diff --git a/backport-Fix-a-clang-analyzer-14-warning-about-a-possible-NUL.patch b/backport-Fix-a-clang-analyzer-14-warning-about-a-possible-NUL.patch
new file mode 100644
index 0000000000000000000000000000000000000000..967f47d064a6bcc4db763e67bb1e2d3846895f35
--- /dev/null
+++ b/backport-Fix-a-clang-analyzer-14-warning-about-a-possible-NUL.patch
@@ -0,0 +1,26 @@
+From bfc6249902d842626058e74074832930feaf2f80 Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller"
+Date: Wed, 29 Jun 2022 11:18:16 -0600
+Subject: [PATCH] Fix a clang analyzer 14 warning about a possible NULL deref.
+
+---
+ lib/protobuf-c/protobuf-c.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/lib/protobuf-c/protobuf-c.c b/lib/protobuf-c/protobuf-c.c
+index 3cc22c5f0..9ee355df5 100644
+--- a/lib/protobuf-c/protobuf-c.c
++++ b/lib/protobuf-c/protobuf-c.c
+@@ -3246,6 +3246,9 @@ protobuf_c_message_unpack(const ProtobufCMessageDescriptor *desc,
+ /* allocate space for repeated fields, also check that all required fields have been set */
+ for (f = 0; f < desc->n_fields; f++) {
+ const ProtobufCFieldDescriptor *field = desc->fields + f;
++ if (field == NULL) {
++ continue;
++ }
+ if (field->label == PROTOBUF_C_LABEL_REPEATED) {
+ size_t siz =
+ sizeof_elt_in_repeated_array(field->type);
+--
+2.33.0
+
diff --git a/backport-Fix-issue-protobuf-c-499-unsigned-integer-overflow.patch b/backport-Fix-issue-protobuf-c-499-unsigned-integer-overflow.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ef9bc2cc5ab5ceed016d4b59fb3f6ee1ae6ecf4d
--- /dev/null
+++ b/backport-Fix-issue-protobuf-c-499-unsigned-integer-overflow.patch
@@ -0,0 +1,37 @@
+From 263fdc6b067bd892df654377c0ea051289fce33f Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller"
+Date: Mon, 6 Jun 2022 20:15:03 -0600
+Subject: [PATCH] Fix issue protobuf-c#499: unsigned integer overflow
+
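Review bot: The added `if (field == NULL) continue;` guard in protobuf_c_message_unpack() only covers the first iteration, because `field` is computed as `desc->fields + f` and is non-NULL for every `f > 0` even when `desc->fields` itself is NULL, so later iterations would still reach `field->label`. The `continue` also bypasses, for the skipped entry, whatever this loop does for required fields (the context comment says they are checked here). Testing the table once before the loop, `if (desc->fields == NULL && desc->n_fields != 0)`, and failing the unpack through the function's existing error path would state the invariant directly. That error path and the rest of the loop body lie outside the hunk, so the exact cleanup has to follow what the function already does.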
Signed-off-by: 10054172
+
+---
+ lib/protobuf-c/protobuf-c.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/lib/protobuf-c/protobuf-c.c b/lib/protobuf-c/protobuf-c.c
+index 96b750650..73e120046 100644
+--- a/lib/protobuf-c/protobuf-c.c
++++ b/lib/protobuf-c/protobuf-c.c
+@@ -2619,11 +2619,14 @@ parse_required_member(ScannedMember *scanned_member,
+ return FALSE;
+
+ def_mess = scanned_member->field->default_value;
+- subm = protobuf_c_message_unpack(scanned_member->field->descriptor,
+- allocator,
+- len - pref_len,
+- data + pref_len);
+-
++ if (len > pref_len) {
++ subm = protobuf_c_message_unpack(scanned_member->field->descriptor,
++ allocator,
++ len - pref_len,
++ data + pref_len);
++ } else {
++ subm = NULL;
++ }
+ if (maybe_clear &&
+ *pmessage != NULL &&
+ *pmessage != def_mess)
+--
+2.33.0
+
diff --git a/backport-Fix-potential-signed-integer-overflow-on-32-bit-CPUs.patch b/backport-Fix-potential-signed-integer-overflow-on-32-bit-CPUs.patch
new file mode 100644
index 0000000000000000000000000000000000000000..edbc850eae725ed0f25282c2523ccb4fa27c7926
--- /dev/null
+++ b/backport-Fix-potential-signed-integer-overflow-on-32-bit-CPUs.patch
@@ -0,0 +1,71 @@
+From dc8311dae99c2e6d60ecd3db6730fe84c6fe9d5b Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller"
+Date: Fri, 27 May 2022 15:47:32 -0600
+Subject: [PATCH] Fix potential signed integer overflow on 32-bit CPUs.
+ Converting fractional minutes to nanoseconds could overflow a 32-bit integer,
+ use long long instead.
+
+---
+ plugins/sudoers/defaults.c | 28 ++++++++++++++--------------
+ 1 file changed, 14 insertions(+), 14 deletions(-)
+
+diff --git a/plugins/sudoers/defaults.c b/plugins/sudoers/defaults.c
+index d5bd8080d..ec6b64fe9 100644
+--- a/plugins/sudoers/defaults.c
++++ b/plugins/sudoers/defaults.c
+@@ -935,38 +935,38 @@ store_timespec(const char *str, struct sudo_defs_types *def)
+
+ sudo_timespecclear(&ts);
+ if (str != NULL) {
+- /* Convert from minutes to timespec. */
++ /* Convert from minutes to seconds. */
+ if (*str == '+' || *str == '-')
+ sign = *str++;
+ while (*str != '\0' && *str != '.') {
+ if (!isdigit((unsigned char)*str))
+ debug_return_bool(false); /* invalid number */
+
+- /* Verify (ts.tv_sec * 10) + digit <= TIME_T_MAX. */
+- i = *str++ - '0';
++ /* Verify (ts.tv_sec * 10) + (digit * 60) <= TIME_T_MAX. */
++ i = (*str++ - '0') * 60L;
+ if (ts.tv_sec > (TIME_T_MAX - i) / 10)
+ debug_return_bool(false); /* overflow */
+ ts.tv_sec *= 10;
+ ts.tv_sec += i;
+ }
+ if (*str++ == '.') {
+- /* Convert optional fractional component to nanosecs. */
++ long long nsec = 0;
++
++ /* Convert optional fractional component to seconds and nanosecs. */
+ for (i = 100000000; i > 0; i /= 10) {
+ if (*str == '\0')
+ break;
+ if (!isdigit((unsigned char)*str))
+ debug_return_bool(false); /* invalid number */
+- ts.tv_nsec += i * (*str++ - '0');
++ nsec += i * (*str++ - '0') * 60LL;
+ }
+- }
+- /* Convert from minutes to seconds.
*/
+- if (ts.tv_sec > TIME_T_MAX / 60)
+- debug_return_bool(false); /* overflow */
+- ts.tv_sec *= 60;
+- ts.tv_nsec *= 60;
+- while (ts.tv_nsec >= 1000000000) {
+- ts.tv_sec++;
+- ts.tv_nsec -= 1000000000;
++ while (nsec >= 1000000000) {
++ if (ts.tv_sec == TIME_T_MAX)
++ debug_return_bool(false); /* overflow */
++ ts.tv_sec++;
++ nsec -= 1000000000;
++ }
++ ts.tv_nsec = nsec;
+ }
+ }
+ if (sign == '-') {
+--
+2.33.0
+
diff --git a/backport-Fix-regression-with-zero-length-messages-introduced-.patch b/backport-Fix-regression-with-zero-length-messages-introduced-.patch
new file mode 100644
index 0000000000000000000000000000000000000000..485884b985ae9f2ed1c9dec80a9abf4661f8973d
--- /dev/null
+++ b/backport-Fix-regression-with-zero-length-messages-introduced-.patch
@@ -0,0 +1,26 @@
+From b6a6451482a3ff5e30f43ef888159d4b0d39143b Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller"
+Date: Thu, 9 Jun 2022 07:34:55 -0600
+Subject: [PATCH] Fix regression with zero-length messages introduced in
+ protobuf-c PR 500.
+
+---
+ lib/protobuf-c/protobuf-c.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/protobuf-c/protobuf-c.c b/lib/protobuf-c/protobuf-c.c
+index 9d56e1fec..3cc22c5f0 100644
+--- a/lib/protobuf-c/protobuf-c.c
++++ b/lib/protobuf-c/protobuf-c.c
+@@ -2618,7 +2618,7 @@ parse_required_member(ScannedMember *scanned_member,
+ return FALSE;
+
+ def_mess = scanned_member->field->default_value;
+- if (len > pref_len) {
++ if (len >= pref_len) {
+ subm = protobuf_c_message_unpack(scanned_member->field->descriptor,
+ allocator,
+ len - pref_len,
+--
+2.33.0
+
diff --git a/backport-Fix-typo-we-should-define-SSIZE_MAX-if-it-is-not-def.patch b/backport-Fix-typo-we-should-define-SSIZE_MAX-if-it-is-not-def.patch
new file mode 100644
index 0000000000000000000000000000000000000000..5180a3852973884914370ce045c0095f070f901a
--- /dev/null
+++ b/backport-Fix-typo-we-should-define-SSIZE_MAX-if-it-is-not-def.patch
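Review bot: In the fractional loop of store_timespec() the widening to long long happens only at the last operand: `i * (*str++ - '0') * 60LL` evaluates `i * digit` first in the type of `i`, which is declared outside the hunk. That is safe only because the largest intermediate is 100000000 * 9 = 900000000, which still fits in 32 bits; putting the wide operand first, `nsec += 60LL * i * (*str++ - '0');`, makes the whole product 64-bit without depending on that bound. Separately, once nine fractional digits have been consumed the `for` loop ends without looking at `*str`, so whatever follows the ninth digit is never validated. A comment such as `/* digits past nanosecond precision are ignored */`, or a check that the remainder is digits only, would make that intent explicit.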
@@ -0,0 +1,29 @@
+From 169e049821a68449b1c73918f13765ea1142b7f0 Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller"
+Date: Fri, 10 Jun 2022 09:34:33 -0600
+Subject: [PATCH] =?UTF-8?q?Fix=20typo,=20we=20should=20define=20SSIZE=5FMA?=
+ =?UTF-8?q?X=C2=A0if=20it=20is=20not=20defined.?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+---
+ include/sudo_compat.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/sudo_compat.h b/include/sudo_compat.h
+index d62dea7d6..ee3c22962 100644
+--- a/include/sudo_compat.h
++++ b/include/sudo_compat.h
+@@ -157,7 +157,7 @@
+ #endif
+
+ #if defined(HAVE_DECL_SSIZE_MAX) && !HAVE_DECL_SSIZE_MAX
+-# define SIZE_MAX LONG_MAX
++# define SSIZE_MAX LONG_MAX
+ #endif
+
+ #if defined(HAVE_DECL_PATH_MAX) && !HAVE_DECL_PATH_MAX
+--
+2.33.0
+
diff --git a/backport-sudo_ldap_parse_options-fix-memory-leak-of-sudoRole-.patch b/backport-sudo_ldap_parse_options-fix-memory-leak-of-sudoRole-.patch
new file mode 100644
index 0000000000000000000000000000000000000000..5adf9fa17615f1e8ba0ae9a604aae390f17bcdee
--- /dev/null
+++ b/backport-sudo_ldap_parse_options-fix-memory-leak-of-sudoRole-.patch
@@ -0,0 +1,88 @@
+From 22a01410bdac0ead284e0611b7814a56973a860a Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller"
+Date: Thu, 24 Feb 2022 07:56:38 -0700
+Subject: [PATCH] sudo_ldap_parse_options: fix memory leak of sudoRole cn
+ string. Coverity CID 249976
+
+---
+ plugins/sudoers/ldap.c | 41 ++++++++++++++++++-----------------------
+ 1 file changed, 18 insertions(+), 23 deletions(-)
+
+diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c
+index e3c47b9bc..13e74160b 100644
+--- a/plugins/sudoers/ldap.c
++++ b/plugins/sudoers/ldap.c
+@@ -421,38 +421,31 @@ sudo_ldap_get_first_rdn(LDAP *ld, LDAPMessage *entry, int *rc)
+ static bool
+ sudo_ldap_parse_options(LDAP *ld, LDAPMessage *entry, struct defaults_list *defs)
+ {
+- struct berval **bv, **p;
+- char *cn, *cp, *source = NULL;
++ struct berval **p, **bv = NULL;
++ char *cp, *cn = NULL, *source = NULL;
+ bool ret = false;
+ int rc;
+ debug_decl(sudo_ldap_parse_options, SUDOERS_DEBUG_LDAP);
+
+ bv = sudo_ldap_get_values_len(ld, entry, "sudoOption", &rc);
+ if (bv == NULL) {
+- if (rc == LDAP_NO_MEMORY) {
+- sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+- debug_return_bool(false);
+- }
++ if (rc == LDAP_NO_MEMORY)
++ goto oom;
+ debug_return_bool(true);
+ }
+
+ /* Use sudoRole in place of file name in defaults. */
+ cn = sudo_ldap_get_first_rdn(ld, entry, &rc);
+ if (cn == NULL) {
+- if (rc == LDAP_NO_MEMORY) {
+- sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+- goto done;
+- }
+- }
+- if (asprintf(&cp, "sudoRole %s", cn ? cn : "UNKNOWN") == -1) {
+- sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+- goto done;
+- }
+- if ((source = sudo_rcstr_dup(cp)) == NULL) {
+- sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+- free(cp);
+- goto done;
++ if (rc == LDAP_NO_MEMORY)
++ goto oom;
+ }
++ if (asprintf(&cp, "sudoRole %s", cn ?
cn : "UNKNOWN") == -1) ++ goto oom; ++ source = sudo_rcstr_dup(cp); ++ free(cp); ++ if (source == NULL) ++ goto oom; + + /* Walk through options, appending to defs. */ + for (p = bv; *p != NULL; p++) { +@@ -460,13 +453,15 @@ sudo_ldap_parse_options(LDAP *ld, LDAPMessage *entry, struct defaults_list *defs + int op; + + op = sudo_ldap_parse_option((*p)->bv_val, &var, &val); +- if (!append_default(var, val, op, source, defs)) { +- sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory")); +- goto done; +- } ++ if (!append_default(var, val, op, source, defs)) ++ goto oom; + } + + ret = true; ++ goto done; ++ ++oom: ++ sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory")); + + done: + sudo_rcstr_delref(source); +-- +2.33.0 + diff --git a/sudo.spec b/sudo.spec index 8fdcf6db1a102ece41ecdabaafee78c8bb7fbb23..3c9be66df72e2d726c4faeff64e5332a05650023 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,6 +1,6 @@ Name: sudo Version: 1.9.8p2 -Release: 5 +Release: 6 Summary: Allows restricted root access for specified users License: ISC URL: http://www.courtesan.com/sudo/ @@ -16,6 +16,12 @@ Patch2: backport-CVE-2022-33070.patch Patch3: backport-Fix-CVE-2022-43995-potential-heap-overflow-for-passwords.patch Patch4: backport-Fix-incorrect-SHA384-512-digest-calculation.patch Patch5: backport-sudo_passwd_verify-zero-out-des_pass-before-returnin.patch +Patch6: backport-Fix-issue-protobuf-c-499-unsigned-integer-overflow.patch +Patch7: backport-Fix-regression-with-zero-length-messages-introduced-.patch +Patch8: backport-Fix-typo-we-should-define-SSIZE_MAX-if-it-is-not-def.patch +Patch9: backport-Fix-a-clang-analyzer-14-warning-about-a-possible-NUL.patch +Patch10: backport-Fix-potential-signed-integer-overflow-on-32-bit-CPUs.patch +Patch11: backport-sudo_ldap_parse_options-fix-memory-leak-of-sudoRole-.patch Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) Requires: pam 
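Review bot: The allocation-failure branch under `if (bv == NULL)` in sudo_ldap_parse_options() used to return directly and now jumps to `oom:` and falls through into `done:`, so the cleanup runs with `bv`, `cn` and `source` all NULL. Only `sudo_rcstr_delref(source)` is visible; the rest of `done:` lies outside the hunk, and every release call there has to accept a NULL argument for this new path to be safe. A short comment at the label, for example `/* bv, cn and source may still be NULL here */`, would keep that requirement visible to later edits. The subject line names the cn string, but the pointer whose release changes in the visible lines is `cp`, which is now freed on the success path as well; a word in the patch description would avoid confusion.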
@@ -166,6 +172,9 @@ install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT/etc/pam.d/sudo-i %exclude %{_pkgdocdir}/ChangeLog %changelog +* Fri Nov 25 2022 wangyu - 1.9.8p2-6 +- Backport patches from upstream community + * Wed Nov 23 2022 wangyu - 1.9.8p2-5 - Backport patches from upstream community