author | Ross Burton <ross.burton@arm.com> | 2022-11-07 18:02:05 +0000 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-11-14 15:59:15 +0000 |
commit | 63e80a02332fa554dfd438a0f6c609c508270b74 (patch) | |
tree | 0629db675eedcb7a0adebd7e74db7986600d21f4 | |
parent | c689d5d4e3c489e2c2d16438985a4dd18208ab83 (diff) | |
download | poky-63e80a02332fa554dfd438a0f6c609c508270b74.tar.gz |
sudo: backport fix for CVE-2022-43995
(From OE-Core rev: a41a5f310246dcd9dbdb4537d59bc0579c3b1052)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-extended/sudo/files/CVE-2022-43995.patch | 54 | ||||
-rw-r--r-- | meta/recipes-extended/sudo/sudo_1.9.11p3.bb | 1 |
2 files changed, 55 insertions, 0 deletions
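--- /dev/null
+++ b/meta/recipes-extended/sudo/files/CVE-2022-43995.patch
@@ -0,0 +1,54 @@
+CVE: CVE-2022-43995
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+From bd209b9f16fcd1270c13db27ae3329c677d48050 Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller" <Todd.Miller@sudo.ws>
+Date: Fri, 28 Oct 2022 07:29:55 -0600
+Subject: [PATCH] Fix CVE-2022-43995, potential heap overflow for passwords < 8
+characters. Starting with sudo 1.8.0 the plaintext password buffer is
+dynamically sized so it is not safe to assume that it is at least 9 bytes in
+size. Found by Hugo Lefeuvre (University of Manchester) with ConfFuzz.
+
+---
+plugins/sudoers/auth/passwd.c | 11 +++++------
+1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/plugins/sudoers/auth/passwd.c b/plugins/sudoers/auth/passwd.c
+index b2046eca2..0416861e9 100644
+--- a/plugins/sudoers/auth/passwd.c
++++ b/plugins/sudoers/auth/passwd.c
+@@ -63,7 +63,7 @@ sudo_passwd_init(struct passwd *pw, sudo_auth *auth)
+int
+sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_conv_callback *callback)
+{
+- char sav, *epass;
++ char des_pass[9], *epass;
+char *pw_epasswd = auth->data;
+size_t pw_len;
+int matched = 0;
+@@ -75,12 +75,12 @@ sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_c
+
+/*
+* Truncate to 8 chars if standard DES since not all crypt()'s do this.
+- * If this turns out not to be safe we will have to use OS #ifdef's (sigh).
+*/
+- sav = pass[8];
+pw_len = strlen(pw_epasswd);
+- if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len))
+- pass[8] = '\0';
++ if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len)) {
++ strlcpy(des_pass, pass, sizeof(des_pass));
++ pass = des_pass;
++ }
+
+/*
+* Normal UN*X password check.
+@@ -88,7 +88,6 @@ sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_c
+* only compare the first DESLEN characters in that case.
+*/
+epass = (char *) crypt(pass, pw_epasswd);
+- pass[8] = sav;
+if (epass != NULL) {
+if (HAS_AGEINFO(pw_epasswd, pw_len) && strlen(epass) == DESLEN)
+matched = !strncmp(pw_epasswd, epass, DESLEN);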
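Review bot: The new `des_pass[9]` stack buffer in sudo_passwd_verify() receives up to eight bytes of the plaintext password through `strlcpy(des_pass, pass, sizeof(des_pass))`, and nothing in the visible hunks clears it afterwards, so a truncated copy of the secret may remain on the stack after the function returns. The function body continues past the last hunk, so a wipe may already exist there; if it does not, I would add `explicit_bzero(des_pass, sizeof(des_pass));` after the `crypt()` comparison and before the return. Because this file is a backport, it is worth checking whether upstream has a follow-up commit that does this and carrying it alongside this patch rather than editing the backport locally.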
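--- a/meta/recipes-extended/sudo/sudo_1.9.11p3.bb
+++ b/meta/recipes-extended/sudo/sudo_1.9.11p3.bb
@@ -4,6 +4,7 @@ SRC_URI = "https://www.sudo.ws/dist/sudo-${PV}.tar.gz \
 ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
 file://0001-sudo.conf.in-fix-conflict-with-multilib.patch \
 file://0001-lib-util-mksigname.c-correctly-include-header-for-ou.patch \
+file://CVE-2022-43995.patch \
 "
 
 PAM_SRC_URI = "file://sudo.pam"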