Diffstat (limited to 'meta/recipes-extended/sudo/sudo/CVE-2022-43995.patch')
-rw-r--r-- | meta/recipes-extended/sudo/sudo/CVE-2022-43995.patch | 59 |
1 files changed, 59 insertions, 0 deletions
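--- /dev/null
+++ b/meta/recipes-extended/sudo/sudo/CVE-2022-43995.patch
@@ -0,0 +1,59 @@
+From e1554d7996a59bf69544f3d8dd4ae683027948f9 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Tue, 15 Nov 2022 09:17:18 +0530
+Subject: [PATCH] CVE-2022-43995
+
+Upstream-Status: Backport [https://github.com/sudo-project/sudo/commit/bd209b9f16fcd1270c13db27ae3329c677d48050]
+CVE: CVE-2022-43995
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
+Potential heap overflow for passwords < 8
+characters. Starting with sudo 1.8.0 the plaintext password buffer is
+dynamically sized so it is not safe to assume that it is at least 9 bytes in
+size.
+Found by Hugo Lefeuvre (University of Manchester) with ConfFuzz.
+---
+plugins/sudoers/auth/passwd.c | 11 +++++------
+1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/plugins/sudoers/auth/passwd.c b/plugins/sudoers/auth/passwd.c
+index 03c7a16..76a7824 100644
+--- a/plugins/sudoers/auth/passwd.c
++++ b/plugins/sudoers/auth/passwd.c
+@@ -63,7 +63,7 @@ sudo_passwd_init(struct passwd *pw, sudo_auth *auth)
+int
+sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_conv_callback *callback)
+{
+- char sav, *epass;
++ char des_pass[9], *epass;
+char *pw_epasswd = auth->data;
+size_t pw_len;
+int matched = 0;
+@@ -75,12 +75,12 @@ sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_c
+
+/*
+* Truncate to 8 chars if standard DES since not all crypt()'s do this.
+- * If this turns out not to be safe we will have to use OS #ifdef's (sigh).
+*/
+- sav = pass[8];
+pw_len = strlen(pw_epasswd);
+- if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len))
+- pass[8] = '\0';
++ if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len)) {
++ strlcpy(des_pass, pass, sizeof(des_pass));
++ pass = des_pass;
++ }
+
+/*
+* Normal UN*X password check.
+@@ -88,7 +88,6 @@ sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_c
+* only compare the first DESLEN characters in that case.
+*/
+epass = (char *) crypt(pass, pw_epasswd);
+- pass[8] = sav;
+if (epass != NULL) {
+if (HAS_AGEINFO(pw_epasswd, pw_len) && strlen(epass) == DESLEN)
+matched = !strncmp(pw_epasswd, epass, DESLEN);
+--
+2.25.1
+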
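Review bot: The new `des_pass[9]` stack buffer in sudo_passwd_verify() receives up to eight bytes of the plaintext password, and nothing in the visible hunks clears it after the crypt() call, so that copy may stay in stack memory after the function returns. Consider wiping it once `epass` has been computed, for example `explicit_bzero(des_pass, sizeof(des_pass));`, or whichever secure-zeroing helper this sudo version already provides; a plain memset() may be optimized away. The function body continues past the last hunk, so confirm that no later cleanup already covers it. It would also help to add a short comment next to the `strlcpy()` stating that `pass` is dynamically sized and may be shorter than 9 bytes, so that the in-place `pass[8]` truncation is not reintroduced later.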