diff options
author | Jakub Jirutka <jakub@jirutka.cz> | 2020-02-05 11:11:22 +0100 |
---|---|---|
committer | Jakub Jirutka <jakub@jirutka.cz> | 2020-02-05 11:13:03 +0100 |
commit | 335b433870315222476ab36d3844ac5782cfddbe (patch) | |
tree | ad7b3f968a023c12ef7f031e7583f27a161c23fa | |
parent | 3646eb84251dca32277b87ee540ad7062a909687 (diff) |
main/sudo: fix CVE-2019-18634
-rw-r--r-- | main/sudo/APKBUILD | 8 | ||||
-rw-r--r-- | main/sudo/CVE-2019-18634.patch | 95 |
2 files changed, 101 insertions, 2 deletions
diff --git a/main/sudo/APKBUILD b/main/sudo/APKBUILD index c6b71e01af4..7e592f9fdc1 100644 --- a/main/sudo/APKBUILD +++ b/main/sudo/APKBUILD @@ -8,7 +8,7 @@ if [ "${pkgver%_*}" != "$pkgver" ]; then else _realver=$pkgver fi -pkgrel=1 +pkgrel=2 pkgdesc="Give certain users the ability to run some commands as root" url="https://www.sudo.ws/sudo/" arch="all" @@ -22,10 +22,13 @@ source="https://www.sudo.ws/dist/sudo-${_realver}.tar.gz libcrypt.patch sudo-cvtsudoers.patch CVE-2019-14287.patch + CVE-2019-18634.patch " options="suid" # secfixes: +# 1.8.27-r2: +# - CVE-2019-18634 # 1.8.27-r1: # - CVE-2019-14287 # 1.8.20_p2-r0: @@ -70,4 +73,5 @@ f0f462f40502da2194310fe4a72ec1a16ba40f95a821ba9aa6aabaa423d28c4ab26b684afa7fb81c b2d7816d334826545420c578114e5af361ced65c00e5bfc2e0b16f3c9325aa9d2b902defeebb181da3cf7bc6aba3a59a496293d2f11d83c9793f11138ba50343 fix-tests.patch 0fa06d13d202ee5ab58596413a7498b3e9b6925e87385bb876f5e0b29b22010a84918686a5974de87392ab18158e883da343fe6a14448a4e273eaa1bb81f5995 libcrypt.patch a4a219c16cd353b54f69b74ce7383b90f89745351776bd91bfccb63a2211fa84177719634d4e7e753cf22a8b175d797a474416ffac66d4aee31d3b8e28bfabd1 sudo-cvtsudoers.patch -bad0eda3a7473e4b13d2d9744c41d37bd1c2f4a50491e7e6c6e2cdb67f98eea5d595ead70ab7ac93444d41d1c9f65d83e67f905614869b9df0bd59365fefae1f CVE-2019-14287.patch" +bad0eda3a7473e4b13d2d9744c41d37bd1c2f4a50491e7e6c6e2cdb67f98eea5d595ead70ab7ac93444d41d1c9f65d83e67f905614869b9df0bd59365fefae1f CVE-2019-14287.patch +2e701aecd05f2a9b77e77f43e91d748794661dabfc7a0826bea41a9668220a1889f273568b67632829df7dba66ad3d2e0e73513ca59753c1c8e64967f0e705f8 CVE-2019-18634.patch" diff --git a/main/sudo/CVE-2019-18634.patch b/main/sudo/CVE-2019-18634.patch new file mode 100644 index 00000000000..5d6f227b3f5 --- /dev/null +++ b/main/sudo/CVE-2019-18634.patch @@ -0,0 +1,95 @@ +From: "Todd C. Miller" <Todd.Miller@sudo.ws> +Date: Wed, 29 Jan 2020 20:15:21 -0700 +Subject: Fix a buffer overflow when pwfeedback is enabled and input is a not a + tty. In getln() if the user enters ^U (erase line) and the write(2) fails, + the remaining buffer size is reset but the current pointer is not. While + here, fix an incorrect break for erase when write(2) fails. Also disable + pwfeedback when input is not a tty as it cannot work. CVE-2019-18634 Credit: + Joe Vennix from Apple Information Security. +Origin: https://github.com/sudo-project/sudo/commit/b5d2010b6514ff45693509273bb07df3abb0bf0a +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-18634 +Bug-Debian: https://bugs.debian.org/950371 + +--HG-- +branch : 1.8 +[Salvatore Bonaccorso: Backport to 1.8.27 for context changes] +--- + src/tgetpass.c | 20 ++++++++++++-------- + 1 file changed, 12 insertions(+), 8 deletions(-) + +--- a/src/tgetpass.c ++++ b/src/tgetpass.c +@@ -60,7 +60,7 @@ static volatile sig_atomic_t signo[NSIG] + + static bool tty_present(void); + static void tgetpass_handler(int); +-static char *getln(int, char *, size_t, int, enum tgetpass_errval *); ++static char *getln(int, char *, size_t, bool, enum tgetpass_errval *); + static char *sudo_askpass(const char *, const char *); + + static int +@@ -123,6 +123,7 @@ tgetpass(const char *prompt, int timeout + static const char *askpass; + static char buf[SUDO_CONV_REPL_MAX + 1]; + int i, input, output, save_errno, neednl = 0, need_restart; ++ bool feedback = ISSET(flags, TGP_MASK); + enum tgetpass_errval errval; + debug_decl(tgetpass, SUDO_DEBUG_CONV) + +@@ -170,7 +171,7 @@ restart: + */ + if (!ISSET(flags, TGP_ECHO)) { + for (;;) { +- if (ISSET(flags, TGP_MASK)) ++ if (feedback) + neednl = sudo_term_cbreak(input); + else + neednl = sudo_term_noecho(input); +@@ -184,6 +185,9 @@ restart: + } + } + } ++ /* Only use feedback mode when we can disable echo. */ ++ if (!neednl) ++ feedback = false; + + /* + * Catch signals that would otherwise cause the user to end +@@ -209,7 +213,7 @@ restart: + + if (timeout > 0) + alarm(timeout); +- pass = getln(input, buf, sizeof(buf), ISSET(flags, TGP_MASK), &errval); ++ pass = getln(input, buf, sizeof(buf), feedback, &errval); + alarm(0); + save_errno = errno; + +@@ -345,7 +349,7 @@ sudo_askpass(const char *askpass, const + extern int sudo_term_eof, sudo_term_erase, sudo_term_kill; + + static char * +-getln(int fd, char *buf, size_t bufsiz, int feedback, ++getln(int fd, char *buf, size_t bufsiz, bool feedback, + enum tgetpass_errval *errval) + { + size_t left = bufsiz; +@@ -374,15 +378,15 @@ getln(int fd, char *buf, size_t bufsiz, + while (cp > buf) { + if (write(fd, "\b \b", 3) == -1) + break; +- --cp; ++ cp--; + } ++ cp = buf; + left = bufsiz; + continue; + } else if (c == sudo_term_erase) { + if (cp > buf) { +- if (write(fd, "\b \b", 3) == -1) +- break; +- --cp; ++ ignore_result(write(fd, "\b \b", 3)); ++ cp--; + left++; + } + continue; |