Accepting request 1037191 from Base:System

OBS-URL: https://build.opensuse.org/request/show/1037191
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sudo?expand=0&rev=139

sudo-1.9.12.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:de15733888170c56834daafd34bf983db10fb21039742fcfc396bd32168d6362
-size 4906320

sudo-1.9.12p1.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:475a18a8eb3da8b2917ceab063a6baf51ea09128c3c47e3e0e33ab7497bab7d8
+size 4908060

sudo-CVE-2022-43995.patch

@@ -1,50 +0,0 @@
-From bd209b9f16fcd1270c13db27ae3329c677d48050 Mon Sep 17 00:00:00 2001
-From: "Todd C. Miller" <Todd.Miller@sudo.ws>
-Date: Fri, 28 Oct 2022 07:29:55 -0600
-Subject: [PATCH] Fix CVE-2022-43995, potential heap overflow for passwords < 8
- characters. Starting with sudo 1.8.0 the plaintext password buffer is
- dynamically sized so it is not safe to assume that it is at least 9 bytes in
- size. Found by Hugo Lefeuvre (University of Manchester) with ConfFuzz.
-
----
- plugins/sudoers/auth/passwd.c | 11 +++++------
- 1 file changed, 5 insertions(+), 6 deletions(-)
-
-diff --git a/plugins/sudoers/auth/passwd.c b/plugins/sudoers/auth/passwd.c
-index b2046eca2..0416861e9 100644
---- a/plugins/sudoers/auth/passwd.c
-+++ b/plugins/sudoers/auth/passwd.c
-@@ -63,7 +63,7 @@ sudo_passwd_init(struct passwd *pw, sudo_auth *auth)
- int
- sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_conv_callback *callback)
- {
--    char sav, *epass;
-+    char des_pass[9], *epass;
-     char *pw_epasswd = auth->data;
-     size_t pw_len;
-     int matched = 0;
-@@ -75,12 +75,12 @@ sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_c
- 
-     /*
-      * Truncate to 8 chars if standard DES since not all crypt()'s do this.
--     * If this turns out not to be safe we will have to use OS #ifdef's (sigh).
-      */
--    sav = pass[8];
-     pw_len = strlen(pw_epasswd);
--    if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len))
--	pass[8] = '\0';
-+    if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len)) {
-+	strlcpy(des_pass, pass, sizeof(des_pass));
-+	pass = des_pass;
-+    }
- 
-     /*
-      * Normal UN*X password check.
-@@ -88,7 +88,6 @@ sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_c
-      * only compare the first DESLEN characters in that case.
-      */
-     epass = (char *) crypt(pass, pw_epasswd);
--    pass[8] = sav;
-     if (epass != NULL) {
- 	if (HAS_AGEINFO(pw_epasswd, pw_len) && strlen(epass) == DESLEN)
- 	    matched = !strncmp(pw_epasswd, epass, DESLEN);

sudo.changes

@@ -1,3 +1,20 @@
+-------------------------------------------------------------------
+Mon Nov 21 22:25:54 UTC 2022 - Jason Sikes <jsikes@suse.com>
+
+- Update to 1.9.12p1:
+  * Changes in 1.9.12p1:
+    - Sudo’s configure script now does a better job of detecting when
+      the -fstack-clash-protection compiler option does not work.
+      GitHub issue #191.
+
+    - Fixed CVE-2022-43995, a potential out-of-bounds write for passwords
+      smaller than 8 characters when passwd authentication is enabled.
+      This does not affect configurations that use other authentication
+      methods such as PAM, AIX authentication or BSD authentication.
+
+    - Fixed a build error with some configurations compiling host_port.c.
+  * Dropped sudo-CVE-2022-43995.patch
+
 -------------------------------------------------------------------
 Thu Nov  3 22:07:14 UTC 2022 - Jason Sikes <jsikes@suse.com>
 

sudo.spec

@@ -17,7 +17,7 @@
 
 
 Name:           sudo
-Version:        1.9.12
+Version:        1.9.12p1
 Release:        0
 Summary:        Execute some commands as root
 License:        ISC
@@ -33,7 +33,6 @@ Source6:        fate_313276_test.sh
 Source7:        README_313276.test
 # PATCH-OPENSUSE: the "SUSE" branding of the default sudo config
 Patch0:         sudo-sudoers.patch
-Patch1:         sudo-CVE-2022-43995.patch
 BuildRequires:  audit-devel
 BuildRequires:  cyrus-sasl-devel
 BuildRequires:  groff