diff --git a/sha-digest-calc.patch b/sha-digest-calc.patch new file mode 100644 index 0000000..affab8b --- /dev/null +++ b/sha-digest-calc.patch @@ -0,0 +1,26 @@ +From e4f08157b6693b956fe9c7c987bc3eeac1abb2cc Mon Sep 17 00:00:00 2001 +From: Tim Shearer +Date: Tue, 2 Aug 2022 08:48:32 -0400 +Subject: [PATCH] Fix incorrect SHA384/512 digest calculation. + +Resolves an issue where certain message sizes result in an incorrect +checksum. Specifically, when: +(n*8) mod 1024 == 896 +where n is the file size in bytes. +--- + lib/util/sha2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/util/sha2.c b/lib/util/sha2.c +index b7a28cca8..f769f77f2 100644 +--- a/lib/util/sha2.c ++++ b/lib/util/sha2.c +@@ -490,7 +490,7 @@ SHA512Pad(SHA2_CTX *ctx) + SHA512Update(ctx, (uint8_t *)"\200", 1); + + /* Pad message such that the resulting length modulo 1024 is 896. */ +- while ((ctx->count[0] & 1008) != 896) ++ while ((ctx->count[0] & 1016) != 896) + SHA512Update(ctx, (uint8_t *)"\0", 1); + + /* Append length of message in bits and do final SHA512Transform(). */ diff --git a/sudo.spec b/sudo.spec index ea0036c..ca175ed 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,7 +1,7 @@ Summary: Allows restricted root access for specified users Name: sudo Version: 1.8.29 -Release: 8%{?dist} +Release: 9%{?dist} License: ISC Group: Applications/System URL: https://www.sudo.ws/ @@ -76,6 +76,9 @@ Patch21: sudo-1.9.7-krb5ccname.patch # 1986572 - utmp resource leak in sudo Patch22: sudo-1.9.7-utmp-leak.patch +# 2114576 - sudo digest check fails incorrectly for certain file sizes (SHA512/SHA384) +Patch23: sha-digest-calc.patch + %description Sudo (superuser do) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands @@ -128,6 +131,8 @@ plugins that use %{name}. %patch21 -p1 -b .krb5ccname %patch22 -p1 -b .utmp-leak +%patch23 -p1 -b .sha-digest + %build # Remove bundled copy of zlib rm -rf zlib/ 
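Review bot: The new mask in `while ((ctx->count[0] & 1016) != 896)` is still only equivalent to the "length modulo 1024 is 896" stated in the comment above it because `count[0]` is a bit count advanced in multiples of 8 (the loop itself feeds one byte per iteration, and the description's `(n*8) mod 1024` confirms bits); dropping bit 3 from the old mask is exactly what let a residue of 904 pass, and a mask that again omits bits would reintroduce it silently. Writing the test literally as `while ((ctx->count[0] & 1023) != 896)` (or `% 1024`) matches the comment and does not depend on that alignment assumption; the same form would be worth applying to the SHA-256 variant if it uses the analogous `& 504` idiom, though that code is not in this patch. The patch also ships no regression test: a known-answer check for SHA-512 and SHA-384 over a 112-byte message (length ≡ 112 mod 128, the failing class) would have caught the original mask and guards this one, and the package-level effect — presumably a wrong digest for command files of those sizes, making the sudoers digest check reject a legitimate command — deserves a sentence in the patch description beyond "incorrect checksum". SHA512Pad's body starts and ends outside the hunk.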
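Review bot: The new `Patch23: sha-digest-calc.patch` line does not follow the `sudo-<version>-<topic>.patch` naming used by the neighbouring `Patch21`/`Patch22` entries, so the file's origin and target version are not visible from the spec; `Patch23: sudo-1.8.29-sha512-pad.patch` (with the `%patch23` line and the added file renamed to match) would keep the convention. The bug-number comment above it is consistent with the existing entries and is fine as written.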
@@ -286,6 +291,11 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man8/sudo_plugin.8*
 
 %changelog
+* Wed Jan 11 2023 Radovan Sroka - 1.8.29.9
+RHEL 8.8.0 ERRATUM
+- sudo digest check fails incorrectly for certain file sizes (SHA512/SHA384)
+Resolves: rhbz#2114576
+
 * Mon Dec 06 2021 Radovan Sroka - 1.8.29-8
 RHEL 8.6.0 ERRATUM
 - sudoedit does not work with selinux args