isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Limit regular expressions to 1024 characters each.

Browse Source 
Avoids a problem with the fuzzer creating large regular expressions
that blow up the glibc regcomp().
This commit is contained in:
Todd C. Miller
2022-02-12 09:33:02 -07:00
parent 63b2a62f8a
commit 33f54c853b
6 changed files with 26 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
docs/sudo_logsrvd.conf.man.in
View File

@@ -16,7 +16,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.TH "SUDO_LOGSRVD.CONF" "@mansectform@" "February 11, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.TH "SUDO_LOGSRVD.CONF" "@mansectform@" "February 12, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh
.if n .ad l
.SH "NAME"
@@ -647,6 +647,7 @@ it will be matched in a case-insensitive manner.
Multiple
\fIpassprompt_regex\fR
settings may be specified.
Each regular expression is limited to 1024 characters.
The default value is
\(lq[Pp]assword[: ]*\(rq.
.SS "eventlog"

3
docs/sudo_logsrvd.conf.mdoc.in
View File

@@ -15,7 +15,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd February 11, 2022
.Dd February 12, 2022
.Dt SUDO_LOGSRVD.CONF @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
@@ -577,6 +577,7 @@ it will be matched in a case-insensitive manner.
Multiple
.Em passprompt_regex
settings may be specified.
Each regular expression is limited to 1024 characters.
The default value is
.Dq [Pp]assword[: ]* .
.El

6
docs/sudoers.man.in
View File

@@ -25,7 +25,7 @@
.nr BA @BAMAN@
.nr LC @LCMAN@
.nr PS @PSMAN@
.TH "SUDOERS" "@mansectform@" "February 11, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.TH "SUDOERS" "@mansectform@" "February 12, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh
.if n .ad l
.SH "NAME"
@@ -2170,6 +2170,9 @@ even possible to use wildcards for the path name and regular
expressions for the arguments.
It is not possible to use a single regular expression to match
both the command and its arguments.
Regular expressions in
\fIsudoers\fR
are limited to 1024 characters.
.PP
There is no need to escape
\fIsudoers\fR
@@ -5427,6 +5430,7 @@ match password prompts in the terminal output.
As an extension, if the regular expression begins with
\(lq(?i)\(rq,
it will be matched in a case-insensitive manner.
Each regular expression is limited to 1024 characters.
This option is only used when
\fIlog_passwords\fR
has been disabled.

6
docs/sudoers.mdoc.in
View File

@@ -24,7 +24,7 @@
.nr BA @BAMAN@
.nr LC @LCMAN@
.nr PS @PSMAN@
.Dd February 11, 2022
.Dd February 12, 2022
.Dt SUDOERS @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
@@ -2048,6 +2048,9 @@ even possible to use wildcards for the path name and regular
expressions for the arguments.
It is not possible to use a single regular expression to match
both the command and its arguments.
Regular expressions in
.Em sudoers
are limited to 1024 characters.
.Pp
There is no need to escape
.Em sudoers
@@ -5065,6 +5068,7 @@ match password prompts in the terminal output.
As an extension, if the regular expression begins with
.Dq (?i) ,
it will be matched in a case-insensitive manner.
Each regular expression is limited to 1024 characters.
This option is only used when
.Em log_passwords
has been disabled.