authortaca <taca@pkgsrc.org>2022-11-07 14:26:57 +0000
committertaca <taca@pkgsrc.org>2022-11-07 14:26:57 +0000
commit1b2480ff39578b94f0b38e245f6068aabb8cfcf9 (patch)
treec876d2cfbf78de1fc41b13cdc2a602a8dcbf3bcc /security
parent0c0d2316648f0eea50a5c92fa1d3409645b08c71 (diff)
downloadpkgsrc-1b2480ff39578b94f0b38e245f6068aabb8cfcf9.tar.gz
security/sudo: update to 1.9.12p1
1.9.12p1 (2022-11-07) What's new in Sudo 1.9.12p1 * Sudo's configure script now does a better job of detecting when the -fstack-clash-protection compiler option does not work. GitHub issue #191. * Fixed CVE-2022-43995, a potential out-of-bounds write for passwords smaller than 8 characters when passwd authentication is enabled. This does not affect configurations that use other authentication methods such as PAM, AIX authentication or BSD authentication. * Fixed a build error with some configurations compiling host_port.c.
Diffstat (limited to 'security')
-rw-r--r--security/sudo/Makefile5
-rw-r--r--security/sudo/distinfo9
-rw-r--r--security/sudo/patches/patch-plugins_sudoers_auth_passwd.c40
3 files changed, 6 insertions, 48 deletions
diff --git a/security/sudo/Makefile b/security/sudo/Makefile
index d15319b9953..db1d0269838 100644
--- a/security/sudo/Makefile
+++ b/security/sudo/Makefile
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.192 2022/11/04 00:58:00 taca Exp $
+# $NetBSD: Makefile,v 1.193 2022/11/07 14:26:57 taca Exp $
-DISTNAME= sudo-1.9.12
-PKGREVISION= 1
+DISTNAME= sudo-1.9.12p1
CATEGORIES= security
MASTER_SITES= https://www.sudo.ws/dist/
MASTER_SITES+= ftp://ftp.sudo.ws/pub/sudo/
diff --git a/security/sudo/distinfo b/security/sudo/distinfo
index bc3ec9d194b..e2abd435dcb 100644
--- a/security/sudo/distinfo
+++ b/security/sudo/distinfo
@@ -1,13 +1,12 @@
-$NetBSD: distinfo,v 1.124 2022/11/04 00:58:00 taca Exp $
+$NetBSD: distinfo,v 1.125 2022/11/07 14:26:57 taca Exp $
-BLAKE2s (sudo-1.9.12.tar.gz) = e832414e92c0608e173f8ccb06a1cb8632c3be51b5905580d426b0984b049c0f
-SHA512 (sudo-1.9.12.tar.gz) = 34ee165baa2e37ba2530901d49bf0dad30159f27aeccd2519d4719bf93be8281edff71220a49ba2e41dacaa3c58031de1464df48d75a8caea7b9568a76f80b67
-Size (sudo-1.9.12.tar.gz) = 4906320 bytes
+BLAKE2s (sudo-1.9.12p1.tar.gz) = c7f87e66e9cfa2c3fc09e84950c9e3b5c4ad5a0428ffb84e9308de67ed6be4f5
+SHA512 (sudo-1.9.12p1.tar.gz) = 6f564112aa1e0e9cd223adb280bd430d513109c031e52deca308501234dedc0d7418f13cbb9b4249ac58d997cfdae1908c280c26733acbc55dbf9db45dff239a
+Size (sudo-1.9.12p1.tar.gz) = 4908060 bytes
SHA1 (patch-Makefile.in) = 1a83c55d27829013e2e23073046c5c39b020fafe
SHA1 (patch-configure) = da1f0d89f7dc5d56734fc69f190189ccdfc8b043
SHA1 (patch-examples_Makefile.in) = a20967ecd88eb5e4a8b47e6a3b80bc18be713409
SHA1 (patch-lib_logsrv_Makefile.in) = 301c317c806edeee8ce7b44a5431cd38defb3a54
SHA1 (patch-lib_protobuf-c_Makefile.in) = 122e432fb0da36b998778a1b71130f0c3785f575
SHA1 (patch-plugins_sudoers_Makefile.in) = d2981bb9841f6bb4b1c80f5c2f2727fbf9579501
-SHA1 (patch-plugins_sudoers_auth_passwd.c) = 8fc437881e5eedef106037ff746116f8a36889da
SHA1 (patch-src_Makefile.in) = 0642684c2d4b3a89259f7d27908f5ec8070969ec
diff --git a/security/sudo/patches/patch-plugins_sudoers_auth_passwd.c b/security/sudo/patches/patch-plugins_sudoers_auth_passwd.c
deleted file mode 100644
index 18ddb8a6b74..00000000000
--- a/security/sudo/patches/patch-plugins_sudoers_auth_passwd.c
+++ /dev/null
@@ -1,40 +0,0 @@
-$NetBSD: patch-plugins_sudoers_auth_passwd.c,v 1.1 2022/11/04 00:58:00 taca Exp $
-
-Fix CVE-2022-43995 from upstream commit.
-
---- plugins/sudoers/auth/passwd.c.orig 2022-06-12 18:46:46.000000000 +0000
-+++ plugins/sudoers/auth/passwd.c
-@@ -63,7 +63,7 @@ sudo_passwd_init(struct passwd *pw, sudo
- int
- sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_conv_callback *callback)
- {
-- char sav, *epass;
-+ char des_pass[9], *epass;
- char *pw_epasswd = auth->data;
- size_t pw_len;
- int matched = 0;
-@@ -75,12 +75,12 @@ sudo_passwd_verify(struct passwd *pw, ch
-
- /*
- * Truncate to 8 chars if standard DES since not all crypt()'s do this.
-- * If this turns out not to be safe we will have to use OS #ifdef's (sigh).
- */
-- sav = pass[8];
- pw_len = strlen(pw_epasswd);
-- if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len))
-- pass[8] = '\0';
-+ if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len)) {
-+ strlcpy(des_pass, pass, sizeof(des_pass));
-+ pass = des_pass;
-+ }
-
- /*
- * Normal UN*X password check.
-@@ -88,7 +88,6 @@ sudo_passwd_verify(struct passwd *pw, ch
- * only compare the first DESLEN characters in that case.
- */
- epass = (char *) crypt(pass, pw_epasswd);
-- pass[8] = sav;
- if (epass != NULL) {
- if (HAS_AGEINFO(pw_epasswd, pw_len) && strlen(epass) == DESLEN)
- matched = !strncmp(pw_epasswd, epass, DESLEN);