| Summary: | <app-admin/sudo-1.9.12-r1: buffer overflow with very small passwords | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | base-system |
| Priority: | Normal | Keywords: | PullRequest |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://github.com/sudo-project/sudo/commit/bd209b9f16fcd1270c13db27ae3329c677d48050 | | |
| See Also: | https://github.com/gentoo/gentoo/pull/28143 | | |
| Whiteboard: | A3 [glsa+] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 879953 | | |
| Bug Blocks: | | | |

Description
John Helmert III
2022-11-02 20:21:54 UTC
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5eca952121b4f64dc7c40f81338384bf299ee771

commit 5eca952121b4f64dc7c40f81338384bf299ee771
Author: John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-11-05 00:39:58 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2022-11-05 02:06:35 +0000

app-admin/sudo: patch CVE-2022-43995

Bug: https://bugs.gentoo.org/879209
Signed-off-by: John Helmert III <ajak@gentoo.org>
Closes: https://github.com/gentoo/gentoo/pull/28143
Signed-off-by: Sam James <sam@gentoo.org>

.../sudo/files/sudo-1.9.12-CVE-2022-43995.patch | 53 ++++
app-admin/sudo/sudo-1.9.12-r1.ebuild | 287 +++++++++++++++++++++
2 files changed, 340 insertions(+)

---

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bd464e04dac31f761430fb3c8f2cb940f3f44463

commit bd464e04dac31f761430fb3c8f2cb940f3f44463
Author: Sam James <sam@gentoo.org>
AuthorDate: 2022-11-06 03:35:55 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2022-11-06 03:36:47 +0000

app-admin/sudo: add 1.9.12_p1

Note that CVE-2022-43995 was already fixed in Gentoo in 1.9.12-r1
(5eca952121b4f64dc7c40f81338384bf299ee771) but tagging the bug for
completeness.

Bug: https://bugs.gentoo.org/879209
Closes: https://bugs.gentoo.org/862201
Signed-off-by: Sam James <sam@gentoo.org>

app-admin/sudo/Manifest | 2 +
app-admin/sudo/sudo-1.9.12_p1.ebuild | 286 +++++++++++++++++++++++++++++++++++
app-admin/sudo/sudo-9999.ebuild | 14 +-
3 files changed, 297 insertions(+), 5 deletions(-)

---

GLSA request filed

---

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/data/glsa.git/commit/?id=90304100a99e24458f3a757fd7288607e1786e6b

commit 90304100a99e24458f3a757fd7288607e1786e6b
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-11-22 03:52:48 +0000
Commit: John Helmert III <ajak@gentoo.org>
CommitDate: 2022-11-22 03:59:40 +0000

[ GLSA 202211-08 ] sudo: Heap-Based Buffer Overread

Bug: https://bugs.gentoo.org/879209
Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
Signed-off-by: John Helmert III <ajak@gentoo.org>

glsa-202211-08.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 42 insertions(+)

---

GLSA released, waiting for cleanup

---

For users' clarity: 1.9.12_p1 includes the fix. See e.g. the git log:
https://gitweb.gentoo.org/repo/gentoo.git/log/app-admin/sudo?showmsg=1

---

(In reply to Teika kazura from comment #6)
> For users' clarity: 1.9.12_p1 includes the fix. See e.g. the git log:
> https://gitweb.gentoo.org/repo/gentoo.git/log/app-admin/sudo?showmsg=1

You mean the commits that referenced this bug and are thus included as comments in this bug? ;)