From 01793c9cfc5525fa59baa971ec986bc4f3f683c44def7fb5ddb99f181238d8c1 Mon Sep 17 00:00:00 2001 
From: Otto Hollmann
Date: Thu, 23 Nov 2023 07:21:18 +0000
Subject: [PATCH] Accepting request 1128140 from home:ohollmann:branches:Base:System

- Update to 1.9.15p2:
  * Fixed a bug on BSD systems where sudo would not restore the
    terminal settings on exit if the terminal had parity enabled.
    GitHub issue #326.
- Update to 1.9.15p1:
  * Fixed a bug introduced in sudo 1.9.15 that prevented LDAP-based
    sudoers from being able to read the ldap.conf file.
    GitHub issue #325.
- Update to 1.9.15:
  * Fixed an undefined symbol problem on older versions of macOS
    when "intercept" or "log_subcmds" are enabled in sudoers.
    GitHub issue #276.
  * Fixed "make check" failure related to getpwent(3) wrapping
    on NetBSD.
  * Fixed the warning message for "sudo -l command" when the command
    is not permitted. There was a missing space between "list" and
    the actual command due to changes in sudo 1.9.14.
  * Fixed a bug where output could go to the wrong terminal if
    "use_pty" is enabled (the default) and the standard input, output
    or error is redirected to a different terminal. Bug #1056.
  * The visudo utility will no longer create an empty file when the
    specified sudoers file does not exist and the user exits the
    editor without making any changes. GitHub issue #294.
  * The AIX and Solaris sudo packages on www.sudo.ws now support
    "log_subcmds" and "intercept" with both 32-bit and 64-bit
    binaries. Previously, they only worked when running binaries
    with the same word size as the sudo binary. GitHub issue #289.
  * The sudoers source is now logged in the JSON event log. This
    makes it possible to tell which rule resulted in a match.
* Running "sudo -ll command" now produces verbose output that OBS-URL: https://build.opensuse.org/request/show/1128140 OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=247 --- sudo-1.9.14p3.tar.gz | 3 -- sudo-1.9.14p3.tar.gz.sig | Bin 566 -> 0 bytes sudo-1.9.15p2.tar.gz | 3 ++ sudo-1.9.15p2.tar.gz.sig | Bin 0 -> 566 bytes sudo-sudoers.patch | 16 +++++--- sudo.changes | 77 +++++++++++++++++++++++++++++++++++++++ sudo.spec | 2 +- 7 files changed, 91 insertions(+), 10 deletions(-) delete mode 100644 sudo-1.9.14p3.tar.gz delete mode 100644 sudo-1.9.14p3.tar.gz.sig create mode 100644 sudo-1.9.15p2.tar.gz create mode 100644 sudo-1.9.15p2.tar.gz.sig diff --git a/sudo-1.9.14p3.tar.gz b/sudo-1.9.14p3.tar.gz deleted file mode 100644 index 91e3ffb..0000000 --- a/sudo-1.9.14p3.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:a08318b1c4bc8582c004d4cd9ae2903abc549e7e46ba815e41fe81d1c0782b62 -size 5232320 diff --git a/sudo-1.9.14p3.tar.gz.sig b/sudo-1.9.14p3.tar.gz.sig deleted file mode 100644 index a01c16f6a2db614602706e3311443a69d32ff5d8bd3cfeb30f72c4f059e15047..0000000000000000000000000000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 566 zcmV-60?GY}0y6{v0SEvc79j*#(do>(D>r8Z{nJ~i^uQs`q;UHM0%X4fR{#nL5UKRQ zAE{jHIJ_Q6u+wUg^ke**Qft`Ptd*z=8xvGy>TI)zzz-IW| z@LI>mJ7@tc-OcfakATrjm3ro{qx{cd%o;fMXjIf<;!Jc;RPK$^#;4Y?7(aY}AiE1K zJIpk&1t>OVI%7LymEwa<%Tc2~~7x-CF{ zn;YYSNaI!fY%di2N8_SW+&B{I?V<^+T|8`o$F&cN=XQH}4v@P@B#8_DW|^h<0(_=D z(H^|LYwnk=72nudAMG^R*!qLUU;@0C-X5U{5NqyCI(qIGU($7`s)cf;M7cssV@_~I zBQ_m>H~i;MFc$8;vnZF)Ig7hL;W2RBy9&4!tYgVK=+5)O3brJ$%2Q139IZHtGbbNw zr=8|G1%+7S9f9(m3lS;=m zNS?`hC2rWm;!&6FKCsl8dtORbRUpYmN@8Tge(CQ=C1M8pm zZ5M*I1@bfLK1v29KAYnAjoetPaIx-6mXWu9xY&`{n96Nll=LB{AnB*)<_e(dIe5Z5 EKB6-g7XSbN diff --git a/sudo-1.9.15p2.tar.gz b/sudo-1.9.15p2.tar.gz new file mode 100644 index 0000000..8576656 --- /dev/null +++ b/sudo-1.9.15p2.tar.gz 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:199c0cdbfa7efcfffa9c88684a8e2fb206a62b70a316507e4a91c89c873bbcc8 +size 5303642 diff --git a/sudo-1.9.15p2.tar.gz.sig b/sudo-1.9.15p2.tar.gz.sig new file mode 100644 index 0000000000000000000000000000000000000000000000000000000000000000..25c31e71a1aa49f1e3b8e0482682ba81308f80586965fd770da64661269d32de GIT binary patch literal 566 zcmV-60?GY}0y6{v0SEvc79j*#(do>(D>r8Z{nJ~i^uQs`q;UHM0%c7MPXG!D5UKRQ zACG~|6k^nV;032Xxd_;4-K`}zeXTD4?SjY1^*=;%|cOzrbs)%ohHjSW$_Q@qMo3<^gc zF0erFyjGTF;@Rg&tu5pu|Zu>P{uDM@SjQ1!GqFn@VsD2z^a3H@M(SR z9l5L?LlaO=1CQv=k&@6@_{KG$La9x}yMdZ+l|~~22lLsMmpmU3xx3$gS>uHI3AJX) EF~0;Dz5oCK literal 0 HcmV?d00001 diff --git a/sudo-sudoers.patch b/sudo-sudoers.patch index ba60208..f051502 100644 --- a/sudo-sudoers.patch +++ b/sudo-sudoers.patch @@ -1,8 +1,8 @@ -Index: sudo-1.9.14p3/plugins/sudoers/sudoers.in +Index: sudo-1.9.15p2/plugins/sudoers/sudoers.in =================================================================== ---- sudo-1.9.14p3.orig/plugins/sudoers/sudoers.in -+++ sudo-1.9.14p3/plugins/sudoers/sudoers.in -@@ -32,32 +32,23 @@ +--- sudo-1.9.15p2.orig/plugins/sudoers/sudoers.in ++++ sudo-1.9.15p2/plugins/sudoers/sudoers.in +@@ -41,32 +41,23 @@ ## ## Defaults specification ## 
@@ -52,13 +52,17 @@ Index: sudo-1.9.14p3/plugins/sudoers/sudoers.in ## ## Uncomment to restore the historic behavior where a command is run in ## the user's own terminal. -@@ -72,10 +63,15 @@ +@@ -81,7 +72,6 @@ ## Set maxseq to a smaller number if you don't have unlimited disk space. # Defaults log_output # Defaults!/usr/bin/sudoreplay !log_output -# Defaults!/usr/local/bin/sudoreplay !log_output # Defaults!REBOOT !log_output # Defaults maxseq = 1000 + ## +@@ -95,6 +85,12 @@ + ## slower by these options and also can clutter up the logs. + # Defaults!PKGMAN !intercept, !log_subcmds +## In the default (unconfigured) configuration, sudo asks for the root password. +## This allows use of an ordinary user account for administration of a freshly @@ -69,7 +73,7 @@ Index: sudo-1.9.14p3/plugins/sudoers/sudoers.in ## ## Runas alias specification ## -@@ -91,13 +87,5 @@ root ALL=(ALL:ALL) ALL +@@ -110,13 +106,5 @@ root ALL=(ALL:ALL) ALL ## Same thing without a password # %wheel ALL=(ALL:ALL) NOPASSWD: ALL diff --git a/sudo.changes b/sudo.changes index 0869b7f..2e39476 100644 --- a/sudo.changes +++ b/sudo.changes 
@@ -1,3 +1,80 @@ +------------------------------------------------------------------- +Wed Nov 22 12:46:00 UTC 2023 - Otto Hollmann + +- Update to 1.9.15p2: + * Fixed a bug on BSD systems where sudo would not restore the + terminal settings on exit if the terminal had parity enabled. + GitHub issue #326. +- Update to 1.9.15p1: + * Fixed a bug introduced in sudo 1.9.15 that prevented LDAP-based + sudoers from being able to read the ldap.conf file. + GitHub issue #325. +- Update to 1.9.15: + * Fixed an undefined symbol problem on older versions of macOS + when "intercept" or "log_subcmds" are enabled in sudoers. + GitHub issue #276. + * Fixed "make check" failure related to getpwent(3) wrapping + on NetBSD. + * Fixed the warning message for "sudo -l command" when the command + is not permitted. There was a missing space between "list" and + the actual command due to changes in sudo 1.9.14. + * Fixed a bug where output could go to the wrong terminal if + "use_pty" is enabled (the default) and the standard input, output + or error is redirected to a different terminal. Bug #1056. + * The visudo utility will no longer create an empty file when the + specified sudoers file does not exist and the user exits the + editor without making any changes. GitHub issue #294. + * The AIX and Solaris sudo packages on www.sudo.ws now support + "log_subcmds" and "intercept" with both 32-bit and 64-bit + binaries. Previously, they only worked when running binaries + with the same word size as the sudo binary. GitHub issue #289. + * The sudoers source is now logged in the JSON event log. This + makes it possible to tell which rule resulted in a match. + * Running "sudo -ll command" now produces verbose output that + includes matching rule as well as the path to the sudoers file + the matching rule came from. For LDAP sudoers, the name of the + matching sudoRole is printed instead. + * The embedded copy of zlib has been updated to version 1.3. 
+ * The sudoers plugin has been modified to make it more resilient + to ROWHAMMER attacks on authentication and policy matching. + This addresses CVE-2023-42465. + * The sudoers plugin now constructs the user time stamp file path + name using the user-ID instead of the user name. This avoids a + potential problem with user names that contain a path separator + ('/') being interpreted as part of the path name. A similar + issue in sudo-rs has been assigned CVE-2023-42456. + * A path separator ('/') in a user, group or host name is now + replaced with an underbar character ('_') when expanding escapes + in @include and @includedir directives as well as the "iolog_file" + and "iolog_dir" sudoers Default settings. + * The "intercept_verify" sudoers option is now only applied when + the "intercept" option is set in sudoers. Previously, it was + also applied when "log_subcmds" was enabled. Sudo 1.9.14 + contained an incorrect fix for this. Bug #1058. + * Changes to terminal settings are now performed atomically, where + possible. If the command is being run in a pseudo-terminal and + the user's terminal is already in raw mode, sudo will not change + the user's terminal settings. This prevents concurrent sudo + processes from restoring the terminal settings to the wrong values. + GitHub issue #312. + * Reverted a change from sudo 1.9.4 that resulted in PAM session + modules being called with the environment of the command to be + run instead of the environment of the invoking user. + GitHub issue #318. + * New Indonesian translation from translationproject.org. + * The sudo_logsrvd server will now raise its open file descriptor + limit to the maximum allowed value when it starts up. Each + connection can require up to nine open file descriptors so the + default soft limit may be too low. + * Better log message when rejecting a command if the "intercept" + option is enabled and the "intercept_allow_setid" option is + disabled. 
Previously, "command not allowed" would be logged and + the user had no way of knowing what the actual problem was. + * Sudo will now log the invoking user's environment as "submitenv" + in the JSON logs. The command's environment ("runenv") is no + longer logged for commands rejected by the sudoers file or an + approval plugin. + ------------------------------------------------------------------- Tue Nov 21 08:56:42 UTC 2023 - Dominique Leuenberger diff --git a/sudo.spec b/sudo.spec index 020cc26..5266389 100644 --- a/sudo.spec +++ b/sudo.spec @@ -25,7 +25,7 @@ %endif Name: sudo -Version: 1.9.14p3 +Version: 1.9.15p2 Release: 0 Summary: Execute some commands as root License: ISC
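Review bot: In the `sudo-1.9.15p2.tar.gz` and `sudo-1.9.15p2.tar.gz.sig` hunks, nothing visible in this change records that the new tarball was checked against its detached signature: the tarball arrives as a Git LFS pointer (an `oid sha256:` value and `size 5303642`) and the signature as an opaque binary patch. Before accepting, verify the `.sig` over the fetched 1.9.15p2 tarball with the upstream signing key and confirm that the tarball's SHA-256 equals the pointer's oid; the `sudo.spec` hunk only bumps `Version:` to `1.9.15p2`, so the review of these two files is the only point where the source's integrity gets looked at.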
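Review bot: The refresh of `sudo-sudoers.patch` is not a pure offset update, and the `sudo.changes` entry does not mention it: the old hunk `@@ -72,10 +63,15 @@` becomes `@@ -81,7 +72,6 @@` plus a new `@@ -95,6 +85,12 @@`, so the block starting `## In the default (unconfigured) configuration, sudo asks for the root password.` now sits after `# Defaults!PKGMAN !intercept, !log_subcmds`. Because that block documents the package's default authentication behaviour, add a changelog line saying the patch was rebased for 1.9.15p2 without changing the resulting defaults, and compare the sudoers file produced from the patched `sudoers.in` with the one from 1.9.14p3 to confirm it.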
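Review bot: In the `sudo.changes` hunk the security fix is easy to miss: `This addresses CVE-2023-42465.` appears only in the middle of the upstream 1.9.15 bullets, with no distribution bug reference next to it. Move the CVE up to the `- Update to 1.9.15:` line or add the tracker ID beside it so the fix can be traced from the package changelog. It would also help operators to call out the entries that change observable behaviour, namely the time stamp file path now being built from the user-ID and `runenv` no longer being logged for rejected commands (with `submitenv` added), since log parsers and tooling that read those may need adjusting.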