Fix CVE-2022-43995, potential heap overflow for passwords < 8 characters.

Starting with sudo 1.8.0 the plaintext password buffer is dynamically
sized so it is not safe to assume that it is at least 9 bytes in size.
Found by Hugo Lefeuvre (University of Manchester) with ConfFuzz.
millert committed Oct 28, 2022
1 parent c78e78d commit bd209b9
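The commit message above gives the root cause in one sentence: the plugin receives a password buffer of exactly strlen(pass) + 1 bytes, so touching pass[8] is only safe when the password is at least 8 characters long. The example below is added here to make that boundary concrete; it is not sudo's code. It reimplements the old in-place truncation with a bounds check so it reports, rather than performs, the out-of-bounds access, and sets the copy-based approach of the fix beside it. DES_PASS_MAX, bounded_copy (a local strlcpy substitute, since glibc only gained strlcpy in 2.38), and the function names are assumptions chosen for the example; the sample passwords are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption for this example: classic DES crypt() keys on at most 8
 * characters, so both variants truncate to 8. DES_PASS_MAX is a name
 * chosen here, not an identifier from sudo. */
#define DES_PASS_MAX 8

/* strlcpy-style bounded copy, defined locally because glibc only gained
 * strlcpy() in 2.38. Always NUL-terminates when dstsz > 0; returns
 * strlen(src) so callers can detect truncation. */
static size_t bounded_copy(char *dst, const char *src, size_t dstsz)
{
    size_t srclen = strlen(src);
    if (dstsz > 0) {
        size_t n = srclen < dstsz - 1 ? srclen : dstsz - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Pre-fix pattern: terminate the caller's buffer in place at index 8 and
 * remember the overwritten byte. The real code did this unconditionally;
 * here the access is checked against the actual allocation size so the
 * example never performs the out-of-bounds write. Returns 1 if the
 * in-place write happened, 0 if pass[8] lies outside the buffer. */
static int legacy_truncate_in_place(char *pass, size_t bufsz, char *saved)
{
    if (bufsz <= DES_PASS_MAX)      /* index 8 needs at least 9 bytes */
        return 0;                   /* the CVE-2022-43995 condition */
    *saved = pass[DES_PASS_MAX];
    pass[DES_PASS_MAX] = '\0';
    return 1;
}

/* Post-fix pattern: never write into the caller's buffer; copy at most 8
 * characters into a fixed-size local and hand that to crypt() instead.
 * Returns the length crypt() would see. */
static size_t fixed_truncate_copy(const char *pass, char des_pass[DES_PASS_MAX + 1])
{
    bounded_copy(des_pass, pass, DES_PASS_MAX + 1);
    return strlen(des_pass);
}

/* Size of the buffer the plugin actually receives for a given password
 * (dynamically sized since sudo 1.8.0, per the commit message). */
static size_t password_buffer_size(const char *pass)
{
    return strlen(pass) + 1;
}

int main(void)
{
    /* Constructed sample passwords, not real credentials. */
    const char *samples[] = { "abc", "exactly8", "longerthan8chars" };
    for (size_t i = 0; i < 3; i++) {
        size_t bufsz = password_buffer_size(samples[i]);
        char *pass = malloc(bufsz);
        char saved = 0, des_pass[DES_PASS_MAX + 1];
        if (pass == NULL)
            return 1;
        memcpy(pass, samples[i], bufsz);

        int ok = legacy_truncate_in_place(pass, bufsz, &saved);
        printf("%-18s buf=%2zu legacy: %s", samples[i], bufsz,
               ok ? "in-bounds write" : "pass[8] OUT OF BOUNDS");
        if (ok)
            pass[DES_PASS_MAX] = saved;     /* the old restore step */

        fixed_truncate_copy(samples[i], des_pass);
        printf("  fixed: crypt() sees \"%s\"\n", des_pass);
        free(pass);
    }
    return 0;
}
```

Run it under AddressSanitizer with the bounds check in legacy_truncate_in_place removed and the "abc" case turns into a one-byte heap write five bytes past the end of a 4-byte allocation, which is exactly what the old save/terminate/restore sequence did three times per call.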
Showing 1 changed file with 5 additions and 6 deletions.
11 changes: 5 additions & 6 deletions plugins/sudoers/auth/passwd.c
@@ -63,7 +63,7 @@ sudo_passwd_init(struct passwd *pw, sudo_auth *auth)
int
sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_conv_callback *callback)
{
char sav, *epass;
char des_pass[9], *epass;
char *pw_epasswd = auth->data;
size_t pw_len;
int matched = 0;
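Review bot: the literal 9 in `char des_pass[9], *epass;` encodes the 8-character DES key limit plus a terminator, but nothing ties it to the `strlcpy(des_pass, pass, sizeof(des_pass))` call further down or to the "Truncate to 8 chars" comment; a named constant (for instance a define for the 8-character limit with `des_pass[LIMIT + 1]`) would keep the two from drifting, and note that `DESLEN` is the hash length, so it is not the right constant to reuse here. Also, `des_pass` is a second stack copy of the plaintext password and no clearing of it is visible in this diff; consider wiping it before `sudo_passwd_verify` returns.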
@@ -75,20 +75,19 @@ sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_c

/*
* Truncate to 8 chars if standard DES since not all crypt()'s do this.
* If this turns out not to be safe we will have to use OS #ifdef's (sigh).
*/
sav = pass[8];
pw_len = strlen(pw_epasswd);
if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len))
pass[8] = '\0';
if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len)) {
strlcpy(des_pass, pass, sizeof(des_pass));
pass = des_pass;
}

/*
* Normal UN*X password check.
* HP-UX may add aging info (separated by a ',') at the end so
* only compare the first DESLEN characters in that case.
*/
epass = (char *) crypt(pass, pw_epasswd);
pass[8] = sav;
if (epass != NULL) {
if (HAS_AGEINFO(pw_epasswd, pw_len) && strlen(epass) == DESLEN)
matched = !strncmp(pw_epasswd, epass, DESLEN);
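Review bot: the comment kept at the top of this hunk, "If this turns out not to be safe we will have to use OS #ifdef's (sigh).", described the in-place write to `pass[8]` that this hunk removes; with the copy into `des_pass` the caller's buffer is no longer written, so that sentence is stale and should be reworded to say the copy exists because the password buffer may be shorter than 9 bytes, which is the reason given in the commit message. Since `pass` is no longer modified, dropping the `sav` save/restore pair around `crypt()` is correct, and because `pass = des_pass;` is confined to the DES branch the non-DES path still hands the untruncated password to `crypt()` as before.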

0 comments on commit bd209b9
