1 files changed, 26 insertions, 0 deletions
diff --git a/meta/recipes-extended/sudo/sudo/CVE-2023-28486_CVE-2023-28487-2.patch b/meta/recipes-extended/sudo/sudo/CVE-2023-28486_CVE-2023-28487-2.patch
new file mode 100644
index 0000000000..d021873b70
--- /dev/null
+++ b/meta/recipes-extended/sudo/sudo/CVE-2023-28486_CVE-2023-28487-2.patch
@@ -0,0 +1,26 @@
+Backport of:
+From 12648b4e0a8cf486480442efd52f0e0b6cab6e8b Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller" <Todd.Miller@sudo.ws>
+Date: Mon, 13 Mar 2023 08:04:32 -0600
+Subject: [PATCH] Add missing " ; " separator between environment variables and
+ command. This is a regression introduced in sudo 1.9.13. GitHub issue #254.
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/sudo/tree/debian/patches/CVE-2023-2848x-2.patch?h=ubuntu/focal-security
+Upstream commit https://github.com/sudo-project/sudo/commit/12648b4e0a8cf486480442efd52f0e0b6cab6e8b]
+CVE: CVE-2023-28486 CVE-2023-28487
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ lib/eventlog/eventlog.c | 1 +
+ 1 file changed, 1 insertion(+)
+--- a/plugins/sudoers/logging.c
+++ b/plugins/sudoers/logging.c
+@@ -1018,6 +1018,7 @@ new_logline(const char *message, const c
+            sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL, " %s",
+                sudo_user.env_vars[i]);
+        }
+       sudo_lbuf_append(&lbuf, " ; ");
+     }
+     if (user_cmnd != NULL) {
+        sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL|LBUF_ESC_BLANK,

diff --git a/meta/recipes-extended/sudo/sudo/CVE-2023-28486_CVE-2023-28487-2.patch b/meta/recipes-extended/sudo/sudo/CVE-2023-28486_CVE-2023-28487-2.patch new file mode 100644 index 0000000000..d021873b70 --- /dev/null +++ b/meta/recipes-extended/sudo/sudo/CVE-2023-28486_CVE-2023-28487-2.patch
@@ -0,0 +1,26 @@
	1	Backport of:
	2
	3	From 12648b4e0a8cf486480442efd52f0e0b6cab6e8b Mon Sep 17 00:00:00 2001
	4	From: "Todd C. Miller" <Todd.Miller@sudo.ws>
	5	Date: Mon, 13 Mar 2023 08:04:32 -0600
	6	Subject: [PATCH] Add missing " ; " separator between environment variables and
	7	command. This is a regression introduced in sudo 1.9.13. GitHub issue #254.
	8
	9	Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/sudo/tree/debian/patches/CVE-2023-2848x-2.patch?h=ubuntu/focal-security
	10	Upstream commit https://github.com/sudo-project/sudo/commit/12648b4e0a8cf486480442efd52f0e0b6cab6e8b]
	11	CVE: CVE-2023-28486 CVE-2023-28487
	12	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
	13	---
	14	lib/eventlog/eventlog.c \| 1 +
	15	1 file changed, 1 insertion(+)
	16
	17	--- a/plugins/sudoers/logging.c
	18	+++ b/plugins/sudoers/logging.c
	19	@@ -1018,6 +1018,7 @@ new_logline(const char *message, const c
	20	sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL, " %s",
	21	sudo_user.env_vars[i]);
	22	}
	23	+ sudo_lbuf_append(&lbuf, " ; ");
	24	}
	25	if (user_cmnd != NULL) {
	26	sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL\|LBUF_ESC_BLANK,