Package: release.debian.org Severity: normal Tags: buster User: release.debian....@packages.debian.org Usertags: pu
Hi Stable release managers, In stretch we fixed CVE-2019-18634 via a DSA. As the vulnerability is not exploitable in buster due to an upstream change in 1.8.26 relating to the handling of EOF, the update for buster was not included (but the bug is still present). Bdale did upload a 1.8.31 version to unstable addressing it, so I propose to address the bug in buster as well via the point release (if not the next one, as the window closes this weekend, then the following one). Attached is the resulting debdiff, which was uploaded already, but as said feel free to hold it back if it's too close. Regards, Salvatore -- System Information: Debian Release: bullseye/sid APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 4.19.0-6-amd64 (SMP w/8 CPU cores) Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: sysvinit (via /sbin/init)
diff -Nru sudo-1.8.27/debian/changelog sudo-1.8.27/debian/changelog
--- sudo-1.8.27/debian/changelog 2019-10-12 15:49:01.000000000 +0200
+++ sudo-1.8.27/debian/changelog 2020-02-02 08:41:42.000000000 +0100
@@ -1,3 +1,11 @@
+sudo (1.8.27-1+deb10u2) buster; urgency=medium
+
+ * Non-maintainer upload.
+ * Fix a buffer overflow when pwfeedback is enabled and input is a not a tty
+ (CVE-2019-18634) (Closes: #950371)
+
+ -- Salvatore Bonaccorso <car...@debian.org> Sun, 02 Feb 2020 08:41:42 +0100
+
 sudo (1.8.27-1+deb10u1) buster-security; urgency=high

 * Non-maintainer upload by the Security Team.
diff -Nru sudo-1.8.27/debian/patches/Fix-a-buffer-overflow-when-pwfeedback-is-enabled-and.patch sudo-1.8.27/debian/patches/Fix-a-buffer-overflow-when-pwfeedback-is-enabled-and.patch
--- sudo-1.8.27/debian/patches/Fix-a-buffer-overflow-when-pwfeedback-is-enabled-and.patch 1970-01-01 01:00:00.000000000 +0100
+++ sudo-1.8.27/debian/patches/Fix-a-buffer-overflow-when-pwfeedback-is-enabled-and.patch 2020-02-02 08:41:42.000000000 +0100
@@ -0,0 +1,95 @@
+From: "Todd C. Miller" <todd.mil...@sudo.ws>
+Date: Wed, 29 Jan 2020 20:15:21 -0700
+Subject: Fix a buffer overflow when pwfeedback is enabled and input is a not a
+ tty. In getln() if the user enters ^U (erase line) and the write(2) fails,
+ the remaining buffer size is reset but the current pointer is not. While
+ here, fix an incorrect break for erase when write(2) fails. Also disable
+ pwfeedback when input is not a tty as it cannot work. CVE-2019-18634 Credit:
+ Joe Vennix from Apple Information Security.
+Origin: https://github.com/sudo-project/sudo/commit/b5d2010b6514ff45693509273bb07df3abb0bf0a
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-18634
+Bug-Debian: https://bugs.debian.org/950371
+
+--HG--
+branch : 1.8
+[Salvatore Bonaccorso: Backport to 1.8.27 for context changes]
+---
+ src/tgetpass.c | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+--- a/src/tgetpass.c
++++ b/src/tgetpass.c
+@@ -60,7 +60,7 @@ static volatile sig_atomic_t signo[NSIG]
+
+ static bool tty_present(void);
+ static void tgetpass_handler(int);
+-static char *getln(int, char *, size_t, int, enum tgetpass_errval *);
++static char *getln(int, char *, size_t, bool, enum tgetpass_errval *);
+ static char *sudo_askpass(const char *, const char *);
+
+ static int
+@@ -123,6 +123,7 @@ tgetpass(const char *prompt, int timeout
+ static const char *askpass;
+ static char buf[SUDO_CONV_REPL_MAX + 1];
+ int i, input, output, save_errno, neednl = 0, need_restart;
++ bool feedback = ISSET(flags, TGP_MASK);
+ enum tgetpass_errval errval;
+ debug_decl(tgetpass, SUDO_DEBUG_CONV)
+
+@@ -170,7 +171,7 @@ restart:
+ */
+ if (!ISSET(flags, TGP_ECHO)) {
+ for (;;) {
+- if (ISSET(flags, TGP_MASK))
++ if (feedback)
+ neednl = sudo_term_cbreak(input);
+ else
+ neednl = sudo_term_noecho(input);
+@@ -184,6 +185,9 @@ restart:
+ }
+ }
+ }
++ /* Only use feedback mode when we can disable echo.
 */
++ if (!neednl)
++ feedback = false;
+
+ /*
+ * Catch signals that would otherwise cause the user to end
+@@ -209,7 +213,7 @@ restart:
+
+ if (timeout > 0)
+ alarm(timeout);
+- pass = getln(input, buf, sizeof(buf), ISSET(flags, TGP_MASK), &errval);
++ pass = getln(input, buf, sizeof(buf), feedback, &errval);
+ alarm(0);
+ save_errno = errno;
+
+@@ -345,7 +349,7 @@ sudo_askpass(const char *askpass, const
+ extern int sudo_term_eof, sudo_term_erase, sudo_term_kill;
+
+ static char *
+-getln(int fd, char *buf, size_t bufsiz, int feedback,
++getln(int fd, char *buf, size_t bufsiz, bool feedback,
+ enum tgetpass_errval *errval)
+ {
+ size_t left = bufsiz;
+@@ -374,15 +378,15 @@ getln(int fd, char *buf, size_t bufsiz,
+ while (cp > buf) {
+ if (write(fd, "\b \b", 3) == -1)
+ break;
+- --cp;
++ cp--;
+ }
++ cp = buf;
+ left = bufsiz;
+ continue;
+ } else if (c == sudo_term_erase) {
+ if (cp > buf) {
+- if (write(fd, "\b \b", 3) == -1)
+- break;
+- --cp;
++ ignore_result(write(fd, "\b \b", 3));
++ cp--;
+ left++;
+ }
+ continue;
diff -Nru sudo-1.8.27/debian/patches/series sudo-1.8.27/debian/patches/series
--- sudo-1.8.27/debian/patches/series 2019-10-12 15:49:01.000000000 +0200
+++ sudo-1.8.27/debian/patches/series 2020-02-02 08:41:42.000000000 +0100
@@ -3,3 +3,4 @@
 Whitelist-DPKG_COLORS-environment-variable.diff
 sudo_minus_1_uid.diff
 strtoid_minus_1_test_fix.diff
+Fix-a-buffer-overflow-when-pwfeedback-is-enabled-and.patch
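Review bot: In the `sudo_term_kill` branch of getln() in src/tgetpass.c, the added `cp = buf;` is the line that keeps the write pointer in step with `left = bufsiz`, but the code does not say so, and the loop above it still reads as if it did that job. That loop can stop early when write(2) fails, so it only erases the on-screen feedback; I would put a comment above the reset such as `/* The erase loop may stop early if write(2) fails; always reset cp together with left. */`. The same loop still breaks on a failed write while the erase branch now uses `ignore_result(write(fd, "\b \b", 3));`, which is worth making consistent or explaining. getln() starts and ends outside these hunks, so the loop condition that consumes `left` is not visible here.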