROOT%{_bindir}/* $RPM_BUILD_ROOT%{_sbindir}/*
 install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo
 install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo/lectured
 install -p -d -m 750 $RPM_BUILD_ROOT/etc/sudoers.d
@ -146,7 +127,6 @@ install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT/etc/pam.d/sudo-i
 %attr(0644,root,root) %{_libexecdir}/sudo/group_file.so
 %attr(0644,root,root) %{_libexecdir}/sudo/system_group.so
 %attr(0644,root,root) %{_libexecdir}/sudo/audit_json.so
 %attr(0644,root,root) %{_libexecdir}/sudo/sample_approval.so
 %attr(0644,root,root) %{_libexecdir}/sudo/libsudo_util.so*
 %dir /var/db/sudo
 %dir /var/db/sudo/lectured
@ -154,7 +134,7 @@ install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT/etc/pam.d/sudo-i
 %config(noreplace) /etc/pam.d/sudo
 %config(noreplace) /etc/pam.d/sudo-i
 %config(noreplace) /etc/ld.so.conf.d/*
-%license doc/LICENSE
+%license LICENSE.md
 %files devel
 %{_includedir}/sudo_plugin.h
@ -169,6 +149,9 @@ install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT/etc/pam.d/sudo-i
 %exclude %{_pkgdocdir}/ChangeLog
 %changelog
 * Tue Jan 31 2023 wangyu <wangyu283@huawei.com> - 1.9.12p2-1
 - Upgrade to 1.9.12p2
 * Thu Jan 19 2023 houmingyong<houmingyong@huawei.com> - 1.9.8p2-8
 - Fix CVE-2023-22809