Re: [OE-Core][kirkstone][PATCH] sudo: fix CVE-2022-43995 potential heap overflow for passwords < 8 characters

[Randy MacLeod <randy.macleod@windriver.com>]

Thanks Xiangyu but for kirkstone/langdale I think we should take the 
patch update:
   sudo: upgrade 1.9.12 -> 1.9.12p1
that was sent to the list for master since it includes this CVE fix and 
more bug fixes:

$ git log --oneline SUDO_1_9_12..SUDO_1_9_12p1 | cut -c -99
7a103879a Merge sudo 1.9.12p1 from tip.
3df1e9a07 sudo 1.9.12p1
7ba318470 Include time.h for struct timespec used by sudo_iolog.h.
b2c8e1b1b Display sudo_mode in hex in debug log. This makes it easier to 
match against the MODE_ de
7ec1ee0e5 bsdauth_verify: do not write to prompt, it is now const
d242261dd Store raw sudoers lines in the debug log. Also add a 
"sudoerslex" prefix to the token deb
966731311 The line numbers in sudoers_trace_print() were off by one. The 
line counter is incremente
4da22b101 Make the second arg to the sudo auth verify function const. 
This may be either a plaintex

bd209b9f1 Fix CVE-2022-43995, potential heap overflow for passwords < 8 
characters. Starting with s

c78e78dc5 Move debugging info from hostname_matches() to host_matches().
6a3fb3fd7 Add debugging to sudo_set_grlist() and sudo_set_gidlist().
366217571 configure: better test for -fstack-clash-protection The gcc 
front-end may accept -fstack-
6a2075b67 Check that compiler accepts -fstack-clash-protection and 
-fcf-protection. Previously, we
794449419 Fix compilation error on Linux/mips.
3d2b84ed2 Added tag SUDO_1_9_12 for changeset b53d725f7c88

../Randy

On 2022-11-14 01:27, Xiangyu Chen via lists.openembedded.org wrote:
> Signed-off-by: Xiangyu Chen <xiangyu.chen@eng.windriver.com>
> ---
>   ...95-potential-heap-overflow-for-passw.patch | 57 +++++++++++++++++++
>   meta/recipes-extended/sudo/sudo_1.9.10.bb     |  1 +
>   2 files changed, 58 insertions(+)
>   create mode 100644 meta/recipes-extended/sudo/files/0001-Fix-CVE-2022-43995-potential-heap-overflow-for-passw.patch
>
> diff --git a/meta/recipes-extended/sudo/files/0001-Fix-CVE-2022-43995-potential-heap-overflow-for-passw.patch b/meta/recipes-extended/sudo/files/0001-Fix-CVE-2022-43995-potential-heap-overflow-for-passw.patch
> new file mode 100644
> index 0000000000..be52af27e1
> --- /dev/null
> +++ b/meta/recipes-extended/sudo/files/0001-Fix-CVE-2022-43995-potential-heap-overflow-for-passw.patch
> @@ -0,0 +1,57 @@
> +From bd209b9f16fcd1270c13db27ae3329c677d48050 Mon Sep 17 00:00:00 2001
> +From: "Todd C. Miller" <Todd.Miller@sudo.ws>
> +Date: Fri, 28 Oct 2022 07:29:55 -0600
> +Subject: [PATCH] Fix CVE-2022-43995, potential heap overflow for passwords < 8
> + characters. Starting with sudo 1.8.0 the plaintext password buffer is
> + dynamically sized so it is not safe to assume that it is at least 9 bytes in
> + size. Found by Hugo Lefeuvre (University of Manchester) with ConfFuzz.
> +
> +Upstream-Status: Backport from
> +[https://github.com/sudo-project/sudo/commit/bd209b9f16fcd1270c13db27ae3329c677d48050]
> +
> +Signed-off-by: Xiangyu Chen <xiangyu.chen@eng.windriver.com>
> +---
> + plugins/sudoers/auth/passwd.c | 11 +++++------
> + 1 file changed, 5 insertions(+), 6 deletions(-)
> +
> +diff --git a/plugins/sudoers/auth/passwd.c b/plugins/sudoers/auth/passwd.c
> +index b2046eca2..0416861e9 100644
> +--- a/plugins/sudoers/auth/passwd.c
> ++++ b/plugins/sudoers/auth/passwd.c
> +@@ -63,7 +63,7 @@ sudo_passwd_init(struct passwd *pw, sudo_auth *auth)
> + int
> + sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_conv_callback *callback)
> + {
> +-    char sav, *epass;
> ++    char des_pass[9], *epass;
> +     char *pw_epasswd = auth->data;
> +     size_t pw_len;
> +     int matched = 0;
> +@@ -75,12 +75,12 @@ sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_c
> +
> +     /*
> +      * Truncate to 8 chars if standard DES since not all crypt()'s do this.
> +-     * If this turns out not to be safe we will have to use OS #ifdef's (sigh).
> +      */
> +-    sav = pass[8];
> +     pw_len = strlen(pw_epasswd);
> +-    if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len))
> +-	pass[8] = '\0';
> ++    if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len)) {
> ++	strlcpy(des_pass, pass, sizeof(des_pass));
> ++	pass = des_pass;
> ++    }
> +
> +     /*
> +      * Normal UN*X password check.
> +@@ -88,7 +88,6 @@ sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_c
> +      * only compare the first DESLEN characters in that case.
> +      */
> +     epass = (char *) crypt(pass, pw_epasswd);
> +-    pass[8] = sav;
> +     if (epass != NULL) {
> + 	if (HAS_AGEINFO(pw_epasswd, pw_len) && strlen(epass) == DESLEN)
> + 	    matched = !strncmp(pw_epasswd, epass, DESLEN);
> +--
> +2.34.1
> +
> diff --git a/meta/recipes-extended/sudo/sudo_1.9.10.bb b/meta/recipes-extended/sudo/sudo_1.9.10.bb
> index aa0d814ed7..e1f603a125 100644
> --- a/meta/recipes-extended/sudo/sudo_1.9.10.bb
> +++ b/meta/recipes-extended/sudo/sudo_1.9.10.bb
> @@ -4,6 +4,7 @@ SRC_URI = "https://www.sudo.ws/dist/sudo-${PV}.tar.gz \
>              ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
>              file://0001-sudo.conf.in-fix-conflict-with-multilib.patch \
>              file://0001-lib-util-mksigname.c-correctly-include-header-for-ou.patch \
> +           file://0001-Fix-CVE-2022-43995-potential-heap-overflow-for-passw.patch \
>              "
>   
>   PAM_SRC_URI = "file://sudo.pam"
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#173225): https://lists.openembedded.org/g/openembedded-core/message/173225
> Mute This Topic: https://lists.openembedded.org/mt/95013602/3616765
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [randy.macleod@windriver.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>

-- 
# Randy MacLeod
# Wind River Linux