1 files changed, 41 insertions, 0 deletions
diff --git a/meta/recipes-extended/sudo/files/CVE-2021-3156-5.patch b/meta/recipes-extended/sudo/files/CVE-2021-3156-5.patch
new file mode 100644
index 0000000000..c04b8e72a6
--- /dev/null
+++ b/meta/recipes-extended/sudo/files/CVE-2021-3156-5.patch
@@ -0,0 +1,41 @@
+Upstream-Status: Backport [https://www.sudo.ws/repos/sudo/rev/c125fbe68783]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+CVE: CVE-2021-3156
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller@sudo.ws>
+# Date 1611416640 25200
+# Node ID c125fbe6878395d10f01d891d3c09b1229ada404
+# Parent  09f98816fc8978f1d8623a857073d2d5746f0379
+Don't assume that argv is allocated as a single flat buffer.
+While this is how the kernel behaves it is not a portable assumption.
+The assumption may also be violated if getopt_long(3) permutes arguments.
+Found by Qualys.
+diff -r 09f98816fc89 -r c125fbe68783 src/parse_args.c
+--- a/src/parse_args.c  Sat Jan 23 08:44:00 2021 -0700
+++ b/src/parse_args.c  Sat Jan 23 08:44:00 2021 -0700
+@@ -614,16 +614,16 @@
+        if (argc != 0) {
+            /* shell -c "command" */
+            char *src, *dst;
+-           size_t cmnd_size = (size_t) (argv[argc - 1] - argv[0]) +
+-               strlen(argv[argc - 1]) + 1;
+           size_t size = 0;
+ 
+-           cmnd = dst = reallocarray(NULL, cmnd_size, 2);
+-           if (cmnd == NULL)
+           for (av = argv; *av != NULL; av++)
+               size += strlen(*av) + 1;
+           if (size == 0 || (cmnd = reallocarray(NULL, size, 2)) == NULL)
+                sudo_fatalx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+            if (!gc_add(GC_PTR, cmnd))
+                exit(EXIT_FAILURE);
+ 
+-           for (av = argv; *av != NULL; av++) {
+           for (dst = cmnd, av = argv; *av != NULL; av++) {
+                for (src = *av; *src != '\0'; src++) {
+                    /* quote potential meta characters */
+                    if (!isalnum((unsigned char)*src) && *src != '_' && *src != '-' && *src != '$')

diff --git a/meta/recipes-extended/sudo/files/CVE-2021-3156-5.patch b/meta/recipes-extended/sudo/files/CVE-2021-3156-5.patch new file mode 100644 index 0000000000..c04b8e72a6 --- /dev/null +++ b/meta/recipes-extended/sudo/files/CVE-2021-3156-5.patch
@@ -0,0 +1,41 @@
	1	Upstream-Status: Backport [https://www.sudo.ws/repos/sudo/rev/c125fbe68783]
	2	Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
	3	CVE: CVE-2021-3156
	4
	5	# HG changeset patch
	6	# User Todd C. Miller <Todd.Miller@sudo.ws>
	7	# Date 1611416640 25200
	8	# Node ID c125fbe6878395d10f01d891d3c09b1229ada404
	9	# Parent 09f98816fc8978f1d8623a857073d2d5746f0379
	10	Don't assume that argv is allocated as a single flat buffer.
	11	While this is how the kernel behaves it is not a portable assumption.
	12	The assumption may also be violated if getopt_long(3) permutes arguments.
	13	Found by Qualys.
	14
	15	diff -r 09f98816fc89 -r c125fbe68783 src/parse_args.c
	16	--- a/src/parse_args.c Sat Jan 23 08:44:00 2021 -0700
	17	+++ b/src/parse_args.c Sat Jan 23 08:44:00 2021 -0700
	18	@@ -614,16 +614,16 @@
	19	if (argc != 0) {
	20	/* shell -c "command" */
	21	char src, dst;
	22	- size_t cmnd_size = (size_t) (argv[argc - 1] - argv[0]) +
	23	- strlen(argv[argc - 1]) + 1;
	24	+ size_t size = 0;
	25
	26	- cmnd = dst = reallocarray(NULL, cmnd_size, 2);
	27	- if (cmnd == NULL)
	28	+ for (av = argv; *av != NULL; av++)
	29	+ size += strlen(*av) + 1;
	30	+ if (size == 0 \|\| (cmnd = reallocarray(NULL, size, 2)) == NULL)
	31	sudo_fatalx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
	32	if (!gc_add(GC_PTR, cmnd))
	33	exit(EXIT_FAILURE);
	34
	35	- for (av = argv; *av != NULL; av++) {
	36	+ for (dst = cmnd, av = argv; *av != NULL; av++) {
	37	for (src = av; src != '\0'; src++) {
	38	/* quote potential meta characters */
	39	if (!isalnum((unsigned char)src) && src != '_' && src != '-' && src != '$')
	40
	41