From 962ece34620a9bad94c80a547b0e617b3fc22480 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 28 Mar 2023 09:29:26 +0000
Subject: [PATCH] import sudo-1.9.5p2-9.el9
---
 SOURCES/sha-digest-calc.patch | 26 +++++
 SOURCES/sudo-1.9.12-CVE-2023-22809.patch | 121 +++++++++++++++++++++++
 SPECS/sudo.spec | 16 ++-
 3 files changed, 162 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/sha-digest-calc.patch
 create mode 100644 SOURCES/sudo-1.9.12-CVE-2023-22809.patch
diff --git a/SOURCES/sha-digest-calc.patch b/SOURCES/sha-digest-calc.patch
new file mode 100644
index 0000000..affab8b
--- /dev/null
+++ b/SOURCES/sha-digest-calc.patch
@@ -0,0 +1,26 @@
+From e4f08157b6693b956fe9c7c987bc3eeac1abb2cc Mon Sep 17 00:00:00 2001
+From: Tim Shearer
+Date: Tue, 2 Aug 2022 08:48:32 -0400
+Subject: [PATCH] Fix incorrect SHA384/512 digest calculation.
+
+Resolves an issue where certain message sizes result in an incorrect
+checksum. Specifically, when:
+(n*8) mod 1024 == 896
+where n is the file size in bytes.
+---
+ lib/util/sha2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/util/sha2.c b/lib/util/sha2.c
+index b7a28cca8..f769f77f2 100644
+--- a/lib/util/sha2.c
++++ b/lib/util/sha2.c
+@@ -490,7 +490,7 @@ SHA512Pad(SHA2_CTX *ctx)
+ SHA512Update(ctx, (uint8_t *)"\200", 1);
+ 
+ /* Pad message such that the resulting length modulo 1024 is 896. */
+- while ((ctx->count[0] & 1008) != 896)
++ while ((ctx->count[0] & 1016) != 896)
+ SHA512Update(ctx, (uint8_t *)"\0", 1);
+ 
+ /* Append length of message in bits and do final SHA512Transform(). */
diff --git a/SOURCES/sudo-1.9.12-CVE-2023-22809.patch b/SOURCES/sudo-1.9.12-CVE-2023-22809.patch
new file mode 100644
index 0000000..66f866f
--- /dev/null
+++ b/SOURCES/sudo-1.9.12-CVE-2023-22809.patch
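Review bot: The new mask `1016` on the `while` line is only right because, as the surrounding comments suggest, `ctx->count[0]` is a bit count advanced in whole bytes so bits 0-2 are always zero; the reader has to work that invariant out, and the old constant `1008` shows how easy it is to get such a mask wrong. Writing the condition the way the comment above it states it, `while ((ctx->count[0] & 1023) != 896)`, is equivalent under that invariant and no longer depends on it. A regression vector for a message length with `(n*8) mod 1024 == 896` (112 bytes is the smallest) would pin the fix, which matters because the changelog records that this digest is what the sudoers digest check compares against. SHA512Pad begins and ends outside the hunk.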
@@ -0,0 +1,121 @@
+diff -up ./plugins/sudoers/editor.c.cve ./plugins/sudoers/editor.c
+--- ./plugins/sudoers/editor.c.cve 2021-01-09 21:12:16.000000000 +0100
++++ ./plugins/sudoers/editor.c 2023-01-17 13:57:05.598949058 +0100
+@@ -126,7 +126,7 @@ resolve_editor(const char *ed, size_t ed
+ const char *tmp, *cp, *ep = NULL;
+ const char *edend = ed + edlen;
+ struct stat user_editor_sb;
+- int nargc;
++ int nargc = 0;
+ debug_decl(resolve_editor, SUDOERS_DEBUG_UTIL);
+ 
+ /*
+@@ -144,9 +144,7 @@ resolve_editor(const char *ed, size_t ed
+ /* If we can't find the editor in the user's PATH, give up. */
+ if (find_path(editor, &editor_path, &user_editor_sb, getenv("PATH"), NULL,
+ 0, allowlist) != FOUND) {
+- free(editor);
+- errno = ENOENT;
+- debug_return_str(NULL);
++ goto bad;
+ }
+ 
+ /* Count rest of arguments and allocate editor argv. */
+@@ -166,6 +164,18 @@ resolve_editor(const char *ed, size_t ed
+ nargv[nargc] = copy_arg(cp, ep - cp);
+ if (nargv[nargc] == NULL)
+ goto oom;
++
++ /*
++ * We use "--" to separate the editor and arguments from the files
++ * to edit. The editor arguments themselves may not contain "--".
++ */
++ if (strcmp(nargv[nargc], "--") == 0) {
++ sudo_warnx(U_("ignoring editor: %.*s"), (int)edlen, ed);
++ sudo_warnx("%s", U_("editor arguments may not contain \"--\""));
++ errno = EINVAL;
++ goto bad;
++ }
++
+ }
+ if (nfiles != 0) {
+ nargv[nargc++] = "--";
+@@ -179,6 +189,7 @@ resolve_editor(const char *ed, size_t ed
+ debug_return_str(editor_path);
+ oom:
+ sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
++bad:
+ free(editor);
+ free(editor_path);
+ if (nargv != NULL) {
+diff -up ./plugins/sudoers/sudoers.c.cve ./plugins/sudoers/sudoers.c
+--- ./plugins/sudoers/sudoers.c.cve 2023-01-17 13:50:33.718255775 +0100
++++ ./plugins/sudoers/sudoers.c 2023-01-17 14:00:53.049710094 +0100
+@@ -724,21 +724,34 @@ sudoers_policy_main(int argc, char * con
+ 
+ /* Note: must call audit before uid change. */
+ if (ISSET(sudo_mode, MODE_EDIT)) {
++ const char *env_editor = NULL;
+ char **edit_argv;
+ int edit_argc;
+- const char *env_editor;
++
+ 
+ free(safe_cmnd);
+ safe_cmnd = find_editor(NewArgc - 1, NewArgv + 1, &edit_argc,
+ &edit_argv, NULL, &env_editor, false);
+ if (safe_cmnd == NULL) {
+- if (errno != ENOENT)
+- goto done;
+- audit_failure(NewArgv, N_("%s: command not found"),
+- env_editor ? env_editor : def_editor);
+- sudo_warnx(U_("%s: command not found"),
+- env_editor ? env_editor : def_editor);
+- goto bad;
++
++ switch (errno) {
++ case ENOENT:
++ audit_failure(NewArgv, N_("%s: command not found"),
++ env_editor ? env_editor : def_editor);
++ sudo_warnx(U_("%s: command not found"),
++ env_editor ? env_editor : def_editor);
++ goto bad;
++ case EINVAL:
++ if (def_env_editor && env_editor != NULL) {
++ /* User tried to do something funny with the editor. */
++ log_warningx(SLOG_NO_STDERR|SLOG_AUDIT|SLOG_SEND_MAIL,
++ "invalid user-specified editor: %s", env_editor);
++ goto bad;
++ }
++ FALLTHROUGH;
++ default:
++ goto done;
++ }
+ }
+ sudoers_gc_add(GC_VECTOR, edit_argv);
+ NewArgv = edit_argv;
+diff -up ./plugins/sudoers/visudo.c.cve ./plugins/sudoers/visudo.c
+--- ./plugins/sudoers/visudo.c.cve 2021-01-09 21:12:16.000000000 +0100
++++ ./plugins/sudoers/visudo.c 2023-01-17 14:02:01.393135129 +0100
+@@ -303,7 +303,7 @@ static char *
+ get_editor(int *editor_argc, char ***editor_argv)
+ {
+ char *editor_path = NULL, **allowlist = NULL;
+- const char *env_editor;
++ const char *env_editor = NULL;
+ static char *files[] = { "+1", "sudoers" };
+ unsigned int allowlist_len = 0;
+ debug_decl(get_editor, SUDOERS_DEBUG_UTIL);
+@@ -337,7 +337,11 @@ get_editor(int *editor_argc, char ***edi
+ if (editor_path == NULL) {
+ if (def_env_editor && env_editor != NULL) {
+ /* We are honoring $EDITOR so this is a fatal error. */
+- sudo_fatalx(U_("specified editor (%s) doesn't exist"), env_editor);
++ if (errno == ENOENT) {
++ sudo_warnx(U_("specified editor (%s) doesn't exist"),
++ env_editor);
++ }
++ exit(EXIT_FAILURE);
+ }
+ sudo_fatalx(U_("no editor found (editor path = %s)"), def_editor);
+ }
diff --git a/SPECS/sudo.spec b/SPECS/sudo.spec
index 658e064..8c29268 100644
--- a/SPECS/sudo.spec
+++ b/SPECS/sudo.spec
@@ -1,7 +1,7 @@
 Summary: Allows restricted root access for specified users
 Name: sudo
 Version: 1.9.5p2
-Release: 7%{?dist}
+Release: 9%{?dist}
 License: ISC
 URL: https://www.sudo.ws
@@ -31,6 +31,8 @@ Patch3: sudo-1.9.5-selinux-t.patch
 Patch4: sudo-1.9.5-sesh-bad-condition.patch
 Patch5: sudo-1.9.5-utmp-leak.patch
 Patch6: covscan.patch
+Patch7: sha-digest-calc.patch
+Patch8: sudo-1.9.12-CVE-2023-22809.patch
 
 %description
 Sudo (superuser do) allows a system administrator to give certain
@@ -69,6 +71,8 @@ BuildRequires: python3-devel
 %patch4 -p1 -b .bad-cond
 %patch5 -p1 -b .utmp-leak
 %patch6 -p1 -b .covscan
+%patch7 -p1 -b .sha-digest
+%patch8 -p1 -b .cve-fix
 
 %build
 # Remove bundled copy of zlib
@@ -243,6 +247,16 @@ EOF
 %attr(0644,root,root) %{_libexecdir}/sudo/python_plugin.so
 
 %changelog
+* Thu Jan 19 2023 Radovan Sroka - 1.9.5p2-9
+RHEL 9.2.0 ERRATUM
+- CVE-2023-22809 sudo: arbitrary file write with privileges of the RunAs user
+Resolves: rhbz#2161225
+
+* Wed Jan 11 2023 Radovan Sroka - 1.9.5p2-8
+RHEL 9.2.0 ERRATUM
+- sudo digest check fails incorrectly for certain file sizes (SHA512/SHA384)
+Resolves: rhbz#2115789
+
+* Fri Aug 20 2021 Radovan Sroka - 1.9.5p2-7
 - utmp resource leak in sudo
 Resolves: rhbz#1986579
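Review bot: The `goto bad;` that replaces `free(editor); errno = ENOENT; debug_return_str(NULL);` in resolve_editor drops the explicit `errno = ENOENT`, while the two callers changed in the same patch now branch on errno (`switch (errno)` in sudoers_policy_main and `if (errno == ENOENT)` in get_editor); if find_path() returns a value other than FOUND without setting errno itself, a stale errno sends sudo to `default: goto done` with no "command not found" report and makes visudo exit without a message. Putting `errno = ENOENT;` back before that `goto bad;` keeps the contract inside this function, and saving errno across the `free()` calls at `bad:` (`int serrno = errno;` before them, `errno = serrno;` before the return) would remove the remaining dependence on the allocator preserving it. The new `"--"` check also jumps to `bad:` while the string just stored in `nargv[nargc]` has not yet been counted; if the cleanup there frees only `nargv[0..nargc-1]` (its body is outside the hunk) that element leaks on this path. The enclosing functions in all three files start and end outside their hunks.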