diff --git a/sudo-1.8.6p3-CVE-2013-1775.patch b/sudo-1.8.6p3-CVE-2013-1775.patch
deleted file mode 100644
index 33ba421..0000000
--- a/sudo-1.8.6p3-CVE-2013-1775.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-63210a2b8f2f199b521f6c8213bb29775c09375c
- plugins/sudoers/check.c | 53 +++++++++++++++++++++++++----------------------
- 1 file changed, 28 insertions(+), 25 deletions(-)
-
-Index: sudo-1.8.6p3/plugins/sudoers/check.c
-===================================================================
---- sudo-1.8.6p3.orig/plugins/sudoers/check.c 2012-09-18 15:56:29.000000000 +0200
-+++ sudo-1.8.6p3/plugins/sudoers/check.c 2013-03-01 12:10:34.285863069 +0100
-@@ -627,31 +627,34 @@ timestamp_status(char *timestampdir, cha
- */
- if (status == TS_OLD && !ISSET(flags, TS_REMOVE)) {
- mtim_get(&sb, &mtime);
-- /* Negative timeouts only expire manually (sudo -k). */
-- if (def_timestamp_timeout < 0 && mtime.tv_sec != 0)
-- status = TS_CURRENT;
-- else {
-- now = time(NULL);
-- if (def_timestamp_timeout &&
-- now - mtime.tv_sec < 60 * def_timestamp_timeout) {
-- /*
-- * Check for bogus time on the stampfile. The clock may
-- * have been set back or someone could be trying to spoof us.
-- */
-- if (mtime.tv_sec > now + 60 * def_timestamp_timeout * 2) {
-- time_t tv_sec = (time_t)mtime.tv_sec;
-- log_error(0,
-- _("timestamp too far in the future: %20.20s"),
-- 4 + ctime(&tv_sec));
-- if (timestampfile)
-- (void) unlink(timestampfile);
-- else
-- (void) rmdir(timestampdir);
-- status = TS_MISSING;
-- } else if (get_boottime(&boottime) && timevalcmp(&mtime, &boottime, <)) {
-- status = TS_OLD;
-- } else {
-- status = TS_CURRENT;
-+ if (timevalisset(&mtime)) {
-+ /* Negative timeouts only expire manually (sudo -k). */
-+ if (def_timestamp_timeout < 0) {
-+ status = TS_CURRENT;
-+ } else {
-+ now = time(NULL);
-+ if (def_timestamp_timeout &&
-+ now - mtime.tv_sec < 60 * def_timestamp_timeout) {
-+ /*
-+ * Check for bogus time on the stampfile. The clock may
-+ * have been set back or user could be trying to spoof us.
-+ */
-+ if (mtime.tv_sec > now + 60 * def_timestamp_timeout * 2) {
-+ time_t tv_sec = (time_t)mtime.tv_sec;
-+ log_error(0,
-+ _("timestamp too far in the future: %20.20s"),
-+ 4 + ctime(&tv_sec));
-+ if (timestampfile)
-+ (void) unlink(timestampfile);
-+ else
-+ (void) rmdir(timestampdir);
-+ status = TS_MISSING;
-+ } else if (get_boottime(&boottime) &&
-+ timevalcmp(&mtime, &boottime, <)) {
-+ status = TS_OLD;
-+ } else {
-+ status = TS_CURRENT;
-+ }
- }
- }
- }
diff --git a/sudo-1.8.6p3-CVE-2013-1776.patch b/sudo-1.8.6p3-CVE-2013-1776.patch
deleted file mode 100644
index 91777c7..0000000
--- a/sudo-1.8.6p3-CVE-2013-1776.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-2b18d55589975e70dd98f24bca5b0aaabc56a9b5
- plugins/sudoers/check.c | 4 +++-
- plugins/sudoers/sudoers.c | 4 ++++
- plugins/sudoers/sudoers.h | 3 ++-
- 3 files changed, 9 insertions(+), 2 deletions(-)
-
-Index: sudo-1.8.6p3/plugins/sudoers/check.c
-===================================================================
---- sudo-1.8.6p3.orig/plugins/sudoers/check.c 2013-03-01 12:10:18.668403327 +0100
-+++ sudo-1.8.6p3/plugins/sudoers/check.c 2013-03-01 12:10:18.684403798 +0100
-@@ -82,6 +82,7 @@ static struct tty_info {
- dev_t rdev; /* tty device ID */
- ino_t ino; /* tty inode number */
- struct timeval ctime; /* tty inode change time */
-+ pid_t sid; /* ID of session with controlling tty */
- } tty_info;
- 
- static int build_timestamp(char **, char **);
-@@ -138,13 +139,14 @@ check_user(int validated, int mode)
- if (ISSET(mode, MODE_IGNORE_TICKET))
- SET(validated, FLAG_CHECK_USER);
- 
-- /* Stash the tty's ctime for tty ticket comparison. */
-+ /* Stash the tty's device, session ID and ctime for ticket comparison. */
- if (def_tty_tickets && user_ttypath && stat(user_ttypath, &sb) == 0) {
- tty_info.dev = sb.st_dev;
- tty_info.ino = sb.st_ino;
- tty_info.rdev = sb.st_rdev;
- if (tty_is_devpts(user_ttypath))
- ctim_get(&sb, &tty_info.ctime);
-+ tty_info.sid = user_sid;
- }
- 
- if (build_timestamp(×tampdir, ×tampfile) == -1) {
-Index: sudo-1.8.6p3/plugins/sudoers/sudoers.c
-===================================================================
---- sudo-1.8.6p3.orig/plugins/sudoers/sudoers.c 2012-09-18 15:56:30.000000000 +0200
-+++ sudo-1.8.6p3/plugins/sudoers/sudoers.c 2013-03-01 12:10:18.685403827 +0100
-@@ -1410,6 +1410,10 @@ deserialize_info(char * const args[], ch
- sudo_user.cols = atoi(*cur + sizeof("cols=") - 1);
- continue;
- }
-+ if (MATCHES(*cur, "sid=")) {
-+ sudo_user.sid = atoi(*cur + sizeof("sid=") - 1);
-+ continue;
-+ }
- }
- if (user_cwd == NULL)
- user_cwd = "unknown";
-Index: sudo-1.8.6p3/plugins/sudoers/sudoers.h
-===================================================================
---- sudo-1.8.6p3.orig/plugins/sudoers/sudoers.h 2012-09-18 15:57:43.000000000 +0200
-+++ sudo-1.8.6p3/plugins/sudoers/sudoers.h 2013-03-01 12:10:18.685403827 +0100
-@@ -95,6 +95,7 @@ struct sudo_user {
- int flags;
- uid_t uid;
- uid_t gid;
-+ pid_t sid;
- };
- 
- /*
-@@ -171,8 +172,8 @@ struct sudo_user {
- #define user_name (sudo_user.name)
- #define user_uid (sudo_user.uid)
- #define user_gid (sudo_user.gid)
-+#define user_sid (sudo_user.sid)
- #define user_passwd (sudo_user.pw->pw_passwd)
--#define user_uuid (sudo_user.uuid)
- #define user_dir (sudo_user.pw->pw_dir)
- #define user_gids (sudo_user.gids)
- #define user_ngids (sudo_user.ngids)
diff --git a/sudo-1.8.6p3.tar.gz b/sudo-1.8.6p3.tar.gz
deleted file mode 100644
index 34b9013..0000000
--- a/sudo-1.8.6p3.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:8130df04268f678880c3f423337c56e7d437a0f508a46b1dfefae16b0b20c92e
-size 1854962
diff --git a/sudo-1.8.7.tar.gz b/sudo-1.8.7.tar.gz
new file mode 100644
index 0000000..3cf0aa8
--- /dev/null
+++ b/sudo-1.8.7.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:39626cf3d48c4fd5a9139a2627d42bfefac7ce47f470bdba3aeb4e3d7c49566a
+size 2027065
diff --git a/sudo-sudoers.patch b/sudo-sudoers.patch
deleted file mode 100644
index a2810f6..0000000
--- a/sudo-sudoers.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-Index: sudo-1.8.0/plugins/sudoers/sudoers.in
-===================================================================
---- sudo-1.8.0.orig/plugins/sudoers/sudoers.in
-+++ sudo-1.8.0/plugins/sudoers/sudoers.in
-@@ -31,37 +31,36 @@
- ##
- ## Defaults specification
- ##
--## You may wish to keep some of the following environment variables
--## when running commands via sudo.
--##
--## Locale settings
--# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET"
--##
--## Run X applications through sudo; HOME is used to find the
--## .Xauthority file. Note that other programs use HOME to find
--## configuration files and this may lead to privilege escalation!
--# Defaults env_keep += "HOME"
--##
--## X11 resource path settings
--# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH"
--##
--## Desktop path settings
--# Defaults env_keep += "QTDIR KDEDIR"
--##
--## Allow sudo-run commands to inherit the callers' ConsoleKit session
--# Defaults env_keep += "XDG_SESSION_COOKIE"
--##
--## Uncomment to enable special input methods. Care should be taken as
--## this may allow users to subvert the command being run via sudo.
--# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
-+## Prevent environment variables from influencing programs in an
-+## unexpected or harmful way (CVE-2005-2959, CVE-2005-4158, CVE-2006-0151)
-+Defaults always_set_home
-+Defaults env_reset
-+## Change env_reset to !env_reset in previous line to keep all environment variables
-+## Following list will no longer be necessary after this change
-+
-+Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
-+## Comment out the preceding line and uncomment the following one if you need
-+## to use special input methods. This may allow users to compromise the root
-+## account if they are allowed to run commands without authentication.
-+#Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
-+
-+## Do not insult users when they enter an incorrect password.
-+Defaults !insults
-+
- ##
- ## Uncomment to enable logging of a command's output, except for
- ## sudoreplay and reboot. Use sudoreplay to play back logged sessions.
- # Defaults log_output
- # Defaults!/usr/bin/sudoreplay !log_output
--# Defaults!/usr/local/bin/sudoreplay !log_output
- # Defaults!/sbin/reboot !log_output
- 
-+## In the default (unconfigured) configuration, sudo asks for the root password.
-+## This allows use of an ordinary user account for administration of a freshly
-+## installed system. When configuring sudo, delete the two
-+## following lines:
-+Defaults targetpw # ask for the password of the target user i.e. root
-+ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!
-+
- ##
- ## Runas alias specification
- ##
-@@ -77,14 +76,6 @@ root ALL=(ALL) ALL
- ## Same thing without a password
- # %wheel ALL=(ALL) NOPASSWD: ALL
- 
--## Uncomment to allow members of group sudo to execute any command
--# %sudo ALL=(ALL) ALL
--
--## Uncomment to allow any user to run sudo if they know the password
--## of the user they are running the command as (root by default).
--# Defaults targetpw # Ask for the password of the target user
--# ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw'
--
- ## Read drop-in files from @sysconfdir@/sudoers.d
- ## (the '#' here does not indicate a comment)
- #includedir @sysconfdir@/sudoers.d
diff --git a/sudo.changes b/sudo.changes
index a220d30..6abeefb 100644
--- a/sudo.changes
+++ b/sudo.changes
@@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Thu Jun 27 18:03:10 UTC 2013 - michael@stroeder.com + +- Update to upstream release 1.8.7 + * especially all local patches are obsoleted by upstream fixes + ------------------------------------------------------------------- Fri Mar 1 11:12:28 UTC 2013 - vcizek@suse.com diff --git a/sudo.spec b/sudo.spec index 64b39b6..823b3b0 100644 --- a/sudo.spec +++ b/sudo.spec @@ -17,7 +17,7 @@ Name: sudo -Version: 1.8.6p3 +Version: 1.8.7 Release: 0 Summary: Execute some commands as root License: ISC @@ -26,10 +26,6 @@ Url: http://www.sudo.ws/ Source0: http://sudo.ws/sudo/dist/%{name}-%{version}.tar.gz Source1: sudo.pamd Source2: README.SUSE -Patch0: sudoers2ldif-env.patch -Patch1: sudo-sudoers.patch -Patch2: sudo-1.8.6p3-CVE-2013-1775.patch -Patch3: sudo-1.8.6p3-CVE-2013-1776.patch BuildRequires: audit-devel BuildRequires: groff BuildRequires: libselinux-devel @@ -57,10 +53,6 @@ These header files are needed for building of sudo plugins. %prep %setup -q -%patch0 -p1 -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 %build %ifarch s390 s390x %sparc diff --git a/sudoers2ldif-env.patch b/sudoers2ldif-env.patch deleted file mode 100644 index dd58da8..0000000 --- a/sudoers2ldif-env.patch +++ /dev/null @@ -1,10 +0,0 @@ -Index: sudo-1.8.0/plugins/sudoers/sudoers2ldif -=================================================================== ---- sudo-1.8.0.orig/plugins/sudoers/sudoers2ldif -+++ sudo-1.8.0/plugins/sudoers/sudoers2ldif -@@ -1,4 +1,4 @@ --#!/usr/bin/env perl -+#!/usr/bin/perl - use strict; - - #
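Review bot: Dropping `Patch1: sudo-sudoers.patch` and `%patch1 -p1` in the sudo.spec hunks removes a distribution policy change rather than a bug fix, so the changelog's statement that all local patches are obsoleted by upstream fixes does not obviously cover it. The deleted patch made the shipped sudoers set `Defaults always_set_home`, `Defaults env_reset`, a restricted `env_keep` list, `Defaults !insults` and the `Defaults targetpw` / `ALL ALL=(ALL) ALL` pair; whether the 1.8.7 tarball's sudoers.in provides equivalent defaults is not visible on this page, so environment handling and the default authorization rules may change silently on update. If those defaults are still intended, rebase the patch against 1.8.7 and keep `Patch1: sudo-sudoers.patch` with `%patch1 -p1`; otherwise say so explicitly in sudo.changes. The same applies to `sudoers2ldif-env.patch`, which only pinned the interpreter to `#!/usr/bin/perl`, and it would be worth confirming that 1.8.7 actually contains the CVE-2013-1775 and CVE-2013-1776 changes before the backports are removed.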