Bug 269030 - [PATCH] security/sudo update 1.9.12p2 (fix CVE-2023-22809)
Summary: [PATCH] security/sudo update 1.9.12p2 (fix CVE-2023-22809)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal / Affects Many People
Assignee: Renato Botelho
URL:
Keywords: security
Depends on:
Blocks:
 
Reported: 2023-01-18 16:24 UTC by Cy Schubert
Modified: 2023-02-27 18:05 UTC
CC: 4 users

See Also:
garga: maintainer-feedback+
fluffy: merge-quarterly+


Attachments
Update to 1.9.12p2 (1.81 KB, patch)
2023-01-18 16:27 UTC, Cy Schubert

Description Cy Schubert freebsd_committer freebsd_triage 2023-01-18 16:24:52 UTC
Sudo version 1.9.12p2 is now available which fixes several bugs in
sudo 1.9.12.  It includes a fix for CVE-2023-22809, a bug that could
allow a user with "sudoedit" privileges to edit arbitrary files.
See https://www.sudo.ws/security/advisories/sudoedit_any/ for details.

Source:
    https://www.sudo.ws/dist/sudo-1.9.12p2.tar.gz
    ftp://ftp.sudo.ws/pub/sudo/sudo-1.9.12p2.tar.gz

SHA256 checksum:
    b9a0b1ae0f1ddd9be7f3eafe70be05ee81f572f6f536632c44cd4101bb2a8539
MD5 checksum:
    2c67b10f2aca4698eef0491142653382

Binary packages:
    https://www.sudo.ws/getting/packages/
    https://github.com/sudo-project/sudo/releases/tag/SUDO_1_9_12p2

For a list of download mirror sites, see:
    https://www.sudo.ws/getting/download_mirrors/

Sudo web site:
    https://www.sudo.ws/

Major changes between sudo 1.9.12p2 and 1.9.12p1:

 * Fixed a compilation error on Linux/aarch64.  GitHub issue #197.

 * Fixed a potential crash introduced in the fix for GitHub issue #134.
   If a user's sudoers entry did not have any RunAs users set,
   running "sudo -U otheruser -l" would dereference a NULL pointer.

 * Fixed a bug introduced in sudo 1.9.12 that could prevent sudo
   from creating I/O log files when the "iolog_file" sudoers setting
   contains six or more Xs.

 * Fixed CVE-2023-22809, a flaw in sudo's -e option (aka sudoedit)
   that could allow a malicious user with sudoedit privileges to
   edit arbitrary files.
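A version check for this fix, as an added example that is not part of the bug report or of the sudo project: it orders sudo's `major.minor.micro[pN]` version strings (a missing `pN` patch level ranks below `p1`) and reports whether a given version is 1.9.12p2 or later; the `installed_sudo_version` helper reads the "Sudo version X.Y.Z" first line of `sudo --version`.

```shell
#!/bin/sh
# Added example, not from the bug report or the sudo project: decide whether a
# sudo release is 1.9.12p2 or newer, i.e. carries the CVE-2023-22809 fix.
# sudo versions look like "1.9.12", "1.9.12p1", "1.9.12p2"; a missing "pN"
# patch level counts as p0, so 1.9.12 < 1.9.12p1 < 1.9.12p2 < 1.9.13.

FIXED_VERSION=1.9.12p2

# Print a single integer that orders sudo version strings correctly.
version_key() {
    v=$1
    case $v in
        *p*) patch=${v##*p}; v=${v%%p*} ;;
        *)   patch=0 ;;
    esac
    IFS=.
    set -- $v
    unset IFS
    echo $(( ((${1:-0} * 1000 + ${2:-0}) * 1000 + ${3:-0}) * 1000 + patch ))
}

# Exit status 0 (true) when the given version already contains the fix.
sudo_fixed_for_cve_2023_22809() {
    [ "$(version_key "$1")" -ge "$(version_key "$FIXED_VERSION")" ]
}

# First line of `sudo --version` is "Sudo version X.Y.Z[pN]"; print X.Y.Z[pN].
installed_sudo_version() {
    sudo --version 2>/dev/null | sed -n '1s/^Sudo version //p'
}

# Report on the locally installed sudo, if any.
if command -v sudo >/dev/null 2>&1; then
    installed=$(installed_sudo_version)
    if sudo_fixed_for_cve_2023_22809 "$installed"; then
        echo "sudo $installed: CVE-2023-22809 fixed (>= $FIXED_VERSION)"
    else
        echo "sudo $installed: update to $FIXED_VERSION or later"
    fi
else
    echo "sudo not installed on this host"
fi
```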
Comment 1 Cy Schubert freebsd_committer freebsd_triage 2023-01-18 16:27:14 UTC
Created attachment 239559 [details]
Update to 1.9.12p2

Added patch now that I know the PR number, in case maintainer passes it back to me to commit.
Comment 2 Cy Schubert freebsd_committer freebsd_triage 2023-01-18 16:28:41 UTC
Bump to "Affects Many People" because of CVE-2023-22809, which allows users of sudoedit to edit arbitrary files.
Comment 3 Renato Botelho freebsd_committer freebsd_triage 2023-01-18 17:03:01 UTC
Approved.  Thanks!
Comment 4 commit-hook freebsd_committer freebsd_triage 2023-01-18 17:09:46 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=8f8bd813f3139d6f6ff35704808111c4ad1f053a

commit 8f8bd813f3139d6f6ff35704808111c4ad1f053a
Author:     Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2023-01-18 16:20:58 +0000
Commit:     Cy Schubert <cy@FreeBSD.org>
CommitDate: 2023-01-18 17:08:35 +0000

    security/sudo: Update to 1.9.12p2

    Major changes between sudo 1.9.12p2 and 1.9.12p1:

     * Fixed a compilation error on Linux/aarch64.  GitHub issue #197.

     * Fixed a potential crash introduced in the fix for GitHub issue #134.
       If a user's sudoers entry did not have any RunAs users set,
       running "sudo -U otheruser -l" would dereference a NULL pointer.

     * Fixed a bug introduced in sudo 1.9.12 that could prevent sudo
       from creating I/O log files when the "iolog_file" sudoers setting
       contains six or more Xs.

     * Fixed CVE-2023-22809, a flaw in sudo's -e option (aka sudoedit)
       that could allow a malicious user with sudoedit privileges to
       edit arbitrary files.

    PR:             269030
    Submitted by:   cy
    Reported by:    cy
    Approved by:    garga
    MFH:            2023Q1
    Security:       CVE-2023-22809

 security/sudo/Makefile | 2 +-
 security/sudo/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
Comment 5 commit-hook freebsd_committer freebsd_triage 2023-01-18 20:16:15 UTC
A commit in branch 2023Q1 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=e4b0eefa183226d3d6cb8be568a5a3aa586c12b9

commit e4b0eefa183226d3d6cb8be568a5a3aa586c12b9
Author:     Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2023-01-18 16:20:58 +0000
Commit:     Renato Botelho <garga@FreeBSD.org>
CommitDate: 2023-01-18 20:15:38 +0000

    security/sudo: Update to 1.9.12p2

    Major changes between sudo 1.9.12p2 and 1.9.12p1:

     * Fixed a compilation error on Linux/aarch64.  GitHub issue #197.

     * Fixed a potential crash introduced in the fix for GitHub issue #134.
       If a user's sudoers entry did not have any RunAs users set,
       running "sudo -U otheruser -l" would dereference a NULL pointer.

     * Fixed a bug introduced in sudo 1.9.12 that could prevent sudo
       from creating I/O log files when the "iolog_file" sudoers setting
       contains six or more Xs.

     * Fixed CVE-2023-22809, a flaw in sudo's -e option (aka sudoedit)
       that could allow a malicious user with sudoedit privileges to
       edit arbitrary files.

    PR:             269030
    Submitted by:   cy
    Reported by:    cy
    Approved by:    garga
    MFH:            2023Q1
    Security:       CVE-2023-22809

    (cherry picked from commit 8f8bd813f3139d6f6ff35704808111c4ad1f053a)

 security/sudo/Makefile | 2 +-
 security/sudo/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
Comment 6 Cy Schubert freebsd_committer freebsd_triage 2023-01-20 16:43:39 UTC
Fixed.
Comment 7 Graham Perrin freebsd_committer freebsd_triage 2023-01-21 05:37:35 UTC
Thanks, should there be a VuXML entry? 

22 counted at <https://www.freshports.org/vuxml.php?package=sudo>, not including CVE-2023-22809.