Accepting request 59319 from Base:System

Accepted submit request 59319 from user puzel

OBS-URL: https://build.opensuse.org/request/show/59319
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sudo?expand=0&rev=32

sudo-CVE-2011-0010.patch

@@ -0,0 +1,93 @@
+# User Todd C. Miller <Todd.Miller@courtesan.com>
+# Date 1294760019 18000
+# Node ID fe8a94f96542335c02d09fba81077c1dcc6381b5
+# Parent  8f9303326db73a2e00cd53c2515db8188386cfc0
+If the user is running sudo as himself but as a different group we
+need to prompt for a password.
+
+Index: sudo-1.7.2p7/check.c
+===================================================================
+--- sudo-1.7.2p7.orig/check.c
++++ sudo-1.7.2p7/check.c
+@@ -93,7 +93,13 @@ check_user(validated, mode)
+ 	/* do not check or update timestamp */
+ 	status = TS_ERROR;
+     } else {
+-	if (user_uid == 0 || user_uid == runas_pw->pw_uid || user_is_exempt())
++	/*
++	 * Don't prompt for the root passwd or if the user is exempt.
++	 * If the user is not changing uid/gid, no need for a password.
++	 */
++	if (user_uid == 0 || (user_uid == runas_pw->pw_uid &&
++	    (!runas_gr || user_in_group(sudo_user.pw, runas_gr->gr_name))) ||
++	    user_is_exempt())
+ 	    return;
+ 
+ 	build_timestamp(&timestampdir, &timestampfile);
+Index: sudo-1.7.2p7/pwutil.c
+===================================================================
+--- sudo-1.7.2p7.orig/pwutil.c
++++ sudo-1.7.2p7/pwutil.c
+@@ -565,3 +565,50 @@ sudo_endgrent()
+     sudo_freegrcache();
+ #endif
+ }
++
++
++int
++user_in_group(struct passwd *pw, const char *group)
++{
++    char **gr_mem;
++    int i;
++    struct group *grp;
++    int retval = FALSE;
++
++    grp = sudo_getgrnam(group);
++    if (grp == NULL)
++	goto done;
++
++    /* check against user's primary (passwd file) gid */
++    if (grp->gr_gid == pw->pw_gid) {
++	retval = TRUE;
++	goto done;
++    }
++
++    /*
++     * If we are matching the invoking or list user and that user has a
++     * supplementary group vector, check it.
++     */
++    if (user_ngroups > 0 &&
++	strcmp(pw->pw_name, list_pw ? list_pw->pw_name : user_name) == 0) {
++	for (i = 0; i < user_ngroups; i++) {
++	    if (grp->gr_gid == user_groups[i]) {
++		retval = TRUE;
++		goto done;
++	    }
++	}
++    } else
++    {
++	if (grp != NULL && grp->gr_mem != NULL) {
++	    for (gr_mem = grp->gr_mem; *gr_mem; gr_mem++) {
++		if (strcmp(*gr_mem, pw->pw_name) == 0) {
++		    retval = TRUE;
++		    goto done;
++		}
++	    }
++	}
++    }
++
++done:
++    return(retval);
++}
+Index: sudo-1.7.2p7/sudo.h
+===================================================================
+--- sudo-1.7.2p7.orig/sudo.h
++++ sudo-1.7.2p7/sudo.h
+@@ -316,6 +316,7 @@ struct passwd *sudo_getpwuid __P((uid_t)
+ struct group *sudo_getgrnam __P((const char *));
+ struct group *sudo_fakegrnam __P((const char *));
+ struct group *sudo_getgrgid __P((gid_t));
++int user_in_group(struct passwd *pw, const char *group);
+ #ifdef HAVE_SELINUX
+ void selinux_exec __P((char *, char *, char **, int));
+ #endif

sudo.changes

@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Thu Jan 27 09:18:05 UTC 2011 - cprause@novell.com
+
+- added openldap schema file (bnc#667558) 
+
+-------------------------------------------------------------------
+Thu Jan 13 10:11:35 UTC 2011 - puzel@novell.com
+
+- add sudo-CVE-2011-0010.patch (bnc#663881) 
+
 -------------------------------------------------------------------
 Mon Jun 28 06:38:35 UTC 2010 - jengelh@medozas.de
 

sudo.spec

@@ -38,6 +38,7 @@ Patch4:         %{name}-1.7.1-strip.diff
 Patch5:         %{name}-1.7.1-secure_path.diff
 Patch6:         %{name}-1.7.1-env.diff
 Patch7:         %{name}-1.7.1-pam_rhost.diff
+Patch8:         sudo-CVE-2011-0010.patch	
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
 %description
@@ -66,6 +67,7 @@ Authors:
 %patch5
 %patch6
 %patch7
+%patch8 -p1
 cp %{SOURCE2} .
 
 %build
@@ -102,6 +104,8 @@ install -m 644 %{SOURCE1} $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/sudo
 install -m 755 sudoers2ldif $RPM_BUILD_ROOT%{_sbindir}/sudoers2ldif
 rm -f $RPM_BUILD_ROOT%{_bindir}/sudoedit
 ln -sf %{_bindir}/sudo $RPM_BUILD_ROOT%{_bindir}/sudoedit
+install -d -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/openldap/schema
+install -m 644 schema.OpenLDAP $RPM_BUILD_ROOT%{_sysconfdir}/openldap/schema/sudo.schema
 
 %post
 chmod 0440 %{_sysconfdir}/sudoers
@@ -116,6 +120,9 @@ rm -rf $RPM_BUILD_ROOT
 %config(noreplace) %attr(0440,root,root) %{_sysconfdir}/sudoers
 %config %{_sysconfdir}/pam.d/sudo
 %attr(4755,root,root) %{_bindir}/sudo
+%dir %{_sysconfdir}/openldap
+%dir %{_sysconfdir}/openldap/schema
+%attr(0444,root,root) %config %{_sysconfdir}/openldap/schema/sudo.schema
 %{_bindir}/sudoedit
 %{_sbindir}/*
 %{_libexecdir}/sudo