From d17237855e2a5a3726972f334d3ee4342f51fb7f Mon Sep 17 00:00:00 2001
From: gcc-two
Date: Fri, 17 Mar 2023 16:42:00 +0800
Subject: [PATCH 1/3] add patch for CVE-2022-43955
---
sudo-1.9.12p1-CVE-2022-43955.patch | 37 ++++++++++++++++++++++++++++++
sudo.spec | 2 ++
2 files changed, 39 insertions(+)
create mode 100644 sudo-1.9.12p1-CVE-2022-43955.patch
diff --git a/sudo-1.9.12p1-CVE-2022-43955.patch b/sudo-1.9.12p1-CVE-2022-43955.patch
new file mode 100644
index 0000000..57b9233
--- /dev/null
+++ b/sudo-1.9.12p1-CVE-2022-43955.patch
@@ -0,0 +1,37 @@
+diff -aruN sudo-1.8.29/plugins/sudoers/auth/passwd.c sudo-1.8.29-new/plugins/sudoers/auth/passwd.c
+--- sudo-1.8.29/plugins/sudoers/auth/passwd.c 2023-03-17 03:39:35.003302022 +0800
++++ sudo-1.8.29-new/plugins/sudoers/auth/passwd.c 2023-03-17 03:43:44.088284483 +0800
+@@ -63,7 +63,7 @@
+ int
+ sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_conv_callback *callback)
+ {
+- char sav, *epass;
++ char des_pass[9], *epass;
+ char *pw_epasswd = auth->data;
+ size_t pw_len;
+ int matched = 0;
+@@ -75,20 +75,19 @@
+
+ /*
+ * Truncate to 8 chars if standard DES since not all crypt()'s do this.
+- * If this turns out not to be safe we will have to use OS #ifdef's (sigh).
+ */
+- sav = pass[8];
+ pw_len = strlen(pw_epasswd);
+- if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len))
+- pass[8] = '\0';
+
++ if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len)) {
++ strlcpy(des_pass, pass, sizeof(des_pass));
++ pass = des_pass;
++ }
+ /*
+ * Normal UN*X password check.
+ * HP-UX may add aging info (separated by a ',') at the end so
+ * only compare the first DESLEN characters in that case.
+ */
+ epass = (char *) crypt(pass, pw_epasswd);
+- pass[8] = sav;
+ if (epass != NULL) {
+ if (HAS_AGEINFO(pw_epasswd, pw_len) && strlen(epass) == DESLEN)
+ matched = !strncmp(pw_epasswd, epass, DESLEN);
diff --git a/sudo.spec b/sudo.spec
index e21f5bb..4b75e9c 100644
--- a/sudo.spec
+++ b/sudo.spec
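Review bot: `des_pass` in `sudo_passwd_verify` receives up to eight characters of the cleartext password through `strlcpy`, and neither hunk of the embedded passwd.c patch adds a line that clears it, so the copy stays on the stack after the function returns. Wiping it once `crypt()` has been called, for example `explicit_bzero(des_pass, sizeof(des_pass));` ahead of the function's return, would close that gap; the function body continues past the end of the second hunk, so confirm where the return sits and that `explicit_bzero` (or the tree's equivalent) is available in 1.8.29. A short comment at the copy would also help, such as `/* copy instead of writing pass[8]: pass may be shorter than 9 bytes */`. The CVE identifier in the patch file name is worth checking against the upstream sudo advisory for this passwd.c change, since it is what later audits will search for.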
@@ -80,6 +80,7 @@ Patch22: sudo-1.9.7-utmp-leak.patch Patch24: sudo-1.9.12-CVE-2023-22809-whitelist.patch Patch25: sudo-1.9.12-CVE-2023-22809-backports.patch Patch26: sudo-1.9.12-CVE-2023-22809.patch +Patch27: sudo-1.9.12p1-CVE-2022-43955.patch %description Sudo (superuser do) allows a system administrator to give certain @@ -136,6 +137,7 @@ plugins that use %{name}. %patch24 -p1 -b .whitelist %patch25 -p1 -b .backports %patch26 -p1 -b .cve +%patch27 -p1 -b .CVE-2022-43955 %build # Remove bundled copy of zlib -- Gitee From 258028582cb3276473f263a676919f04f26b0500 Mon Sep 17 00:00:00 2001 From: gcc_2023 Date: Thu, 23 Mar 2023 06:41:03 +0000 Subject: [PATCH 2/3] update sudo.spec. Signed-off-by: gcc_2023 --- sudo.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/sudo.spec b/sudo.spec index 4b75e9c..93fa247 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,7 +1,8 @@ +%define anolis_release .0.1 Summary: Allows restricted root access for specified users Name: sudo Version: 1.8.29 -Release: 8%{?dist}.1 +Release: 8%{anolis_release}%{?dist}.1 License: ISC Group: Applications/System URL: https://www.sudo.ws/ @@ -297,6 +298,8 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/sudo_plugin.8* %changelog +* Fri Mar 17 2023 guo chuang - 1.8.29-8.0.1 +- add patch for CVE-2022-43955 * Wed Jan 11 2023 Radovan Sroka - 1.8.29-8.1 RHEL 8.7.0.Z ERRATUM - CVE-2023-22809 sudo: arbitrary file write with privileges of the RunAs user -- Gitee From d8ab3eb9195cf238aafb147f9820b93b6c31b125 Mon Sep 17 00:00:00 2001 From: gcc_2023 Date: Thu, 23 Mar 2023 09:25:17 +0000 Subject: [PATCH 3/3] update sudo.spec. Signed-off-by: gcc_2023 --- sudo.spec | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/sudo.spec b/sudo.spec index 93fa247..c2c996f 100644 --- a/sudo.spec +++ b/sudo.spec 
@@ -298,8 +298,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/sudo_plugin.8* %changelog -* Fri Mar 17 2023 guo chuang - 1.8.29-8.0.1 +* Fri Mar 17 2023 guo chuang - 1.8.29-8.0.1.1 - add patch for CVE-2022-43955 + * Wed Jan 11 2023 Radovan Sroka - 1.8.29-8.1 RHEL 8.7.0.Z ERRATUM - CVE-2023-22809 sudo: arbitrary file write with privileges of the RunAs user -- Gitee