diff --git a/Fix-memory-leak-in-fill_txt.patch b/Fix-memory-leak-in-fill_txt.patch new file mode 100644 index 0000000000000000000000000000000000000000..352a898a46c62a9d07e947a93aa8b83c459e2e54 --- /dev/null +++ b/Fix-memory-leak-in-fill_txt.patch @@ -0,0 +1,27 @@ +From 2d73f12e233155d3038a5d58126d6d0e655031eb Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Mon, 28 Nov 2022 03:37:06 +0000 +Subject: [PATCH] Fix memory leak in fill_txt. + +--- + plugins/sudoers/toke_util.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/plugins/sudoers/toke_util.c b/plugins/sudoers/toke_util.c +index 22cad9e..7be3e07 100644 +--- a/plugins/sudoers/toke_util.c ++++ b/plugins/sudoers/toke_util.c +@@ -52,6 +52,10 @@ fill_txt(const char *src, size_t len, size_t olen) + sudoerserror(NULL); + debug_return_bool(false); + } ++ if (olen == 0 && sudoerslval.string != NULL) { ++ free(sudoerslval.string); ++ sudoerslval.string = NULL; ++ } + sudoerslval.string = dst; + + /* Copy the string and collapse any escaped characters. */ +-- +2.33.0 + diff --git a/sudo.spec b/sudo.spec index 9f4affc73cb9d8eacf16a4e36dfcc454e5ca2a20..b7eaafbc3c9c3f1dd7b8a0b30e62a19129a6938d 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,6 +1,6 @@ Name: sudo Version: 1.9.2 -Release: 8 +Release: 9 Summary: Allows restricted root access for specified users License: ISC URL: http://www.courtesan.com/sudo/ @@ -29,6 +29,7 @@ Patch15: backport-fix-CVE-2022-33070.patch Patch16: backport-Fix-CVE-2022-43995-potential-heap-overflow-for-passwords.patch Patch17: backport-Fix-incorrect-SHA384-512-digest-calculation.patch Patch18: backport-sudo_passwd_verify-zero-out-des_pass-before-returnin.patch +Patch19: Fix-memory-leak-in-fill_txt.patch Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) Requires: pam @@ -169,6 +170,9 @@ install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT/etc/pam.d/sudo-i %exclude %{_pkgdocdir}/ChangeLog %changelog +* Mon Nov 28 2022 wangyu - 1.9.2-9 +- Fix memory leak in fill_txt(). + * Wed Nov 23 2022 wangyu - 1.9.2-8 - Backport patches from upstream community