Version in base suite: 1.8.27-1+deb10u1

Base version: sudo_1.8.27-1+deb10u1
Target version: sudo_1.8.27-1+deb10u2
Base file: /srv/ftp-master.debian.org/ftp/pool/main/s/sudo/sudo_1.8.27-1+deb10u1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/s/sudo/sudo_1.8.27-1+deb10u2.dsc

 changelog                                                          |    8 
 patches/Fix-a-buffer-overflow-when-pwfeedback-is-enabled-and.patch |   95 ++++++++++
 patches/series                                                     |    1 
 3 files changed, 104 insertions(+)

diff -Nru sudo-1.8.27/debian/changelog sudo-1.8.27/debian/changelog
--- sudo-1.8.27/debian/changelog	2019-10-12 13:49:01.000000000 +0000
+++ sudo-1.8.27/debian/changelog	2020-02-02 07:41:42.000000000 +0000
@@ -1,3 +1,11 @@
+sudo (1.8.27-1+deb10u2) buster; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix a buffer overflow when pwfeedback is enabled and input is a not a tty
+    (CVE-2019-18634) (Closes: #950371)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Sun, 02 Feb 2020 08:41:42 +0100
+
 sudo (1.8.27-1+deb10u1) buster-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff -Nru sudo-1.8.27/debian/patches/Fix-a-buffer-overflow-when-pwfeedback-is-enabled-and.patch sudo-1.8.27/debian/patches/Fix-a-buffer-overflow-when-pwfeedback-is-enabled-and.patch
--- sudo-1.8.27/debian/patches/Fix-a-buffer-overflow-when-pwfeedback-is-enabled-and.patch	1970-01-01 00:00:00.000000000 +0000
+++ sudo-1.8.27/debian/patches/Fix-a-buffer-overflow-when-pwfeedback-is-enabled-and.patch	2020-02-02 07:41:42.000000000 +0000
@@ -0,0 +1,95 @@
+From: "Todd C. Miller" <Todd.Miller@sudo.ws>
+Date: Wed, 29 Jan 2020 20:15:21 -0700
+Subject: Fix a buffer overflow when pwfeedback is enabled and input is a not a
+ tty. In getln() if the user enters ^U (erase line) and the write(2) fails,
+ the remaining buffer size is reset but the current pointer is not. While
+ here, fix an incorrect break for erase when write(2) fails. Also disable
+ pwfeedback when input is not a tty as it cannot work. CVE-2019-18634 Credit:
+ Joe Vennix from Apple Information Security.
+Origin: https://github.com/sudo-project/sudo/commit/b5d2010b6514ff45693509273bb07df3abb0bf0a
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-18634
+Bug-Debian: https://bugs.debian.org/950371
+
+--HG--
+branch : 1.8
+[Salvatore Bonaccorso: Backport to 1.8.27 for context changes]
+---
+ src/tgetpass.c | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+--- a/src/tgetpass.c
++++ b/src/tgetpass.c
+@@ -60,7 +60,7 @@ static volatile sig_atomic_t signo[NSIG]
+ 
+ static bool tty_present(void);
+ static void tgetpass_handler(int);
+-static char *getln(int, char *, size_t, int, enum tgetpass_errval *);
++static char *getln(int, char *, size_t, bool, enum tgetpass_errval *);
+ static char *sudo_askpass(const char *, const char *);
+ 
+ static int
+@@ -123,6 +123,7 @@ tgetpass(const char *prompt, int timeout
+     static const char *askpass;
+     static char buf[SUDO_CONV_REPL_MAX + 1];
+     int i, input, output, save_errno, neednl = 0, need_restart;
++    bool feedback = ISSET(flags, TGP_MASK);
+     enum tgetpass_errval errval;
+     debug_decl(tgetpass, SUDO_DEBUG_CONV)
+ 
+@@ -170,7 +171,7 @@ restart:
+      */
+     if (!ISSET(flags, TGP_ECHO)) {
+ 	for (;;) {
+-	    if (ISSET(flags, TGP_MASK))
++	    if (feedback)
+ 		neednl = sudo_term_cbreak(input);
+ 	    else
+ 		neednl = sudo_term_noecho(input);
+@@ -184,6 +185,9 @@ restart:
+ 	    }
+ 	}
+     }
++    /* Only use feedback mode when we can disable echo. */
++    if (!neednl)
++	feedback = false;
+ 
+     /*
+      * Catch signals that would otherwise cause the user to end
+@@ -209,7 +213,7 @@ restart:
+ 
+     if (timeout > 0)
+ 	alarm(timeout);
+-    pass = getln(input, buf, sizeof(buf), ISSET(flags, TGP_MASK), &errval);
++    pass = getln(input, buf, sizeof(buf), feedback, &errval);
+     alarm(0);
+     save_errno = errno;
+ 
+@@ -345,7 +349,7 @@ sudo_askpass(const char *askpass, const
+ extern int sudo_term_eof, sudo_term_erase, sudo_term_kill;
+ 
+ static char *
+-getln(int fd, char *buf, size_t bufsiz, int feedback,
++getln(int fd, char *buf, size_t bufsiz, bool feedback,
+     enum tgetpass_errval *errval)
+ {
+     size_t left = bufsiz;
+@@ -374,15 +378,15 @@ getln(int fd, char *buf, size_t bufsiz,
+ 		while (cp > buf) {
+ 		    if (write(fd, "\b \b", 3) == -1)
+ 			break;
+-		    --cp;
++		    cp--;
+ 		}
++		cp = buf;
+ 		left = bufsiz;
+ 		continue;
+ 	    } else if (c == sudo_term_erase) {
+ 		if (cp > buf) {
+-		    if (write(fd, "\b \b", 3) == -1)
+-			break;
+-		    --cp;
++		    ignore_result(write(fd, "\b \b", 3));
++		    cp--;
+ 		    left++;
+ 		}
+ 		continue;
diff -Nru sudo-1.8.27/debian/patches/series sudo-1.8.27/debian/patches/series
--- sudo-1.8.27/debian/patches/series	2019-10-12 13:49:01.000000000 +0000
+++ sudo-1.8.27/debian/patches/series	2020-02-02 07:41:42.000000000 +0000
@@ -3,3 +3,4 @@
 Whitelist-DPKG_COLORS-environment-variable.diff
 sudo_minus_1_uid.diff
 strtoid_minus_1_test_fix.diff
+Fix-a-buffer-overflow-when-pwfeedback-is-enabled-and.patch