Re: [OE-Core][kirkstone][PATCH] sudo: fix CVE-2022-43995 potential heap overflow for passwords < 8 characters

[Xiangyu Chen <xiangyu.chen@eng.windriver.com>]

On 11/16/22 02:21, Randy MacLeod wrote:
> On 2022-11-15 14:08, Randy MacLeod wrote:
>> Thanks Xiangyu but for kirkstone/langdale I think we should take the 
>> patch update:
>>   sudo: upgrade 1.9.12 -> 1.9.12p1
>> that was sent to the list for master since it includes this CVE fix 
>> and more bug fixes:
>>
>> $ git log --oneline SUDO_1_9_12..SUDO_1_9_12p1 | cut -c -99
> Oops, I'm wrong. Please consider taking the patch backport for now.
>
> This patch is for 1.9.10 and master is on 1.9.12 going to 1.9.12p1.
>
> It may be sensible to update from 1.9.10 to 1.9.12p1 but I haven't looked
> at that yet. It seems that the 'sudo-1.9' branch (1) is stable so 
> someone should
> look into the list of changes made on that branch to see how 
> disciplined the sudo maintainers
> have been.
>
>
> ../Randy


Hi Steve and Randy,


Could you please ignore this patch.

I checked the sudo 1.9 branch from 1.9.10 to 1.9.12p1, most of commits 
are bug fix/security fix, and others like test/debug/output string changes.

So, we can take a small upgrade from 1.9.10 to 1.9.12p1.

Another patch has been sent to the list:

for kirkstone:

https://lists.openembedded.org/g/openembedded-core/message/173409 / 
https://patchwork.yoctoproject.org/project/oe-core/patch/20221117095236.2423969-1-xiangyu.chen@eng.windriver.com/

for langdale:

https://lists.openembedded.org/g/openembedded-core/message/173410 / 
https://patchwork.yoctoproject.org/project/oe-core/patch/20221117095450.2424717-1-xiangyu.chen@eng.windriver.com/


Thanks;


Br,

Xiangyu


>
> 1)
>
> $ cd .../sudo.git
>
> $git branch -a
>   main
>   master
> * sudo-1.9
>   remotes/origin/HEAD -> origin/master
>   remotes/origin/audit-server-tls-support
>   remotes/origin/main
>   remotes/origin/master
>   remotes/origin/sudo-1.7
>   remotes/origin/sudo-1.8
>   remotes/origin/sudo-1.9
>   remotes/origin/sudoers-iolog-tls
>   remotes/origin/tls-config-default-values
>
> $ git branch -a --contains SUDO_1_9_10
> * sudo-1.9
>   remotes/origin/sudo-1.9
>
> $ git branch -a --contains SUDO_1_9_12p1
> * sudo-1.9
>   remotes/origin/sudo-1.9
>
>> 7a103879a Merge sudo 1.9.12p1 from tip.
>> 3df1e9a07 sudo 1.9.12p1
>> 7ba318470 Include time.h for struct timespec used by sudo_iolog.h.
>> b2c8e1b1b Display sudo_mode in hex in debug log. This makes it easier 
>> to match against the MODE_ de
>> 7ec1ee0e5 bsdauth_verify: do not write to prompt, it is now const
>> d242261dd Store raw sudoers lines in the debug log. Also add a 
>> "sudoerslex" prefix to the token deb
>> 966731311 The line numbers in sudoers_trace_print() were off by one. 
>> The line counter is incremente
>> 4da22b101 Make the second arg to the sudo auth verify function const. 
>> This may be either a plaintex
>>
>> bd209b9f1 Fix CVE-2022-43995, potential heap overflow for passwords < 
>> 8 characters. Starting with s
>>
>> c78e78dc5 Move debugging info from hostname_matches() to host_matches().
>> 6a3fb3fd7 Add debugging to sudo_set_grlist() and sudo_set_gidlist().
>> 366217571 configure: better test for -fstack-clash-protection The gcc 
>> front-end may accept -fstack-
>> 6a2075b67 Check that compiler accepts -fstack-clash-protection and 
>> -fcf-protection. Previously, we
>> 794449419 Fix compilation error on Linux/mips.
>> 3d2b84ed2 Added tag SUDO_1_9_12 for changeset b53d725f7c88
>>
>> ../Randy
>>
>> On 2022-11-14 01:27, Xiangyu Chen via lists.openembedded.org wrote:
>>> Signed-off-by: Xiangyu Chen <xiangyu.chen@eng.windriver.com>
>>> ---
>>>   ...95-potential-heap-overflow-for-passw.patch | 57 
>>> +++++++++++++++++++
>>>   meta/recipes-extended/sudo/sudo_1.9.10.bb     |  1 +
>>>   2 files changed, 58 insertions(+)
>>>   create mode 100644 
>>> meta/recipes-extended/sudo/files/0001-Fix-CVE-2022-43995-potential-heap-overflow-for-passw.patch
>>>
>>> diff --git 
>>> a/meta/recipes-extended/sudo/files/0001-Fix-CVE-2022-43995-potential-heap-overflow-for-passw.patch 
>>> b/meta/recipes-extended/sudo/files/0001-Fix-CVE-2022-43995-potential-heap-overflow-for-passw.patch 
>>>
>>> new file mode 100644
>>> index 0000000000..be52af27e1
>>> --- /dev/null
>>> +++ 
>>> b/meta/recipes-extended/sudo/files/0001-Fix-CVE-2022-43995-potential-heap-overflow-for-passw.patch
>>> @@ -0,0 +1,57 @@
>>> +From bd209b9f16fcd1270c13db27ae3329c677d48050 Mon Sep 17 00:00:00 2001
>>> +From: "Todd C. Miller" <Todd.Miller@sudo.ws>
>>> +Date: Fri, 28 Oct 2022 07:29:55 -0600
>>> +Subject: [PATCH] Fix CVE-2022-43995, potential heap overflow for 
>>> passwords < 8
>>> + characters. Starting with sudo 1.8.0 the plaintext password buffer is
>>> + dynamically sized so it is not safe to assume that it is at least 
>>> 9 bytes in
>>> + size. Found by Hugo Lefeuvre (University of Manchester) with 
>>> ConfFuzz.
>>> +
>>> +Upstream-Status: Backport from
>>> +[https://github.com/sudo-project/sudo/commit/bd209b9f16fcd1270c13db27ae3329c677d48050] 
>>>
>>> +
>>> +Signed-off-by: Xiangyu Chen <xiangyu.chen@eng.windriver.com>
>>> +---
>>> + plugins/sudoers/auth/passwd.c | 11 +++++------
>>> + 1 file changed, 5 insertions(+), 6 deletions(-)
>>> +
>>> +diff --git a/plugins/sudoers/auth/passwd.c 
>>> b/plugins/sudoers/auth/passwd.c
>>> +index b2046eca2..0416861e9 100644
>>> +--- a/plugins/sudoers/auth/passwd.c
>>> ++++ b/plugins/sudoers/auth/passwd.c
>>> +@@ -63,7 +63,7 @@ sudo_passwd_init(struct passwd *pw, sudo_auth *auth)
>>> + int
>>> + sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, 
>>> struct sudo_conv_callback *callback)
>>> + {
>>> +-    char sav, *epass;
>>> ++    char des_pass[9], *epass;
>>> +     char *pw_epasswd = auth->data;
>>> +     size_t pw_len;
>>> +     int matched = 0;
>>> +@@ -75,12 +75,12 @@ sudo_passwd_verify(struct passwd *pw, char 
>>> *pass, sudo_auth *auth, struct sudo_c
>>> +
>>> +     /*
>>> +      * Truncate to 8 chars if standard DES since not all crypt()'s 
>>> do this.
>>> +-     * If this turns out not to be safe we will have to use OS 
>>> #ifdef's (sigh).
>>> +      */
>>> +-    sav = pass[8];
>>> +     pw_len = strlen(pw_epasswd);
>>> +-    if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len))
>>> +-    pass[8] = '\0';
>>> ++    if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len)) {
>>> ++    strlcpy(des_pass, pass, sizeof(des_pass));
>>> ++    pass = des_pass;
>>> ++    }
>>> +
>>> +     /*
>>> +      * Normal UN*X password check.
>>> +@@ -88,7 +88,6 @@ sudo_passwd_verify(struct passwd *pw, char *pass, 
>>> sudo_auth *auth, struct sudo_c
>>> +      * only compare the first DESLEN characters in that case.
>>> +      */
>>> +     epass = (char *) crypt(pass, pw_epasswd);
>>> +-    pass[8] = sav;
>>> +     if (epass != NULL) {
>>> +     if (HAS_AGEINFO(pw_epasswd, pw_len) && strlen(epass) == DESLEN)
>>> +         matched = !strncmp(pw_epasswd, epass, DESLEN);
>>> +--
>>> +2.34.1
>>> +
>>> diff --git a/meta/recipes-extended/sudo/sudo_1.9.10.bb 
>>> b/meta/recipes-extended/sudo/sudo_1.9.10.bb
>>> index aa0d814ed7..e1f603a125 100644
>>> --- a/meta/recipes-extended/sudo/sudo_1.9.10.bb
>>> +++ b/meta/recipes-extended/sudo/sudo_1.9.10.bb
>>> @@ -4,6 +4,7 @@ SRC_URI = "https://www.sudo.ws/dist/sudo-${PV}.tar.gz \
>>>              ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 
>>> '${PAM_SRC_URI}', '', d)} \
>>> file://0001-sudo.conf.in-fix-conflict-with-multilib.patch \
>>> file://0001-lib-util-mksigname.c-correctly-include-header-for-ou.patch 
>>> \
>>> + 
>>> file://0001-Fix-CVE-2022-43995-potential-heap-overflow-for-passw.patch 
>>> \
>>>              "
>>>     PAM_SRC_URI = "file://sudo.pam"
>>>
>>> -=-=-=-=-=-=-=-=-=-=-=-
>>> Links: You receive all messages sent to this group.
>>> View/Reply Online (#173225): 
>>> https://lists.openembedded.org/g/openembedded-core/message/173225
>>> Mute This Topic: https://lists.openembedded.org/mt/95013602/3616765
>>> Group Owner: openembedded-core+owner@lists.openembedded.org
>>> Unsubscribe: 
>>> https://lists.openembedded.org/g/openembedded-core/unsub 
>>> [randy.macleod@windriver.com]
>>> -=-=-=-=-=-=-=-=-=-=-=-
>>>
>>
>