From 32ad4f8eb7bb94c165d17d33a03a6acfdef6a6ce Mon Sep 17 00:00:00 2001
From: modric
Date: Thu, 8 Dec 2022 19:45:15 +0800
Subject: [PATCH] Backport patches from upstream community.

(cherry picked from commit 14f90c690daa14cb78bce5397ba214bb8155e56e)
---
 ...use-after-free-bug-with-cvtsudoers-f.patch | 37 +++++++++++++++++++
 ...-Fix-memory-leak-of-pass-in-converse.patch | 26 +++++++++++++
 ...nt-sudo-from-reading-into-undefined-.patch | 25 +++++++++++++
 ...nup-Set-auth-data-to-NULL-after-free.patch | 35 ++++++++++++++++++
 ...dup-Fix-potential-NULL-pointer-deref.patch | 29 +++++++++++++++
 sudo.spec | 10 ++++-
 6 files changed, 161 insertions(+), 1 deletion(-)
 create mode 100644 backport-Fix-a-potential-use-after-free-bug-with-cvtsudoers-f.patch
 create mode 100644 backport-Fix-memory-leak-of-pass-in-converse.patch
 create mode 100644 backport-cvtsudoers-Prevent-sudo-from-reading-into-undefined-.patch
 create mode 100644 backport-sudo_passwd_cleanup-Set-auth-data-to-NULL-after-free.patch
 create mode 100644 backport-sudo_rcstr_dup-Fix-potential-NULL-pointer-deref.patch

diff --git a/backport-Fix-a-potential-use-after-free-bug-with-cvtsudoers-f.patch b/backport-Fix-a-potential-use-after-free-bug-with-cvtsudoers-f.patch
new file mode 100644
index 0000000..2af4b2c
--- /dev/null
+++ b/backport-Fix-a-potential-use-after-free-bug-with-cvtsudoers-f.patch
@@ -0,0 +1,37 @@
+From 264326de571e0eff1d8003f882bad4cdf1a9230d Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller"
+Date: Thu, 10 Nov 2022 14:55:56 -0700
+Subject: [PATCH] Fix a potential use-after-free bug with cvtsudoers filtering.
+ In role_to_sudoers() when merging a privilege to the previous one where the
+ runas lists are the same we need to re-use the runas lists of the last
+ command in the previous privilege, not the first. Otherwise, the check in
+ free_cmndspec() will not notice the re-used runas lists. Reported/analyzed
+ by Sohom Datta. GitHub issue #198.
+
+---
+ plugins/sudoers/parse_ldif.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/plugins/sudoers/parse_ldif.c b/plugins/sudoers/parse_ldif.c
+index 5d2a79163..2b7109294 100644
+--- a/plugins/sudoers/parse_ldif.c
++++ b/plugins/sudoers/parse_ldif.c
+@@ -432,11 +432,11 @@ role_to_sudoers(struct sudoers_parse_tree *parse_tree, struct sudo_role *role,
+ struct privilege *prev_priv = TAILQ_LAST(&us->privileges, privilege_list);
+ if (reuse_runas) {
+ /* Runas users and groups same if as in previous privilege. */
+- struct member_list *runasuserlist =
+- TAILQ_FIRST(&prev_priv->cmndlist)->runasuserlist;
+- struct member_list *runasgrouplist =
+- TAILQ_FIRST(&prev_priv->cmndlist)->runasgrouplist;
+ struct cmndspec *cmndspec = TAILQ_FIRST(&priv->cmndlist);
++ const struct cmndspec *prev_cmndspec =
++ TAILQ_LAST(&prev_priv->cmndlist, cmndspec_list);
++ struct member_list *runasuserlist = prev_cmndspec->runasuserlist;
++ struct member_list *runasgrouplist = prev_cmndspec->runasgrouplist;
+ 
+ /* Free duplicate runas lists. */
+ if (cmndspec->runasuserlist != NULL) {
+-- 
+2.27.0
+
diff --git a/backport-Fix-memory-leak-of-pass-in-converse.patch b/backport-Fix-memory-leak-of-pass-in-converse.patch
new file mode 100644
index 0000000..dde3bcf
--- /dev/null
+++ b/backport-Fix-memory-leak-of-pass-in-converse.patch
@@ -0,0 +1,26 @@
+From f5cae905ca1a9f686f80aea45a34cea50fec0534 Mon Sep 17 00:00:00 2001
+From: modric
+Date: Thu, 17 Nov 2022 16:08:59 +0800
+Subject: [PATCH] Fix memory leak of pass in converse().
+
+---
+ plugins/sudoers/auth/pam.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/plugins/sudoers/auth/pam.c b/plugins/sudoers/auth/pam.c
+index 339b7a5..f5580ea 100644
+--- a/plugins/sudoers/auth/pam.c
++++ b/plugins/sudoers/auth/pam.c
+@@ -722,7 +722,8 @@ converse(int num_msg, PAM_CONST struct pam_message **msg,
+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
+ "password longer than %d", PAM_MAX_RESP_SIZE);
+ ret = PAM_CONV_ERR;
+- explicit_bzero(pass, strlen(pass));
++ freezero(pass, strlen(pass));
++ pass = NULL;
+ goto done;
+ }
+ reply[n].resp = pass; /* auth_getpass() malloc's a copy */
+-- 
+2.27.0
+
diff --git a/backport-cvtsudoers-Prevent-sudo-from-reading-into-undefined-.patch b/backport-cvtsudoers-Prevent-sudo-from-reading-into-undefined-.patch
new file mode 100644
index 0000000..182fbbd
--- /dev/null
+++ b/backport-cvtsudoers-Prevent-sudo-from-reading-into-undefined-.patch
@@ -0,0 +1,25 @@
+From 902271f441f61506392588fc26db992e64ae4ecd Mon Sep 17 00:00:00 2001
+From: Sohom
+Date: Wed, 9 Nov 2022 23:20:12 +0530
+Subject: [PATCH] [cvtsudoers]: Prevent sudo from reading into undefined memory
+
+---
+ plugins/sudoers/parse_ldif.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/plugins/sudoers/parse_ldif.c b/plugins/sudoers/parse_ldif.c
+index 6c2b74aa0..5d2a79163 100644
+--- a/plugins/sudoers/parse_ldif.c
++++ b/plugins/sudoers/parse_ldif.c
+@@ -688,7 +688,7 @@ sudoers_parse_ldif(struct sudoers_parse_tree *parse_tree,
+ if (strncasecmp(attr, "cn=", 3) == 0) {
+ for (attr += 3; *attr != '\0'; attr++) {
+ /* Handle escaped ',' chars. */
+- if (*attr == '\\')
++ if (*attr == '\\' && attr[1] != '\0')
+ attr++;
+ if (*attr == ',') {
+ attr++;
+-- 
+2.27.0
+
diff --git a/backport-sudo_passwd_cleanup-Set-auth-data-to-NULL-after-free.patch b/backport-sudo_passwd_cleanup-Set-auth-data-to-NULL-after-free.patch
new file mode 100644
index 0000000..18e56e5
--- /dev/null
+++ b/backport-sudo_passwd_cleanup-Set-auth-data-to-NULL-after-free.patch
@@ -0,0 +1,35 @@
+From b3834bbf248f3376ada8fc44166cba38c8ad4bcf Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller"
+Date: Thu, 17 Nov 2022 08:10:35 -0700
+Subject: [PATCH] sudo_passwd_cleanup: Set auth->data to NULL after freeing.
+ GitHub issue #201
+
+---
+ plugins/sudoers/auth/passwd.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/plugins/sudoers/auth/passwd.c b/plugins/sudoers/auth/passwd.c
+index 89da96ff6..6967e4fff 100644
+--- a/plugins/sudoers/auth/passwd.c
++++ b/plugins/sudoers/auth/passwd.c
+@@ -117,11 +117,14 @@ sudo_passwd_verify(struct passwd *pw, const char *pass, sudo_auth *auth, struct
+ int
+ sudo_passwd_cleanup(struct passwd *pw, sudo_auth *auth, bool force)
+ {
+- char *pw_epasswd = auth->data;
+ debug_decl(sudo_passwd_cleanup, SUDOERS_DEBUG_AUTH);
+ 
+- if (pw_epasswd != NULL)
+- freezero(pw_epasswd, strlen(pw_epasswd));
++ if (auth->data != NULL) {
++ /* Zero out encrypted password before freeing. */
++ size_t len = strlen((char *)auth->data);
++ freezero(auth->data, len);
++ auth->data = NULL;
++ }
+ 
+ debug_return_int(AUTH_SUCCESS);
+ }
+-- 
+2.27.0
+
diff --git a/backport-sudo_rcstr_dup-Fix-potential-NULL-pointer-deref.patch b/backport-sudo_rcstr_dup-Fix-potential-NULL-pointer-deref.patch
new file mode 100644
index 0000000..2abbb8a
--- /dev/null
+++ b/backport-sudo_rcstr_dup-Fix-potential-NULL-pointer-deref.patch
@@ -0,0 +1,29 @@
+From dbfd84301a9316018f7c5e42ff5b3a19dd13e5c5 Mon Sep 17 00:00:00 2001
+From: modric
+Date: Tue, 22 Nov 2022 10:12:29 +0800
+Subject: [PATCH] sudo_rcstr_dup: Fix potential NULL pointer deref
+
+---
+ lib/util/rcstr.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/lib/util/rcstr.c b/lib/util/rcstr.c
+index d990a99e9..08b00bcd7 100644
+--- a/lib/util/rcstr.c
++++ b/lib/util/rcstr.c
+@@ -49,8 +49,10 @@ sudo_rcstr_dup(const char *src)
+ debug_decl(sudo_rcstr_dup, SUDO_DEBUG_UTIL);
+ 
+ dst = sudo_rcstr_alloc(len);
+- memcpy(dst, src, len);
+- dst[len] = '\0';
++ if (dst != NULL) {
++ memcpy(dst, src, len);
++ dst[len] = '\0';
++ }
+ debug_return_ptr(dst);
+ }
+ 
+-- 
+2.27.0
+
diff --git a/sudo.spec b/sudo.spec
index 3c9be66..44311ef 100644
--- a/sudo.spec
+++ b/sudo.spec
@@ -1,6 +1,6 @@
 Name: sudo
 Version: 1.9.8p2
-Release: 6
+Release: 7
 Summary: Allows restricted root access for specified users
 License: ISC
 URL: http://www.courtesan.com/sudo/
@@ -22,6 +22,11 @@ Patch8: backport-Fix-typo-we-should-define-SSIZE_MAX-if-it-is-not-def.patch
 Patch9: backport-Fix-a-clang-analyzer-14-warning-about-a-possible-NUL.patch
 Patch10: backport-Fix-potential-signed-integer-overflow-on-32-bit-CPUs.patch
 Patch11: backport-sudo_ldap_parse_options-fix-memory-leak-of-sudoRole-.patch
+Patch12: backport-cvtsudoers-Prevent-sudo-from-reading-into-undefined-.patch
+Patch13: backport-Fix-a-potential-use-after-free-bug-with-cvtsudoers-f.patch
+Patch14: backport-Fix-memory-leak-of-pass-in-converse.patch
+Patch15: backport-sudo_passwd_cleanup-Set-auth-data-to-NULL-after-free.patch
+Patch16: backport-sudo_rcstr_dup-Fix-potential-NULL-pointer-deref.patch
 
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Requires: pam
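Review bot: Patch13 must stay listed after Patch12 in the new Patch12–Patch16 block: the embedded `index` lines show Patch12 takes plugins/sudoers/parse_ldif.c from 6c2b74aa0 to 5d2a79163 and Patch13 expects 5d2a79163 as its base, so reordering these entries would make Patch13 apply against the wrong baseline. That dependency is worth recording where the next maintainer will see it, e.g. `# Patch13 applies on top of Patch12 (both touch plugins/sudoers/parse_ldif.c)` above the Patch12 line. This hunk only declares the patches; whether %prep actually applies Patch12–Patch16 (for example through %autosetup) is outside the diff and should be confirmed before the build is trusted to include these fixes.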
@@ -172,6 +177,9 @@ install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT/etc/pam.d/sudo-i
 %exclude %{_pkgdocdir}/ChangeLog
 
 %changelog
+* Thu Dec 08 2022 wangyu - 1.9.8p2-7
+- Backport patches from upstream community
+
 * Fri Nov 25 2022 wangyu - 1.9.8p2-6
 - Backport patches from upstream community
 
-- Gitee