Headline
CVE-2022-43995: Fix CVE-2022-43995, potential heap overflow for passwords < 8 charact… · sudo-project/sudo@bd209b9
Sudo 1.8.0 through 1.9.12, with the crypt() password backend, contains a plugins/sudoers/auth/passwd.c array-out-of-bounds error that can result in a heap-based buffer over-read. This can be triggered by arbitrary local users with access to Sudo by entering a password of seven characters or fewer. The impact could vary depending on the compiler and processor architecture.
@@ -63,7 +63,7 @@ sudo_passwd_init(struct passwd *pw, sudo_auth *auth) int sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_conv_callback *callback) { char sav, *epass; char des_pass[9], *epass; char *pw_epasswd = auth->data; size_t pw_len; int matched = 0; @@ -75,20 +75,19 @@ sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_c
/* * Truncate to 8 chars if standard DES since not all crypt()'s do this. * If this turns out not to be safe we will have to use OS #ifdef’s (sigh). */ sav = pass[8]; pw_len = strlen(pw_epasswd); if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len)) pass[8] = '\0’; if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len)) { strlcpy(des_pass, pass, sizeof(des_pass)); pass = des_pass; }
/* * Normal UN*X password check. * HP-UX may add aging info (separated by a ‘,’) at the end so * only compare the first DESLEN characters in that case. */ epass = (char *) crypt(pass, pw_epasswd); pass[8] = sav; if (epass != NULL) { if (HAS_AGEINFO(pw_epasswd, pw_len) && strlen(epass) == DESLEN) matched = !strncmp(pw_epasswd, epass, DESLEN);
Related news
Dell VxRail versions earlier than 7.0.450, contain(s) an OS command injection vulnerability in VxRail Manager. A local authenticated attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker.
Sudo before 1.9.13p2 has a double free in the per-command chroot feature.
Gentoo Linux Security Advisory 202211-8 - A vulnerability has been discovered in sudo which could result in denial of service. Versions less than 1.9.12-r1 are affected.
The sudoedit personality of Sudo before 1.9.5 may allow a local unprivileged user to perform arbitrary directory-existence tests by winning a sudo_edit.c race condition in replacing a user-controlled directory by a symlink to an arbitrary path.