Backport patches from upstream community

Signed-off-by: modric <wangyu283@huawei.com>
modric 2022-11-23 03:46:54 +00:00
parent 549b94a3b0
commit 40792f3000
3 changed files with 59 additions and 1 deletions


@ -0,0 +1,29 @@
From e4f08157b6693b956fe9c7c987bc3eeac1abb2cc Mon Sep 17 00:00:00 2001
From: Tim Shearer <timtimminz@gmail.com>
Date: Tue, 2 Aug 2022 08:48:32 -0400
Subject: [PATCH] Fix incorrect SHA384/512 digest calculation.
Resolves an issue where certain message sizes result in an incorrect
checksum. Specifically, when:
(n*8) mod 1024 == 896
where n is the file size in bytes.
---
lib/util/sha2.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/util/sha2.c b/lib/util/sha2.c
index b7a28cca8..f769f77f2 100644
--- a/lib/util/sha2.c
+++ b/lib/util/sha2.c
@@ -490,7 +490,7 @@ SHA512Pad(SHA2_CTX *ctx)
SHA512Update(ctx, (uint8_t *)"\200", 1);
/* Pad message such that the resulting length modulo 1024 is 896. */
- while ((ctx->count[0] & 1008) != 896)
+ while ((ctx->count[0] & 1016) != 896)
SHA512Update(ctx, (uint8_t *)"\0", 1);
/* Append length of message in bits and do final SHA512Transform(). */
--
2.33.0
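Review bot: the new mask 1016 (0x3F8) is correct, but the hunk should carry a comment on why it is neither 1008 nor 1023, since the reader has to reconstruct the reasoning. ctx->count[0] is the message length in bits (the context comment speaks of "length modulo 1024") and is advanced one byte, i.e. eight bits, at a time by SHA512Update, so bits 0-2 are always zero and `ctx->count[0] & 1016` is exactly the count modulo 1024. The old mask 1008 (0x3F0) dropped bit 3 (value 8), so a count of 904 also satisfied `(ctx->count[0] & 1008) != 896` being false: for a 112-byte message (896 bits, the case named in the commit message) the 0x80 byte brings the count to 904, no zero bytes are appended, and the 16-byte length field makes the final block 1032 bits instead of 1024, which is why the digest was wrong. Suggest either writing the condition as `(ctx->count[0] % 1024) != 896` or adding a one-line comment stating the byte-granularity assumption, and adding a regression test with a 112-byte (or 240-byte) input whose SHA-384 and SHA-512 digests are compared against a known-good implementation.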


@ -0,0 +1,24 @@
From 9f948224acb911cbec1ed9041887c1fe62c59877 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller" <Todd.Miller@sudo.ws>
Date: Tue, 8 Nov 2022 13:17:11 -0700
Subject: [PATCH] sudo_passwd_verify: zero out des_pass before returning.
---
plugins/sudoers/auth/passwd.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/plugins/sudoers/auth/passwd.c b/plugins/sudoers/auth/passwd.c
index 636c07bab..89da96ff6 100644
--- a/plugins/sudoers/auth/passwd.c
+++ b/plugins/sudoers/auth/passwd.c
@@ -95,5 +95,7 @@ sudo_passwd_verify(struct passwd *pw, const char *pass, sudo_auth *auth, struct
matched = !strcmp(pw_epasswd, epass);
}
+ explicit_bzero(des_pass, sizeof(des_pass));
+
debug_return_int(matched ? AUTH_SUCCESS : AUTH_FAILURE);
}
--
2.33.0
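Review bot: the explicit_bzero only covers the fall-through return at the end of sudo_passwd_verify; any earlier return from the function (none is visible in this hunk's context, so the full function needs checking) would still leave the des_pass buffer on the stack after the call returns. Suggest confirming that every exit path passes through this point, or routing them through a single label that does the clearing before `debug_return_int`, and confirming that explicit_bzero (or sudo's compat replacement for it) is available on every target this package is built for.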


@ -1,6 +1,6 @@
Name: sudo
Version: 1.9.2
Release: 7
Release: 8
Summary: Allows restricted root access for specified users
License: ISC
URL: http://www.courtesan.com/sudo/
@ -27,6 +27,8 @@ Patch13: backport-0001-CVE-2022-37434.patch
Patch14: backport-0002-CVE-2022-37434.patch
Patch15: backport-fix-CVE-2022-33070.patch
Patch16: backport-Fix-CVE-2022-43995-potential-heap-overflow-for-passwords.patch
Patch17: backport-Fix-incorrect-SHA384-512-digest-calculation.patch
Patch18: backport-sudo_passwd_verify-zero-out-des_pass-before-returnin.patch
Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Requires: pam
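Review bot: the file name on the Patch18 line is truncated to `...before-returnin.patch` (git format-patch's default name-length limit); it builds fine, but a readable name such as `backport-sudo_passwd_verify-zero-out-des_pass.patch` would be easier to match to the upstream commit. Patch numbering continues from Patch16 and the Release bump is present, so the hunk otherwise looks complete.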
@ -167,6 +169,9 @@ install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT/etc/pam.d/sudo-i
%exclude %{_pkgdocdir}/ChangeLog
%changelog
* Wed Nov 23 2022 wangyu <wangyu283@huawei.com> - 1.9.2-8
- Backport patches from upstream community
* Sat Nov 05 2022 wangyu <wangyu283@huawei.com> - 1.9.2-7
- Fix CVE-2022-43995
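Review bot: the changelog entry `- Backport patches from upstream community` does not say which fixes were backported, whereas the previous entry in this hunk names its CVE. Suggest listing the two upstream commits, e.g. `- Fix incorrect SHA384/512 digest calculation` and `- sudo_passwd_verify: zero out des_pass before returning`, so that users of the package can tell from `rpm -q --changelog sudo` what changed in 1.9.2-8.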