On 2022-11-15 14:08, Randy MacLeod wrote:
Thanks Xiangyu but for kirkstone/langdale I think we should take the patch update:
  sudo: upgrade 1.9.12 -> 1.9.12p1
that was sent to the list for master since it includes this CVE fix and more bug fixes:

$ git log --oneline SUDO_1_9_12..SUDO_1_9_12p1 | cut -c -99


Oops, I'm wrong. Please consider taking the patch backport for now.

This patch is for 1.9.10 and master is on 1.9.12 going to 1.9.12p1.

It may be sensible to update from 1.9.10 to 1.9.12p1 but I haven't looked at that yet.
It seems that the 'sudo-1.9' branch (1) is stable so someone should look into the list of changes
made on that branch to see how disciplined the sudo maintainers have been.


../Randy

1)

$ cd .../sudo.git

$ git branch -a
  main
  master
* sudo-1.9
  remotes/origin/HEAD -> origin/master
  remotes/origin/audit-server-tls-support
  remotes/origin/main
  remotes/origin/master
  remotes/origin/sudo-1.7
  remotes/origin/sudo-1.8
  remotes/origin/sudo-1.9
  remotes/origin/sudoers-iolog-tls
  remotes/origin/tls-config-default-values

$ git branch -a --contains SUDO_1_9_10
* sudo-1.9
  remotes/origin/sudo-1.9

$ git branch -a --contains SUDO_1_9_12p1
* sudo-1.9
  remotes/origin/sudo-1.9

7a103879a Merge sudo 1.9.12p1 from tip.
3df1e9a07 sudo 1.9.12p1
7ba318470 Include time.h for struct timespec used by sudo_iolog.h.
b2c8e1b1b Display sudo_mode in hex in debug log. This makes it easier to match against the MODE_ de
7ec1ee0e5 bsdauth_verify: do not write to prompt, it is now const
d242261dd Store raw sudoers lines in the debug log. Also add a "sudoerslex" prefix to the token deb
966731311 The line numbers in sudoers_trace_print() were off by one. The line counter is incremente
4da22b101 Make the second arg to the sudo auth verify function const. This may be either a plaintex
bd209b9f1 Fix CVE-2022-43995, potential heap overflow for passwords < 8 characters. Starting with s
c78e78dc5 Move debugging info from hostname_matches() to host_matches().
6a3fb3fd7 Add debugging to sudo_set_grlist() and sudo_set_gidlist().
366217571 configure: better test for -fstack-clash-protection The gcc front-end may accept -fstack-
6a2075b67 Check that compiler accepts -fstack-clash-protection and -fcf-protection. Previously, we
794449419 Fix compilation error on Linux/mips.
3d2b84ed2 Added tag SUDO_1_9_12 for changeset b53d725f7c88

../Randy

On 2022-11-14 01:27, Xiangyu Chen via lists.openembedded.org wrote:
Signed-off-by: Xiangyu Chen <xiangyu.c...@eng.windriver.com>
---
  ...95-potential-heap-overflow-for-passw.patch | 57 +++++++++++++++++++
  meta/recipes-extended/sudo/sudo_1.9.10.bb     |  1 +
  2 files changed, 58 insertions(+)
  create mode 100644 meta/recipes-extended/sudo/files/0001-Fix-CVE-2022-43995-potential-heap-overflow-for-passw.patch

diff --git a/meta/recipes-extended/sudo/files/0001-Fix-CVE-2022-43995-potential-heap-overflow-for-passw.patch b/meta/recipes-extended/sudo/files/0001-Fix-CVE-2022-43995-potential-heap-overflow-for-passw.patch
new file mode 100644
index 0000000000..be52af27e1
--- /dev/null
+++ b/meta/recipes-extended/sudo/files/0001-Fix-CVE-2022-43995-potential-heap-overflow-for-passw.patch
@@ -0,0 +1,57 @@
+From bd209b9f16fcd1270c13db27ae3329c677d48050 Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller" <todd.mil...@sudo.ws>
+Date: Fri, 28 Oct 2022 07:29:55 -0600
+Subject: [PATCH] Fix CVE-2022-43995, potential heap overflow for passwords < 8
+ characters. Starting with sudo 1.8.0 the plaintext password buffer is
+ dynamically sized so it is not safe to assume that it is at least 9 bytes in
+ size. Found by Hugo Lefeuvre (University of Manchester) with ConfFuzz.
+
+Upstream-Status: Backport from
+[https://github.com/sudo-project/sudo/commit/bd209b9f16fcd1270c13db27ae3329c677d48050]
+
+Signed-off-by: Xiangyu Chen <xiangyu.c...@eng.windriver.com>
+---
+ plugins/sudoers/auth/passwd.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/plugins/sudoers/auth/passwd.c b/plugins/sudoers/auth/passwd.c
+index b2046eca2..0416861e9 100644
+--- a/plugins/sudoers/auth/passwd.c
++++ b/plugins/sudoers/auth/passwd.c
+@@ -63,7 +63,7 @@ sudo_passwd_init(struct passwd *pw, sudo_auth *auth)
+ int
+ sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_conv_callback *callback)
+ {
+-    char sav, *epass;
++    char des_pass[9], *epass;
+     char *pw_epasswd = auth->data;
+     size_t pw_len;
+     int matched = 0;
+@@ -75,12 +75,12 @@ sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_c
+
+     /*
+      * Truncate to 8 chars if standard DES since not all crypt()'s do this. +-     * If this turns out not to be safe we will have to use OS #ifdef's (sigh).
+      */
+-    sav = pass[8];
+     pw_len = strlen(pw_epasswd);
+-    if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len))
+-    pass[8] = '\0';
++    if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len)) {
++    strlcpy(des_pass, pass, sizeof(des_pass));
++    pass = des_pass;
++    }
+
+     /*
+      * Normal UN*X password check.
+@@ -88,7 +88,6 @@ sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_c
+      * only compare the first DESLEN characters in that case.
+      */
+     epass = (char *) crypt(pass, pw_epasswd);
+-    pass[8] = sav;
+     if (epass != NULL) {
+     if (HAS_AGEINFO(pw_epasswd, pw_len) && strlen(epass) == DESLEN)
+         matched = !strncmp(pw_epasswd, epass, DESLEN);
+--
+2.34.1
+
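Review bot: the backported patch header is missing the `CVE: CVE-2022-43995` tag that OE-Core's patch conventions and the cve-check class expect, and the `Upstream-Status:` line is split across two lines with the URL in brackets on its own line; please add `CVE: CVE-2022-43995` above the Signed-off-by and use the single-line form `Upstream-Status: Backport [https://github.com/sudo-project/sudo/commit/bd209b9f16fcd1270c13db27ae3329c677d48050]`. The code change itself is correct: copying into the local `des_pass[9]` with `strlcpy` bounds the DES truncation to 8 characters no matter how short the dynamically sized `pass` buffer is, and dropping the `pass[8] = sav` restore is consistent because `pass` is no longer written. Also note that in the hunk as quoted here the context line `* Truncate to 8 chars if standard DES ...` and the removed line `-     * If this turns out not to be safe ...` appear run together on one line; check that the file in the tree has them on separate lines, otherwise do_patch will fail to apply it.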
diff --git a/meta/recipes-extended/sudo/sudo_1.9.10.bb b/meta/recipes-extended/sudo/sudo_1.9.10.bb
index aa0d814ed7..e1f603a125 100644
--- a/meta/recipes-extended/sudo/sudo_1.9.10.bb
+++ b/meta/recipes-extended/sudo/sudo_1.9.10.bb
@@ -4,6 +4,7 @@ SRC_URI = "https://www.sudo.ws/dist/sudo-${PV}.tar.gz \
             ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
file://0001-sudo.conf.in-fix-conflict-with-multilib.patch \
file://0001-lib-util-mksigname.c-correctly-include-header-for-ou.patch \
+ file://0001-Fix-CVE-2022-43995-potential-heap-overflow-for-passw.patch \
             "
    PAM_SRC_URI = "file://sudo.pam"
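Review bot: the added `file://0001-Fix-CVE-2022-43995-potential-heap-overflow-for-passw.patch \` line is indented with a single space while the surrounding SRC_URI continuation lines are aligned under the opening quote; match the existing indentation so the list stays consistent. Appending it after the two existing patches is otherwise the right place, and nothing else in sudo_1.9.10.bb needs to change since the patch lives in the recipe's files/ directory, which is already searched by default.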

--
# Randy MacLeod
# Wind River Linux
