From 65742d1686905358cb3f4a84098986fee39b760c Mon Sep 17 00:00:00 2001
From: Natanael Copa <ncopa@alpinelinux.org>
Date: Wed, 5 Feb 2020 12:04:41 +0100
Subject: main/sudo: fix CVE-2019-14287

---
 main/sudo/APKBUILD             |  10 ++-
 main/sudo/CVE-2019-14287.patch | 196 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 204 insertions(+), 2 deletions(-)
 create mode 100644 main/sudo/CVE-2019-14287.patch

diff --git a/main/sudo/APKBUILD b/main/sudo/APKBUILD
index 11d7f6df60..4400cf8063 100644
--- a/main/sudo/APKBUILD
+++ b/main/sudo/APKBUILD
@@ -8,7 +8,7 @@ if [ "${pkgver%_*}" != "$pkgver" ]; then
 else
 	_realver=$pkgver
 fi
-pkgrel=2
+pkgrel=3
 pkgdesc="Give certain users the ability to run some commands as root"
 url="https://www.sudo.ws/sudo/"
 arch="all"
@@ -21,10 +21,15 @@ source="https://www.sudo.ws/dist/sudo-${_realver}.tar.gz
 	fix-tests.patch
 	libcrypt.patch
 	musl-fix-headers.patch
+	CVE-2019-14287.patch
 	"
 options="suid"
 
 # secfixes:
+#   1.8.23-r3:
+#   - CVE-2019-14287
+#   1.8.25_p1-r3:
+#   - CVE-2019-14287
 #   1.8.20_p2-r0:
 #   - CVE-2017-1000368
 
@@ -69,4 +74,5 @@ sha512sums="a9d61850a4857bfd075547a13efb13b054e4736e3ebe3c8a98a90a090b1d9b968835
 f0f462f40502da2194310fe4a72ec1a16ba40f95a821ba9aa6aabaa423d28c4ab26b684afa7fb81c2407cf60de9327bdab01de51b878c5d4de49b0d62645f53c  fix-cross-compile.patch
 b2d7816d334826545420c578114e5af361ced65c00e5bfc2e0b16f3c9325aa9d2b902defeebb181da3cf7bc6aba3a59a496293d2f11d83c9793f11138ba50343  fix-tests.patch
 5ad20254aa587ef615f794081ecd55344eada5cf8c1a1d7956cc3f73375554716c483eeb74081da9a8501afce92cfbaf2abe59d1067aac67ce6e4874eb5a23e1  libcrypt.patch
-113416fed7532c6092687c8bdd9913d04888d2f0a32e4333dd27a6b3d39145717ad5c3b3f05ba11bd6462612a9a013d446d254d50b2b651c33eeebe670f41ab5  musl-fix-headers.patch"
+113416fed7532c6092687c8bdd9913d04888d2f0a32e4333dd27a6b3d39145717ad5c3b3f05ba11bd6462612a9a013d446d254d50b2b651c33eeebe670f41ab5  musl-fix-headers.patch
+347431718717ff00f11375df4c039e778be3f873014f68586054915bca9f818f8fd000ea256ac97739026bc36f32dd771afc69c290ee9f6ae7aa29752b2328e1  CVE-2019-14287.patch"
diff --git a/main/sudo/CVE-2019-14287.patch b/main/sudo/CVE-2019-14287.patch
new file mode 100644
index 0000000000..79794104d1
--- /dev/null
+++ b/main/sudo/CVE-2019-14287.patch
@@ -0,0 +1,196 @@
+Treat an ID of -1 as invalid since that means "no change".
+Fixes CVE-2019-14287.
+Found by Joe Vennix from Apple Information Security.
+
+Patch ported from:
+
+* https://www.sudo.ws/repos/sudo/rev/83db8dba09e7
+* https://www.sudo.ws/repos/sudo/rev/db06a8336c09
+
+--- a/lib/util/strtoid.c	Sun Oct 06 10:46:18 2019 -0600
++++ b/lib/util/strtoid.c	Thu Oct 10 10:04:13 2019 -0600
+@@ -49,6 +49,27 @@
+ #include "sudo_util.h"
+ 
+ /*
++ * Make sure that the ID ends with a valid separator char.
++ */
++static bool
++valid_separator(const char *p, const char *ep, const char *sep)
++{
++    bool valid = false;
++    debug_decl(valid_separator, SUDO_DEBUG_UTIL)
++
++    if (ep != p) {
++	/* check for valid separator (including '\0') */
++	if (sep == NULL)
++	    sep = "";
++	do {
++	    if (*ep == *sep)
++		valid = true;
++	} while (*sep++ != '\0');
++    }
++    debug_return_bool(valid);
++}
++
++/*
+  * Parse a uid/gid in string form.
+  * If sep is non-NULL, it contains valid separator characters (e.g. comma, space)
+  * If endp is non-NULL it is set to the next char after the ID.
+@@ -62,38 +83,35 @@
+     char *ep;
+     id_t ret = 0;
+     long long llval;
+-    bool valid = false;
+     debug_decl(sudo_strtoid, SUDO_DEBUG_UTIL)
+ 
+     /* skip leading space so we can pick up the sign, if any */
+     while (isspace((unsigned char)*p))
+ 	p++;
+-    if (sep == NULL)
+-	sep = "";
++
++    /* While id_t may be 64-bit signed, uid_t and gid_t are 32-bit unsigned. */
+     errno = 0;
+     llval = strtoll(p, &ep, 10);
+-    if (ep != p) {
+-	/* check for valid separator (including '\0') */
+-	do {
+-	    if (*ep == *sep)
+-		valid = true;
+-	} while (*sep++ != '\0');
++    if ((errno == ERANGE && llval == LLONG_MAX) || llval > (id_t)UINT_MAX) {
++	errno = ERANGE;
++	if (errstr != NULL)
++	    *errstr = N_("value too large");
++	goto done;
+     }
+-    if (!valid) {
++    if ((errno == ERANGE && llval == LLONG_MIN) || llval < INT_MIN) {
++	errno = ERANGE;
++	if (errstr != NULL)
++	    *errstr = N_("value too small");
++	goto done;
++    }
++
++    /* Disallow id -1, which means "no change". */
++    if (!valid_separator(p, ep, sep) || llval == -1 || llval == (id_t)UINT_MAX) {
+ 	if (errstr != NULL)
+ 	    *errstr = N_("invalid value");
+ 	errno = EINVAL;
+ 	goto done;
+     }
+-    if (errno == ERANGE) {
+-	if (errstr != NULL) {
+-	    if (llval == LLONG_MAX)
+-		*errstr = N_("value too large");
+-	    else
+-		*errstr = N_("value too small");
+-	}
+-	goto done;
+-    }
+     ret = (id_t)llval;
+     if (errstr != NULL)
+ 	*errstr = NULL;
+@@ -108,30 +126,15 @@
+ {
+     char *ep;
+     id_t ret = 0;
+-    bool valid = false;
+     debug_decl(sudo_strtoid, SUDO_DEBUG_UTIL)
+ 
+     /* skip leading space so we can pick up the sign, if any */
+     while (isspace((unsigned char)*p))
+ 	p++;
+-    if (sep == NULL)
+-	sep = "";
++
+     errno = 0;
+     if (*p == '-') {
+ 	long lval = strtol(p, &ep, 10);
+-	if (ep != p) {
+-	    /* check for valid separator (including '\0') */
+-	    do {
+-		if (*ep == *sep)
+-		    valid = true;
+-	    } while (*sep++ != '\0');
+-	}
+-	if (!valid) {
+-	    if (errstr != NULL)
+-		*errstr = N_("invalid value");
+-	    errno = EINVAL;
+-	    goto done;
+-	}
+ 	if ((errno == ERANGE && lval == LONG_MAX) || lval > INT_MAX) {
+ 	    errno = ERANGE;
+ 	    if (errstr != NULL)
+@@ -144,28 +147,31 @@
+ 		*errstr = N_("value too small");
+ 	    goto done;
+ 	}
+-	ret = (id_t)lval;
+-    } else {
+-	unsigned long ulval = strtoul(p, &ep, 10);
+-	if (ep != p) {
+-	    /* check for valid separator (including '\0') */
+-	    do {
+-		if (*ep == *sep)
+-		    valid = true;
+-	    } while (*sep++ != '\0');
+-	}
+-	if (!valid) {
++
++	/* Disallow id -1, which means "no change". */
++	if (!valid_separator(p, ep, sep) || lval == -1) {
+ 	    if (errstr != NULL)
+ 		*errstr = N_("invalid value");
+ 	    errno = EINVAL;
+ 	    goto done;
+ 	}
++	ret = (id_t)lval;
++    } else {
++	unsigned long ulval = strtoul(p, &ep, 10);
+ 	if ((errno == ERANGE && ulval == ULONG_MAX) || ulval > UINT_MAX) {
+ 	    errno = ERANGE;
+ 	    if (errstr != NULL)
+ 		*errstr = N_("value too large");
+ 	    goto done;
+ 	}
++
++	/* Disallow id -1, which means "no change". */
++	if (!valid_separator(p, ep, sep) || ulval == UINT_MAX) {
++	    if (errstr != NULL)
++		*errstr = N_("invalid value");
++	    errno = EINVAL;
++	    goto done;
++	}
+ 	ret = (id_t)ulval;
+     }
+     if (errstr != NULL)
+
+
+diff -r 83db8dba09e7 -r db06a8336c09 plugins/sudoers/regress/testsudoers/test5.out.ok
+--- a/plugins/sudoers/regress/testsudoers/test5.out.ok	Thu Oct 10 10:04:13 2019 -0600
++++ b/plugins/sudoers/regress/testsudoers/test5.out.ok	Thu Oct 10 10:04:13 2019 -0600
+@@ -4,7 +4,7 @@
+ Entries for user root:
+ 
+ Command unmatched
+-testsudoers: test5.inc should be owned by gid 4294967295
++testsudoers: test5.inc should be owned by gid 4294967294
+ Parse error in sudoers near line 1.
+ 
+ Entries for user root:
+diff -r 83db8dba09e7 -r db06a8336c09 plugins/sudoers/regress/testsudoers/test5.sh
+--- a/plugins/sudoers/regress/testsudoers/test5.sh	Thu Oct 10 10:04:13 2019 -0600
++++ b/plugins/sudoers/regress/testsudoers/test5.sh	Thu Oct 10 10:04:13 2019 -0600
+@@ -24,7 +24,7 @@
+ 
+ # Test group writable
+ chmod 664 $TESTFILE
+-./testsudoers -U $MYUID -G -1 root id <<EOF
++./testsudoers -U $MYUID -G -2 root id <<EOF
+ #include $TESTFILE
+ EOF
+ 
+
-- 
cgit v1.2.3