diff --git a/backport-0001-CVE-2022-37434.patch b/backport-0001-CVE-2022-37434.patch new file mode 100644 index 0000000000000000000000000000000000000000..56a97ccf88578dd9ef71491a863fbf1e406bdabd --- /dev/null +++ b/backport-0001-CVE-2022-37434.patch @@ -0,0 +1,35 @@ +From eff308af425b67093bab25f80f1ae950166bece1 Mon Sep 17 00:00:00 2001 +From: Mark Adler +Date: Sat, 30 Jul 2022 15:51:11 -0700 +Subject: [PATCH] Fix a bug when getting a gzip header extra field with + inflate(). + +If the extra field was larger than the space the user provided with +inflateGetHeader(), and if multiple calls of inflate() delivered +the extra header data, then there could be a buffer overflow of the +provided space. This commit assures that provided space is not +exceeded. +--- + inflate.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/lib/zlib/inflate.c b/lib/zlib/inflate.c +index 2a0ac30..95a38f5 100644 +--- a/lib/zlib/inflate.c ++++ b/lib/zlib/inflate.c +@@ -765,9 +765,10 @@ int flush; + copy = state->length; + if (copy > have) copy = have; + if (copy) { ++ len = state->head->extra_len - state->length; + if (state->head != Z_NULL && +- state->head->extra != Z_NULL) { +- len = state->head->extra_len - state->length; ++ state->head->extra != Z_NULL && ++ len < state->head->extra_max) { + zmemcpy(state->head->extra + len, next, + len + copy > state->head->extra_max ? + state->head->extra_max - len : copy); +-- +2.27.0 + diff --git a/backport-0002-CVE-2022-37434.patch b/backport-0002-CVE-2022-37434.patch new file mode 100644 index 0000000000000000000000000000000000000000..ad2318b6bcec0f2ff538a2a3fdaf576d64f79ef0 --- /dev/null +++ b/backport-0002-CVE-2022-37434.patch @@ -0,0 +1,32 @@ +From 1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d Mon Sep 17 00:00:00 2001 +From: Mark Adler +Date: Mon, 8 Aug 2022 10:50:09 -0700 +Subject: [PATCH] Fix extra field processing bug that dereferences NULL + state->head. + +The recent commit to fix a gzip header extra field processing bug +introduced the new bug fixed here. +--- + inflate.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/lib/zlib/inflate.c b/lib/zlib/inflate.c +index 95a38f5..9c5934e 100644 +--- a/lib/zlib/inflate.c ++++ b/lib/zlib/inflate.c +@@ -765,10 +765,10 @@ int flush; + copy = state->length; + if (copy > have) copy = have; + if (copy) { +- len = state->head->extra_len - state->length; + if (state->head != Z_NULL && + state->head->extra != Z_NULL && +- len < state->head->extra_max) { ++ (len = state->head->extra_len - state->length) < ++ state->head->extra_max) { + zmemcpy(state->head->extra + len, next, + len + copy > state->head->extra_max ? + state->head->extra_max - len : copy); +-- +2.27.0 + diff --git a/backport-CVE-2022-33070.patch b/backport-CVE-2022-33070.patch new file mode 100644 index 0000000000000000000000000000000000000000..2310f14dfc46d8f3d1fbd2677d0daaf3571a7045 --- /dev/null +++ b/backport-CVE-2022-33070.patch @@ -0,0 +1,73 @@ +diff -Naru a/lib/protobuf-c/protobuf-c.c b/lib/protobuf-c/protobuf-c.c +--- a/lib/protobuf-c/protobuf-c.c ++++ b/lib/protobuf-c/protobuf-c.c +@@ -316,9 +316,8 @@ + static inline uint32_t + zigzag32(int32_t v) + { +- // Note: the right-shift must be arithmetic +- // Note: left shift must be unsigned because of overflow +- return ((uint32_t)(v) << 1) ^ (uint32_t)(v >> 31); ++ // Note: Using unsigned types prevents undefined behavior ++ return ((uint32_t)v << 1) ^ -((uint32_t)v >> 31); + } + + /** +@@ -380,9 +379,8 @@ + static inline uint64_t + zigzag64(int64_t v) + { +- // Note: the right-shift must be arithmetic +- // Note: left shift must be unsigned because of overflow +- return ((uint64_t)(v) << 1) ^ (uint64_t)(v >> 63); ++ // Note: Using unsigned types prevents undefined behavior ++ return ((uint64_t)v << 1) ^ -((uint64_t)v >> 63); + } + + /** +@@ -802,7 +800,8 @@ + } + + /** +- * Pack a signed 32-bit integer and return the number of bytes written. ++ * Pack a signed 32-bit integer and return the number of bytes written, ++ * passed as unsigned to avoid implementation-specific behavior. + * Negative numbers are encoded as two's complement 64-bit integers. + * + * \param value +@@ -813,14 +812,14 @@ + * Number of bytes written to `out`. + */ + static inline size_t +-int32_pack(int32_t value, uint8_t *out) ++int32_pack(uint32_t value, uint8_t *out) + { +- if (value < 0) { ++ if ((int32_t)value < 0) { + out[0] = value | 0x80; + out[1] = (value >> 7) | 0x80; + out[2] = (value >> 14) | 0x80; + out[3] = (value >> 21) | 0x80; +- out[4] = (value >> 28) | 0x80; ++ out[4] = (value >> 28) | 0xf0; + out[5] = out[6] = out[7] = out[8] = 0xff; + out[9] = 0x01; + return 10; +@@ -2425,7 +2424,7 @@ + unzigzag32(uint32_t v) + { + // Note: Using unsigned types prevents undefined behavior +- return (int32_t)((v >> 1) ^ (~(v & 1) + 1)); ++ return (int32_t)((v >> 1) ^ -(v & 1)); + } + + static inline uint32_t +@@ -2467,7 +2466,7 @@ + unzigzag64(uint64_t v) + { + // Note: Using unsigned types prevents undefined behavior +- return (int64_t)((v >> 1) ^ (~(v & 1) + 1)); ++ return (int64_t)((v >> 1) ^ -(v & 1)); + } + + static inline uint64_t diff --git a/sudo.spec b/sudo.spec index 4c906e0a0fa660b085f2d5946ea35aed28dc1d4f..bfa3e25d704bfd17dc07978ce605f660024eec4e 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,6 +1,6 @@ Name: sudo Version: 1.9.8p2 -Release: 2 +Release: 3 Summary: Allows restricted root access for specified users License: ISC URL: http://www.courtesan.com/sudo/ @@ -10,6 +10,10 @@ Source1: sudoers Source2: sudo Source3: sudo-i +Patch0: backport-0001-CVE-2022-37434.patch +Patch1: backport-0002-CVE-2022-37434.patch +Patch2: backport-CVE-2022-33070.patch + Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) Requires: pam Recommends: vim-minimal @@ -159,6 +163,9 @@ install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT/etc/pam.d/sudo-i %exclude %{_pkgdocdir}/ChangeLog %changelog +* Sat Sep 03 2022 wangyu - 1.9.8p2-3 +- Fix CVE-2022-37434 and CVE-2022-33070 + * Mon Mar 7 2022 panxiaohe - 1.9.8p2-2 - remove rpath and runpath of exec files and libraries