author | Hitendra Prajapati <hprajapati@mvista.com> | 2022-11-15 14:18:07 +0530 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-12-07 15:06:36 +0000 |
commit | 4978b9a24fef2047f2f86ecdd7e6deb14d34a1c0 (patch) | |
tree | da1d99b25fe40d583d92f45fed66cee8cfa20c1c | |
parent | aa0073041806c9f417a33b0b7f747d2a86289eda (diff) | |
download | poky-4978b9a24fef2047f2f86ecdd7e6deb14d34a1c0.tar.gz |
sudo: CVE-2022-43995 heap-based overflow with very small passwords
Upstream-Status: Backport from https://github.com/sudo-project/sudo/commit/bd209b9f16fcd1270c13db27ae3329c677d48050
(From OE-Core rev: d1bdb663e6a69993d3f42547a27296b606965d47)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-extended/sudo/sudo/CVE-2022-43995.patch | 59 | ||||
-rw-r--r-- | meta/recipes-extended/sudo/sudo_1.8.32.bb | 1 |
2 files changed, 60 insertions, 0 deletions
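--- /dev/null
+++ b/meta/recipes-extended/sudo/sudo/CVE-2022-43995.patch
@@ -0,0 +1,59 @@
+From e1554d7996a59bf69544f3d8dd4ae683027948f9 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Tue, 15 Nov 2022 09:17:18 +0530
+Subject: [PATCH] CVE-2022-43995
+
+Upstream-Status: Backport [https://github.com/sudo-project/sudo/commit/bd209b9f16fcd1270c13db27ae3329c677d48050]
+CVE: CVE-2022-43995
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
+Potential heap overflow for passwords < 8
+characters. Starting with sudo 1.8.0 the plaintext password buffer is
+dynamically sized so it is not safe to assume that it is at least 9 bytes in
+size.
+Found by Hugo Lefeuvre (University of Manchester) with ConfFuzz.
+---
+plugins/sudoers/auth/passwd.c | 11 +++++------
+1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/plugins/sudoers/auth/passwd.c b/plugins/sudoers/auth/passwd.c
+index 03c7a16..76a7824 100644
+--- a/plugins/sudoers/auth/passwd.c
++++ b/plugins/sudoers/auth/passwd.c
+@@ -63,7 +63,7 @@ sudo_passwd_init(struct passwd *pw, sudo_auth *auth)
+int
+sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_conv_callback *callback)
+{
+- char sav, *epass;
++ char des_pass[9], *epass;
+char *pw_epasswd = auth->data;
+size_t pw_len;
+int matched = 0;
+@@ -75,12 +75,12 @@ sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_c
+
+/*
+* Truncate to 8 chars if standard DES since not all crypt()'s do this.
+- * If this turns out not to be safe we will have to use OS #ifdef's (sigh).
+*/
+- sav = pass[8];
+pw_len = strlen(pw_epasswd);
+- if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len))
+- pass[8] = '\0';
++ if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len)) {
++ strlcpy(des_pass, pass, sizeof(des_pass));
++ pass = des_pass;
++ }
+
+/*
+* Normal UN*X password check.
+@@ -88,7 +88,6 @@ sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_c
+* only compare the first DESLEN characters in that case.
+*/
+epass = (char *) crypt(pass, pw_epasswd);
+- pass[8] = sav;
+if (epass != NULL) {
+if (HAS_AGEINFO(pw_epasswd, pw_len) && strlen(epass) == DESLEN)
+matched = !strncmp(pw_epasswd, epass, DESLEN);
+--
+2.25.1
+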
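Review bot: The plaintext prefix copied into `des_pass` in the `@@ -75,12 +75,12 @@` hunk of passwd.c is left on the stack after `crypt()` returns; no visible line in the patch clears it. The old code truncated in place inside the caller's buffer, so this is a second copy of password material that, presumably, the caller's own cleanup does not reach. I would wipe it once the comparison is finished, using whichever non-elidable zeroing helper this sudo version provides, for example `explicit_bzero(des_pass, sizeof(des_pass));` placed after the `if (epass != NULL)` block. The body of `sudo_passwd_verify` continues past the last hunk, so confirm that no such call already exists there.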
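--- a/meta/recipes-extended/sudo/sudo_1.8.32.bb
+++ b/meta/recipes-extended/sudo/sudo_1.8.32.bb
@@ -4,6 +4,7 @@ SRC_URI = "https://www.sudo.ws/dist/sudo-${PV}.tar.gz \
 ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
 file://0001-Include-sys-types.h-for-id_t-definition.patch \
 file://0001-Fix-includes-when-building-with-musl.patch \
+file://CVE-2022-43995.patch \
 "
 
 PAM_SRC_URI = "file://sudo.pam"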