Pullup ticket #6702 - requested by taca

security/sudo: security fix

Revisions pulled up:
- security/sudo/Makefile                                        1.191-1.192
- security/sudo/PLIST                                           1.23
- security/sudo/distinfo                                        1.123-1.124
- security/sudo/patches/patch-plugins_sudoers_auth_passwd.c     1.1

---
   Module Name:	pkgsrc
   Committed By:	adam
   Date:		Mon Oct 24 10:29:20 UTC 2022

   Modified Files:
   	pkgsrc/security/sudo: Makefile PLIST distinfo

   Log Message:
   sudo: updated to 1.9.12

   What's new in Sudo 1.9.12

    * Fixed a bug in the ptrace-based intercept mode where the current
      working directory could include garbage at the end.

    * Fixed a compilation error on systems that lack the stdint.h
      header.

    * Fixed a bug when logging the command's exit status in intercept
      mode.  The wrong command could be logged with the exit status.

    * For ptrace-based intercept mode, sudo will now attempt to
      verify that the command path name, arguments and environment
      have not changed from the time when they were authorized by the
      security policy.  The new "intercept_verify" sudoers setting can
      be used to control this behavior.

    * Fixed running commands with a relative path (e.g. ./foo) in
      intercept mode.  Previously, this would fail if sudo's current
      working directory was different from that of the command.

    * Sudo now supports passing the execve(2) system call the NULL
      pointer for the `argv` and/or `envp` arguments when in intercept
      mode.  Linux treats a NULL pointer like an empty array.

    * The sudoers LDAP schema now allows sudoUser, sudoRunasUser and
      sudoRunasGroup to include UTF-8 characters, not just 7-bit ASCII.

    * Fixed a problem with "sudo -i" on SELinux when the target user's
      home directory is not searchable by sudo.

    * Neovim has been added to the list of visudo editors that support
      passing the line number on the command line.

    * Fixed a bug in sudo's SHA384 and SHA512 message digest padding.

    * Added a new "-N" (--no-update) command line option to sudo which
      can be used to prevent sudo from updating the user's cached
      credentials.  It is now possible to determine whether or not a
      user's cached credentials are currently valid by running:

           $ sudo -Nnv

      and checking the exit value.  One use case for this is to indicate
      in a shell prompt that sudo is "active" for the user.

    * PAM approval modules are no longer invoked when running sub-commands
      in intercept mode unless the "intercept_authenticate" option is set.
      There is a substantial performance penalty for calling into PAM
      for each command run.  PAM approval modules are still called for
      the initial command.

    * Intercept mode on Linux now uses process_vm_readv(2) and
      process_vm_writev(2) if available.

    * The XDG_CURRENT_DESKTOP environment variable is now preserved
      by default.  This makes it possible for graphical applications
      to choose the correct theme when run via sudo.

    * On 64-bit systems, if sudo fails to load a sudoers group plugin,
      it will use system-specific heuristics to try to locate a 64-bit
      version of the plugin.

    * The cvtsudoers manual now documents the JSON and CSV output
      formats.

    * Fixed a bug where sub-commands were not being logged to a remote
      log server when log_subcmds was enabled.

    * The new log_stdin, log_stdout, log_stderr, log_ttyin, and log_ttyout
      sudoers settings can be used to support more fine-grained I/O logging.
      The sudo front-end no longer allocates a pseudo-terminal when running
      a command if the I/O logging plugin requests logging of stdin, stdout,
      or stderr but not terminal input/output.

    * Quieted a libgcrypt run-time initialization warning.

    * Fixed a bug in visudo that caused literal backslashes to be removed
      from the EDITOR environment variable.

    * The sudo Python plugin now implements the "find_spec" method instead
      of the the deprecated "find_module".  This fixes a test failure when
      a newer version of setuptools that doesn't include "find_module" is
      found on the system.

    * Fixed a bug introduced in sudo 1.9.9 where sudo_logsrvd created
      the process ID file, usually /var/run/sudo/sudo_logsrvd.pid, as
      a directory instead of a plain file.  The same bug could result
      in I/O log directories that end in six or more X's being created
      literally in addition to the name being used as a template for
      the mkdtemp(3) function.

    * Fixed a long-standing bug where a sudoers rule with a command
      line argument of "", which indicates the command may be run with
      no arguments, would also match a literal "" on the command line.

    * Added the -I option to visudo which only edits the main sudoers
      file.  Include files are not edited unless a syntax error is found.

    * Fixed "sudo -l -U otheruser" output when the runas list is empty.
      Previously, sudo would list the invoking user instead of the
      list user.

    * Fixed the display of command tags and options in "sudo -l" output
      when the RunAs user or group changes.  A new line is started for
      RunAs changes which means we need to display the command tags
      and options again.

    * The sesh helper program now uses getopt_long(3) to parse the
      command line options.

    * The embedded copy of zlib has been updated to version 1.2.13.

    * Fixed a bug that prevented event log data from being sent to the
      log server when I/O logging was not enabled.  This only affected
      systems without PAM or configurations where the pam_session and
      pam_setcred options were disabled in the sudoers file.

    * Fixed a bug where "sudo -l" output included a carriage return
      after the newline.  This is only needed when displaying to a
      terminal in raw mode.

---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Fri Nov  4 00:58:00 UTC 2022

   Modified Files:
   	pkgsrc/security/sudo: Makefile distinfo
   Added Files:
   	pkgsrc/security/sudo/patches: patch-plugins_sudoers_auth_passwd.c

   Log Message:
   security/sudo: add fix for CVE-2022-43995

   Add patch from upstream to fix CVE-2022-43995.

   Bump PKGREVISION.

4 files changed, 50 insertions, 9 deletions

diff --git a/security/sudo/Makefile b/security/sudo/Makefile
index bbf4ca26806..d1c70b18473 100644
--- a/security/sudo/Makefile
+++ b/security/sudo/Makefile
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.190 2022/07/05 11:01:38 adam Exp $
+# $NetBSD: Makefile,v 1.190.2.1 2022/11/11 19:59:11 bsiegert Exp $
 
-DISTNAME=	sudo-1.9.11p3
+DISTNAME=	sudo-1.9.12
+PKGREVISION=	1
 CATEGORIES=	security
 MASTER_SITES=	https://www.sudo.ws/dist/
 MASTER_SITES+=	ftp://ftp.sudo.ws/pub/sudo/
@@ -66,7 +67,7 @@ SPECIAL_PERMS+=		bin/sudo ${SETUID_ROOT_PERMS}
 SPECIAL_PERMS+=		bin/sudoreplay ${REAL_ROOT_USER} ${REAL_ROOT_GROUP} 511
 
 INSTALLATION_DIRS+=	${EGDIR}
-NOT_FOR_UNPRIVILEGED=	yes
+#NOT_FOR_UNPRIVILEGED=	yes
 
 post-install:
 	${INSTALL_DATA} ${WRKSRC}/plugins/sudoers/sudoers ${DESTDIR}${PREFIX}/${EGDIR}/sudoers
diff --git a/security/sudo/PLIST b/security/sudo/PLIST
index ef99235cf9f..0bb9221e37a 100644
--- a/security/sudo/PLIST
+++ b/security/sudo/PLIST
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.22 2022/07/05 11:01:38 adam Exp $
+@comment $NetBSD: PLIST,v 1.22.2.1 2022/11/11 19:59:11 bsiegert Exp $
 bin/cvtsudoers
 bin/sudo
 bin/sudoedit
@@ -7,7 +7,6 @@ include/sudo_plugin.h
 lib/sudo/audit_json.la
 lib/sudo/group_file.la
 lib/sudo/libsudo_util.la
-lib/sudo/sample_approval.la
 ${PLIST.noexec}lib/sudo/sudo_noexec.la
 lib/sudo/sudoers.la
 lib/sudo/system_group.la
diff --git a/security/sudo/distinfo b/security/sudo/distinfo
index ed630a0f9a7..65cfa00765d 100644
--- a/security/sudo/distinfo
+++ b/security/sudo/distinfo
@@ -1,12 +1,13 @@
-$NetBSD: distinfo,v 1.122 2022/07/05 11:01:38 adam Exp $
+$NetBSD: distinfo,v 1.122.2.1 2022/11/11 19:59:11 bsiegert Exp $
 
-BLAKE2s (sudo-1.9.11p3.tar.gz) = 12883ca22e2ee8a3a6351ac6118bf30844d9341b25512dbf26b24c80d12e0bb3
-SHA512 (sudo-1.9.11p3.tar.gz) = ad5c3d623547d1e3016e1a721676fee6d6b7348e77b2c234041e0af40c7220e8934c8c27beef0d12fa6df11708d37de711dacfefc135d26de46abca7f91c55d1
-Size (sudo-1.9.11p3.tar.gz) = 4826520 bytes
+BLAKE2s (sudo-1.9.12.tar.gz) = e832414e92c0608e173f8ccb06a1cb8632c3be51b5905580d426b0984b049c0f
+SHA512 (sudo-1.9.12.tar.gz) = 34ee165baa2e37ba2530901d49bf0dad30159f27aeccd2519d4719bf93be8281edff71220a49ba2e41dacaa3c58031de1464df48d75a8caea7b9568a76f80b67
+Size (sudo-1.9.12.tar.gz) = 4906320 bytes
 SHA1 (patch-Makefile.in) = 1a83c55d27829013e2e23073046c5c39b020fafe
 SHA1 (patch-configure) = da1f0d89f7dc5d56734fc69f190189ccdfc8b043
 SHA1 (patch-examples_Makefile.in) = a20967ecd88eb5e4a8b47e6a3b80bc18be713409
 SHA1 (patch-lib_logsrv_Makefile.in) = 301c317c806edeee8ce7b44a5431cd38defb3a54
 SHA1 (patch-lib_protobuf-c_Makefile.in) = 122e432fb0da36b998778a1b71130f0c3785f575
 SHA1 (patch-plugins_sudoers_Makefile.in) = d2981bb9841f6bb4b1c80f5c2f2727fbf9579501
+SHA1 (patch-plugins_sudoers_auth_passwd.c) = 8fc437881e5eedef106037ff746116f8a36889da
 SHA1 (patch-src_Makefile.in) = 0642684c2d4b3a89259f7d27908f5ec8070969ec
diff --git a/security/sudo/patches/patch-plugins_sudoers_auth_passwd.c b/security/sudo/patches/patch-plugins_sudoers_auth_passwd.c
new file mode 100644
index 00000000000..a151cc79159
--- /dev/null
+++ b/security/sudo/patches/patch-plugins_sudoers_auth_passwd.c
@@ -0,0 +1,40 @@
+$NetBSD: patch-plugins_sudoers_auth_passwd.c,v 1.2.2.2 2022/11/11 19:59:12 bsiegert Exp $
+
+Fix CVE-2022-43995 from upstream commit.
+
+--- plugins/sudoers/auth/passwd.c.orig	2022-06-12 18:46:46.000000000 +0000
++++ plugins/sudoers/auth/passwd.c
+@@ -63,7 +63,7 @@ sudo_passwd_init(struct passwd *pw, sudo
+ int
+ sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_conv_callback *callback)
+ {
+-    char sav, *epass;
++    char des_pass[9], *epass;
+     char *pw_epasswd = auth->data;
+     size_t pw_len;
+     int matched = 0;
+@@ -75,12 +75,12 @@ sudo_passwd_verify(struct passwd *pw, ch
+ 
+     /*
+      * Truncate to 8 chars if standard DES since not all crypt()'s do this.
+-     * If this turns out not to be safe we will have to use OS #ifdef's (sigh).
+      */
+-    sav = pass[8];
+     pw_len = strlen(pw_epasswd);
+-    if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len))
+-	pass[8] = '\0';
++    if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len)) {
++	strlcpy(des_pass, pass, sizeof(des_pass));
++	pass = des_pass;
++    }
+ 
+     /*
+      * Normal UN*X password check.
+@@ -88,7 +88,6 @@ sudo_passwd_verify(struct passwd *pw, ch
+      * only compare the first DESLEN characters in that case.
+      */
+     epass = (char *) crypt(pass, pw_epasswd);
+-    pass[8] = sav;
+     if (epass != NULL) {
+ 	if (HAS_AGEINFO(pw_epasswd, pw_len) && strlen(epass) == DESLEN)
+ 	    matched = !strncmp(pw_epasswd, epass, DESLEN);