diff --git a/SOURCES/sudo-1.8.28-CVE-strtouid-test.patch b/SOURCES/sudo-1.8.28-CVE-strtouid-test.patch
new file mode 100644
index 0000000..0ae387a
--- /dev/null
+++ b/SOURCES/sudo-1.8.28-CVE-strtouid-test.patch
@@ -0,0 +1,96 @@
+diff -up ./lib/util/regress/atofoo/atofoo_test.c.CVE-strtouid-test ./lib/util/regress/atofoo/atofoo_test.c
+--- ./lib/util/regress/atofoo/atofoo_test.c.CVE-strtouid-test 2018-04-29 21:59:23.000000000 +0200
++++ ./lib/util/regress/atofoo/atofoo_test.c 2019-10-16 09:38:31.851404545 +0200
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2014 Todd C. Miller <Todd.Miller@sudo.ws>
++ * Copyright (c) 2014-2019 Todd C. Miller <Todd.Miller@sudo.ws>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+@@ -24,6 +24,7 @@
+ #else
+ # include "compat/stdbool.h"
+ #endif
++#include <errno.h>
+
+ #include "sudo_compat.h"
+ #include "sudo_util.h"
+@@ -78,15 +79,20 @@ static struct strtoid_data {
+ id_t id;
+ const char *sep;
+ const char *ep;
++ int errnum;
+ } strtoid_data[] = {
+- { "0,1", 0, ",", "," },
+- { "10", 10, NULL, NULL },
+- { "-2", -2, NULL, NULL },
++ { "0,1", 0, ",", ",", 0 },
++ { "10", 10, NULL, NULL, 0 },
++ { "-1", 0, NULL, NULL, EINVAL },
++ { "4294967295", 0, NULL, NULL, EINVAL },
++ { "4294967296", 0, NULL, NULL, ERANGE },
++ { "-2147483649", 0, NULL, NULL, ERANGE },
++ { "-2", -2, NULL, NULL, 0 },
+ #if SIZEOF_ID_T != SIZEOF_LONG_LONG
+- { "-2", (id_t)4294967294U, NULL, NULL },
++ { "-2", (id_t)4294967294U, NULL, NULL, 0 },
+ #endif
+- { "4294967294", (id_t)4294967294U, NULL, NULL },
+- { NULL, 0, NULL, NULL }
++ { "4294967294", (id_t)4294967294U, NULL, NULL, 0 },
++ { NULL, 0, NULL, NULL, 0 }
+ };
+
+ static int
+@@ -102,11 +108,23 @@ test_strtoid(int *ntests)
+ (*ntests)++;
+ errstr = "some error";
+ value = sudo_strtoid(d->idstr, d->sep, &ep, &errstr);
+- if (errstr != NULL) {
+- if (d->id != (id_t)-1) {
+- sudo_warnx_nodebug("FAIL: %s: %s", d->idstr, errstr);
++ if (d->errnum != 0) {
++ if (errstr == NULL) {
++ sudo_warnx_nodebug("FAIL: %s: missing errstr for errno %d",
++ d->idstr, d->errnum);
++ errors++;
++ } else if (value != 0) {
++ sudo_warnx_nodebug("FAIL: %s should return 0 on error",
++ d->idstr);
++ errors++;
++ } else if (errno != d->errnum) {
++ sudo_warnx_nodebug("FAIL: %s: errno mismatch, %d != %d",
++ d->idstr, errno, d->errnum);
+ errors++;
+ }
++ } else if (errstr != NULL) {
++ sudo_warnx_nodebug("FAIL: %s: %s", d->idstr, errstr);
++ errors++;
+ } else if (value != d->id) {
+ sudo_warnx_nodebug("FAIL: %s != %u", d->idstr, (unsigned int)d->id);
+ errors++;
+diff -up ./plugins/sudoers/regress/testsudoers/test5.out.ok.CVE-strtouid-test ./plugins/sudoers/regress/testsudoers/test5.out.ok
+--- ./plugins/sudoers/regress/testsudoers/test5.out.ok.CVE-strtouid-test 2018-04-29 21:59:23.000000000 +0200
++++ ./plugins/sudoers/regress/testsudoers/test5.out.ok 2019-10-16 09:29:50.246761680 +0200
+@@ -4,7 +4,7 @@ Parse error in sudoers near line 1.
+ Entries for user root:
+
+ Command unmatched
+-testsudoers: test5.inc should be owned by gid 4294967295
++testsudoers: test5.inc should be owned by gid 4294967294
+ Parse error in sudoers near line 1.
+
+ Entries for user root:
+diff -up ./plugins/sudoers/regress/testsudoers/test5.sh.CVE-strtouid-test ./plugins/sudoers/regress/testsudoers/test5.sh
+--- ./plugins/sudoers/regress/testsudoers/test5.sh.CVE-strtouid-test 2018-04-29 21:59:23.000000000 +0200
++++ ./plugins/sudoers/regress/testsudoers/test5.sh 2019-10-16 09:29:50.246761680 +0200
+@@ -24,7 +24,7 @@ EOF
+
+ # Test group writable
+ chmod 664 $TESTFILE
+-./testsudoers -U $MYUID -G -1 root id <<EOF
++./testsudoers -U $MYUID -G -2 root id <<EOF
+ #include $TESTFILE
+ EOF
+
diff --git a/SOURCES/sudo-1.8.28-CVE-strtouid.patch b/SOURCES/sudo-1.8.28-CVE-strtouid.patch
new file mode 100644
index 0000000..dbf9db7
--- /dev/null
+++ b/SOURCES/sudo-1.8.28-CVE-strtouid.patch
@@ -0,0 +1,172 @@
+Treat an ID of -1 as invalid since that means "no change".
+Fixes CVE-2019-14287.
+Found by Joe Vennix from Apple Information Security.
+
+diff -r fcd7a6d8330e lib/util/strtoid.c
+--- a/lib/util/strtoid.c Fri Jan 11 13:31:15 2019 -0700
++++ b/lib/util/strtoid.c Thu Oct 10 09:52:12 2019 -0600
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2013-2016 Todd C. Miller <Todd.Miller@sudo.ws>
++ * Copyright (c) 2013-2019 Todd C. Miller <Todd.Miller@sudo.ws>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+@@ -47,6 +47,27 @@
+ #include "sudo_util.h"
+
+ /*
++ * Make sure that the ID ends with a valid separator char.
++ */
++static bool
++valid_separator(const char *p, const char *ep, const char *sep)
++{
++ bool valid = false;
++ debug_decl(valid_separator, SUDO_DEBUG_UTIL)
++
++ if (ep != p) {
++ /* check for valid separator (including '\0') */
++ if (sep == NULL)
++ sep = "";
++ do {
++ if (*ep == *sep)
++ valid = true;
++ } while (*sep++ != '\0');
++ }
++ debug_return_bool(valid);
++}
++
++/*
+ * Parse a uid/gid in string form.
+ * If sep is non-NULL, it contains valid separator characters (e.g. comma, space)
+ * If endp is non-NULL it is set to the next char after the ID.
+@@ -60,38 +81,35 @@ sudo_strtoid_v1(const char *p, const cha
+ char *ep;
+ id_t ret = 0;
+ long long llval;
+- bool valid = false;
+ debug_decl(sudo_strtoid, SUDO_DEBUG_UTIL)
+
+ /* skip leading space so we can pick up the sign, if any */
+ while (isspace((unsigned char)*p))
+ p++;
+- if (sep == NULL)
+- sep = "";
++
++ /* While id_t may be 64-bit signed, uid_t and gid_t are 32-bit unsigned. */
+ errno = 0;
+ llval = strtoll(p, &ep, 10);
+- if (ep != p) {
+- /* check for valid separator (including '\0') */
+- do {
+- if (*ep == *sep)
+- valid = true;
+- } while (*sep++ != '\0');
++ if ((errno == ERANGE && llval == LLONG_MAX) || llval > (id_t)UINT_MAX) {
++ errno = ERANGE;
++ if (errstr != NULL)
++ *errstr = N_("value too large");
++ goto done;
+ }
+- if (!valid) {
++ if ((errno == ERANGE && llval == LLONG_MIN) || llval < INT_MIN) {
++ errno = ERANGE;
++ if (errstr != NULL)
++ *errstr = N_("value too small");
++ goto done;
++ }
++
++ /* Disallow id -1, which means "no change". */
++ if (!valid_separator(p, ep, sep) || llval == -1 || llval == (id_t)UINT_MAX) {
+ if (errstr != NULL)
+ *errstr = N_("invalid value");
+ errno = EINVAL;
+ goto done;
+ }
+- if (errno == ERANGE) {
+- if (errstr != NULL) {
+- if (llval == LLONG_MAX)
+- *errstr = N_("value too large");
+- else
+- *errstr = N_("value too small");
+- }
+- goto done;
+- }
+ ret = (id_t)llval;
+ if (errstr != NULL)
+ *errstr = NULL;
+@@ -106,30 +124,15 @@ sudo_strtoid_v1(const char *p, const cha
+ {
+ char *ep;
+ id_t ret = 0;
+- bool valid = false;
+ debug_decl(sudo_strtoid, SUDO_DEBUG_UTIL)
+
+ /* skip leading space so we can pick up the sign, if any */
+ while (isspace((unsigned char)*p))
+ p++;
+- if (sep == NULL)
+- sep = "";
++
+ errno = 0;
+ if (*p == '-') {
+ long lval = strtol(p, &ep, 10);
+- if (ep != p) {
+- /* check for valid separator (including '\0') */
+- do {
+- if (*ep == *sep)
+- valid = true;
+- } while (*sep++ != '\0');
+- }
+- if (!valid) {
+- if (errstr != NULL)
+- *errstr = N_("invalid value");
+- errno = EINVAL;
+- goto done;
+- }
+ if ((errno == ERANGE && lval == LONG_MAX) || lval > INT_MAX) {
+ errno = ERANGE;
+ if (errstr != NULL)
+@@ -142,28 +145,31 @@ sudo_strtoid_v1(const char *p, const cha
+ *errstr = N_("value too small");
+ goto done;
+ }
+- ret = (id_t)lval;
+- } else {
+- unsigned long ulval = strtoul(p, &ep, 10);
+- if (ep != p) {
+- /* check for valid separator (including '\0') */
+- do {
+- if (*ep == *sep)
+- valid = true;
+- } while (*sep++ != '\0');
+- }
+- if (!valid) {
++
++ /* Disallow id -1, which means "no change". */
++ if (!valid_separator(p, ep, sep) || lval == -1) {
+ if (errstr != NULL)
+ *errstr = N_("invalid value");
+ errno = EINVAL;
+ goto done;
+ }
++ ret = (id_t)lval;
++ } else {
++ unsigned long ulval = strtoul(p, &ep, 10);
+ if ((errno == ERANGE && ulval == ULONG_MAX) || ulval > UINT_MAX) {
+ errno = ERANGE;
+ if (errstr != NULL)
+ *errstr = N_("value too large");
+ goto done;
+ }
++
++ /* Disallow id -1, which means "no change". */
++ if (!valid_separator(p, ep, sep) || ulval == UINT_MAX) {
++ if (errstr != NULL)
++ *errstr = N_("invalid value");
++ errno = EINVAL;
++ goto done;
++ }
+ ret = (id_t)ulval;
+ }
+ if (errstr != NULL)
diff --git a/SOURCES/sudo-1.8.29-CVE-2019-18634-part1.patch b/SOURCES/sudo-1.8.29-CVE-2019-18634-part1.patch
new file mode 100644
index 0000000..5b71919
--- /dev/null
+++ b/SOURCES/sudo-1.8.29-CVE-2019-18634-part1.patch
@@ -0,0 +1,158 @@
+diff -up ./src/tgetpass.c.bla ./src/tgetpass.c
+--- ./src/tgetpass.c.bla 2018-08-18 16:10:15.000000000 +0200
++++ ./src/tgetpass.c 2020-02-05 17:15:16.216904891 +0100
+@@ -44,11 +44,18 @@
+ #include "sudo.h"
+ #include "sudo_plugin.h"
+
++enum tgetpass_errval {
++ TGP_ERRVAL_NOERROR,
++ TGP_ERRVAL_TIMEOUT,
++ TGP_ERRVAL_NOPASSWORD,
++ TGP_ERRVAL_READERROR
++};
++
+ static volatile sig_atomic_t signo[NSIG];
+
+ static bool tty_present(void);
+ static void tgetpass_handler(int);
+-static char *getln(int, char *, size_t, int);
++static char *getln(int, char *, size_t, int, enum tgetpass_errval *);
+ static char *sudo_askpass(const char *, const char *);
+
+ static int
+@@ -77,6 +84,27 @@ suspend(int signo, struct sudo_conv_call
+ debug_return_int(ret);
+ }
+
++static void
++tgetpass_display_error(enum tgetpass_errval errval)
++{
++ debug_decl(tgetpass_display_error, SUDO_DEBUG_CONV)
++
++ switch (errval) {
++ case TGP_ERRVAL_NOERROR:
++ break;
++ case TGP_ERRVAL_TIMEOUT:
++ sudo_warnx(U_("timed out reading password"));
++ break;
++ case TGP_ERRVAL_NOPASSWORD:
++ sudo_warnx(U_("no password was provided"));
++ break;
++ case TGP_ERRVAL_READERROR:
++ sudo_warn(U_("unable to read password"));
++ break;
++ }
++ debug_return;
++}
++
+ /*
+ * Like getpass(3) but with timeout and echo flags.
+ */
+@@ -90,6 +118,7 @@ tgetpass(const char *prompt, int timeout
+ static const char *askpass;
+ static char buf[SUDO_CONV_REPL_MAX + 1];
+ int i, input, output, save_errno, neednl = 0, need_restart;
++ enum tgetpass_errval errval;
+ debug_decl(tgetpass, SUDO_DEBUG_CONV)
+
+ (void) fflush(stdout);
+@@ -175,7 +204,7 @@ restart:
+
+ if (timeout > 0)
+ alarm(timeout);
+- pass = getln(input, buf, sizeof(buf), ISSET(flags, TGP_MASK));
++ pass = getln(input, buf, sizeof(buf), ISSET(flags, TGP_MASK), &errval);
+ alarm(0);
+ save_errno = errno;
+
+@@ -183,6 +212,7 @@ restart:
+ if (write(output, "\n", 1) == -1)
+ goto restore;
+ }
++ tgetpass_display_error(errval);
+
+ restore:
+ /* Restore old signal handlers. */
+@@ -210,6 +240,8 @@ restore:
+ for (i = 0; i < NSIG; i++) {
+ if (signo[i]) {
+ switch (i) {
++ case SIGALRM:
++ break;
+ case SIGTSTP:
+ case SIGTTIN:
+ case SIGTTOU:
+@@ -239,6 +271,7 @@ sudo_askpass(const char *askpass, const
+ {
+ static char buf[SUDO_CONV_REPL_MAX + 1], *pass;
+ struct sigaction sa, savechld;
++ enum tgetpass_errval errval;
+ int pfd[2], status;
+ pid_t child;
+ debug_decl(sudo_askpass, SUDO_DEBUG_CONV)
+@@ -281,9 +314,11 @@ sudo_askpass(const char *askpass, const
+
+ /* Get response from child (askpass). */
+ (void) close(pfd[1]);
+- pass = getln(pfd[0], buf, sizeof(buf), 0);
++ pass = getln(pfd[0], buf, sizeof(buf), 0, &errval);
+ (void) close(pfd[0]);
+
++ tgetpass_display_error(errval);
++
+ /* Wait for child to exit. */
+ for (;;) {
+ pid_t rv = waitpid(child, &status, 0);
+@@ -305,7 +340,8 @@ sudo_askpass(const char *askpass, const
+ extern int sudo_term_erase, sudo_term_kill;
+
+ static char *
+-getln(int fd, char *buf, size_t bufsiz, int feedback)
++getln(int fd, char *buf, size_t bufsiz, int feedback,
++ enum tgetpass_errval *errval)
+ {
+ size_t left = bufsiz;
+ ssize_t nr = -1;
+@@ -313,7 +349,10 @@ getln(int fd, char *buf, size_t bufsiz,
+ char c = '\0';
+ debug_decl(getln, SUDO_DEBUG_CONV)
+
++ *errval = TGP_ERRVAL_NOERROR;
++
+ if (left == 0) {
++ *errval = TGP_ERRVAL_READERROR;
+ errno = EINVAL;
+ debug_return_str(NULL); /* sanity */
+ }
+@@ -354,14 +393,27 @@ getln(int fd, char *buf, size_t bufsiz,
+ }
+ }
+
+- debug_return_str_masked(nr == 1 ? buf : NULL);
++ if (nr != 1) {
++ if (nr == 0) {
++ *errval = TGP_ERRVAL_NOPASSWORD;
++ } else if (nr == -1) {
++ if (errno == EINTR) {
++ if (signo[SIGALRM] == 1)
++ *errval = TGP_ERRVAL_TIMEOUT;
++ } else {
++ *errval = TGP_ERRVAL_READERROR;
++ }
++ }
++ debug_return_str(NULL);
++ }
++
++ debug_return_str_masked(buf);
+ }
+
+ static void
+ tgetpass_handler(int s)
+ {
+- if (s != SIGALRM)
+- signo[s] = 1;
++ signo[s] = 1;
+ }
+
+ static bool
diff --git a/SOURCES/sudo-1.8.29-CVE-2019-18634-part2.patch b/SOURCES/sudo-1.8.29-CVE-2019-18634-part2.patch
new file mode 100644
index 0000000..86743ba
--- /dev/null
+++ b/SOURCES/sudo-1.8.29-CVE-2019-18634-part2.patch
@@ -0,0 +1,77 @@
+diff -up ./src/tgetpass.c.CVE-2019-18634 ./src/tgetpass.c
+--- ./src/tgetpass.c.CVE-2019-18634 2020-02-05 17:16:07.601420697 +0100
++++ ./src/tgetpass.c 2020-02-05 17:22:34.206301510 +0100
+@@ -55,7 +55,7 @@ static volatile sig_atomic_t signo[NSIG]
+
+ static bool tty_present(void);
+ static void tgetpass_handler(int);
+-static char *getln(int, char *, size_t, int, enum tgetpass_errval *);
++static char *getln(int, char *, size_t, bool, enum tgetpass_errval *);
+ static char *sudo_askpass(const char *, const char *);
+
+ static int
+@@ -118,6 +118,7 @@ tgetpass(const char *prompt, int timeout
+ static const char *askpass;
+ static char buf[SUDO_CONV_REPL_MAX + 1];
+ int i, input, output, save_errno, neednl = 0, need_restart;
++ bool feedback = ISSET(flags, TGP_MASK);
+ enum tgetpass_errval errval;
+ debug_decl(tgetpass, SUDO_DEBUG_CONV)
+
+@@ -165,7 +166,7 @@ restart:
+ */
+ if (!ISSET(flags, TGP_ECHO)) {
+ for (;;) {
+- if (ISSET(flags, TGP_MASK))
++ if (feedback)
+ neednl = sudo_term_cbreak(input);
+ else
+ neednl = sudo_term_noecho(input);
+@@ -179,6 +180,9 @@ restart:
+ }
+ }
+ }
++ /* Only use feedback mode when we can disable echo. */
++ if (!neednl)
++ feedback = false;
+
+ /*
+ * Catch signals that would otherwise cause the user to end
+@@ -204,7 +208,7 @@ restart:
+
+ if (timeout > 0)
+ alarm(timeout);
+- pass = getln(input, buf, sizeof(buf), ISSET(flags, TGP_MASK), &errval);
++ pass = getln(input, buf, sizeof(buf), feedback, &errval);
+ alarm(0);
+ save_errno = errno;
+
+@@ -340,7 +344,7 @@ sudo_askpass(const char *askpass, const
+ extern int sudo_term_erase, sudo_term_kill;
+
+ static char *
+-getln(int fd, char *buf, size_t bufsiz, int feedback,
++getln(int fd, char *buf, size_t bufsiz, bool feedback,
+ enum tgetpass_errval *errval)
+ {
+ size_t left = bufsiz;
+@@ -366,15 +370,15 @@ getln(int fd, char *buf, size_t bufsiz,
+ while (cp > buf) {
+ if (write(fd, "\b \b", 3) == -1)
+ break;
+- --cp;
++ cp--;
+ }
++ cp = buf;
+ left = bufsiz;
+ continue;
+ } else if (c == sudo_term_erase) {
+ if (cp > buf) {
+- if (write(fd, "\b \b", 3) == -1)
+- break;
+- --cp;
++ ignore_result(write(fd, "\b \b", 3));
++ cp--;
+ left++;
+ }
+ continue;
diff --git a/SPECS/sudo.spec b/SPECS/sudo.spec
index 1059bdd..6cf7ccd 100644
--- a/SPECS/sudo.spec
+++ b/SPECS/sudo.spec
@@ -1,7 +1,7 @@
Summary: Allows restricted root access for specified users
Name: sudo
Version: 1.8.25p1
-Release: 7%{?dist}
+Release: 8%{?dist}.1
License: ISC
Group: Applications/System
URL: http://www.courtesan.com/sudo/
@@ -70,6 +70,14 @@ Patch15: sudo-1.8.25-ldap-backend-parsing-2.patch
# Fix special handling of ipa_hostname that was lost in sudo
Patch16: sudo-1.8.25-ipa-hostname.patch
+# 1760696 - CVE-2019-14287 sudo: Privilege escalation via 'Runas' specification with 'ALL' keyword [rhel-7.8]
+Patch17: sudo-1.8.28-CVE-strtouid.patch
+Patch18: sudo-1.8.28-CVE-strtouid-test.patch
+
+# 1798092 - CVE-2019-18634 sudo: Stack based buffer overflow in when pwfeedback is enabled [rhel-8.1.0.z]
+Patch19: sudo-1.8.29-CVE-2019-18634-part1.patch
+Patch20: sudo-1.8.29-CVE-2019-18634-part2.patch
+
%description
Sudo (superuser do) allows a system administrator to give certain
users (or groups of users) the ability to run some (or all) commands
@@ -112,6 +120,12 @@ plugins that use %{name}.
%patch15 -p1 -b .ldap-backend2
%patch16 -p1 -b .ipa-hostname
+%patch17 -p1 -b .cve-strtouid
+%patch18 -p1 -b .cve-strtouid-test
+
+%patch19 -p1 -b .CVE-2019-18634-part1
+%patch20 -p1 -b .CVE-2019-18634-part2
+
%build
# Remove bundled copy of zlib
rm -rf zlib/
@@ -270,6 +284,16 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man8/sudo_plugin.8*
%changelog
+* Wed Feb 05 2020 Radovan Sroka <rsroka@redhat.com> - 1.8.25p1-8.1
+- RHEL 8.1.0.Z ERRATUM
+- CVE-2019-18634
+Resolves: rhbz#1798092
+
+* Fri Oct 18 2019 Marek Tamaskovic <mtamasko@redhat.com> - 1.8.25p1-8
+- RHEL-8.1.0
+- fixed CVE-2019-14287
+ Resolves: rhbz#1760696
+
* Fri Aug 16 2019 Radovan Sroka <rsroka@redhat.com> - 1.8.25-7
- RHEL 8.1 ERRATUM
- sudo ipa_hostname not honored