!63 [sync] PR-62: Backport patches form upstream community

From: @openeuler-sync-bot 
Reviewed-by: @HuaxinLuGitee 
Signed-off-by: @HuaxinLuGitee

backport-Fix-a-potential-use-after-free-bug-with-cvtsudoers-f.patch

@@ -0,0 +1,37 @@
+From 264326de571e0eff1d8003f882bad4cdf1a9230d Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller" <Todd.Miller@sudo.ws>
+Date: Thu, 10 Nov 2022 14:55:56 -0700
+Subject: [PATCH] Fix a potential use-after-free bug with cvtsudoers filtering.
+ In role_to_sudoers() when merging a privilege to the previous one where the
+ runas lists are the same we need to re-use the runas lists of the last
+ command in the previous privilege, not the first. Otherwise, the check in
+ free_cmndspec() will not notice the re-used runas lists.  Reported/analyzed
+ by Sohom Datta.  GitHub issue #198.
+
+---
+ plugins/sudoers/parse_ldif.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/plugins/sudoers/parse_ldif.c b/plugins/sudoers/parse_ldif.c
+index 5d2a79163..2b7109294 100644
+--- a/plugins/sudoers/parse_ldif.c
++++ b/plugins/sudoers/parse_ldif.c
+@@ -432,11 +432,11 @@ role_to_sudoers(struct sudoers_parse_tree *parse_tree, struct sudo_role *role,
+ 	struct privilege *prev_priv = TAILQ_LAST(&us->privileges, privilege_list);
+ 	if (reuse_runas) {
+ 	    /* Runas users and groups same if as in previous privilege. */
+-	    struct member_list *runasuserlist =
+-		TAILQ_FIRST(&prev_priv->cmndlist)->runasuserlist;
+-	    struct member_list *runasgrouplist =
+-		TAILQ_FIRST(&prev_priv->cmndlist)->runasgrouplist;
+ 	    struct cmndspec *cmndspec = TAILQ_FIRST(&priv->cmndlist);
++	    const struct cmndspec *prev_cmndspec =
++		TAILQ_LAST(&prev_priv->cmndlist, cmndspec_list);
++	    struct member_list *runasuserlist = prev_cmndspec->runasuserlist;
++	    struct member_list *runasgrouplist = prev_cmndspec->runasgrouplist;
+ 
+ 	    /* Free duplicate runas lists. */
+ 	    if (cmndspec->runasuserlist != NULL) {
+-- 
+2.27.0
+

backport-Fix-memory-leak-of-pass-in-converse.patch

@@ -0,0 +1,22 @@
+From f5cae905ca1a9f686f80aea45a34cea50fec0534 Mon Sep 17 00:00:00 2001
+From: modric <pioneerbtw7@163.com>
+Date: Thu, 17 Nov 2022 16:08:59 +0800
+Subject: [PATCH] Fix memory leak of pass in converse().
+
+---
+ plugins/sudoers/auth/pam.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/plugins/sudoers/auth/pam.c b/plugins/sudoers/auth/pam.c
+index dee9ea2..e90a4a6 100644
+--- a/plugins/sudoers/auth/pam.c
++++ b/plugins/sudoers/auth/pam.c
+@@ -703,6 +703,8 @@ converse(int num_msg, PAM_CONST struct pam_message **msg,
+ 			"password longer than %d", PAM_MAX_RESP_SIZE);
+ 		    ret = PAM_CONV_ERR;
+ 		    memset_s(pass, SUDO_CONV_REPL_MAX, 0, strlen(pass));
++		    free(pass);
++		    pass = NULL;
+ 		    goto done;
+ 		}
+ 		reply[n].resp = pass;	/* auth_getpass() malloc's a copy */

backport-cvtsudoers-Prevent-sudo-from-reading-into-undefined-.patch

@@ -0,0 +1,25 @@
+From 902271f441f61506392588fc26db992e64ae4ecd Mon Sep 17 00:00:00 2001
+From: Sohom <sohom.datta@learner.manipal.edu>
+Date: Wed, 9 Nov 2022 23:20:12 +0530
+Subject: [PATCH] [cvtsudoers]: Prevent sudo from reading into undefined memory
+
+---
+ plugins/sudoers/parse_ldif.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/plugins/sudoers/parse_ldif.c b/plugins/sudoers/parse_ldif.c
+index 6c2b74aa0..5d2a79163 100644
+--- a/plugins/sudoers/parse_ldif.c
++++ b/plugins/sudoers/parse_ldif.c
+@@ -688,7 +688,7 @@ sudoers_parse_ldif(struct sudoers_parse_tree *parse_tree,
+ 		if (strncasecmp(attr, "cn=", 3) == 0) {
+ 		    for (attr += 3; *attr != '\0'; attr++) {
+ 			/* Handle escaped ',' chars. */
+-			if (*attr == '\\')
++			if (*attr == '\\' && attr[1] != '\0')
+ 			    attr++;
+ 			if (*attr == ',') {
+ 			    attr++;
+-- 
+2.27.0
+

backport-sudo_passwd_cleanup-Set-auth-data-to-NULL-after-free.patch

@@ -0,0 +1,22 @@
+From b3834bbf248f3376ada8fc44166cba38c8ad4bcf Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller" <Todd.Miller@sudo.ws>
+Date: Thu, 17 Nov 2022 08:10:35 -0700
+Subject: [PATCH] sudo_passwd_cleanup: Set auth->data to NULL after freeing.
+ GitHub issue #201
+
+---
+ plugins/sudoers/auth/passwd.c | 1 +
+ 1 file changed, 1 insertions(+), 0 deletions(-)
+
+diff --git a/plugins/sudoers/auth/passwd.c b/plugins/sudoers/auth/passwd.c
+index 889a8e3..910a510 100644
+--- a/plugins/sudoers/auth/passwd.c
++++ b/plugins/sudoers/auth/passwd.c
+@@ -104,6 +104,7 @@ sudo_passwd_cleanup(struct passwd *pw, sudo_auth *auth, bool force)
+     if (pw_epasswd != NULL) {
+ 	memset_s(pw_epasswd, SUDO_CONV_REPL_MAX, 0, strlen(pw_epasswd));
+ 	free(pw_epasswd);
++	auth->data = NULL;
+     }
+     debug_return_int(AUTH_SUCCESS);
+ }

sudo.spec

@@ -1,6 +1,6 @@
 Name: sudo
 Version: 1.9.2
-Release: 8
+Release: 9
 Summary: Allows restricted root access for specified users
 License: ISC
 URL: http://www.courtesan.com/sudo/
@@ -29,6 +29,10 @@ Patch15: backport-fix-CVE-2022-33070.patch
 Patch16: backport-Fix-CVE-2022-43995-potential-heap-overflow-for-passwords.patch
 Patch17: backport-Fix-incorrect-SHA384-512-digest-calculation.patch
 Patch18: backport-sudo_passwd_verify-zero-out-des_pass-before-returnin.patch
+Patch19: backport-cvtsudoers-Prevent-sudo-from-reading-into-undefined-.patch
+Patch20: backport-Fix-a-potential-use-after-free-bug-with-cvtsudoers-f.patch
+Patch21: backport-Fix-memory-leak-of-pass-in-converse.patch
+Patch22: backport-sudo_passwd_cleanup-Set-auth-data-to-NULL-after-free.patch
 
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Requires: pam
@@ -169,6 +173,9 @@ install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT/etc/pam.d/sudo-i
 %exclude %{_pkgdocdir}/ChangeLog
 
 %changelog
+* Thu Dec 08 2022 wangyu <wangyu283@huawei.com> - 1.9.2-9
+- Backport patches from upstream community
+
 * Wed Nov 23 2022 wangyu <wangyu283@huawei.com> - 1.9.2-8
 - Backport patches from upstream community