[sudo-commits] sudo changeset 15036:df81a335db65
Todd C. Miller
Todd.Miller at sudo.ws
Sat Sep 9 14:07:45 MDT 2023
changeset: 15036:df81a335db65 in /raid/repos/sudo
details: https://www.sudo.ws/repos/sudo/rev/df81a335db65
user: Todd C. Miller <Todd.Miller at sudo.ws>
date: Sat Sep 09 14:07:04 2023 -0600
files: plugins/sudoers/auth/passwd.c plugins/sudoers/auth/sudo_auth.c plugins/sudoers/auth/sudo_auth.h plugins/sudoers/lookup.c plugins/sudoers/match.c plugins/sudoers/parse.h
Log Message:
Try to make sudo less vulnerable to ROWHAMMER attacks.
We now use ROWHAMMER-resistant values for ALLOW, DENY, AUTH_SUCCESS,
AUTH_FAILURE, AUTH_ERROR and AUTH_NONINTERACTIVE. In addition, we
explicitly test for expected values instead of using a negated test
against an error value. In the parser match functions this means
explicitly checking for ALLOW or DENY instead of accepting anything
that is not set to UNSPEC.
Thanks to Andrew J. Adiletta, M. Caner Tol, Yarkin Doroz, and Berk
Sunar, all affiliated with the Vernam Applied Cryptography and
Cybersecurity Lab at Worcester Polytechnic Institute, for the report.
Paper preprint: https://arxiv.org/abs/2309.02545
diffstat:
plugins/sudoers/auth/passwd.c | 27 +++++++++++++-------
plugins/sudoers/auth/sudo_auth.c | 51 ++++++++++++++++++++++++++++-----------
plugins/sudoers/auth/sudo_auth.h | 12 ++++----
plugins/sudoers/lookup.c | 12 ++++----
plugins/sudoers/match.c | 25 ++++++++++---------
plugins/sudoers/parse.h | 23 ++++++++++++++---
6 files changed, 96 insertions(+), 54 deletions(-)
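
Added example, not part of the changeset or of sudo's code: a C program illustrating the two hardening steps the log message describes. The status values (WEAK_*, HARD_*) and all function names are constructed for illustration and are not sudo's actual constants. It flips each bit of a stored failure status in turn and counts how many of the corrupted values each style of check would accept.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed values for illustration, not sudo's actual constants. */
#define WEAK_SUCCESS 0x0u
#define WEAK_FAILURE 0x1u          /* one bit away from success */
#define HARD_SUCCESS 0x5a3c96e1u
#define HARD_FAILURE 0xa5c3691eu   /* differs from HARD_SUCCESS in all 32 bits */

/* Negated test: anything other than the failure value is accepted. */
static int weak_granted(uint32_t status) { return status != WEAK_FAILURE; }

/* Sparse values but still a negated test: only half of the hardening. */
static int hard_negated(uint32_t status) { return status != HARD_FAILURE; }

/* Explicit test: only the exact success value is accepted. */
static int hard_granted(uint32_t status) { return status == HARD_SUCCESS; }

/* Number of bit positions in which a and b differ. */
static int hamming(uint32_t a, uint32_t b)
{
    int n = 0;
    for (uint32_t x = a ^ b; x != 0; x &= x - 1)
        n++;
    return n;
}

/* Flip each bit of a stored failure status and count how many of the
 * 32 corrupted values the given check would treat as success. */
static int flips_granting(uint32_t failure, int (*granted)(uint32_t))
{
    int count = 0;
    for (int bit = 0; bit < 32; bit++)
        if (granted(failure ^ (UINT32_C(1) << bit)))
            count++;
    return count;
}

int main(void)
{
    printf("weak values, negated test: distance %d, %d/32 flips accepted\n",
        hamming(WEAK_SUCCESS, WEAK_FAILURE), flips_granting(WEAK_FAILURE, weak_granted));
    printf("hard values, negated test: %d/32 flips accepted\n",
        flips_granting(HARD_FAILURE, hard_negated));
    printf("hard values, explicit test: distance %d, %d/32 flips accepted\n",
        hamming(HARD_SUCCESS, HARD_FAILURE), flips_granting(HARD_FAILURE, hard_granted));
    return 0;
}
```

The middle case shows why the changeset pairs both measures: widely separated values do not help while the check still accepts anything that is not the failure value.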