diff options
Diffstat (limited to 'main/sudo/CVE-2019-18634.patch')
-rw-r--r-- | main/sudo/CVE-2019-18634.patch | 98 |
1 files changed, 98 insertions, 0 deletions
diff --git a/main/sudo/CVE-2019-18634.patch b/main/sudo/CVE-2019-18634.patch new file mode 100644 index 00000000000..4d0fdd41d5d --- /dev/null +++ b/main/sudo/CVE-2019-18634.patch @@ -0,0 +1,98 @@ +From: "Todd C. Miller" <Todd.Miller@sudo.ws> +Date: Wed, 29 Jan 2020 20:15:21 -0700 +Subject: Fix a buffer overflow when pwfeedback is enabled and input is a not a + tty. In getln() if the user enters ^U (erase line) and the write(2) fails, + the remaining buffer size is reset but the current pointer is not. While + here, fix an incorrect break for erase when write(2) fails. Also disable + pwfeedback when input is not a tty as it cannot work. CVE-2019-18634 Credit: + Joe Vennix from Apple Information Security. +Origin: https://github.com/sudo-project/sudo/commit/b5d2010b6514ff45693509273bb07df3abb0bf0a +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-18634 +Bug-Debian: https://bugs.debian.org/950371 + +--HG-- +branch : 1.8 +[Salvatore Bonaccorso: Backport to 1.8.19p1. Changes from ab2cba0f5d8b ("Print +a warning for password read issues. Issues include: timeout at the password +prompt, read error while reading the password, and EOF reading the password.") +upstream in 1.8.26 changes signature of getln function.] +--- + src/tgetpass.c | 20 ++++++++++++-------- + 1 file changed, 12 insertions(+), 8 deletions(-) + +--- a/src/tgetpass.c ++++ b/src/tgetpass.c +@@ -48,7 +48,7 @@ static volatile sig_atomic_t signo[NSIG] + + static bool tty_present(void); + static void tgetpass_handler(int); +-static char *getln(int, char *, size_t, int); ++static char *getln(int, char *, size_t, bool); + static char *sudo_askpass(const char *, const char *); + + static int +@@ -90,6 +90,7 @@ tgetpass(const char *prompt, int timeout + static const char *askpass; + static char buf[SUDO_CONV_REPL_MAX + 1]; + int i, input, output, save_errno, neednl = 0, need_restart; ++ bool feedback = ISSET(flags, TGP_MASK); + debug_decl(tgetpass, SUDO_DEBUG_CONV) + + (void) fflush(stdout); +@@ -136,7 +137,7 @@ restart: + */ + if (!ISSET(flags, TGP_ECHO)) { + for (;;) { +- if (ISSET(flags, TGP_MASK)) ++ if (feedback) + neednl = sudo_term_cbreak(input); + else + neednl = sudo_term_noecho(input); +@@ -150,6 +151,9 @@ restart: + } + } + } ++ /* Only use feedback mode when we can disable echo. */ ++ if (!neednl) ++ feedback = false; + + /* + * Catch signals that would otherwise cause the user to end +@@ -175,7 +179,7 @@ restart: + + if (timeout > 0) + alarm(timeout); +- pass = getln(input, buf, sizeof(buf), ISSET(flags, TGP_MASK)); ++ pass = getln(input, buf, sizeof(buf), feedback); + alarm(0); + save_errno = errno; + +@@ -294,7 +298,7 @@ sudo_askpass(const char *askpass, const + extern int sudo_term_erase, sudo_term_kill; + + static char * +-getln(int fd, char *buf, size_t bufsiz, int feedback) ++getln(int fd, char *buf, size_t bufsiz, bool feedback) + { + size_t left = bufsiz; + ssize_t nr = -1; +@@ -316,15 +320,15 @@ getln(int fd, char *buf, size_t bufsiz, + while (cp > buf) { + if (write(fd, "\b \b", 3) == -1) + break; +- --cp; ++ cp--; + } ++ cp = buf; + left = bufsiz; + continue; + } else if (c == sudo_term_erase) { + if (cp > buf) { +- if (write(fd, "\b \b", 3) == -1) +- break; +- --cp; ++ ignore_result(write(fd, "\b \b", 3)); ++ cp--; + left++; + } + continue; |