pkgsrc-Changes archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
CVS commit: pkgsrc/security/sudo
Module Name: pkgsrc
Committed By: taca
Date: Fri Nov 4 00:58:00 UTC 2022
Modified Files:
pkgsrc/security/sudo: Makefile distinfo
Added Files:
pkgsrc/security/sudo/patches: patch-plugins_sudoers_auth_passwd.c
Log Message:
security/sudo: add fix for CVE-2022-43995
Add patch from upstream to fix CVE-2022-43995.
Bump PKGREVISION.
To generate a diff of this commit:
cvs rdiff -u -r1.191 -r1.192 pkgsrc/security/sudo/Makefile
cvs rdiff -u -r1.123 -r1.124 pkgsrc/security/sudo/distinfo
cvs rdiff -u -r0 -r1.1 \
pkgsrc/security/sudo/patches/patch-plugins_sudoers_auth_passwd.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/security/sudo/Makefile
diff -u pkgsrc/security/sudo/Makefile:1.191 pkgsrc/security/sudo/Makefile:1.192
--- pkgsrc/security/sudo/Makefile:1.191 Mon Oct 24 10:29:19 2022
+++ pkgsrc/security/sudo/Makefile Fri Nov 4 00:58:00 2022
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.191 2022/10/24 10:29:19 adam Exp $
+# $NetBSD: Makefile,v 1.192 2022/11/04 00:58:00 taca Exp $
DISTNAME= sudo-1.9.12
+PKGREVISION= 1
CATEGORIES= security
MASTER_SITES= https://www.sudo.ws/dist/
MASTER_SITES+= ftp://ftp.sudo.ws/pub/sudo/
Index: pkgsrc/security/sudo/distinfo
diff -u pkgsrc/security/sudo/distinfo:1.123 pkgsrc/security/sudo/distinfo:1.124
--- pkgsrc/security/sudo/distinfo:1.123 Mon Oct 24 10:29:19 2022
+++ pkgsrc/security/sudo/distinfo Fri Nov 4 00:58:00 2022
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.123 2022/10/24 10:29:19 adam Exp $
+$NetBSD: distinfo,v 1.124 2022/11/04 00:58:00 taca Exp $
BLAKE2s (sudo-1.9.12.tar.gz) = e832414e92c0608e173f8ccb06a1cb8632c3be51b5905580d426b0984b049c0f
SHA512 (sudo-1.9.12.tar.gz) = 34ee165baa2e37ba2530901d49bf0dad30159f27aeccd2519d4719bf93be8281edff71220a49ba2e41dacaa3c58031de1464df48d75a8caea7b9568a76f80b67
@@ -9,4 +9,5 @@ SHA1 (patch-examples_Makefile.in) = a209
SHA1 (patch-lib_logsrv_Makefile.in) = 301c317c806edeee8ce7b44a5431cd38defb3a54
SHA1 (patch-lib_protobuf-c_Makefile.in) = 122e432fb0da36b998778a1b71130f0c3785f575
SHA1 (patch-plugins_sudoers_Makefile.in) = d2981bb9841f6bb4b1c80f5c2f2727fbf9579501
+SHA1 (patch-plugins_sudoers_auth_passwd.c) = 8fc437881e5eedef106037ff746116f8a36889da
SHA1 (patch-src_Makefile.in) = 0642684c2d4b3a89259f7d27908f5ec8070969ec
Added files:
Index: pkgsrc/security/sudo/patches/patch-plugins_sudoers_auth_passwd.c
diff -u /dev/null pkgsrc/security/sudo/patches/patch-plugins_sudoers_auth_passwd.c:1.1
--- /dev/null Fri Nov 4 00:58:00 2022
+++ pkgsrc/security/sudo/patches/patch-plugins_sudoers_auth_passwd.c Fri Nov 4 00:58:00 2022
@@ -0,0 +1,40 @@
+$NetBSD: patch-plugins_sudoers_auth_passwd.c,v 1.1 2022/11/04 00:58:00 taca Exp $
+
+Fix CVE-2022-43995 from upstream commit.
+
+--- plugins/sudoers/auth/passwd.c.orig 2022-06-12 18:46:46.000000000 +0000
++++ plugins/sudoers/auth/passwd.c
+@@ -63,7 +63,7 @@ sudo_passwd_init(struct passwd *pw, sudo
+ int
+ sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_conv_callback *callback)
+ {
+- char sav, *epass;
++ char des_pass[9], *epass;
+ char *pw_epasswd = auth->data;
+ size_t pw_len;
+ int matched = 0;
+@@ -75,12 +75,12 @@ sudo_passwd_verify(struct passwd *pw, ch
+
+ /*
+ * Truncate to 8 chars if standard DES since not all crypt()'s do this.
+- * If this turns out not to be safe we will have to use OS #ifdef's (sigh).
+ */
+- sav = pass[8];
+ pw_len = strlen(pw_epasswd);
+- if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len))
+- pass[8] = '\0';
++ if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len)) {
++ strlcpy(des_pass, pass, sizeof(des_pass));
++ pass = des_pass;
++ }
+
+ /*
+ * Normal UN*X password check.
+@@ -88,7 +88,6 @@ sudo_passwd_verify(struct passwd *pw, ch
+ * only compare the first DESLEN characters in that case.
+ */
+ epass = (char *) crypt(pass, pw_epasswd);
+- pass[8] = sav;
+ if (epass != NULL) {
+ if (HAS_AGEINFO(pw_epasswd, pw_len) && strlen(epass) == DESLEN)
+ matched = !strncmp(pw_epasswd, epass, DESLEN);
Home |
Main Index |
Thread Index |
Old Index