Okay. Seems like an interesting fix, only as confusing as the code already was, but it works. :-)

Can anyone try to send this upstream to the sudo maintainers? Also, could this be pulled up to pkgsrc-2012Q1, as it's a bug fix?

Thanks…

- Chris

Well, *newpw = *pw;, but otherwise, yeah...
That's what I would do with it. I once looked at setting up sudo for
one of my paid jobs. Here's the report I wrote for the person who
asked me to set it up, edited to remove internal stuff that it isn't my
place to reveal, fix up formatting (the copy of this I'm working from
has been forcibly mangled by a ticket system that insists on shoving
Webpage interfaces around everything), and even fix two typos. But the
basic content is accurate. This is dated 2011-11-01.

First problem:

I went looking to see where sudo came from. Even with my
half-assed Web skillz, I quickly found four different webpages each
of which seemed to think it was the real sudo webpage; given what
sudo is, I was inclined to trust none of them.

After some asking around on an external IRC channel, I settled on
sudo.ws as probably correct.

Second problem:

The thing is friggin' enormous. It's got dynamic loading and
plugins and a whole raft of crap that has no business anywhere near
a central part of a security system. It's drunk the
configure-script koolaid, which is a disaster I've ranted about
elsewhere. But this was for work, which historically doesn't care
about that sort of security issue, so I ignored all that.

Third problem:

I got it built and installed. I set up a rudimentary sudoers file
which you can still find in [target machine]'s /etc/sudoers as of
this writing; the only non-comment lines are

root ALL=(ALL) ALL
Defaults:root env_editor
%infs ALL=(ALL) ALL

visudo is happy with this. But when I run sudo itself, even as
root, I get

sudo: >>> /etc/sudoers: syntax error near line 1 <<<
Segmentation fault

I did some debugging and got nowhere. /etc/sudoers is parsed with
a lex-and-yacc parser; I added debugging at the stdio level and
found it reads the whole file, then at the tokenizer level and
found it errors after getting only one token (which is COMMENT).

At this point I decided to ask the list for help. So I sent mail
to sudo-workers-***@sudo.ws to subscribe.

Fourth problem:

The mail got stuck in [my] mailq saying "Connection reset by
sudo.ws.". A manual run of the mailq reveals that it seems to be
under the impression I'm a spam sender:

sudo-workers-***@sudo.ws... Connecting to sudo.ws. via esmtp...
220 core.courtesan.com ESMTP spamd IP-based SPAM blocker; Tue Nov 1 16:27:35 2011
250 Hello, spam sender. Pleased to be wasting your time.
250 You are about to try to deliver spam. Your time will be spent, for nothing.
250 This is hurting you more than it is hurting me.
451 Temporary failure, please try again later.
sudo-workers-***@sudo.ws... Deferred: Connection reset by sudo.ws.
Closing connection to sudo.ws.

Now, I am - or at least was - listed by SORBS, because I refuse to
consider their abuse attempts anything but, well, abuse attempts.
And there are still a few places left that block based on SORBS.
So I tried from [that workplace's mailserver]:

[(hostname)] 1> telnet 64.85.164.38 smtp
Trying 64.85.164.38...
Connected to courtesan.com.
Escape character is '^]'.
220 core.courtesan.com ESMTP spamd IP-based SPAM blocker; Tue Nov 1 16:33:00 2011
helo (mailserver's FQDN)
250 Hello, spam sender. Pleased to be wasting your time.

I didn't bother going any further, since it seems to be of the
opinion that [that mailserver] is a spam source too [...].

At this point, I am inclined to throw sudo out completely. It has
failed catastrophically at design, at implementation, and at
support.

[...]

(I failed to think of and thus neglected to mention "distribution"
among the things sudo failed at.)

/~\ The ASCII Mouse
\ / Ribbon Campaign
X Against HTML ***@rodents-montreal.org
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B

You need to read the entire thread!
C only allows you to take pointers to objects, cast them to certain other
types (including char * and void *), cast them back to the SAME type
and then dereference them.
This means that the compiler is allowed to assume that 'pw' is a pointer
to an item of the relevent type, and thus has the alignment constraints
of 'struct passwd', and so can be read (in this case) with 64bit accesses.
Since the compiler knows about memcpy() that also applies when it decides
on the code to use for the memcpy() call.
Since the alignment is tracked as a property of the value, no amount
of casting will remove it.

David

FYI: that this has been fixed differently/slightly more intrusive in a sane
way upstream.

The memcpy() was only the first to hit the misaligned data in the internal
cache structure, any later access might have crashed as well (depending
on the accessed fields and compiler optimization).

Martin