https://bugzilla.suse.com/show_bug.cgi?id=1205094

OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sudo?expand=0&rev=137

sudo-CVE-2022-43995.patch

@@ -1,50 +0,0 @@
-From bd209b9f16fcd1270c13db27ae3329c677d48050 Mon Sep 17 00:00:00 2001
-From: "Todd C. Miller" <Todd.Miller@sudo.ws>
-Date: Fri, 28 Oct 2022 07:29:55 -0600
-Subject: [PATCH] Fix CVE-2022-43995, potential heap overflow for passwords < 8
- characters. Starting with sudo 1.8.0 the plaintext password buffer is
- dynamically sized so it is not safe to assume that it is at least 9 bytes in
- size. Found by Hugo Lefeuvre (University of Manchester) with ConfFuzz.
-
----
- plugins/sudoers/auth/passwd.c | 11 +++++------
- 1 file changed, 5 insertions(+), 6 deletions(-)
-
-diff --git a/plugins/sudoers/auth/passwd.c b/plugins/sudoers/auth/passwd.c
-index b2046eca2..0416861e9 100644
---- a/plugins/sudoers/auth/passwd.c
-+++ b/plugins/sudoers/auth/passwd.c
-@@ -63,7 +63,7 @@ sudo_passwd_init(struct passwd *pw, sudo_auth *auth)
- int
- sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_conv_callback *callback)
- {
--    char sav, *epass;
-+    char des_pass[9], *epass;
-     char *pw_epasswd = auth->data;
-     size_t pw_len;
-     int matched = 0;
-@@ -75,12 +75,12 @@ sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_c
- 
-     /*
-      * Truncate to 8 chars if standard DES since not all crypt()'s do this.
--     * If this turns out not to be safe we will have to use OS #ifdef's (sigh).
-      */
--    sav = pass[8];
-     pw_len = strlen(pw_epasswd);
--    if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len))
--	pass[8] = '\0';
-+    if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len)) {
-+	strlcpy(des_pass, pass, sizeof(des_pass));
-+	pass = des_pass;
-+    }
- 
-     /*
-      * Normal UN*X password check.
-@@ -88,7 +88,6 @@ sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_c
-      * only compare the first DESLEN characters in that case.
-      */
-     epass = (char *) crypt(pass, pw_epasswd);
--    pass[8] = sav;
-     if (epass != NULL) {
- 	if (HAS_AGEINFO(pw_epasswd, pw_len) && strlen(epass) == DESLEN)
- 	    matched = !strncmp(pw_epasswd, epass, DESLEN);

sudo-sudoers.patch

@@ -52,7 +52,7 @@ index 5efda5d..e757da4 100644
  ##
  ## Uncomment to send mail if the user does not enter the correct password.
  # Defaults mail_badpass
-@@ -68,7 +59,6 @@
+@@ -68,10 +59,16 @@
  ## Set maxseq to a smaller number if you don't have unlimited disk space.
  # Defaults log_output
  # Defaults!/usr/bin/sudoreplay !log_output
@@ -60,13 +60,27 @@ index 5efda5d..e757da4 100644
  # Defaults!REBOOT !log_output
  # Defaults maxseq = 1000
  
-@@ -87,9 +84,6 @@ root ALL=(ALL:ALL) ALL
++## In the default (unconfigured) configuration, sudo asks for the root password.
++## This allows use of an ordinary user account for administration of a freshly
++## installed system. When configuring sudo, delete the two
++## following lines:
++Defaults targetpw   # ask for the password of the target user i.e. root
++ALL   ALL=(ALL) ALL   # WARNING! Only use this together with 'Defaults targetpw'!
++
+ ##
+ ## Runas alias specification
+ ##
+@@ -87,13 +84,5 @@ root ALL=(ALL:ALL) ALL
  ## Same thing without a password
  # %wheel ALL=(ALL:ALL) NOPASSWD: ALL
  
 -## Uncomment to allow members of group sudo to execute any command
 -# %sudo	ALL=(ALL:ALL) ALL
 -
- ## Uncomment to allow any user to run sudo if they know the password
+-## Uncomment to allow any user to run sudo if they know the password
- ## of the user they are running the command as (root by default).
+-## of the user they are running the command as (root by default).
- # Defaults targetpw  # Ask for the password of the target user
+-# Defaults targetpw  # Ask for the password of the target user
+-# ALL ALL=(ALL:ALL) ALL  # WARNING: only use this together with 'Defaults targetpw'
+-
+ ## Read drop-in files from @sysconfdir@/sudoers.d
+ @includedir @sysconfdir@/sudoers.d

sudo.changes

@@ -1,21 +1,3 @@
--------------------------------------------------------------------
-Thu Nov  3 22:07:14 UTC 2022 - Jason Sikes <jsikes@suse.com>
-
-- Added sudo-CVE-2022-43995.patch
-  * CVE-2022-43995
-  * bsc#1204986
-  * Fixed a potential heap-based buffer over-read when entering a password
-    of seven characters or fewer and using the crypt() password backend.
-
--------------------------------------------------------------------
-Tue Nov  1 22:04:32 UTC 2022 - Jason Sikes <jsikes@suse.com>
-
-- Modified sudo-sudoers.patch
-  * [bsc#1203978 jsc#PED-260]
-  * Remove uncommented "Defaults targetpw" portion of /etc/sudo-sudoers file.
-  * Sudo now asks for the password of the user calling sudo instead of the
-    target (i.e. root) user.
-
 -------------------------------------------------------------------
 Tue Oct 25 23:41:55 UTC 2022 - Jason Sikes <jsikes@suse.com>
 

sudo.spec

@@ -33,7 +33,6 @@ Source6:        fate_313276_test.sh
 Source7:        README_313276.test
 # PATCH-OPENSUSE: the "SUSE" branding of the default sudo config
 Patch0:         sudo-sudoers.patch
-Patch1:         sudo-CVE-2022-43995.patch
 BuildRequires:  audit-devel
 BuildRequires:  cyrus-sasl-devel
 BuildRequires:  groff