diff -Nru sudo-1.9.9/debian/changelog sudo-1.9.9/debian/changelog
--- sudo-1.9.9/debian/changelog 2022-08-04 10:35:21.000000000 +0000
+++ sudo-1.9.9/debian/changelog 2023-01-16 12:36:33.000000000 +0000
@@ -1,3 +1,17 @@
+sudo (1.9.9-1ubuntu2.2) jammy-security; urgency=medium
+
+ * SECURITY UPDATE: arbitrary file overwrite via sudoedit
+ - debian/patches/CVE-2023-22809.patch: do not permit editor arguments
+ to include -- in plugins/sudoers/editor.c, plugins/sudoers/sudoers.c,
+ plugins/sudoers/visudo.c.
+ - CVE-2023-22809
+ * SECURITY UPDATE: DoS via invalid arithmetic shift in Protobuf-c
+ - debian/patches/CVE-2022-33070.patch: only shift unsigned values in
+ lib/protobuf-c/protobuf-c.c.
+ - CVE-2022-33070
+
+ -- Marc Deslauriers Mon, 16 Jan 2023 07:36:33 -0500
+
 sudo (1.9.9-1ubuntu2.1) jammy; urgency=medium
 
 * Add XDG_CURRENT_DESKTOP to initial_keepenv_table for Qt to determine the
diff -Nru sudo-1.9.9/debian/patches/CVE-2022-33070.patch sudo-1.9.9/debian/patches/CVE-2022-33070.patch
--- sudo-1.9.9/debian/patches/CVE-2022-33070.patch 1970-01-01 00:00:00.000000000 +0000
+++ sudo-1.9.9/debian/patches/CVE-2022-33070.patch 2023-01-16 12:36:21.000000000 +0000
@@ -0,0 +1,90 @@
+
+# HG changeset patch
+# User Todd C. Miller
+# Date 1654568137 21600
+# Node ID e25aa8e9891aeea0c4c92bb53692fd2902fbade1
+# Parent f3637be4df4fcf7082556306baba6dedbdbc3610
+Only shift unsigned values to avoid implementation-specific behavior.
+This converts the arithmetic shifts to logical shifts.
+
+--- a/lib/protobuf-c/protobuf-c.c
++++ b/lib/protobuf-c/protobuf-c.c
+@@ -314,9 +314,8 @@ int32_size(int32_t v)
+ static inline uint32_t
+ zigzag32(int32_t v)
+ {
+- // Note: the right-shift must be arithmetic
+- // Note: left shift must be unsigned because of overflow
+- return ((uint32_t)(v) << 1) ^ (uint32_t)(v >> 31);
++ // Note: Using unsigned types prevents undefined behavior
++ return ((uint32_t)v << 1) ^ -((uint32_t)v >> 31);
+ }
+ 
+ /**
+@@ -378,9 +377,8 @@ uint64_size(uint64_t v)
+ static inline uint64_t
+ zigzag64(int64_t v)
+ {
+- // Note: the right-shift must be arithmetic
+- // Note: left shift must be unsigned because of overflow
+- return ((uint64_t)(v) << 1) ^ (uint64_t)(v >> 63);
++ // Note: Using unsigned types prevents undefined behavior
++ return ((uint64_t)v << 1) ^ -((uint64_t)v >> 63);
+ }
+ 
+ /**
+@@ -800,7 +798,8 @@ uint32_pack(uint32_t value, uint8_t *out
+ }
+ 
+ /**
+- * Pack a signed 32-bit integer and return the number of bytes written.
++ * Pack a signed 32-bit integer and return the number of bytes written,
++ * passed as unsigned to avoid implementation-specific behavior.
+ * Negative numbers are encoded as two's complement 64-bit integers.
+ *
+ * \param value
+@@ -811,14 +810,14 @@ uint32_pack(uint32_t value, uint8_t *out
+ * Number of bytes written to `out`.
+ */
+ static inline size_t
+-int32_pack(int32_t value, uint8_t *out)
++int32_pack(uint32_t value, uint8_t *out)
+ {
+- if (value < 0) {
++ if ((int32_t)value < 0) {
+ out[0] = value | 0x80;
+ out[1] = (value >> 7) | 0x80;
+ out[2] = (value >> 14) | 0x80;
+ out[3] = (value >> 21) | 0x80;
+- out[4] = (value >> 28) | 0x80;
++ out[4] = (value >> 28) | 0xf0;
+ out[5] = out[6] = out[7] = out[8] = 0xff;
+ out[9] = 0x01;
+ return 10;
+@@ -2424,7 +2423,7 @@ static inline int32_t
+ unzigzag32(uint32_t v)
+ {
+ // Note: Using unsigned types prevents undefined behavior
+- return (int32_t)((v >> 1) ^ (~(v & 1) + 1));
++ return (int32_t)((v >> 1) ^ -(v & 1));
+ }
+ 
+ static inline uint32_t
+@@ -2466,7 +2465,7 @@ static inline int64_t
+ unzigzag64(uint64_t v)
+ {
+ // Note: Using unsigned types prevents undefined behavior
+- return (int64_t)((v >> 1) ^ (~(v & 1) + 1));
++ return (int64_t)((v >> 1) ^ -(v & 1));
+ }
+ 
+ static inline uint64_t
+@@ -3533,7 +3532,7 @@ protobuf_c_service_generated_init(Protob
+ service->descriptor = descriptor;
+ service->destroy = destroy;
+ service->invoke = protobuf_c_service_invoke_internal;
+- memset(service + 1, 0, descriptor->n_methods * sizeof(GenericHandler));
++ memset(&service[1], 0, descriptor->n_methods * sizeof(GenericHandler));
+ }
+ 
+ void protobuf_c_service_destroy(ProtobufCService *service)
diff -Nru sudo-1.9.9/debian/patches/CVE-2023-22809.patch sudo-1.9.9/debian/patches/CVE-2023-22809.patch
--- sudo-1.9.9/debian/patches/CVE-2023-22809.patch 1970-01-01 00:00:00.000000000 +0000
+++ sudo-1.9.9/debian/patches/CVE-2023-22809.patch 2023-01-16 12:36:30.000000000 +0000
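Review bot: The new test `if ((int32_t)value < 0)` in int32_pack converts a uint32_t above INT32_MAX back to int32_t, which is implementation-defined under C11 (6.3.1.3), so a patch whose stated goal is to remove implementation-specific behavior reintroduces one at the only place that decides the encoding length; testing the sign bit in unsigned arithmetic, `if (value & 0x80000000u) {`, keeps the whole function within defined behavior. The `| 0xf0` on out[4] is correct only because `value >> 28` is now a logical shift and bits 32–34 of the sign-extended 64-bit varint no longer come for free from an arithmetic shift; a comment on that line, `/* bits 28-31 of value plus the first three sign-extension bits; the logical shift no longer supplies them */`, would stop a later reader from "fixing" it back to 0x80. The int32_pack body continues past the inner hunk, so the non-negative path was not reviewed here. The zigzag/unzigzag rewrites rely on well-defined unsigned wraparound and look right.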
@@ -0,0 +1,126 @@
+Backport of:
+
+# HG changeset patch
+# Parent 7275148cad1f8cd3c350026460acc4d6ad349c3a
+sudoedit: do not permit editor arguments to include "--"
+We use "--" to separate the editor and arguments from the files to edit.
+If the editor arguments include "--", sudo can be tricked into allowing
+the user to edit a file not permitted by the security policy.
+Thanks to Matthieu Barjole and Victor Cutillas of Synacktiv
+(https://synacktiv.com) for finding this bug.
+
+--- a/plugins/sudoers/editor.c
++++ b/plugins/sudoers/editor.c
+@@ -133,7 +133,7 @@ resolve_editor(const char *ed, size_t ed
+ const char *tmp, *cp, *ep = NULL;
+ const char *edend = ed + edlen;
+ struct stat user_editor_sb;
+- int nargc;
++ int nargc = 0;
+ debug_decl(resolve_editor, SUDOERS_DEBUG_UTIL);
+ 
+ /*
+@@ -151,10 +151,7 @@ resolve_editor(const char *ed, size_t ed
+ /* If we can't find the editor in the user's PATH, give up. */
+ if (find_path(editor, &editor_path, &user_editor_sb, getenv("PATH"), NULL,
+ 0, allowlist) != FOUND) {
+- sudoers_gc_remove(GC_PTR, editor);
+- free(editor);
+- errno = ENOENT;
+- debug_return_str(NULL);
++ goto bad;
+ }
+ 
+ /* Count rest of arguments and allocate editor argv. */
+@@ -175,6 +172,17 @@ resolve_editor(const char *ed, size_t ed
+ nargv[nargc] = copy_arg(cp, ep - cp);
+ if (nargv[nargc] == NULL)
+ goto oom;
++
++ /*
++ * We use "--" to separate the editor and arguments from the files
++ * to edit. The editor arguments themselves may not contain "--".
++ */
++ if (strcmp(nargv[nargc], "--") == 0) {
++ sudo_warnx(U_("ignoring editor: %.*s"), (int)edlen, ed);
++ sudo_warnx("%s", U_("editor arguments may not contain \"--\""));
++ errno = EINVAL;
++ goto bad;
++ }
+ }
+ if (nfiles != 0) {
+ nargv[nargc++] = "--";
+@@ -188,6 +196,7 @@ resolve_editor(const char *ed, size_t ed
+ debug_return_str(editor_path);
+ oom:
+ sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
++bad:
+ sudoers_gc_remove(GC_PTR, editor);
+ free(editor);
+ free(editor_path);
+--- a/plugins/sudoers/sudoers.c
++++ b/plugins/sudoers/sudoers.c
+@@ -772,21 +772,32 @@ sudoers_policy_main(int argc, char * con
+ 
+ /* Note: must call audit before uid change. */
+ if (ISSET(sudo_mode, MODE_EDIT)) {
++ const char *env_editor = NULL;
+ char **edit_argv;
+ int edit_argc;
+- const char *env_editor;
+ 
+ free(safe_cmnd);
+ safe_cmnd = find_editor(NewArgc - 1, NewArgv + 1, &edit_argc,
+ &edit_argv, NULL, &env_editor);
+ if (safe_cmnd == NULL) {
+- if (errno != ENOENT)
++ switch (errno) {
++ case ENOENT:
++ audit_failure(NewArgv, N_("%s: command not found"),
++ env_editor ? env_editor : def_editor);
++ sudo_warnx(U_("%s: command not found"),
++ env_editor ? env_editor : def_editor);
++ goto bad;
++ case EINVAL:
++ if (def_env_editor && env_editor != NULL) {
++ /* User tried to do something funny with the editor. */
++ log_warningx(SLOG_NO_STDERR|SLOG_AUDIT|SLOG_SEND_MAIL,
++ "invalid user-specified editor: %s", env_editor);
++ goto bad;
++ }
++ FALLTHROUGH;
++ default:
+ goto done;
+- audit_failure(NewArgv, N_("%s: command not found"),
+- env_editor ? env_editor : def_editor);
+- sudo_warnx(U_("%s: command not found"),
+- env_editor ? 
env_editor : def_editor);
+- goto bad;
++ }
+ }
+ /* find_editor() already g/c'd edit_argv[] */
+ sudoers_gc_remove(GC_PTR, NewArgv);
+--- a/plugins/sudoers/visudo.c
++++ b/plugins/sudoers/visudo.c
+@@ -324,7 +324,7 @@ static char *
+ get_editor(int *editor_argc, char ***editor_argv)
+ {
+ char *editor_path = NULL, **allowlist = NULL;
+- const char *env_editor;
++ const char *env_editor = NULL;
+ static char *files[] = { "+1", "sudoers" };
+ unsigned int allowlist_len = 0;
+ debug_decl(get_editor, SUDOERS_DEBUG_UTIL);
+@@ -358,7 +358,11 @@ get_editor(int *editor_argc, char ***edi
+ if (editor_path == NULL) {
+ if (def_env_editor && env_editor != NULL) {
+ /* We are honoring $EDITOR so this is a fatal error. */
+- sudo_fatalx(U_("specified editor (%s) doesn't exist"), env_editor);
++ if (errno == ENOENT) {
++ sudo_warnx(U_("specified editor (%s) doesn't exist"),
++ env_editor);
++ }
++ exit(EXIT_FAILURE);
+ }
+ sudo_fatalx(U_("no editor found (editor path = %s)"), def_editor);
+ }
diff -Nru sudo-1.9.9/debian/patches/series sudo-1.9.9/debian/patches/series
--- sudo-1.9.9/debian/patches/series 2022-08-04 10:34:51.000000000 +0000
+++ sudo-1.9.9/debian/patches/series 2023-01-16 12:36:27.000000000 +0000
@@ -2,3 +2,5 @@
 Whitelist-DPKG_COLORS-environment-variable.diff
 sudo-ldap-docs
 Add-XDG_CURRENT_DESKTOP-to-initial_keepenv_table.patch
+CVE-2022-33070.patch
+CVE-2023-22809.patch
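Review bot: The `bad:` label in resolve_editor now carries errno through `sudoers_gc_remove(GC_PTR, editor)`, `free(editor)` and `free(editor_path)` before the callers inspect it in `switch (errno)` (sudoers.c) and `if (errno == ENOENT)` (visudo.c), and the errno value is now load-bearing for policy: EINVAL is what routes a user-supplied editor with a `--` argument to the audited `log_warningx` path instead of the silent `goto done`. The removed `errno = ENOENT;` means the ENOENT case also depends on find_path having set it, which is not visible in this hunk, and none of the cleanup calls is guaranteed to leave errno untouched. Saving it at the label, `bad: { int serrno = errno;` … `errno = serrno; }` around the cleanup, with the restore placed just before the function's return (outside the hunk), would make both dispatches deterministic. In sudoers.c the EINVAL branch for a non-$EDITOR editor falls through to `goto done` without an audit record, while the ENOENT branch audits; if that asymmetry is intended, a one-line comment saying the sudoers-configured editor is trusted would help the next reader.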