From: Randy MacLeod <randy.macleod@windriver.com>
To: xiangyu.chen@windriver.com,
openembedded-core@lists.openembedded.org,
"steve@sakoman.com" <steve@sakoman.com>
Cc: Xiangyu Chen <xiangyu.chen@eng.windriver.com>
Subject: Re: [OE-Core][kirkstone][PATCH] sudo: fix CVE-2022-43995 potential heap overflow for passwords < 8 characters
Date: Tue, 15 Nov 2022 14:21:34 -0400
Message-ID: <2c017856-14ae-b64d-9ade-1a40d6d5c3bd@windriver.com>
In-Reply-To: <1c2bdea8-c90a-cc38-93aa-e73343395714@windriver.com>
On 2022-11-15 14:08, Randy MacLeod wrote:
> Thanks Xiangyu but for kirkstone/langdale I think we should take the
> patch update:
> sudo: upgrade 1.9.12 -> 1.9.12p1
> that was sent to the list for master since it includes this CVE fix
> and more bug fixes:
>
> $ git log --oneline SUDO_1_9_12..SUDO_1_9_12p1 | cut -c -99
Oops, I'm wrong. Please consider taking the patch backport for now.
This patch is for 1.9.10 and master is on 1.9.12 going to 1.9.12p1.
It may be sensible to update from 1.9.10 to 1.9.12p1 but I haven't looked
at that yet. It seems that the 'sudo-1.9' branch (1) is stable so
someone should look into the list of changes made on that branch to see
how disciplined the sudo maintainers have been.
../Randy
1)
$ cd .../sudo.git
$ git branch -a
main
master
* sudo-1.9
remotes/origin/HEAD -> origin/master
remotes/origin/audit-server-tls-support
remotes/origin/main
remotes/origin/master
remotes/origin/sudo-1.7
remotes/origin/sudo-1.8
remotes/origin/sudo-1.9
remotes/origin/sudoers-iolog-tls
remotes/origin/tls-config-default-values
$ git branch -a --contains SUDO_1_9_10
* sudo-1.9
remotes/origin/sudo-1.9
$ git branch -a --contains SUDO_1_9_12p1
* sudo-1.9
remotes/origin/sudo-1.9
> 7a103879a Merge sudo 1.9.12p1 from tip.
> 3df1e9a07 sudo 1.9.12p1
> 7ba318470 Include time.h for struct timespec used by sudo_iolog.h.
> b2c8e1b1b Display sudo_mode in hex in debug log. This makes it easier
> to match against the MODE_ de
> 7ec1ee0e5 bsdauth_verify: do not write to prompt, it is now const
> d242261dd Store raw sudoers lines in the debug log. Also add a
> "sudoerslex" prefix to the token deb
> 966731311 The line numbers in sudoers_trace_print() were off by one.
> The line counter is incremente
> 4da22b101 Make the second arg to the sudo auth verify function const.
> This may be either a plaintex
>
> bd209b9f1 Fix CVE-2022-43995, potential heap overflow for passwords <
> 8 characters. Starting with s
>
> c78e78dc5 Move debugging info from hostname_matches() to host_matches().
> 6a3fb3fd7 Add debugging to sudo_set_grlist() and sudo_set_gidlist().
> 366217571 configure: better test for -fstack-clash-protection The gcc
> front-end may accept -fstack-
> 6a2075b67 Check that compiler accepts -fstack-clash-protection and
> -fcf-protection. Previously, we
> 794449419 Fix compilation error on Linux/mips.
> 3d2b84ed2 Added tag SUDO_1_9_12 for changeset b53d725f7c88
>
> ../Randy
>
> On 2022-11-14 01:27, Xiangyu Chen via lists.openembedded.org wrote:
>> Signed-off-by: Xiangyu Chen <xiangyu.chen@eng.windriver.com>
>> ---
>> ...95-potential-heap-overflow-for-passw.patch | 57 +++++++++++++++++++
>> meta/recipes-extended/sudo/sudo_1.9.10.bb | 1 +
>> 2 files changed, 58 insertions(+)
>> create mode 100644
>> meta/recipes-extended/sudo/files/0001-Fix-CVE-2022-43995-potential-heap-overflow-for-passw.patch
>>
>> diff --git
>> a/meta/recipes-extended/sudo/files/0001-Fix-CVE-2022-43995-potential-heap-overflow-for-passw.patch
>> b/meta/recipes-extended/sudo/files/0001-Fix-CVE-2022-43995-potential-heap-overflow-for-passw.patch
>>
>> new file mode 100644
>> index 0000000000..be52af27e1
>> --- /dev/null
>> +++
>> b/meta/recipes-extended/sudo/files/0001-Fix-CVE-2022-43995-potential-heap-overflow-for-passw.patch
>> @@ -0,0 +1,57 @@
>> +From bd209b9f16fcd1270c13db27ae3329c677d48050 Mon Sep 17 00:00:00 2001
>> +From: "Todd C. Miller" <Todd.Miller@sudo.ws>
>> +Date: Fri, 28 Oct 2022 07:29:55 -0600
>> +Subject: [PATCH] Fix CVE-2022-43995, potential heap overflow for
>> passwords < 8
>> + characters. Starting with sudo 1.8.0 the plaintext password buffer is
>> + dynamically sized so it is not safe to assume that it is at least 9
>> bytes in
>> + size. Found by Hugo Lefeuvre (University of Manchester) with ConfFuzz.
>> +
>> +Upstream-Status: Backport from
>> +[https://github.com/sudo-project/sudo/commit/bd209b9f16fcd1270c13db27ae3329c677d48050]
>>
>> +
>> +Signed-off-by: Xiangyu Chen <xiangyu.chen@eng.windriver.com>
>> +---
>> + plugins/sudoers/auth/passwd.c | 11 +++++------
>> + 1 file changed, 5 insertions(+), 6 deletions(-)
>> +
>> +diff --git a/plugins/sudoers/auth/passwd.c
>> b/plugins/sudoers/auth/passwd.c
>> +index b2046eca2..0416861e9 100644
>> +--- a/plugins/sudoers/auth/passwd.c
>> ++++ b/plugins/sudoers/auth/passwd.c
>> +@@ -63,7 +63,7 @@ sudo_passwd_init(struct passwd *pw, sudo_auth *auth)
>> + int
>> + sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth,
>> struct sudo_conv_callback *callback)
>> + {
>> +- char sav, *epass;
>> ++ char des_pass[9], *epass;
>> + char *pw_epasswd = auth->data;
>> + size_t pw_len;
>> + int matched = 0;
>> +@@ -75,12 +75,12 @@ sudo_passwd_verify(struct passwd *pw, char
>> *pass, sudo_auth *auth, struct sudo_c
>> +
>> + /*
>> + * Truncate to 8 chars if standard DES since not all crypt()'s
>> do this.
>> +- * If this turns out not to be safe we will have to use OS
>> #ifdef's (sigh).
>> + */
>> +- sav = pass[8];
>> + pw_len = strlen(pw_epasswd);
>> +- if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len))
>> +- pass[8] = '\0';
>> ++ if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len)) {
>> ++ strlcpy(des_pass, pass, sizeof(des_pass));
>> ++ pass = des_pass;
>> ++ }
>> +
>> + /*
>> + * Normal UN*X password check.
>> +@@ -88,7 +88,6 @@ sudo_passwd_verify(struct passwd *pw, char *pass,
>> sudo_auth *auth, struct sudo_c
>> + * only compare the first DESLEN characters in that case.
>> + */
>> + epass = (char *) crypt(pass, pw_epasswd);
>> +- pass[8] = sav;
>> + if (epass != NULL) {
>> + if (HAS_AGEINFO(pw_epasswd, pw_len) && strlen(epass) == DESLEN)
>> + matched = !strncmp(pw_epasswd, epass, DESLEN);
>> +--
>> +2.34.1
>> +
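Review bot: the `Upstream-Status` header in this patch file is split over two lines (`+Upstream-Status: Backport from` followed by `+[https://github.com/sudo-project/sudo/commit/bd209b9f16fcd1270c13db27ae3329c677d48050]`); the OE convention is a single line of the form `Upstream-Status: Backport [https://github.com/sudo-project/sudo/commit/bd209b9f16fcd1270c13db27ae3329c677d48050]`, and a `CVE: CVE-2022-43995` line should be added next to it so cve-check records the fix from the tag rather than only from the file name. The code change itself matches upstream and is sound: with `char des_pass[9]` and `strlcpy(des_pass, pass, sizeof(des_pass))`, the DES truncation path now works on a NUL-terminated copy of at most 8 characters, so the removed `sav = pass[8]` / `pass[8] = '\0'` / `pass[8] = sav` no longer read or write one byte past a dynamically sized buffer that holds a password shorter than 8 characters. One defensive point to raise upstream rather than change in this backport: `des_pass` is a stack copy of the first 8 plaintext bytes and is not cleared before `sudo_passwd_verify` returns; an `explicit_bzero(des_pass, sizeof(des_pass))` after the `crypt()` call would avoid leaving them on the stack.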
>> diff --git a/meta/recipes-extended/sudo/sudo_1.9.10.bb
>> b/meta/recipes-extended/sudo/sudo_1.9.10.bb
>> index aa0d814ed7..e1f603a125 100644
>> --- a/meta/recipes-extended/sudo/sudo_1.9.10.bb
>> +++ b/meta/recipes-extended/sudo/sudo_1.9.10.bb
>> @@ -4,6 +4,7 @@ SRC_URI = "https://www.sudo.ws/dist/sudo-${PV}.tar.gz \
>> ${@bb.utils.contains('DISTRO_FEATURES', 'pam',
>> '${PAM_SRC_URI}', '', d)} \
>> file://0001-sudo.conf.in-fix-conflict-with-multilib.patch \
>> file://0001-lib-util-mksigname.c-correctly-include-header-for-ou.patch \
>> +
>> file://0001-Fix-CVE-2022-43995-potential-heap-overflow-for-passw.patch \
>> "
>> PAM_SRC_URI = "file://sudo.pam"
>>
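Review bot: the added SRC_URI entry appears as a bare `+` on one line with `file://0001-Fix-CVE-2022-43995-potential-heap-overflow-for-passw.patch \` on the next; if that is how the patch was sent rather than an artefact of the archive rendering, `git am` will fail with a corrupt hunk, so please confirm the addition is the single indented line `file://0001-Fix-CVE-2022-43995-potential-heap-overflow-for-passw.patch \` matching the two `file://` entries above it. Otherwise appending it after the existing patches is consistent with the rest of the list, and since the file name carries the CVE identifier, cve-check will mark CVE-2022-43995 as patched once this lands.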
>
--
# Randy MacLeod
# Wind River Linux
Thread overview: 4+ messages
2022-11-14 5:27 [OE-Core][kirkstone][PATCH] sudo: fix CVE-2022-43995 potential heap overflow for passwords < 8 characters Xiangyu Chen
2022-11-15 18:08 ` Randy MacLeod
2022-11-15 18:21 ` Randy MacLeod [this message]
2022-11-17 10:05 ` Xiangyu Chen