File sudo-CVE-2019-14287.patch of Package sudo.18794

Treat an ID of -1 as invalid since that means "no change".
Fixes CVE-2019-14287.
Found by Joe Vennix from Apple Information Security.

Index: sudo-1.8.10p3/common/atoid.c
===================================================================
--- sudo-1.8.10p3.orig/common/atoid.c	2019-10-11 17:38:47.343060929 +0200
+++ sudo-1.8.10p3/common/atoid.c	2019-10-11 17:43:09.920616175 +0200
@@ -48,6 +48,27 @@
 #include "sudo_util.h"
 
 /*
+ * Make sure that the ID ends with a valid separator char.
+ */
+static bool
+valid_separator(const char *p, const char *ep, const char *sep)
+{
+    bool valid = false;
+    debug_decl(valid_separator, SUDO_DEBUG_UTIL)
+
+    if (ep != p) {
+	/* check for valid separator (including '\0') */
+	if (sep == NULL)
+	    sep = "";
+	do {
+	    if (*ep == *sep)
+		valid = true;
+	} while (*sep++ != '\0');
+    }
+    debug_return_bool(valid);
+}
+
+/*
  * Parse a uid/gid in string form.
  * If sep is non-NULL, it contains valid separator characters (e.g. comma, space)
  * If endp is non-NULL it is set to the next char after the ID.
@@ -59,27 +80,11 @@ atoid(const char *p, const char *sep, ch
 {
     char *ep;
     id_t rval = 0;
-    bool valid = false;
     debug_decl(atoid, SUDO_DEBUG_UTIL)
 
-    if (sep == NULL)
-	sep = "";
     errno = 0;
     if (*p == '-') {
 	long lval = strtol(p, &ep, 10);
-	if (ep != p) {
-	    /* check for valid separator (including '\0') */
-	    do {
-		if (*ep == *sep)
-		    valid = true;
-	    } while (*sep++ != '\0');
-	}
-	if (!valid) {
-	    if (errstr != NULL)
-		*errstr = N_("invalid value");
-	    errno = EINVAL;
-	    goto done;
-	}
 	if ((errno == ERANGE && lval == LONG_MAX) || lval > INT_MAX) {
 	    errno = ERANGE;
 	    if (errstr != NULL)
@@ -92,28 +97,31 @@ atoid(const char *p, const char *sep, ch
 		*errstr = N_("value too small");
 	    goto done;
 	}
-	rval = (id_t)lval;
-    } else {
-	unsigned long ulval = strtoul(p, &ep, 10);
-	if (ep != p) {
-	    /* check for valid separator (including '\0') */
-	    do {
-		if (*ep == *sep)
-		    valid = true;
-	    } while (*sep++ != '\0');
-	}
-	if (!valid) {
+
+	/* Disallow id -1, which means "no change". */
+	if (!valid_separator(p, ep, sep) || lval == -1) {
 	    if (errstr != NULL)
 		*errstr = N_("invalid value");
 	    errno = EINVAL;
 	    goto done;
 	}
+	rval = (id_t)lval;
+    } else {
+	unsigned long ulval = strtoul(p, &ep, 10);
 	if ((errno == ERANGE && ulval == ULONG_MAX) || ulval > UINT_MAX) {
 	    errno = ERANGE;
 	    if (errstr != NULL)
 		*errstr = N_("value too large");
 	    goto done;
 	}
+
+	/* Disallow id -1, which means "no change". */
+	if (!valid_separator(p, ep, sep) || ulval == UINT_MAX) {
+	    if (errstr != NULL)
+		*errstr = N_("invalid value");
+	    errno = EINVAL;
+	    goto done;
+	}
 	rval = (id_t)ulval;
     }
     if (errstr != NULL)