From 5e115118963d43c93b743ea6193b120f0019899334348cf6119ada56a05bb65f Mon Sep 17 00:00:00 2001
From: Jason Sikes
Date: Mon, 21 Nov 2022 22:44:26 +0000
Subject: [PATCH] Accepting request 1037190 from home:jsikes:branches:Base:System

Update to sudo-1.9.12p1! Enjoy.

OBS-URL: https://build.opensuse.org/request/show/1037190
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=225
---
 sudo-1.9.12.tar.gz | 3 ---
 sudo-1.9.12.tar.gz.sig | Bin 566 -> 0 bytes
 sudo-1.9.12p1.tar.gz | 3 +++
 sudo-1.9.12p1.tar.gz.sig | Bin 0 -> 566 bytes
 sudo-CVE-2022-43995.patch | 50 --------------------------------------
 sudo-sudoers.patch | 24 ++++++++++++++----
 sudo.changes | 26 +++++++++++++-------
 sudo.spec | 3 +--
 8 files changed, 40 insertions(+), 69 deletions(-)
 delete mode 100644 sudo-1.9.12.tar.gz
 delete mode 100644 sudo-1.9.12.tar.gz.sig
 create mode 100644 sudo-1.9.12p1.tar.gz
 create mode 100644 sudo-1.9.12p1.tar.gz.sig
 delete mode 100644 sudo-CVE-2022-43995.patch

diff --git a/sudo-1.9.12.tar.gz b/sudo-1.9.12.tar.gz
deleted file mode 100644
index aad3af2..0000000
--- a/sudo-1.9.12.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:de15733888170c56834daafd34bf983db10fb21039742fcfc396bd32168d6362
-size 4906320
diff --git a/sudo-1.9.12.tar.gz.sig b/sudo-1.9.12.tar.gz.sig
deleted file mode 100644
index f031b308c158df9b1eeb35c379e234702ce644de4728c9b057c5c75f00d3db44..0000000000000000000000000000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 566
zcmV-60?GY}0y6{v0SEvc79j*#(do>(D>r8Z{nJ~i^uQs`q;UHM0%KK6D*y@!5UKRQ zA3*n7A0)Y zXpmLC6GrA!&648Wfx5thC#=&j_xrD*s0wV_`)Jl$0)5dfZNbz6a5SuX*Rug-uQeF8 zxG-};oeTkQ0Y+|Qr_z|T%Mne3hYJ^J z7WC^T-3x7BqKDX#dFvri<88*+gTNzohqpDx7E_?}q#UgKbG=qN?umcGb1Oax`PpR6_4nH_YbhJ?QhhVI>!t+$3_6CsS6U z4^BET@M9MYvMp&KAo=FUYl_-dI-t(X7`oYOfVqUuDt=N~w0WMtLBKf)BLwi%=-hV*l^<{KQt^2k{gC&1COr)>i1>}6Bf5DaR{~ EhJ7m&o&W#<
diff --git a/sudo-1.9.12p1.tar.gz b/sudo-1.9.12p1.tar.gz
new file mode 100644
index 0000000..299f61a
--- /dev/null
+++ b/sudo-1.9.12p1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:475a18a8eb3da8b2917ceab063a6baf51ea09128c3c47e3e0e33ab7497bab7d8
+size 4908060
diff --git a/sudo-1.9.12p1.tar.gz.sig b/sudo-1.9.12p1.tar.gz.sig
new file mode 100644
index 0000000000000000000000000000000000000000000000000000000000000000..034ebaa26cb7c8d934cbbeb7104a8dc75e03f0ab8c0a4caad739c0361eeb3b83
GIT binary patch
literal 566
zcmV-60?GY}0y6{v0SEvc79j*#(do>(D>r8Z{nJ~i^uQs`q;UHM0%K)%+5id(5UKRQ zA>{NM&~7kHVcE>eI7~hJ{kWhS(<*$LlZQYOBLKFO=%M{ec-6 zntp`!8v5AoYw187CG#PjNwUT&HOZ)9E_M{6+*=#>weDG=X;Mv`JoJfYvO zHpEdBQtMW2JEJ^ev_J-v42o8$ zX#%g&7Uiz|e2`c{aO3`;ok0tDS6)qu{~-Z;KB~4FCOM3Jo87>Su&_pLx9S;zGx0iX zl~+yUCJ=?ET!hLnjvmXp&Wkmd;3Z2Y%`}#j#jn%Aw5%m3NXubkd4G* zOTfTJBqX7d&qVH=3!^efi_`iXU(A98PWh>$Q!VQc2mtvUO;1VDj8KondvSI`GX(qP z%K>gx;5AqloPTIP6j(E(?GeNq8Y!XB6g~qlf@GjUqn5?n2qEov?cEy#VHTDuW9_uh zu9u^+YPa@@uM9TDe|RZp8~f_I_dVwpz9ORYU3ZxRzQxI5Z|h&k+hvQrUPg(kZ5O;p zUYKlgFQnAQ1Gd7z6=m*$@!E&(xmvFPU659bB``vh^N1C|zyU(NZ53~{D4GnUz zfQ~RZDf293Zrn72n~=J@43U~xMVv{_`}y??uOGO(c537dKn|igBpyg`9j0<|Z@QO9 E#9D$9qW}N^

literal 0
HcmV?d00001
diff --git a/sudo-CVE-2022-43995.patch b/sudo-CVE-2022-43995.patch
deleted file mode 100644
index bb67204..0000000
--- a/sudo-CVE-2022-43995.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From bd209b9f16fcd1270c13db27ae3329c677d48050 Mon Sep 17 00:00:00 2001
-From: "Todd C. Miller"
-Date: Fri, 28 Oct 2022 07:29:55 -0600
-Subject: [PATCH] Fix CVE-2022-43995, potential heap overflow for passwords < 8
- characters. Starting with sudo 1.8.0 the plaintext password buffer is
- dynamically sized so it is not safe to assume that it is at least 9 bytes in
- size. Found by Hugo Lefeuvre (University of Manchester) with ConfFuzz.
-
---
- plugins/sudoers/auth/passwd.c | 11 +++++------
- 1 file changed, 5 insertions(+), 6 deletions(-)
-
-diff --git a/plugins/sudoers/auth/passwd.c b/plugins/sudoers/auth/passwd.c
-index b2046eca2..0416861e9 100644
---- a/plugins/sudoers/auth/passwd.c
-+++ b/plugins/sudoers/auth/passwd.c
-@@ -63,7 +63,7 @@ sudo_passwd_init(struct passwd *pw, sudo_auth *auth)
- int
- sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_conv_callback *callback)
- {
-- char sav, *epass;
-+ char des_pass[9], *epass;
- char *pw_epasswd = auth->data;
- size_t pw_len;
- int matched = 0;
-@@ -75,12 +75,12 @@ sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_c
-
- /*
- * Truncate to 8 chars if standard DES since not all crypt()'s do this.
-- * If this turns out not to be safe we will have to use OS #ifdef's (sigh).
- */
-- sav = pass[8];
- pw_len = strlen(pw_epasswd);
-- if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len))
-- pass[8] = '\0';
-+ if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len)) {
-+ strlcpy(des_pass, pass, sizeof(des_pass));
-+ pass = des_pass;
-+ }
-
- /*
- * Normal UN*X password check.
-@@ -88,7 +88,6 @@ sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_c
- * only compare the first DESLEN characters in that case.
- */
- epass = (char *) crypt(pass, pw_epasswd);
-- pass[8] = sav;
- if (epass != NULL) {
- if (HAS_AGEINFO(pw_epasswd, pw_len) && strlen(epass) == DESLEN)
- matched = !strncmp(pw_epasswd, epass, DESLEN);
diff --git a/sudo-sudoers.patch b/sudo-sudoers.patch
index faed64a..e58b23e 100644
--- a/sudo-sudoers.patch
+++ b/sudo-sudoers.patch
@@ -52,7 +52,7 @@ index 5efda5d..e757da4 100644
  ##
  ## Uncomment to send mail if the user does not enter the correct password.
  # Defaults mail_badpass
-@@ -68,7 +59,6 @@
+@@ -68,10 +59,16 @@
  ## Set maxseq to a smaller number if you don't have unlimited disk space.
  # Defaults log_output
  # Defaults!/usr/bin/sudoreplay !log_output
@@ -60,13 +60,27 @@ index 5efda5d..e757da4 100644
  # Defaults!REBOOT !log_output
  # Defaults maxseq = 1000

-@@ -87,9 +84,6 @@ root ALL=(ALL:ALL) ALL
++## In the default (unconfigured) configuration, sudo asks for the root password.
++## This allows use of an ordinary user account for administration of a freshly
++## installed system. When configuring sudo, delete the two
++## following lines:
++Defaults targetpw # ask for the password of the target user i.e. root
++ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!
++
+ ##
+ ## Runas alias specification
+ ##
+@@ -87,13 +84,5 @@ root ALL=(ALL:ALL) ALL
  ## Same thing without a password
  # %wheel ALL=(ALL:ALL) NOPASSWD: ALL

 -## Uncomment to allow members of group sudo to execute any command
 -# %sudo ALL=(ALL:ALL) ALL
 -
- ## Uncomment to allow any user to run sudo if they know the password
- ## of the user they are running the command as (root by default).
- # Defaults targetpw # Ask for the password of the target user
+-## Uncomment to allow any user to run sudo if they know the password
+-## of the user they are running the command as (root by default).
+-# Defaults targetpw # Ask for the password of the target user
+-# ALL ALL=(ALL:ALL) ALL # WARNING: only use this together with 'Defaults targetpw'
+-
+ ## Read drop-in files from @sysconfdir@/sudoers.d
+ @includedir @sysconfdir@/sudoers.d
diff --git a/sudo.changes b/sudo.changes
index e2094ef..b2b1f24 100644
--- a/sudo.changes
+++ b/sudo.changes
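Review bot: The `Defaults targetpw` and `ALL ALL=(ALL) ALL` lines re-added in the second hunk reinstate exactly the policy that the Nov 1 changelog entry (bsc#1203978 / jsc#PED-260) says was removed, yet the sudo.changes hunk deletes that entry instead of recording the revert, so the package history no longer explains why the shipped default lets every local account run any command once it knows the root password. A changelog line along the lines of `* Restore "Defaults targetpw" and "ALL ALL=(ALL) ALL" in sudo-sudoers.patch (reverts the bsc#1203978 / jsc#PED-260 change)` would keep that audit trail intact. The new rule is also written `(ALL)` while the upstream example removed in the same hunk used `(ALL:ALL)`; if dropping the runas-group list is intentional, a short remark in the new comment block would save the next maintainer from "fixing" it.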
@@ -1,3 +1,20 @@
+-------------------------------------------------------------------
+Mon Nov 21 22:25:54 UTC 2022 - Jason Sikes
+
+- Update to 1.9.12p1:
+ * Changes in 1.9.12p1:
+ - Sudo’s configure script now does a better job of detecting when
+ the -fstack-clash-protection compiler option does not work.
+ GitHub issue #191.
+
+ - Fixed CVE-2022-43995, a potential out-of-bounds write for passwords
+ smaller than 8 characters when passwd authentication is enabled.
+ This does not affect configurations that use other authentication
+ methods such as PAM, AIX authentication or BSD authentication.
+
+ - Fixed a build error with some configurations compiling host_port.c.
+ * Dropped sudo-CVE-2022-43995.patch
+
 -------------------------------------------------------------------
 Thu Nov 3 22:07:14 UTC 2022 - Jason Sikes

@@ -7,15 +24,6 @@ Thu Nov 3 22:07:14 UTC 2022 - Jason Sikes
 * Fixed a potential heap-based buffer over-read when entering a password
 of seven characters or fewer and using the crypt() password backend.

--------------------------------------------------------------------
-Tue Nov 1 22:04:32 UTC 2022 - Jason Sikes
-
-- Modified sudo-sudoers.patch
- * [bsc#1203978 jsc#PED-260]
- * Remove uncommented "Defaults targetpw" portion of /etc/sudo-sudoers file.
- * Sudo now asks for the password of the user calling sudo instead of the
- target (i.e. root) user.
-
 -------------------------------------------------------------------
 Tue Oct 25 23:41:55 UTC 2022 - Jason Sikes

diff --git a/sudo.spec b/sudo.spec
index ca2cf96..4de3ab4 100644
--- a/sudo.spec
+++ b/sudo.spec
@@ -17,7 +17,7 @@


 Name: sudo
-Version: 1.9.12
+Version: 1.9.12p1
 Release: 0
 Summary: Execute some commands as root
 License: ISC
@@ -33,7 +33,6 @@ Source6: fate_313276_test.sh
 Source7: README_313276.test
 # PATCH-OPENSUSE: the "SUSE" branding of the default sudo config
 Patch0: sudo-sudoers.patch
-Patch1: sudo-CVE-2022-43995.patch
 BuildRequires: audit-devel
 BuildRequires: cyrus-sasl-devel
 BuildRequires: groff