packages/sudo
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix CVE-2022-37434 and CVE-2022-33070

Browse Source
This commit is contained in:
w00559322 2022-09-03 14:42:34 +08:00
parent 1e2d46d28a
commit 5f266b7bd2
4 changed files with 161 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
backport-0001-CVE-2022-37434.patch Normal file
View File

@ -0,0 +1,35 @@
From eff308af425b67093bab25f80f1ae950166bece1 Mon Sep 17 00:00:00 2001
From: Mark Adler <fork@madler.net>
Date: Sat, 30 Jul 2022 15:51:11 -0700
Subject: [PATCH] Fix a bug when getting a gzip header extra field with
inflate().
If the extra field was larger than the space the user provided with
inflateGetHeader(), and if multiple calls of inflate() delivered
the extra header data, then there could be a buffer overflow of the
provided space. This commit assures that provided space is not
exceeded.
---
inflate.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/lib/zlib/inflate.c b/lib/zlib/inflate.c
index 2a0ac30..95a38f5 100644
--- a/lib/zlib/inflate.c
+++ b/lib/zlib/inflate.c
@@ -765,9 +765,10 @@ int flush;
copy = state->length;
if (copy > have) copy = have;
if (copy) {
+ len = state->head->extra_len - state->length;
if (state->head != Z_NULL &&
- state->head->extra != Z_NULL) {
- len = state->head->extra_len - state->length;
+ state->head->extra != Z_NULL &&
+ len < state->head->extra_max) {
zmemcpy(state->head->extra + len, next,
len + copy > state->head->extra_max ?
state->head->extra_max - len : copy);
--
2.27.0

32
backport-0002-CVE-2022-37434.patch Normal file
View File

@ -0,0 +1,32 @@
From 1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d Mon Sep 17 00:00:00 2001
From: Mark Adler <fork@madler.net>
Date: Mon, 8 Aug 2022 10:50:09 -0700
Subject: [PATCH] Fix extra field processing bug that dereferences NULL
state->head.
The recent commit to fix a gzip header extra field processing bug
introduced the new bug fixed here.
---
inflate.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/zlib/inflate.c b/lib/zlib/inflate.c
index 95a38f5..9c5934e 100644
--- a/lib/zlib/inflate.c
+++ b/lib/zlib/inflate.c
@@ -765,10 +765,10 @@ int flush;
copy = state->length;
if (copy > have) copy = have;
if (copy) {
- len = state->head->extra_len - state->length;
if (state->head != Z_NULL &&
state->head->extra != Z_NULL &&
- len < state->head->extra_max) {
+ (len = state->head->extra_len - state->length) <
+ state->head->extra_max) {
zmemcpy(state->head->extra + len, next,
len + copy > state->head->extra_max ?
state->head->extra_max - len : copy);
--
2.27.0

87
backport-fix-CVE-2022-33070.patch Normal file
View File

@ -0,0 +1,87 @@
Conflict:protobuf-c.c
Reference:https://gitee.com/src-openeuler/protobuf-c/pulls/19/files
diff --git a/lib/logsrv/protobuf-c.c b/lib/logsrv/protobuf-c.c
index 7a6b56d..27267e6 100644
--- a/lib/logsrv/protobuf-c.c
+++ b/lib/logsrv/protobuf-c.c
@@ -312,10 +312,8 @@ int32_size(int32_t v)
static inline uint32_t
zigzag32(int32_t v)
{
- if (v < 0)
- return (-(uint32_t)v) * 2 - 1;
- else
- return (uint32_t)(v) * 2;
+ // Note: Using unsigned types prevents undefined behavior
+ return ((uint32_t)v << 1) ^ -((uint32_t)v >> 31);
}
/**
@@ -377,10 +375,8 @@ uint64_size(uint64_t v)
static inline uint64_t
zigzag64(int64_t v)
{
- if (v < 0)
- return (-(uint64_t)v) * 2 - 1;
- else
- return (uint64_t)(v) * 2;
+ // Note: Using unsigned types prevents undefined behavior
+ return ((uint64_t)v << 1) ^ -((uint64_t)v >> 63);
}
/**
@@ -800,7 +796,8 @@ uint32_pack(uint32_t value, uint8_t *out)
}
/**
- * Pack a signed 32-bit integer and return the number of bytes written.
+ * Pack a signed 32-bit integer and return the number of bytes written,
+ * passed as unsigned to avoid implementation-specific behavior.
* Negative numbers are encoded as two's complement 64-bit integers.
*
* \param value
@@ -811,14 +808,14 @@ uint32_pack(uint32_t value, uint8_t *out)
* Number of bytes written to `out`.
*/
static inline size_t
-int32_pack(int32_t value, uint8_t *out)
+int32_pack(uint32_t value, uint8_t *out)
{
- if (value < 0) {
+ if ((int32_t)value < 0) {
out[0] = value | 0x80;
out[1] = (value >> 7) | 0x80;
out[2] = (value >> 14) | 0x80;
out[3] = (value >> 21) | 0x80;
- out[4] = (value >> 28) | 0x80;
+ out[4] = (value >> 28) | 0xf0;
out[5] = out[6] = out[7] = out[8] = 0xff;
out[9] = 0x01;
return 10;
@@ -2423,10 +2420,8 @@ parse_int32(unsigned len, const uint8_t *data)
static inline int32_t
unzigzag32(uint32_t v)
{
- if (v & 1)
- return -(v >> 1) - 1;
- else
- return v >> 1;
+ // Note: Using unsigned types prevents undefined behavior
+ return (int32_t)((v >> 1) ^ -(v & 1));
}
static inline uint32_t
@@ -2467,10 +2462,8 @@ parse_uint64(unsigned len, const uint8_t *data)
static inline int64_t
unzigzag64(uint64_t v)
{
- if (v & 1)
- return -(v >> 1) - 1;
- else
- return v >> 1;
+ // Note: Using unsigned types prevents undefined behavior
+ return (int64_t)((v >> 1) ^ -(v & 1));
}
static inline uint64_t

8
sudo.spec
View File

@ -1,6 +1,6 @@
Name: sudo
Version: 1.9.2
Release: 5
Release: 6
Summary: Allows restricted root access for specified users
License: ISC
URL: http://www.courtesan.com/sudo/
@ -23,6 +23,9 @@ Patch9: backport-In-json_stack_push-treat-stack-exhaustion-like-memory-allocati
Patch10: backport-Stricter-parsing-of-generalized-time.patch
Patch11: backport-Strict-tz-offset-parsing.patch
Patch12: backport-Only-strip-double-quotes-from-an-include-path-if-len.patch
Patch13: backport-0001-CVE-2022-37434.patch
Patch14: backport-0002-CVE-2022-37434.patch
Patch15: backport-fix-CVE-2022-33070.patch
Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Requires: pam
@ -163,6 +166,9 @@ install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT/etc/pam.d/sudo-i
%exclude %{_pkgdocdir}/ChangeLog
%changelog
* Sat Sep 03 2022 wangyu <wangyu283@huawei.com> - 1.9.2-6
- Fix CVE-2022-37434 and CVE-2022-33070
* Thu Dec 23 2021 panxiaohe <panxiaohe@huawei.com> - 1.9.2-5
- Type:bugfix
- ID:NA