Merge sudo 1.9.12p1 from tip.

--HG--
branch : 1.9

Author: millert

NEWS

@@ -1,3 +1,16 @@
+What's new in Sudo 1.9.12p1
+
+ * Sudo's configure script now does a better job of detecting when
+   the -fstack-clash-protection compiler option does not work.
+   GitHub issue #191.
+
+ * Fixed CVE-2022-43995, a potential out-of-bounds write for passwords
+   smaller than 8 characters when passwd authentication is enabled.
+   This does not affect configurations that use other authentication
+   methods such as PAM, AIX authentication or BSD authentication.
+
+ * Fixed a build error with some configurations compiling host_port.c.
+
 What's new in Sudo 1.9.12
 
  * Fixed a bug in the ptrace-based intercept mode where the current

aclocal.m4

@@ -1,6 +1,6 @@
-# generated automatically by aclocal 1.16.3 -*- Autoconf -*-
+# generated automatically by aclocal 1.16.5 -*- Autoconf -*-
 
-# Copyright (C) 1996-2020 Free Software Foundation, Inc.
+# Copyright (C) 1996-2021 Free Software Foundation, Inc.
 
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,

configure

@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.71 for sudo 1.9.12.
+# Generated by GNU Autoconf 2.71 for sudo 1.9.12p1.
 #
 # Report bugs to <https://bugzilla.sudo.ws/>.
 #
@@ -621,8 +621,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='sudo'
 PACKAGE_TARNAME='sudo'
-PACKAGE_VERSION='1.9.12'
-PACKAGE_STRING='sudo 1.9.12'
+PACKAGE_VERSION='1.9.12p1'
+PACKAGE_STRING='sudo 1.9.12p1'
 PACKAGE_BUGREPORT='https://bugzilla.sudo.ws/'
 PACKAGE_URL=''
 
@@ -1640,7 +1640,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures sudo 1.9.12 to adapt to many kinds of systems.
+\`configure' configures sudo 1.9.12p1 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1706,7 +1706,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of sudo 1.9.12:";;
+     short | recursive ) echo "Configuration of sudo 1.9.12p1:";;
    esac
   cat <<\_ACEOF
 
@@ -1996,7 +1996,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-sudo configure 1.9.12
+sudo configure 1.9.12p1
 generated by GNU Autoconf 2.71
 
 Copyright (C) 2021 Free Software Foundation, Inc.
@@ -2653,7 +2653,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by sudo $as_me 1.9.12, which was
+It was created by sudo $as_me 1.9.12p1, which was
 generated by GNU Autoconf 2.71.  Invocation command line was
 
   $ $0$ac_configure_args_raw
@@ -31899,42 +31899,40 @@ printf "%s\n" "$sudo_cv_var_stack_protector" >&6; }
     fi
 fi
 if test "$enable_hardening" != "no"; then
-    { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -fstack-clash-protection" >&5
-printf %s "checking whether the linker accepts -fstack-clash-protection... " >&6; }
-if test ${ax_cv_check_ldflags___fstack_clash_protection+y}
+    # The gcc front-end may accept -fstack-clash-protection even if the
+    # machine-specific code does not support it.  We use a test program
+    # with a large stack allocation to try to cause the compiler to
+    # insert the stack clash protection code, or fail if not supported.
+    { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler supports -fstack-clash-protection" >&5
+printf %s "checking whether C compiler supports -fstack-clash-protection... " >&6; }
+if test ${sudo_cv_check_cflags___fstack_clash_protection+y}
 then :
   printf %s "(cached) " >&6
 else $as_nop
 
-  ax_check_save_flags=$LDFLAGS
-  LDFLAGS="$LDFLAGS  -fstack-clash-protection"
-  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+	    _CFLAGS="$CFLAGS"
+	    CFLAGS="$CFLAGS -fstack-clash-protection"
+	    cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
-int
-main (void)
-{
+		int main(int argc, char *argv[]) { char buf[16384], *src = argv[0], *dst = buf; while ((*dst++ = *src++) != '\0'); return buf[argc]; }
 
-  ;
-  return 0;
-}
 _ACEOF
-if ac_fn_c_try_link "$LINENO"
+if ac_fn_c_try_compile "$LINENO"
 then :
-  ax_cv_check_ldflags___fstack_clash_protection=yes
+  sudo_cv_check_cflags___fstack_clash_protection=yes
 else $as_nop
-  ax_cv_check_ldflags___fstack_clash_protection=no
+  sudo_cv_check_cflags___fstack_clash_protection=no
 fi
-rm -f core conftest.err conftest.$ac_objext conftest.beam \
-    conftest$ac_exeext conftest.$ac_ext
-  LDFLAGS=$ax_check_save_flags
-fi
-{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_ldflags___fstack_clash_protection" >&5
-printf "%s\n" "$ax_cv_check_ldflags___fstack_clash_protection" >&6; }
-if test x"$ax_cv_check_ldflags___fstack_clash_protection" = xyes
-then :
+rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext
+	    CFLAGS="$_CFLAGS"
 
 
+fi
+{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $sudo_cv_check_cflags___fstack_clash_protection" >&5
+printf "%s\n" "$sudo_cv_check_cflags___fstack_clash_protection" >&6; }
+    if test X"$sudo_cv_check_cflags___fstack_clash_protection" = X"yes"; then
+
 if test ${HARDENING_CFLAGS+y}
 then :
 
@@ -32000,12 +31998,43 @@ else $as_nop
 
 fi
 
+    fi
 
+    { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fcf-protection" >&5
+printf %s "checking whether C compiler accepts -fcf-protection... " >&6; }
+if test ${ax_cv_check_cflags___fcf_protection+y}
+then :
+  printf %s "(cached) " >&6
 else $as_nop
-  :
+
+  ax_check_save_flags=$CFLAGS
+  CFLAGS="$CFLAGS  -fcf-protection"
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+int
+main (void)
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"
+then :
+  ax_cv_check_cflags___fcf_protection=yes
+else $as_nop
+  ax_cv_check_cflags___fcf_protection=no
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext
+  CFLAGS=$ax_check_save_flags
 fi
+{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fcf_protection" >&5
+printf "%s\n" "$ax_cv_check_cflags___fcf_protection" >&6; }
+if test x"$ax_cv_check_cflags___fcf_protection" = xyes
+then :
 
-    { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -fcf-protection" >&5
+	{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -fcf-protection" >&5
 printf %s "checking whether the linker accepts -fcf-protection... " >&6; }
 if test ${ax_cv_check_ldflags___fcf_protection+y}
 then :
@@ -32107,6 +32136,11 @@ else $as_nop
 fi
 
 
+else $as_nop
+  :
+fi
+
+
 else $as_nop
   :
 fi
@@ -33114,7 +33148,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by sudo $as_me 1.9.12, which was
+This file was extended by sudo $as_me 1.9.12p1, which was
 generated by GNU Autoconf 2.71.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -33182,7 +33216,7 @@ ac_cs_config_escaped=`printf "%s\n" "$ac_cs_config" | sed "s/^ //; s/'/'\\\\\\\\
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config='$ac_cs_config_escaped'
 ac_cs_version="\\
-sudo config.status 1.9.12
+sudo config.status 1.9.12p1
 configured by $0, generated by GNU Autoconf 2.71,
   with options \\"\$ac_cs_config\\"
 

configure.ac

@@ -18,7 +18,7 @@ dnl ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 dnl OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 dnl
 AC_PREREQ([2.70])
-AC_INIT([sudo], [1.9.12], [https://bugzilla.sudo.ws/], [sudo])
+AC_INIT([sudo], [1.9.12p1], [https://bugzilla.sudo.ws/], [sudo])
 AC_CONFIG_HEADERS([config.h pathnames.h])
 AC_CONFIG_SRCDIR([src/sudo.c])
 AC_CONFIG_AUX_DIR([scripts])
@@ -4956,13 +4956,31 @@ if test "$enable_hardening" != "no" && test "$enable_ssp" != "no"; then
     fi
 fi
 if test "$enable_hardening" != "no"; then
-    AX_CHECK_LINK_FLAG([-fstack-clash-protection], [
+    # The gcc front-end may accept -fstack-clash-protection even if the
+    # machine-specific code does not support it.  We use a test program
+    # with a large stack allocation to try to cause the compiler to
+    # insert the stack clash protection code, or fail if not supported.
+    AC_CACHE_CHECK([whether C compiler supports -fstack-clash-protection],
+	[sudo_cv_check_cflags___fstack_clash_protection],
+	[
+	    _CFLAGS="$CFLAGS"
+	    CFLAGS="$CFLAGS -fstack-clash-protection"
+	    AC_COMPILE_IFELSE([
+		AC_LANG_SOURCE([[int main(int argc, char *argv[]) { char buf[16384], *src = argv[0], *dst = buf; while ((*dst++ = *src++) != '\0'); return buf[argc]; }]])
+	    ], [sudo_cv_check_cflags___fstack_clash_protection=yes], [sudo_cv_check_cflags___fstack_clash_protection=no])
+	    CFLAGS="$_CFLAGS"
+	]
+    )
+    if test X"$sudo_cv_check_cflags___fstack_clash_protection" = X"yes"; then
 	AX_APPEND_FLAG([-fstack-clash-protection], [HARDENING_CFLAGS])
 	AX_APPEND_FLAG([-Wc,-fstack-clash-protection], [HARDENING_LDFLAGS])
-    ])
-    AX_CHECK_LINK_FLAG([-fcf-protection], [
-	AX_APPEND_FLAG([-fcf-protection], [HARDENING_CFLAGS])
-	AX_APPEND_FLAG([-Wc,-fcf-protection], [HARDENING_LDFLAGS])
+    fi
+
+    AX_CHECK_COMPILE_FLAG([-fcf-protection], [
+	AX_CHECK_LINK_FLAG([-fcf-protection], [
+	    AX_APPEND_FLAG([-fcf-protection], [HARDENING_CFLAGS])
+	    AX_APPEND_FLAG([-Wc,-fcf-protection], [HARDENING_LDFLAGS])
+	])
     ])
     AX_CHECK_LINK_FLAG([-Wl,-z,relro], [AX_APPEND_FLAG([-Wl,-z,relro], [LDFLAGS])])
     AX_CHECK_LINK_FLAG([-Wl,-z,now], [AX_APPEND_FLAG([-Wl,-z,now], [LDFLAGS])])

lib/iolog/host_port.c

@@ -30,6 +30,7 @@
 #endif /* HAVE_STDBOOL_H */
 #include <stdio.h>
 #include <string.h>
+#include <time.h>
 
 #include "sudo_compat.h"
 #include "sudo_debug.h"

plugins/sudoers/auth/API

@@ -14,7 +14,7 @@ typedef struct sudo_auth {
 
     int (*init)(struct passwd *pw, sudo_auth *auth);
     int (*setup)(struct passwd *pw, char **prompt, sudo_auth *auth);
-    int (*verify)(struct passwd *pw, char *p, sudo_auth *auth, struct sudo_conv_callback *callback);
+    int (*verify)(struct passwd *pw, const char *p, sudo_auth *auth, struct sudo_conv_callback *callback);
     int (*approval)(struct passwd *pw, sudo_auth *auth);
     int (*cleanup)(struct passwd *pw, sudo_auth *auth, bool force);
     int (*begin_session)(struct passwd *pw, char **user_env[], struct sudo_auth *auth);

plugins/sudoers/auth/afs.c

@@ -45,7 +45,7 @@
 #include "check.h"
 
 int
-sudo_afs_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_conv_callback *callback)
+sudo_afs_verify(struct passwd *pw, const char *pass, sudo_auth *auth, struct sudo_conv_callback *callback)
 {
     struct ktc_encryptionKey afs_key;
     struct ktc_token afs_token;

plugins/sudoers/auth/aix_auth.c

@@ -229,7 +229,7 @@ sudo_aix_change_password(const char *user)
 }
 
 int
-sudo_aix_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_conv_callback *callback)
+sudo_aix_verify(struct passwd *pw, const char *prompt, sudo_auth *auth, struct sudo_conv_callback *callback)
 {
     char *pass, *message = NULL;
     int result = 1, reenter = 0;

plugins/sudoers/auth/bsdauth.c

@@ -104,7 +104,7 @@ bsdauth_init(struct passwd *pw, sudo_auth *auth)
 }
 
 int
-bsdauth_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_conv_callback *callback)
+bsdauth_verify(struct passwd *pw, const char *prompt, sudo_auth *auth, struct sudo_conv_callback *callback)
 {
     char *pass;
     char *s;
@@ -133,20 +133,20 @@ bsdauth_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_con
 	pass = auth_getpass(prompt, SUDO_CONV_PROMPT_ECHO_OFF, callback);
     } else {
 	pass = auth_getpass(s, SUDO_CONV_PROMPT_ECHO_OFF, callback);
-	if (pass && *pass == '\0') {
+	if (pass != NULL && *pass == '\0') {
 	    if ((prompt = strrchr(s, '\n')))
 		prompt++;
 	    else
 		prompt = s;
 
 	    /*
 	     * Append '[echo on]' to the last line of the challenge and
-	     * reprompt with echo turned on.
+	     * re-prompt with echo turned on.
 	     */
-	    len = strlen(prompt) - 1;
-	    while (isspace(prompt[len]) || prompt[len] == ':')
-		prompt[len--] = '\0';
-	    if (asprintf(&s, "%s [echo on]: ", prompt) == -1) {
+	    len = strlen(prompt);
+	    while (len > 0 && (isspace((unsigned char)prompt[len - 1]) || prompt[len - 1] == ':'))
+		len--;
+	    if (asprintf(&s, "%.*s [echo on]: ", (int)len, prompt) == -1) {
 		log_warningx(0, N_("unable to allocate memory"));
 		debug_return_int(AUTH_FATAL);
 	    }

plugins/sudoers/auth/dce.c

@@ -59,7 +59,7 @@
 static int check_dce_status(error_status_t, char *);
 
 int
-sudo_dce_verify(struct passwd *pw, char *plain_pw, sudo_auth *auth, struct sudo_conv_callback *callback)
+sudo_dce_verify(struct passwd *pw, const char *plain_pw, sudo_auth *auth, struct sudo_conv_callback *callback)
 {
     struct passwd		temp_pw;
     sec_passwd_rec_t		password_rec;