Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Step:15-SP4
sudo.16960
sudo-1.8.22-CVE-2019-18634.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File sudo-1.8.22-CVE-2019-18634.patch of Package sudo.16960
From fa8ffeb17523494f0e8bb49a25e53635f4509078 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" <Todd.Miller@sudo.ws> Date: Wed, 29 Jan 2020 20:15:21 -0700 Subject: [PATCH] Fix a buffer overflow when pwfeedback is enabled and input is a not a tty. In getln() if the user enters ^U (erase line) and the write(2) fails, the remaining buffer size is reset but the current pointer is not. While here, fix an incorrect break for erase when write(2) fails. Also disable pwfeedback when input is not a tty as it cannot work. CVE-2019-18634 Credit: Joe Vennix from Apple Information Security. --- src/tgetpass.c | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) Index: sudo-1.8.22/src/tgetpass.c =================================================================== --- sudo-1.8.22.orig/src/tgetpass.c +++ sudo-1.8.22/src/tgetpass.c @@ -48,7 +48,7 @@ static volatile sig_atomic_t signo[NSIG] static bool tty_present(void); static void tgetpass_handler(int); -static char *getln(int, char *, size_t, int); +static char *getln(int, char *, size_t, bool); static char *sudo_askpass(const char *, const char *); static int @@ -90,6 +90,7 @@ tgetpass(const char *prompt, int timeout static const char *askpass; static char buf[SUDO_CONV_REPL_MAX + 1]; int i, input, output, save_errno, neednl = 0, need_restart; + bool feedback = ISSET(flags, TGP_MASK); debug_decl(tgetpass, SUDO_DEBUG_CONV) (void) fflush(stdout); @@ -136,7 +137,7 @@ restart: */ if (!ISSET(flags, TGP_ECHO)) { for (;;) { - if (ISSET(flags, TGP_MASK)) + if (feedback) neednl = sudo_term_cbreak(input); else neednl = sudo_term_noecho(input); @@ -150,6 +151,9 @@ restart: } } } + /* Only use feedback mode when we can disable echo. */ + if (!neednl) + feedback = false; /* * Catch signals that would otherwise cause the user to end @@ -175,7 +179,7 @@ restart: if (timeout > 0) alarm(timeout); - pass = getln(input, buf, sizeof(buf), ISSET(flags, TGP_MASK)); + pass = getln(input, buf, sizeof(buf), feedback); alarm(0); save_errno = errno; @@ -305,7 +309,7 @@ sudo_askpass(const char *askpass, const extern int sudo_term_erase, sudo_term_kill; static char * -getln(int fd, char *buf, size_t bufsiz, int feedback) +getln(int fd, char *buf, size_t bufsiz, bool feedback) { size_t left = bufsiz; ssize_t nr = -1; @@ -327,15 +331,15 @@ getln(int fd, char *buf, size_t bufsiz, while (cp > buf) { if (write(fd, "\b \b", 3) == -1) break; - --cp; + cp--; } + cp = buf; left = bufsiz; continue; } else if (c == sudo_term_erase) { if (cp > buf) { - if (write(fd, "\b \b", 3) == -1) - break; - --cp; + ignore_result(write(fd, "\b \b", 3)); + cp--; left++; } continue;
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor