From e97af7098e5cb6f8128974925ef89ef29d81c0ca Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Mar 28 2023 09:29:26 +0000 Subject: import sudo-1.9.5p2-9.el9 --- diff --git a/SOURCES/sha-digest-calc.patch b/SOURCES/sha-digest-calc.patch new file mode 100644 index 0000000..affab8b --- /dev/null +++ b/SOURCES/sha-digest-calc.patch @@ -0,0 +1,26 @@ +From e4f08157b6693b956fe9c7c987bc3eeac1abb2cc Mon Sep 17 00:00:00 2001 +From: Tim Shearer +Date: Tue, 2 Aug 2022 08:48:32 -0400 +Subject: [PATCH] Fix incorrect SHA384/512 digest calculation. + +Resolves an issue where certain message sizes result in an incorrect +checksum. Specifically, when: +(n*8) mod 1024 == 896 +where n is the file size in bytes. +--- + lib/util/sha2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/util/sha2.c b/lib/util/sha2.c +index b7a28cca8..f769f77f2 100644 +--- a/lib/util/sha2.c ++++ b/lib/util/sha2.c +@@ -490,7 +490,7 @@ SHA512Pad(SHA2_CTX *ctx) + SHA512Update(ctx, (uint8_t *)"\200", 1); + + /* Pad message such that the resulting length modulo 1024 is 896. */ +- while ((ctx->count[0] & 1008) != 896) ++ while ((ctx->count[0] & 1016) != 896) + SHA512Update(ctx, (uint8_t *)"\0", 1); + + /* Append length of message in bits and do final SHA512Transform(). */ diff --git a/SOURCES/sudo-1.9.12-CVE-2023-22809.patch b/SOURCES/sudo-1.9.12-CVE-2023-22809.patch new file mode 100644 index 0000000..66f866f --- /dev/null +++ b/SOURCES/sudo-1.9.12-CVE-2023-22809.patch @@ -0,0 +1,121 @@ +diff -up ./plugins/sudoers/editor.c.cve ./plugins/sudoers/editor.c +--- ./plugins/sudoers/editor.c.cve 2021-01-09 21:12:16.000000000 +0100 ++++ ./plugins/sudoers/editor.c 2023-01-17 13:57:05.598949058 +0100 +@@ -126,7 +126,7 @@ resolve_editor(const char *ed, size_t ed + const char *tmp, *cp, *ep = NULL; + const char *edend = ed + edlen; + struct stat user_editor_sb; +- int nargc; ++ int nargc = 0; + debug_decl(resolve_editor, SUDOERS_DEBUG_UTIL); + + /* +@@ -144,9 +144,7 @@ resolve_editor(const char *ed, size_t ed + /* If we can't find the editor in the user's PATH, give up. */ + if (find_path(editor, &editor_path, &user_editor_sb, getenv("PATH"), NULL, + 0, allowlist) != FOUND) { +- free(editor); +- errno = ENOENT; +- debug_return_str(NULL); ++ goto bad; + } + + /* Count rest of arguments and allocate editor argv. */ +@@ -166,6 +164,18 @@ resolve_editor(const char *ed, size_t ed + nargv[nargc] = copy_arg(cp, ep - cp); + if (nargv[nargc] == NULL) + goto oom; ++ ++ /* ++ * We use "--" to separate the editor and arguments from the files ++ * to edit. The editor arguments themselves may not contain "--". ++ */ ++ if (strcmp(nargv[nargc], "--") == 0) { ++ sudo_warnx(U_("ignoring editor: %.*s"), (int)edlen, ed); ++ sudo_warnx("%s", U_("editor arguments may not contain \"--\"")); ++ errno = EINVAL; ++ goto bad; ++ } ++ + } + if (nfiles != 0) { + nargv[nargc++] = "--"; +@@ -179,6 +189,7 @@ resolve_editor(const char *ed, size_t ed + debug_return_str(editor_path); + oom: + sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory")); ++bad: + free(editor); + free(editor_path); + if (nargv != NULL) { +diff -up ./plugins/sudoers/sudoers.c.cve ./plugins/sudoers/sudoers.c +--- ./plugins/sudoers/sudoers.c.cve 2023-01-17 13:50:33.718255775 +0100 ++++ ./plugins/sudoers/sudoers.c 2023-01-17 14:00:53.049710094 +0100 +@@ -724,21 +724,34 @@ sudoers_policy_main(int argc, char * con + + /* Note: must call audit before uid change. */ + if (ISSET(sudo_mode, MODE_EDIT)) { ++ const char *env_editor = NULL; + char **edit_argv; + int edit_argc; +- const char *env_editor; ++ + + free(safe_cmnd); + safe_cmnd = find_editor(NewArgc - 1, NewArgv + 1, &edit_argc, + &edit_argv, NULL, &env_editor, false); + if (safe_cmnd == NULL) { +- if (errno != ENOENT) +- goto done; +- audit_failure(NewArgv, N_("%s: command not found"), +- env_editor ? env_editor : def_editor); +- sudo_warnx(U_("%s: command not found"), +- env_editor ? env_editor : def_editor); +- goto bad; ++ ++ switch (errno) { ++ case ENOENT: ++ audit_failure(NewArgv, N_("%s: command not found"), ++ env_editor ? env_editor : def_editor); ++ sudo_warnx(U_("%s: command not found"), ++ env_editor ? env_editor : def_editor); ++ goto bad; ++ case EINVAL: ++ if (def_env_editor && env_editor != NULL) { ++ /* User tried to do something funny with the editor. */ ++ log_warningx(SLOG_NO_STDERR|SLOG_AUDIT|SLOG_SEND_MAIL, ++ "invalid user-specified editor: %s", env_editor); ++ goto bad; ++ } ++ FALLTHROUGH; ++ default: ++ goto done; ++ } + } + sudoers_gc_add(GC_VECTOR, edit_argv); + NewArgv = edit_argv; +diff -up ./plugins/sudoers/visudo.c.cve ./plugins/sudoers/visudo.c +--- ./plugins/sudoers/visudo.c.cve 2021-01-09 21:12:16.000000000 +0100 ++++ ./plugins/sudoers/visudo.c 2023-01-17 14:02:01.393135129 +0100 +@@ -303,7 +303,7 @@ static char * + get_editor(int *editor_argc, char ***editor_argv) + { + char *editor_path = NULL, **allowlist = NULL; +- const char *env_editor; ++ const char *env_editor = NULL; + static char *files[] = { "+1", "sudoers" }; + unsigned int allowlist_len = 0; + debug_decl(get_editor, SUDOERS_DEBUG_UTIL); +@@ -337,7 +337,11 @@ get_editor(int *editor_argc, char ***edi + if (editor_path == NULL) { + if (def_env_editor && env_editor != NULL) { + /* We are honoring $EDITOR so this is a fatal error. */ +- sudo_fatalx(U_("specified editor (%s) doesn't exist"), env_editor); ++ if (errno == ENOENT) { ++ sudo_warnx(U_("specified editor (%s) doesn't exist"), ++ env_editor); ++ } ++ exit(EXIT_FAILURE); + } + sudo_fatalx(U_("no editor found (editor path = %s)"), def_editor); + } diff --git a/SPECS/sudo.spec b/SPECS/sudo.spec index 658e064..8c29268 100644 --- a/SPECS/sudo.spec +++ b/SPECS/sudo.spec @@ -1,7 +1,7 @@ Summary: Allows restricted root access for specified users Name: sudo Version: 1.9.5p2 -Release: 7%{?dist} +Release: 9%{?dist} License: ISC URL: https://www.sudo.ws @@ -31,6 +31,8 @@ Patch3: sudo-1.9.5-selinux-t.patch Patch4: sudo-1.9.5-sesh-bad-condition.patch Patch5: sudo-1.9.5-utmp-leak.patch Patch6: covscan.patch +Patch7: sha-digest-calc.patch +Patch8: sudo-1.9.12-CVE-2023-22809.patch %description Sudo (superuser do) allows a system administrator to give certain @@ -69,6 +71,8 @@ BuildRequires: python3-devel %patch4 -p1 -b .bad-cond %patch5 -p1 -b .utmp-leak %patch6 -p1 -b .covscan +%patch7 -p1 -b .sha-digest +%patch8 -p1 -b .cve-fix %build # Remove bundled copy of zlib @@ -243,6 +247,16 @@ EOF %attr(0644,root,root) %{_libexecdir}/sudo/python_plugin.so %changelog +* Thu Jan 19 2023 Radovan Sroka - 1.9.5p2-9 +RHEL 9.2.0 ERRATUM +- CVE-2023-22809 sudo: arbitrary file write with privileges of the RunAs user +Resolves: rhbz#2161225 + +* Wed Jan 11 2023 Radovan Sroka - 1.9.5p2-8 +RHEL 9.2.0 ERRATUM +- sudo digest check fails incorrectly for certain file sizes (SHA512/SHA384) +Resolves: rhbz#2115789 + * Fri Aug 20 2021 Radovan Sroka - 1.9.5p2-7 - utmp resource leak in sudo Resolves: rhbz#1986579