diff --git a/backport-0001-CVE-2022-37434.patch b/backport-0001-CVE-2022-37434.patch deleted file mode 100644 index 56a97ccf88578dd9ef71491a863fbf1e406bdabd..0000000000000000000000000000000000000000 --- a/backport-0001-CVE-2022-37434.patch +++ /dev/null @@ -1,35 +0,0 @@ -From eff308af425b67093bab25f80f1ae950166bece1 Mon Sep 17 00:00:00 2001 -From: Mark Adler -Date: Sat, 30 Jul 2022 15:51:11 -0700 -Subject: [PATCH] Fix a bug when getting a gzip header extra field with - inflate(). - -If the extra field was larger than the space the user provided with -inflateGetHeader(), and if multiple calls of inflate() delivered -the extra header data, then there could be a buffer overflow of the -provided space. This commit assures that provided space is not -exceeded. ---- - inflate.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/lib/zlib/inflate.c b/lib/zlib/inflate.c -index 2a0ac30..95a38f5 100644 ---- a/lib/zlib/inflate.c -+++ b/lib/zlib/inflate.c -@@ -765,9 +765,10 @@ int flush; - copy = state->length; - if (copy > have) copy = have; - if (copy) { -+ len = state->head->extra_len - state->length; - if (state->head != Z_NULL && -- state->head->extra != Z_NULL) { -- len = state->head->extra_len - state->length; -+ state->head->extra != Z_NULL && -+ len < state->head->extra_max) { - zmemcpy(state->head->extra + len, next, - len + copy > state->head->extra_max ? - state->head->extra_max - len : copy); --- -2.27.0 - diff --git a/backport-0002-CVE-2022-37434.patch b/backport-0002-CVE-2022-37434.patch deleted file mode 100644 index ad2318b6bcec0f2ff538a2a3fdaf576d64f79ef0..0000000000000000000000000000000000000000 --- a/backport-0002-CVE-2022-37434.patch +++ /dev/null 
@@ -1,32 +0,0 @@ -From 1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d Mon Sep 17 00:00:00 2001 -From: Mark Adler -Date: Mon, 8 Aug 2022 10:50:09 -0700 -Subject: [PATCH] Fix extra field processing bug that dereferences NULL - state->head. - -The recent commit to fix a gzip header extra field processing bug -introduced the new bug fixed here. ---- - inflate.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/lib/zlib/inflate.c b/lib/zlib/inflate.c -index 95a38f5..9c5934e 100644 ---- a/lib/zlib/inflate.c -+++ b/lib/zlib/inflate.c -@@ -765,10 +765,10 @@ int flush; - copy = state->length; - if (copy > have) copy = have; - if (copy) { -- len = state->head->extra_len - state->length; - if (state->head != Z_NULL && - state->head->extra != Z_NULL && -- len < state->head->extra_max) { -+ (len = state->head->extra_len - state->length) < -+ state->head->extra_max) { - zmemcpy(state->head->extra + len, next, - len + copy > state->head->extra_max ? - state->head->extra_max - len : copy); --- -2.27.0 - diff --git a/backport-CVE-2022-33070.patch b/backport-CVE-2022-33070.patch deleted file mode 100644 index 2310f14dfc46d8f3d1fbd2677d0daaf3571a7045..0000000000000000000000000000000000000000 --- a/backport-CVE-2022-33070.patch +++ /dev/null 
@@ -1,73 +0,0 @@ -diff -Naru a/lib/protobuf-c/protobuf-c.c b/lib/protobuf-c/protobuf-c.c ---- a/lib/protobuf-c/protobuf-c.c -+++ b/lib/protobuf-c/protobuf-c.c -@@ -316,9 +316,8 @@ - static inline uint32_t - zigzag32(int32_t v) - { -- // Note: the right-shift must be arithmetic -- // Note: left shift must be unsigned because of overflow -- return ((uint32_t)(v) << 1) ^ (uint32_t)(v >> 31); -+ // Note: Using unsigned types prevents undefined behavior -+ return ((uint32_t)v << 1) ^ -((uint32_t)v >> 31); - } - - /** -@@ -380,9 +379,8 @@ - static inline uint64_t - zigzag64(int64_t v) - { -- // Note: the right-shift must be arithmetic -- // Note: left shift must be unsigned because of overflow -- return ((uint64_t)(v) << 1) ^ (uint64_t)(v >> 63); -+ // Note: Using unsigned types prevents undefined behavior -+ return ((uint64_t)v << 1) ^ -((uint64_t)v >> 63); - } - - /** -@@ -802,7 +800,8 @@ - } - - /** -- * Pack a signed 32-bit integer and return the number of bytes written. -+ * Pack a signed 32-bit integer and return the number of bytes written, -+ * passed as unsigned to avoid implementation-specific behavior. - * Negative numbers are encoded as two's complement 64-bit integers. - * - * \param value -@@ -813,14 +812,14 @@ - * Number of bytes written to `out`. 
- */ - static inline size_t --int32_pack(int32_t value, uint8_t *out) -+int32_pack(uint32_t value, uint8_t *out) - { -- if (value < 0) { -+ if ((int32_t)value < 0) { - out[0] = value | 0x80; - out[1] = (value >> 7) | 0x80; - out[2] = (value >> 14) | 0x80; - out[3] = (value >> 21) | 0x80; -- out[4] = (value >> 28) | 0x80; -+ out[4] = (value >> 28) | 0xf0; - out[5] = out[6] = out[7] = out[8] = 0xff; - out[9] = 0x01; - return 10; -@@ -2425,7 +2424,7 @@ - unzigzag32(uint32_t v) - { - // Note: Using unsigned types prevents undefined behavior -- return (int32_t)((v >> 1) ^ (~(v & 1) + 1)); -+ return (int32_t)((v >> 1) ^ -(v & 1)); - } - - static inline uint32_t -@@ -2467,7 +2466,7 @@ - unzigzag64(uint64_t v) - { - // Note: Using unsigned types prevents undefined behavior -- return (int64_t)((v >> 1) ^ (~(v & 1) + 1)); -+ return (int64_t)((v >> 1) ^ -(v & 1)); - } - - static inline uint64_t diff --git a/backport-CVE-2023-22809.patch b/backport-CVE-2023-22809.patch deleted file mode 100644 index 33ea6bf00819e7b1e6f43495b46b590011ccb348..0000000000000000000000000000000000000000 --- a/backport-CVE-2023-22809.patch +++ /dev/null 
@@ -1,143 +0,0 @@ -From 0274a4f3b403162a37a10f199c989f3727ed3ad4 Mon Sep 17 00:00:00 2001 -From: "Todd C. Miller" -Date: Thu, 12 Jan 2023 15:55:27 -0700 -Subject: [PATCH] sudoedit: do not permit editor arguments to include "--" - (CVE-2023-22809) We use "--" to separate the editor and arguments from the - files to edit. If the editor arguments include "--", sudo can be tricked into - allowing the user to edit a file not permitted by the security policy. Thanks - to Matthieu Barjole and Victor Cutillas of Synacktiv (https://synacktiv.com) - for finding this bug. - -Reference:https://github.com/sudo-project/sudo/commit/0274a4f3b403162a37a10f199c989f3727ed3ad4 -Conflict:NA - ---- - plugins/sudoers/editor.c | 19 ++++++++++++++----- - plugins/sudoers/sudoers.c | 25 ++++++++++++++++++------- - plugins/sudoers/visudo.c | 8 ++++++-- - 3 files changed, 38 insertions(+), 14 deletions(-) - -diff --git a/plugins/sudoers/editor.c b/plugins/sudoers/editor.c -index 5ca4eb0af..6d988ff68 100644 ---- a/plugins/sudoers/editor.c -+++ b/plugins/sudoers/editor.c -@@ -133,7 +133,7 @@ resolve_editor(const char *ed, size_t edlen, int nfiles, char * const *files, - const char *tmp, *cp, *ep = NULL; - const char *edend = ed + edlen; - struct stat user_editor_sb; -- int nargc; -+ int nargc = 0; - debug_decl(resolve_editor, SUDOERS_DEBUG_UTIL); - - /* -@@ -151,10 +151,7 @@ resolve_editor(const char *ed, size_t edlen, int nfiles, char * const *files, - /* If we can't find the editor in the user's PATH, give up. */ - if (find_path(editor, &editor_path, &user_editor_sb, getenv("PATH"), NULL, - 0, allowlist) != FOUND) { -- sudoers_gc_remove(GC_PTR, editor); -- free(editor); -- errno = ENOENT; -- debug_return_str(NULL); -+ goto bad; - } - - /* Count rest of arguments and allocate editor argv. 
*/ -@@ -175,6 +172,17 @@ resolve_editor(const char *ed, size_t edlen, int nfiles, char * const *files, - nargv[nargc] = copy_arg(cp, ep - cp); - if (nargv[nargc] == NULL) - goto oom; -+ -+ /* -+ * We use "--" to separate the editor and arguments from the files -+ * to edit. The editor arguments themselves may not contain "--". -+ */ -+ if (strcmp(nargv[nargc], "--") == 0) { -+ sudo_warnx(U_("ignoring editor: %.*s"), (int)edlen, ed); -+ sudo_warnx("%s", U_("editor arguments may not contain \"--\"")); -+ errno = EINVAL; -+ goto bad; -+ } - } - if (nfiles != 0) { - nargv[nargc++] = "--"; -@@ -188,6 +196,7 @@ resolve_editor(const char *ed, size_t edlen, int nfiles, char * const *files, - debug_return_str(editor_path); - oom: - sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory")); -+bad: - sudoers_gc_remove(GC_PTR, editor); - free(editor); - free(editor_path); -diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c -index 7b97340ac..1f22853ff 100644 ---- a/plugins/sudoers/sudoers.c -+++ b/plugins/sudoers/sudoers.c -@@ -759,21 +759,32 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[], - - /* Note: must call audit before uid change. */ - if (ISSET(sudo_mode, MODE_EDIT)) { -+ const char *env_editor = NULL; - char **edit_argv; - int edit_argc; -- const char *env_editor; - - free(safe_cmnd); - safe_cmnd = find_editor(NewArgc - 1, NewArgv + 1, &edit_argc, - &edit_argv, NULL, &env_editor, false); - if (safe_cmnd == NULL) { -- if (errno != ENOENT) -+ switch (errno) { -+ case ENOENT: -+ audit_failure(NewArgv, N_("%s: command not found"), -+ env_editor ? env_editor : def_editor); -+ sudo_warnx(U_("%s: command not found"), -+ env_editor ? env_editor : def_editor); -+ goto bad; -+ case EINVAL: -+ if (def_env_editor && env_editor != NULL) { -+ /* User tried to do something funny with the editor. 
*/ -+ log_warningx(SLOG_NO_STDERR|SLOG_AUDIT|SLOG_SEND_MAIL, -+ "invalid user-specified editor: %s", env_editor); -+ goto bad; -+ } -+ FALLTHROUGH; -+ default: - goto done; -- audit_failure(NewArgv, N_("%s: command not found"), -- env_editor ? env_editor : def_editor); -- sudo_warnx(U_("%s: command not found"), -- env_editor ? env_editor : def_editor); -- goto bad; -+ } - } - /* find_editor() already g/c'd edit_argv[] */ - sudoers_gc_remove(GC_PTR, NewArgv); -diff --git a/plugins/sudoers/visudo.c b/plugins/sudoers/visudo.c -index 82f7f9e56..425071afd 100644 ---- a/plugins/sudoers/visudo.c -+++ b/plugins/sudoers/visudo.c -@@ -301,7 +301,7 @@ static char * - get_editor(int *editor_argc, char ***editor_argv) - { - char *editor_path = NULL, **allowlist = NULL; -- const char *env_editor; -+ const char *env_editor = NULL; - static char *files[] = { "+1", "sudoers" }; - unsigned int allowlist_len = 0; - debug_decl(get_editor, SUDOERS_DEBUG_UTIL); -@@ -335,7 +335,11 @@ get_editor(int *editor_argc, char ***editor_argv) - if (editor_path == NULL) { - if (def_env_editor && env_editor != NULL) { - /* We are honoring $EDITOR so this is a fatal error. */ -- sudo_fatalx(U_("specified editor (%s) doesn't exist"), env_editor); -+ if (errno == ENOENT) { -+ sudo_warnx(U_("specified editor (%s) doesn't exist"), -+ env_editor); -+ } -+ exit(EXIT_FAILURE); - } - sudo_fatalx(U_("no editor found (editor path = %s)"), def_editor); - } --- -2.27.0 - diff --git a/backport-Fix-CVE-2022-43995-potential-heap-overflow-for-passwords.patch b/backport-Fix-CVE-2022-43995-potential-heap-overflow-for-passwords.patch deleted file mode 100644 index 6075d90d2a2d69083833f962d1c6763d7848b93f..0000000000000000000000000000000000000000 --- a/backport-Fix-CVE-2022-43995-potential-heap-overflow-for-passwords.patch +++ /dev/null 
@@ -1,55 +0,0 @@ -From bd209b9f16fcd1270c13db27ae3329c677d48050 Mon Sep 17 00:00:00 2001 -From: "Todd C. Miller" -Date: Fri, 28 Oct 2022 07:29:55 -0600 -Subject: [PATCH] Fix CVE-2022-43995, potential heap overflow for passwords < 8 - characters. Starting with sudo 1.8.0 the plaintext password buffer is - dynamically sized so it is not safe to assume that it is at least 9 bytes in - size. Found by Hugo Lefeuvre (University of Manchester) with ConfFuzz. - -Conflict:NA -Reference:https://github.com/sudo-project/sudo/commit/bd209b9f16fcd1270c13db27ae3329c677d48050 ---- - plugins/sudoers/auth/passwd.c | 11 +++++------ - 1 file changed, 5 insertions(+), 6 deletions(-) - -diff --git a/plugins/sudoers/auth/passwd.c b/plugins/sudoers/auth/passwd.c -index b2046eca2..0416861e9 100644 ---- a/plugins/sudoers/auth/passwd.c -+++ b/plugins/sudoers/auth/passwd.c -@@ -63,7 +63,7 @@ sudo_passwd_init(struct passwd *pw, sudo_auth *auth) - int - sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_conv_callback *callback) - { -- char sav, *epass; -+ char des_pass[9], *epass; - char *pw_epasswd = auth->data; - size_t pw_len; - int matched = 0; -@@ -75,12 +75,12 @@ sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_c - - /* - * Truncate to 8 chars if standard DES since not all crypt()'s do this. -- * If this turns out not to be safe we will have to use OS #ifdef's (sigh). - */ -- sav = pass[8]; - pw_len = strlen(pw_epasswd); -- if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len)) -- pass[8] = '\0'; -+ if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len)) { -+ strlcpy(des_pass, pass, sizeof(des_pass)); -+ pass = des_pass; -+ } - - /* - * Normal UN*X password check. -@@ -88,7 +88,6 @@ sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_c - * only compare the first DESLEN characters in that case. 
- */ - epass = (char *) crypt(pass, pw_epasswd); -- pass[8] = sav; - if (epass != NULL) { - if (HAS_AGEINFO(pw_epasswd, pw_len) && strlen(epass) == DESLEN) - matched = !strncmp(pw_epasswd, epass, DESLEN); --- -2.27.0 - diff --git a/backport-Fix-a-clang-analyzer-14-warning-about-a-possible-NUL.patch b/backport-Fix-a-clang-analyzer-14-warning-about-a-possible-NUL.patch deleted file mode 100644 index 967f47d064a6bcc4db763e67bb1e2d3846895f35..0000000000000000000000000000000000000000 --- a/backport-Fix-a-clang-analyzer-14-warning-about-a-possible-NUL.patch +++ /dev/null @@ -1,26 +0,0 @@ -From bfc6249902d842626058e74074832930feaf2f80 Mon Sep 17 00:00:00 2001 -From: "Todd C. Miller" -Date: Wed, 29 Jun 2022 11:18:16 -0600 -Subject: [PATCH] Fix a clang analyzer 14 warning about a possible NULL deref. - ---- - lib/protobuf-c/protobuf-c.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/lib/protobuf-c/protobuf-c.c b/lib/protobuf-c/protobuf-c.c -index 3cc22c5f0..9ee355df5 100644 ---- a/lib/protobuf-c/protobuf-c.c -+++ b/lib/protobuf-c/protobuf-c.c -@@ -3246,6 +3246,9 @@ protobuf_c_message_unpack(const ProtobufCMessageDescriptor *desc, - /* allocate space for repeated fields, also check that all required fields have been set */ - for (f = 0; f < desc->n_fields; f++) { - const ProtobufCFieldDescriptor *field = desc->fields + f; -+ if (field == NULL) { -+ continue; -+ } - if (field->label == PROTOBUF_C_LABEL_REPEATED) { - size_t siz = - sizeof_elt_in_repeated_array(field->type); --- -2.33.0 - diff --git a/backport-Fix-a-potential-use-after-free-bug-with-cvtsudoers-f.patch b/backport-Fix-a-potential-use-after-free-bug-with-cvtsudoers-f.patch deleted file mode 100644 index 2af4b2c280afa9e1626d9bf11985f003c13df9f2..0000000000000000000000000000000000000000 --- a/backport-Fix-a-potential-use-after-free-bug-with-cvtsudoers-f.patch +++ /dev/null 
@@ -1,37 +0,0 @@ -From 264326de571e0eff1d8003f882bad4cdf1a9230d Mon Sep 17 00:00:00 2001 -From: "Todd C. Miller" -Date: Thu, 10 Nov 2022 14:55:56 -0700 -Subject: [PATCH] Fix a potential use-after-free bug with cvtsudoers filtering. - In role_to_sudoers() when merging a privilege to the previous one where the - runas lists are the same we need to re-use the runas lists of the last - command in the previous privilege, not the first. Otherwise, the check in - free_cmndspec() will not notice the re-used runas lists. Reported/analyzed - by Sohom Datta. GitHub issue #198. - ---- - plugins/sudoers/parse_ldif.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/plugins/sudoers/parse_ldif.c b/plugins/sudoers/parse_ldif.c -index 5d2a79163..2b7109294 100644 ---- a/plugins/sudoers/parse_ldif.c -+++ b/plugins/sudoers/parse_ldif.c -@@ -432,11 +432,11 @@ role_to_sudoers(struct sudoers_parse_tree *parse_tree, struct sudo_role *role, - struct privilege *prev_priv = TAILQ_LAST(&us->privileges, privilege_list); - if (reuse_runas) { - /* Runas users and groups same if as in previous privilege. */ -- struct member_list *runasuserlist = -- TAILQ_FIRST(&prev_priv->cmndlist)->runasuserlist; -- struct member_list *runasgrouplist = -- TAILQ_FIRST(&prev_priv->cmndlist)->runasgrouplist; - struct cmndspec *cmndspec = TAILQ_FIRST(&priv->cmndlist); -+ const struct cmndspec *prev_cmndspec = -+ TAILQ_LAST(&prev_priv->cmndlist, cmndspec_list); -+ struct member_list *runasuserlist = prev_cmndspec->runasuserlist; -+ struct member_list *runasgrouplist = prev_cmndspec->runasgrouplist; - - /* Free duplicate runas lists. */ - if (cmndspec->runasuserlist != NULL) { --- -2.27.0 - diff --git a/backport-Fix-incorrect-SHA384-512-digest-calculation.patch b/backport-Fix-incorrect-SHA384-512-digest-calculation.patch deleted file mode 100644 index 04f72d418c88ddf56c1611fc8b0327d555229b14..0000000000000000000000000000000000000000 
--- a/backport-Fix-incorrect-SHA384-512-digest-calculation.patch +++ /dev/null @@ -1,29 +0,0 @@ -From e4f08157b6693b956fe9c7c987bc3eeac1abb2cc Mon Sep 17 00:00:00 2001 -From: Tim Shearer -Date: Tue, 2 Aug 2022 08:48:32 -0400 -Subject: [PATCH] Fix incorrect SHA384/512 digest calculation. - -Resolves an issue where certain message sizes result in an incorrect -checksum. Specifically, when: -(n*8) mod 1024 == 896 -where n is the file size in bytes. ---- - lib/util/sha2.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/lib/util/sha2.c b/lib/util/sha2.c -index b7a28cca8..f769f77f2 100644 ---- a/lib/util/sha2.c -+++ b/lib/util/sha2.c -@@ -490,7 +490,7 @@ SHA512Pad(SHA2_CTX *ctx) - SHA512Update(ctx, (uint8_t *)"\200", 1); - - /* Pad message such that the resulting length modulo 1024 is 896. */ -- while ((ctx->count[0] & 1008) != 896) -+ while ((ctx->count[0] & 1016) != 896) - SHA512Update(ctx, (uint8_t *)"\0", 1); - - /* Append length of message in bits and do final SHA512Transform(). */ --- -2.33.0 - diff --git a/backport-Fix-issue-protobuf-c-499-unsigned-integer-overflow.patch b/backport-Fix-issue-protobuf-c-499-unsigned-integer-overflow.patch deleted file mode 100644 index ef9bc2cc5ab5ceed016d4b59fb3f6ee1ae6ecf4d..0000000000000000000000000000000000000000 --- a/backport-Fix-issue-protobuf-c-499-unsigned-integer-overflow.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 263fdc6b067bd892df654377c0ea051289fce33f Mon Sep 17 00:00:00 2001 -From: "Todd C. Miller" -Date: Mon, 6 Jun 2022 20:15:03 -0600 -Subject: [PATCH] Fix issue protobuf-c#499: unsigned integer overflow - 
Signed-off-by: 10054172 - ---- - lib/protobuf-c/protobuf-c.c | 13 ++++++++----- - 1 file changed, 8 insertions(+), 5 deletions(-) - -diff --git a/lib/protobuf-c/protobuf-c.c b/lib/protobuf-c/protobuf-c.c -index 96b750650..73e120046 100644 ---- a/lib/protobuf-c/protobuf-c.c -+++ b/lib/protobuf-c/protobuf-c.c -@@ -2619,11 +2619,14 @@ parse_required_member(ScannedMember *scanned_member, - return FALSE; - - def_mess = scanned_member->field->default_value; -- subm = protobuf_c_message_unpack(scanned_member->field->descriptor, -- allocator, -- len - pref_len, -- data + pref_len); -- -+ if (len > pref_len) { -+ subm = protobuf_c_message_unpack(scanned_member->field->descriptor, -+ allocator, -+ len - pref_len, -+ data + pref_len); -+ } else { -+ subm = NULL; -+ } - if (maybe_clear && - *pmessage != NULL && - *pmessage != def_mess) --- -2.33.0 - diff --git a/backport-Fix-memory-leak-of-pass-in-converse.patch b/backport-Fix-memory-leak-of-pass-in-converse.patch deleted file mode 100644 index dde3bcf0a3d51150623dc100bb43505ce8f1312a..0000000000000000000000000000000000000000 --- a/backport-Fix-memory-leak-of-pass-in-converse.patch +++ /dev/null 
@@ -1,26 +0,0 @@
-From f5cae905ca1a9f686f80aea45a34cea50fec0534 Mon Sep 17 00:00:00 2001
-From: modric
-Date: Thu, 17 Nov 2022 16:08:59 +0800
-Subject: [PATCH] Fix memory leak of pass in converse().
-
----
- plugins/sudoers/auth/pam.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/plugins/sudoers/auth/pam.c b/plugins/sudoers/auth/pam.c
-index 339b7a5..f5580ea 100644
---- a/plugins/sudoers/auth/pam.c
-+++ b/plugins/sudoers/auth/pam.c
-@@ -722,7 +722,8 @@ converse(int num_msg, PAM_CONST struct pam_message **msg,
- sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
- "password longer than %d", PAM_MAX_RESP_SIZE);
- ret = PAM_CONV_ERR;
-- explicit_bzero(pass, strlen(pass));
-+ freezero(pass, strlen(pass));
-+ pass = NULL;
- goto done;
- }
- reply[n].resp = pass; /* auth_getpass() malloc's a copy */
--- 
-2.27.0
-
diff --git a/backport-Fix-potential-signed-integer-overflow-on-32-bit-CPUs.patch b/backport-Fix-potential-signed-integer-overflow-on-32-bit-CPUs.patch
deleted file mode 100644
index edbc850eae725ed0f25282c2523ccb4fa27c7926..0000000000000000000000000000000000000000
--- a/backport-Fix-potential-signed-integer-overflow-on-32-bit-CPUs.patch
+++ /dev/null
@@ -1,71 +0,0 @@ -From dc8311dae99c2e6d60ecd3db6730fe84c6fe9d5b Mon Sep 17 00:00:00 2001 -From: "Todd C. Miller" -Date: Fri, 27 May 2022 15:47:32 -0600 -Subject: [PATCH] Fix potential signed integer overflow on 32-bit CPUs. - Converting fractional minutes to nanoseconds could overflow a 32-bit integer, - use long long instead. - ---- - plugins/sudoers/defaults.c | 28 ++++++++++++++-------------- - 1 file changed, 14 insertions(+), 14 deletions(-) - -diff --git a/plugins/sudoers/defaults.c b/plugins/sudoers/defaults.c -index d5bd8080d..ec6b64fe9 100644 ---- a/plugins/sudoers/defaults.c -+++ b/plugins/sudoers/defaults.c -@@ -935,38 +935,38 @@ store_timespec(const char *str, struct sudo_defs_types *def) - - sudo_timespecclear(&ts); - if (str != NULL) { -- /* Convert from minutes to timespec. */ -+ /* Convert from minutes to seconds. */ - if (*str == '+' || *str == '-') - sign = *str++; - while (*str != '\0' && *str != '.') { - if (!isdigit((unsigned char)*str)) - debug_return_bool(false); /* invalid number */ - -- /* Verify (ts.tv_sec * 10) + digit <= TIME_T_MAX. */ -- i = *str++ - '0'; -+ /* Verify (ts.tv_sec * 10) + (digit * 60) <= TIME_T_MAX. */ -+ i = (*str++ - '0') * 60L; - if (ts.tv_sec > (TIME_T_MAX - i) / 10) - debug_return_bool(false); /* overflow */ - ts.tv_sec *= 10; - ts.tv_sec += i; - } - if (*str++ == '.') { -- /* Convert optional fractional component to nanosecs. */ -+ long long nsec = 0; -+ -+ /* Convert optional fractional component to seconds and nanosecs. */ - for (i = 100000000; i > 0; i /= 10) { - if (*str == '\0') - break; - if (!isdigit((unsigned char)*str)) - debug_return_bool(false); /* invalid number */ -- ts.tv_nsec += i * (*str++ - '0'); -+ nsec += i * (*str++ - '0') * 60LL; - } -- } -- /* Convert from minutes to seconds. 
*/ -- if (ts.tv_sec > TIME_T_MAX / 60) -- debug_return_bool(false); /* overflow */ -- ts.tv_sec *= 60; -- ts.tv_nsec *= 60; -- while (ts.tv_nsec >= 1000000000) { -- ts.tv_sec++; -- ts.tv_nsec -= 1000000000; -+ while (nsec >= 1000000000) { -+ if (ts.tv_sec == TIME_T_MAX) -+ debug_return_bool(false); /* overflow */ -+ ts.tv_sec++; -+ nsec -= 1000000000; -+ } -+ ts.tv_nsec = nsec; - } - } - if (sign == '-') { --- -2.33.0 - diff --git a/backport-Fix-regression-with-zero-length-messages-introduced-.patch b/backport-Fix-regression-with-zero-length-messages-introduced-.patch deleted file mode 100644 index 485884b985ae9f2ed1c9dec80a9abf4661f8973d..0000000000000000000000000000000000000000 --- a/backport-Fix-regression-with-zero-length-messages-introduced-.patch +++ /dev/null @@ -1,26 +0,0 @@ -From b6a6451482a3ff5e30f43ef888159d4b0d39143b Mon Sep 17 00:00:00 2001 -From: "Todd C. Miller" -Date: Thu, 9 Jun 2022 07:34:55 -0600 -Subject: [PATCH] Fix regression with zero-length messages introduced in - protobuf-c PR 500. - ---- - lib/protobuf-c/protobuf-c.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/lib/protobuf-c/protobuf-c.c b/lib/protobuf-c/protobuf-c.c -index 9d56e1fec..3cc22c5f0 100644 ---- a/lib/protobuf-c/protobuf-c.c -+++ b/lib/protobuf-c/protobuf-c.c -@@ -2618,7 +2618,7 @@ parse_required_member(ScannedMember *scanned_member, - return FALSE; - - def_mess = scanned_member->field->default_value; -- if (len > pref_len) { -+ if (len >= pref_len) { - subm = protobuf_c_message_unpack(scanned_member->field->descriptor, - allocator, - len - pref_len, --- -2.33.0 - diff --git a/backport-Fix-typo-we-should-define-SSIZE_MAX-if-it-is-not-def.patch b/backport-Fix-typo-we-should-define-SSIZE_MAX-if-it-is-not-def.patch deleted file mode 100644 index 5180a3852973884914370ce045c0095f070f901a..0000000000000000000000000000000000000000 --- a/backport-Fix-typo-we-should-define-SSIZE_MAX-if-it-is-not-def.patch +++ /dev/null 
@@ -1,29 +0,0 @@ -From 169e049821a68449b1c73918f13765ea1142b7f0 Mon Sep 17 00:00:00 2001 -From: "Todd C. Miller" -Date: Fri, 10 Jun 2022 09:34:33 -0600 -Subject: [PATCH] =?UTF-8?q?Fix=20typo,=20we=20should=20define=20SSIZE=5FMA?= - =?UTF-8?q?X=C2=A0if=20it=20is=20not=20defined.?= -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - ---- - include/sudo_compat.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/include/sudo_compat.h b/include/sudo_compat.h -index d62dea7d6..ee3c22962 100644 ---- a/include/sudo_compat.h -+++ b/include/sudo_compat.h -@@ -157,7 +157,7 @@ - #endif - - #if defined(HAVE_DECL_SSIZE_MAX) && !HAVE_DECL_SSIZE_MAX --# define SIZE_MAX LONG_MAX -+# define SSIZE_MAX LONG_MAX - #endif - - #if defined(HAVE_DECL_PATH_MAX) && !HAVE_DECL_PATH_MAX --- -2.33.0 - diff --git a/backport-cvtsudoers-Prevent-sudo-from-reading-into-undefined-.patch b/backport-cvtsudoers-Prevent-sudo-from-reading-into-undefined-.patch deleted file mode 100644 index 182fbbdf75c3c8654c033937ac0c6e06e94ae3c4..0000000000000000000000000000000000000000 --- a/backport-cvtsudoers-Prevent-sudo-from-reading-into-undefined-.patch +++ /dev/null 
@@ -1,25 +0,0 @@
-From 902271f441f61506392588fc26db992e64ae4ecd Mon Sep 17 00:00:00 2001
-From: Sohom
-Date: Wed, 9 Nov 2022 23:20:12 +0530
-Subject: [PATCH] [cvtsudoers]: Prevent sudo from reading into undefined memory
-
----
- plugins/sudoers/parse_ldif.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/plugins/sudoers/parse_ldif.c b/plugins/sudoers/parse_ldif.c
-index 6c2b74aa0..5d2a79163 100644
---- a/plugins/sudoers/parse_ldif.c
-+++ b/plugins/sudoers/parse_ldif.c
-@@ -688,7 +688,7 @@ sudoers_parse_ldif(struct sudoers_parse_tree *parse_tree,
- if (strncasecmp(attr, "cn=", 3) == 0) {
- for (attr += 3; *attr != '\0'; attr++) {
- /* Handle escaped ',' chars. */
-- if (*attr == '\\')
-+ if (*attr == '\\' && attr[1] != '\0')
- attr++;
- if (*attr == ',') {
- attr++;
--- 
-2.27.0
-
diff --git a/backport-sudo_ldap_parse_options-fix-memory-leak-of-sudoRole-.patch b/backport-sudo_ldap_parse_options-fix-memory-leak-of-sudoRole-.patch
deleted file mode 100644
index 5adf9fa17615f1e8ba0ae9a604aae390f17bcdee..0000000000000000000000000000000000000000
--- a/backport-sudo_ldap_parse_options-fix-memory-leak-of-sudoRole-.patch
+++ /dev/null
@@ -1,88 +0,0 @@ -From 22a01410bdac0ead284e0611b7814a56973a860a Mon Sep 17 00:00:00 2001 -From: "Todd C. Miller" -Date: Thu, 24 Feb 2022 07:56:38 -0700 -Subject: [PATCH] sudo_ldap_parse_options: fix memory leak of sudoRole cn - string. Coverity CID 249976 - ---- - plugins/sudoers/ldap.c | 41 ++++++++++++++++++----------------------- - 1 file changed, 18 insertions(+), 23 deletions(-) - -diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c -index e3c47b9bc..13e74160b 100644 ---- a/plugins/sudoers/ldap.c -+++ b/plugins/sudoers/ldap.c -@@ -421,38 +421,31 @@ sudo_ldap_get_first_rdn(LDAP *ld, LDAPMessage *entry, int *rc) - static bool - sudo_ldap_parse_options(LDAP *ld, LDAPMessage *entry, struct defaults_list *defs) - { -- struct berval **bv, **p; -- char *cn, *cp, *source = NULL; -+ struct berval **p, **bv = NULL; -+ char *cp, *cn = NULL, *source = NULL; - bool ret = false; - int rc; - debug_decl(sudo_ldap_parse_options, SUDOERS_DEBUG_LDAP); - - bv = sudo_ldap_get_values_len(ld, entry, "sudoOption", &rc); - if (bv == NULL) { -- if (rc == LDAP_NO_MEMORY) { -- sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory")); -- debug_return_bool(false); -- } -+ if (rc == LDAP_NO_MEMORY) -+ goto oom; - debug_return_bool(true); - } - - /* Use sudoRole in place of file name in defaults. */ - cn = sudo_ldap_get_first_rdn(ld, entry, &rc); - if (cn == NULL) { -- if (rc == LDAP_NO_MEMORY) { -- sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory")); -- goto done; -- } -- } -- if (asprintf(&cp, "sudoRole %s", cn ? cn : "UNKNOWN") == -1) { -- sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory")); -- goto done; -- } -- if ((source = sudo_rcstr_dup(cp)) == NULL) { -- sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory")); -- free(cp); -- goto done; -+ if (rc == LDAP_NO_MEMORY) -+ goto oom; - } -+ if (asprintf(&cp, "sudoRole %s", cn ? 
cn : "UNKNOWN") == -1) -+ goto oom; -+ source = sudo_rcstr_dup(cp); -+ free(cp); -+ if (source == NULL) -+ goto oom; - - /* Walk through options, appending to defs. */ - for (p = bv; *p != NULL; p++) { -@@ -460,13 +453,15 @@ sudo_ldap_parse_options(LDAP *ld, LDAPMessage *entry, struct defaults_list *defs - int op; - - op = sudo_ldap_parse_option((*p)->bv_val, &var, &val); -- if (!append_default(var, val, op, source, defs)) { -- sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory")); -- goto done; -- } -+ if (!append_default(var, val, op, source, defs)) -+ goto oom; - } - - ret = true; -+ goto done; -+ -+oom: -+ sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory")); - - done: - sudo_rcstr_delref(source); --- -2.33.0 - diff --git a/backport-sudo_passwd_cleanup-Set-auth-data-to-NULL-after-free.patch b/backport-sudo_passwd_cleanup-Set-auth-data-to-NULL-after-free.patch deleted file mode 100644 index 18e56e5456809a3e153dc2b468e3c20ca00bf075..0000000000000000000000000000000000000000 --- a/backport-sudo_passwd_cleanup-Set-auth-data-to-NULL-after-free.patch +++ /dev/null 
@@ -1,35 +0,0 @@
-From b3834bbf248f3376ada8fc44166cba38c8ad4bcf Mon Sep 17 00:00:00 2001
-From: "Todd C. Miller"
-Date: Thu, 17 Nov 2022 08:10:35 -0700
-Subject: [PATCH] sudo_passwd_cleanup: Set auth->data to NULL after freeing.
- GitHub issue #201
-
----
- plugins/sudoers/auth/passwd.c | 9 ++++++---
- 1 file changed, 6 insertions(+), 3 deletions(-)
-
-diff --git a/plugins/sudoers/auth/passwd.c b/plugins/sudoers/auth/passwd.c
-index 89da96ff6..6967e4fff 100644
---- a/plugins/sudoers/auth/passwd.c
-+++ b/plugins/sudoers/auth/passwd.c
-@@ -117,11 +117,14 @@ sudo_passwd_verify(struct passwd *pw, const char *pass, sudo_auth *auth, struct
- int
- sudo_passwd_cleanup(struct passwd *pw, sudo_auth *auth, bool force)
- {
-- char *pw_epasswd = auth->data;
- debug_decl(sudo_passwd_cleanup, SUDOERS_DEBUG_AUTH);
-
-- if (pw_epasswd != NULL)
-- freezero(pw_epasswd, strlen(pw_epasswd));
-+ if (auth->data != NULL) {
-+ /* Zero out encrypted password before freeing. */
-+ size_t len = strlen((char *)auth->data);
-+ freezero(auth->data, len);
-+ auth->data = NULL;
-+ }
-
- debug_return_int(AUTH_SUCCESS);
- }
--- 
-2.27.0
-
diff --git a/backport-sudo_passwd_verify-zero-out-des_pass-before-returnin.patch b/backport-sudo_passwd_verify-zero-out-des_pass-before-returnin.patch
deleted file mode 100644
index a232dc9081a070462caf02ee3e33fefc6163ac39..0000000000000000000000000000000000000000
--- a/backport-sudo_passwd_verify-zero-out-des_pass-before-returnin.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 9f948224acb911cbec1ed9041887c1fe62c59877 Mon Sep 17 00:00:00 2001
-From: "Todd C. Miller"
-Date: Tue, 8 Nov 2022 13:17:11 -0700
-Subject: [PATCH] sudo_passwd_verify: zero out des_pass before returning.
-
----
- plugins/sudoers/auth/passwd.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/plugins/sudoers/auth/passwd.c b/plugins/sudoers/auth/passwd.c
-index 636c07bab..89da96ff6 100644
---- a/plugins/sudoers/auth/passwd.c
-+++ b/plugins/sudoers/auth/passwd.c
-@@ -95,6 +95,8 @@ sudo_passwd_verify(struct passwd *pw, const char *pass, sudo_auth *auth, struct
- matched = !strcmp(pw_epasswd, epass);
- }
-
-+ explicit_bzero(des_pass, sizeof(des_pass));
-+
- debug_return_int(matched ? AUTH_SUCCESS : AUTH_FAILURE);
- }
- #else
---
-2.33.0
-
diff --git a/backport-sudo_rcstr_dup-Fix-potential-NULL-pointer-deref.patch b/backport-sudo_rcstr_dup-Fix-potential-NULL-pointer-deref.patch
deleted file mode 100644
index 2abbb8a69610641eac47eabeca63ee94a30f1981..0000000000000000000000000000000000000000
--- a/backport-sudo_rcstr_dup-Fix-potential-NULL-pointer-deref.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From dbfd84301a9316018f7c5e42ff5b3a19dd13e5c5 Mon Sep 17 00:00:00 2001
-From: modric
-Date: Tue, 22 Nov 2022 10:12:29 +0800
-Subject: [PATCH] sudo_rcstr_dup: Fix potential NULL pointer deref
-
----
- lib/util/rcstr.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/lib/util/rcstr.c b/lib/util/rcstr.c
-index d990a99e9..08b00bcd7 100644
---- a/lib/util/rcstr.c
-+++ b/lib/util/rcstr.c
-@@ -49,8 +49,10 @@ sudo_rcstr_dup(const char *src)
- debug_decl(sudo_rcstr_dup, SUDO_DEBUG_UTIL);
-
- dst = sudo_rcstr_alloc(len);
-- memcpy(dst, src, len);
-- dst[len] = '\0';
-+ if (dst != NULL) {
-+ memcpy(dst, src, len);
-+ dst[len] = '\0';
-+ }
- debug_return_ptr(dst);
- }
-
---
-2.27.0
-
diff --git a/sudo-1.9.8p2.tar.gz b/sudo-1.9.12p2.tar.gz
similarity index 36%
rename from sudo-1.9.8p2.tar.gz
rename to sudo-1.9.12p2.tar.gz
index 402590fa1ea616a1041703d0522b1e050955ffc8..860d2aff75fcc6106e20bf757e8f60d7678a1a2d 100644
Binary files a/sudo-1.9.8p2.tar.gz and b/sudo-1.9.12p2.tar.gz differ
diff --git a/sudo.spec b/sudo.spec
index 22f62f8771ebc02a28de2670e1706784880e46e5..39956d26042c11e828514fd77bd9775509f52d3c 100644
--- a/sudo.spec
+++ b/sudo.spec
@@ -1,34 +1,15 @@ Name: sudo -Version: 1.9.8p2 -Release: 8 +Version: 1.9.12p2 +Release: 1 Summary: Allows restricted root access for specified users License: ISC -URL: http://www.courtesan.com/sudo/ +URL: https://www.sudo.ws Source0: https://www.sudo.ws/dist/%{name}-%{version}.tar.gz Source1: sudoers Source2: sudo Source3: sudo-i -Patch0: backport-0001-CVE-2022-37434.patch -Patch1: backport-0002-CVE-2022-37434.patch -Patch2: backport-CVE-2022-33070.patch -Patch3: backport-Fix-CVE-2022-43995-potential-heap-overflow-for-passwords.patch -Patch4: backport-Fix-incorrect-SHA384-512-digest-calculation.patch -Patch5: backport-sudo_passwd_verify-zero-out-des_pass-before-returnin.patch -Patch6: backport-Fix-issue-protobuf-c-499-unsigned-integer-overflow.patch -Patch7: backport-Fix-regression-with-zero-length-messages-introduced-.patch -Patch8: backport-Fix-typo-we-should-define-SSIZE_MAX-if-it-is-not-def.patch -Patch9: backport-Fix-a-clang-analyzer-14-warning-about-a-possible-NUL.patch -Patch10: backport-Fix-potential-signed-integer-overflow-on-32-bit-CPUs.patch -Patch11: backport-sudo_ldap_parse_options-fix-memory-leak-of-sudoRole-.patch -Patch12: backport-cvtsudoers-Prevent-sudo-from-reading-into-undefined-.patch -Patch13: backport-Fix-a-potential-use-after-free-bug-with-cvtsudoers-f.patch -Patch14: backport-Fix-memory-leak-of-pass-in-converse.patch -Patch15: backport-sudo_passwd_cleanup-Set-auth-data-to-NULL-after-free.patch -Patch16: backport-sudo_rcstr_dup-Fix-potential-NULL-pointer-deref.patch -Patch17: backport-CVE-2023-22809.patch - Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) Requires: pam Recommends: vim-minimal 
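Review bot: Nothing in the new spec records that the fixes carried by the removed `Patch0`–`Patch17` entries are present in 1.9.12p2, and four of those entries are CVE backports (CVE-2022-37434, CVE-2022-33070, CVE-2022-43995, CVE-2023-22809). The changelog entry this commit adds further down reads only `- Upgrade to 1.9.12p2`, so a later reader cannot tell from the package history that the drops were checked against the new tarball rather than assumed. Presumably upstream contains all of them, but that is worth confirming per patch, in particular for the ones whose names refer to bundled third-party code rather than sudo's own sources. I would extend the changelog line to something like `- Upgrade to 1.9.12p2; drop backported patches included upstream (CVE-2022-37434, CVE-2022-33070, CVE-2022-43995, CVE-2023-22809)`.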
@@ -40,7 +21,7 @@ BuildRequires: chrpath %description Sudo is a program designed to allow a sysadmin to give limited root privileges -to users and log root activity. The basic philosophy is to give as few +to users and log root activity. The basic philosophy is to give as few privileges as possible but still allow people to get their work done. %package devel @@ -91,7 +72,7 @@ make check rm -rf $RPM_BUILD_ROOT %make_install install_uid=`id -u` install_gid=`id -g` sudoers_uid=`id -u` sudoers_gid=`id -g` -chmod 755 $RPM_BUILD_ROOT%{_bindir}/* $RPM_BUILD_ROOT%{_sbindir}/* +chmod 755 $RPM_BUILD_ROOT%{_bindir}/* $RPM_BUILD_ROOT%{_sbindir}/* install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo/lectured install -p -d -m 750 $RPM_BUILD_ROOT/etc/sudoers.d @@ -146,7 +127,6 @@ install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT/etc/pam.d/sudo-i %attr(0644,root,root) %{_libexecdir}/sudo/group_file.so %attr(0644,root,root) %{_libexecdir}/sudo/system_group.so %attr(0644,root,root) %{_libexecdir}/sudo/audit_json.so -%attr(0644,root,root) %{_libexecdir}/sudo/sample_approval.so %attr(0644,root,root) %{_libexecdir}/sudo/libsudo_util.so* %dir /var/db/sudo %dir /var/db/sudo/lectured @@ -154,7 +134,7 @@ install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT/etc/pam.d/sudo-i %config(noreplace) /etc/pam.d/sudo %config(noreplace) /etc/pam.d/sudo-i %config(noreplace) /etc/ld.so.conf.d/* -%license doc/LICENSE +%license LICENSE.md %files devel %{_includedir}/sudo_plugin.h @@ -169,6 +149,9 @@ install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT/etc/pam.d/sudo-i %exclude %{_pkgdocdir}/ChangeLog %changelog +* Tue Jan 31 2023 wangyu - 1.9.12p2-1 +- Upgrade to 1.9.12p2 + * Thu Jan 19 2023 houmingyong - 1.9.8p2-8 - Fix CVE-2023-22809