Accepting request 1037190 from home:jsikes:branches:Base:System

Update to sudo-1.9.12p1! Enjoy. OBS-URL: https://build.opensuse.org/request/show/1037190 OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=225
2022-11-21 22:44:26 +00:00 · 2022-11-21 22:44:26 +00:00 · 5e11511896
commit 5e11511896
parent a4384d0471
8 changed files with 40 additions and 69 deletions
--- a/sudo-1.9.12.tar.gz
+++ b/sudo-1.9.12.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:de15733888170c56834daafd34bf983db10fb21039742fcfc396bd32168d6362
-size 4906320
--- a/sudo-1.9.12.tar.gz.sig
+++ b/sudo-1.9.12.tar.gz.sig
--- a/sudo-1.9.12p1.tar.gz
+++ b/sudo-1.9.12p1.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:475a18a8eb3da8b2917ceab063a6baf51ea09128c3c47e3e0e33ab7497bab7d8
+size 4908060
--- a/sudo-1.9.12p1.tar.gz.sig
+++ b/sudo-1.9.12p1.tar.gz.sig
--- a/sudo-CVE-2022-43995.patch
+++ b/sudo-CVE-2022-43995.patch
@ -1,50 +0,0 @@
-From bd209b9f16fcd1270c13db27ae3329c677d48050 Mon Sep 17 00:00:00 2001
-From: "Todd C. Miller" <Todd.Miller@sudo.ws>
-Date: Fri, 28 Oct 2022 07:29:55 -0600
-Subject: [PATCH] Fix CVE-2022-43995, potential heap overflow for passwords < 8
- characters. Starting with sudo 1.8.0 the plaintext password buffer is
- dynamically sized so it is not safe to assume that it is at least 9 bytes in
- size. Found by Hugo Lefeuvre (University of Manchester) with ConfFuzz.
-
---
- plugins/sudoers/auth/passwd.c | 11 +++++------
- 1 file changed, 5 insertions(+), 6 deletions(-)
-
-diff --git a/plugins/sudoers/auth/passwd.c b/plugins/sudoers/auth/passwd.c
-index b2046eca2..0416861e9 100644
--- a/plugins/sudoers/auth/passwd.c
-+++ b/plugins/sudoers/auth/passwd.c
-@@ -63,7 +63,7 @@ sudo_passwd_init(struct passwd *pw, sudo_auth *auth)
- int
- sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_conv_callback *callback)
- {
-    char sav, *epass;
-+    char des_pass[9], *epass;
-     char *pw_epasswd = auth->data;
-     size_t pw_len;
-     int matched = 0;
-@@ -75,12 +75,12 @@ sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_c
- 
-     /*
-      * Truncate to 8 chars if standard DES since not all crypt()'s do this.
-     * If this turns out not to be safe we will have to use OS #ifdef's (sigh).
-      */
-    sav = pass[8];
-     pw_len = strlen(pw_epasswd);
-    if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len))
-	pass[8] = '\0';
-+    if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len)) {
-+	strlcpy(des_pass, pass, sizeof(des_pass));
-+	pass = des_pass;
-+    }
- 
-     /*
-      * Normal UN*X password check.
-@@ -88,7 +88,6 @@ sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_c
-      * only compare the first DESLEN characters in that case.
-      */
-     epass = (char *) crypt(pass, pw_epasswd);
-    pass[8] = sav;
-     if (epass != NULL) {
- 	if (HAS_AGEINFO(pw_epasswd, pw_len) && strlen(epass) == DESLEN)
- 	    matched = !strncmp(pw_epasswd, epass, DESLEN);
--- a/sudo-sudoers.patch
+++ b/sudo-sudoers.patch
@ -52,7 +52,7 @@ index 5efda5d..e757da4 100644
 ##
 ## Uncomment to send mail if the user does not enter the correct password.
 # Defaults mail_badpass
-@@ -68,7 +59,6 @@
+@@ -68,10 +59,16 @@
 ## Set maxseq to a smaller number if you don't have unlimited disk space.
 # Defaults log_output
 # Defaults!/usr/bin/sudoreplay !log_output
@ -60,13 +60,27 @@ index 5efda5d..e757da4 100644
 # Defaults!REBOOT !log_output
 # Defaults maxseq = 1000
 
-@@ -87,9 +84,6 @@ root ALL=(ALL:ALL) ALL
+## In the default (unconfigured) configuration, sudo asks for the root password.
+## This allows use of an ordinary user account for administration of a freshly
+## installed system. When configuring sudo, delete the two
+## following lines:
+Defaults targetpw   # ask for the password of the target user i.e. root
+ALL   ALL=(ALL) ALL   # WARNING! Only use this together with 'Defaults targetpw'!
+
+ ##
+ ## Runas alias specification
+ ##
+@@ -87,13 +84,5 @@ root ALL=(ALL:ALL) ALL
 ## Same thing without a password
 # %wheel ALL=(ALL:ALL) NOPASSWD: ALL
 
 -## Uncomment to allow members of group sudo to execute any command
 -# %sudo	ALL=(ALL:ALL) ALL
 -
- ## Uncomment to allow any user to run sudo if they know the password
- ## of the user they are running the command as (root by default).
- # Defaults targetpw  # Ask for the password of the target user
+-## Uncomment to allow any user to run sudo if they know the password
+-## of the user they are running the command as (root by default).
+-# Defaults targetpw  # Ask for the password of the target user
+-# ALL ALL=(ALL:ALL) ALL  # WARNING: only use this together with 'Defaults targetpw'
+-
+ ## Read drop-in files from @sysconfdir@/sudoers.d
+ @includedir @sysconfdir@/sudoers.d
--- a/sudo.changes
+++ b/sudo.changes
@ -1,3 +1,20 @@
+-------------------------------------------------------------------
+Mon Nov 21 22:25:54 UTC 2022 - Jason Sikes <jsikes@suse.com>
+
+- Update to 1.9.12p1:
+  * Changes in 1.9.12p1:
+    - Sudo’s configure script now does a better job of detecting when
+      the -fstack-clash-protection compiler option does not work.
+      GitHub issue #191.
+
+    - Fixed CVE-2022-43995, a potential out-of-bounds write for passwords
+      smaller than 8 characters when passwd authentication is enabled.
+      This does not affect configurations that use other authentication
+      methods such as PAM, AIX authentication or BSD authentication.
+
+    - Fixed a build error with some configurations compiling host_port.c.
+  * Dropped sudo-CVE-2022-43995.patch
+
 -------------------------------------------------------------------
 Thu Nov  3 22:07:14 UTC 2022 - Jason Sikes <jsikes@suse.com>

@ -7,15 +24,6 @@ Thu Nov  3 22:07:14 UTC 2022 - Jason Sikes <jsikes@suse.com>
  * Fixed a potential heap-based buffer over-read when entering a password
    of seven characters or fewer and using the crypt() password backend.

-------------------------------------------------------------------
-Tue Nov  1 22:04:32 UTC 2022 - Jason Sikes <jsikes@suse.com>
-
- Modified sudo-sudoers.patch
-  * [bsc#1203978 jsc#PED-260]
-  * Remove uncommented "Defaults targetpw" portion of /etc/sudo-sudoers file.
-  * Sudo now asks for the password of the user calling sudo instead of the
-    target (i.e. root) user.
-
 -------------------------------------------------------------------
 Tue Oct 25 23:41:55 UTC 2022 - Jason Sikes <jsikes@suse.com>

--- a/sudo.spec
+++ b/sudo.spec
@ -17,7 +17,7 @@


 Name:           sudo
-Version:        1.9.12
+Version:        1.9.12p1
 Release:        0
 Summary:        Execute some commands as root
 License:        ISC
@ -33,7 +33,6 @@ Source6:        fate_313276_test.sh
 Source7:        README_313276.test
 # PATCH-OPENSUSE: the "SUSE" branding of the default sudo config
 Patch0:         sudo-sudoers.patch
-Patch1:         sudo-CVE-2022-43995.patch
 BuildRequires:  audit-devel
 BuildRequires:  cyrus-sasl-devel
 BuildRequires:  groff