Accepting request 998921 from Base:System

OBS-URL: https://build.opensuse.org/request/show/998921 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sudo?expand=0&rev=132
2022-08-25 13:32:59 +00:00 · 2022-08-25 13:32:59 +00:00 · 277f190914
commit 277f190914
parent 5e7d5fb7c8 1b78263838
8 changed files with 212 additions and 13 deletions
--- a/sudo-1.9.10-update_sudouser_to_utf8.patch
+++ b/sudo-1.9.10-update_sudouser_to_utf8.patch
@ -0,0 +1,116 @@
+From 7f9ea23e7447b8e1308fc282cd13b6cf5d39d3c4 Mon Sep 17 00:00:00 2001
+From: William Brown <wbrown@suse.de>
+Date: Mon, 25 Jul 2022 15:21:39 +1000
+Subject: [PATCH] Update sudoUser to be utf8 in ldap schemas
+
+In most unix-style LDAP servers, uid is a utf8 string defined by
+OID 1.3.6.1.4.1.1466.115.121.1.15. However, sudoUser was defined
+as an IA5 String (OID 1.3.6.1.4.1.1466.115.121.1.26) which meant
+that sudoUser could only represent a subset of possible values.
+
+In some cases when using sudoers.ldap, the uid from the machine
+which was utf8 was fed back into sudo which would then issue a
+search for sudoUsers. If this uid contained utf8 characters, the
+ldap server would refuse to match into sudoUsers because these
+were limited to IA5.
+
+This is a safe-forward upgrade as IA5 is a subset of UTF8 meaning
+that this change will not impact existing deployments and their
+rules.
+---
+ docs/schema.OpenLDAP | 14 +++++++-------
+ docs/schema.iPlanet  |  6 +++---
+ docs/schema.olcSudo  | 14 +++++++-------
+ 3 files changed, 17 insertions(+), 17 deletions(-)
+
+diff --git a/docs/schema.OpenLDAP b/docs/schema.OpenLDAP
+index e1d525f84..451c5250a 100644
+--- a/docs/schema.OpenLDAP
+++ b/docs/schema.OpenLDAP
+@@ -7,9 +7,9 @@
+ attributetype ( 1.3.6.1.4.1.15953.9.1.1
+     NAME 'sudoUser'
+     DESC 'User(s) who may  run sudo'
+-    EQUALITY caseExactIA5Match
+-    SUBSTR caseExactIA5SubstringsMatch
+-    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+    EQUALITY caseExactMatch
+    SUBSTR caseExactSubstringsMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+ 
+ attributetype ( 1.3.6.1.4.1.15953.9.1.2
+     NAME 'sudoHost'
+@@ -39,14 +39,14 @@ attributetype ( 1.3.6.1.4.1.15953.9.1.5
+ attributetype ( 1.3.6.1.4.1.15953.9.1.6
+     NAME 'sudoRunAsUser'
+     DESC 'User(s) impersonated by sudo'
+-    EQUALITY caseExactIA5Match
+-    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+    EQUALITY caseExactMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+ 
+ attributetype ( 1.3.6.1.4.1.15953.9.1.7
+     NAME 'sudoRunAsGroup'
+     DESC 'Group(s) impersonated by sudo'
+-    EQUALITY caseExactIA5Match
+-    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+    EQUALITY caseExactMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+ 
+ attributetype ( 1.3.6.1.4.1.15953.9.1.8
+     NAME 'sudoNotBefore'
+diff --git a/docs/schema.iPlanet b/docs/schema.iPlanet
+index e51286436..56ad02bc0 100644
+--- a/docs/schema.iPlanet
+++ b/docs/schema.iPlanet
+@@ -1,11 +1,11 @@
+ dn: cn=schema
+-attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may  run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
+attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may  run sudo' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'SUDO' )
+ attributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
+ attributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
+ attributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo (deprecated)' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
+ attributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
+-attributeTypes: ( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
+-attributeTypes: ( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
+attributeTypes: ( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'SUDO' )
+attributeTypes: ( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'SUDO' )
+ attributeTypes: ( 1.3.6.1.4.1.15953.9.1.8 NAME 'sudoNotBefore' DESC 'Start of time interval for which the entry is valid' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
+ attributeTypes: ( 1.3.6.1.4.1.15953.9.1.9 NAME 'sudoNotAfter' DESC 'End of time interval for which the entry is valid' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
+ attributeTypes: ( 1.3.6.1.4.1.15953.9.1.10 NAME 'sudoOrder' DESC 'an integer to order the sudoRole entries' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
+diff --git a/docs/schema.olcSudo b/docs/schema.olcSudo
+index 8748dfc2a..8948ca4ae 100644
+--- a/docs/schema.olcSudo
+++ b/docs/schema.olcSudo
+@@ -9,9 +9,9 @@ cn: sudoschema
+ olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.1
+     NAME 'sudoUser'
+     DESC 'User(s) who may  run sudo'
+-    EQUALITY caseExactIA5Match
+-    SUBSTR caseExactIA5SubstringsMatch
+-    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+    EQUALITY caseExactMatch
+    SUBSTR caseExactSubstringsMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+ #
+ olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.2
+     NAME 'sudoHost'
+@@ -41,14 +41,14 @@ olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.5
+ olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.6
+     NAME 'sudoRunAsUser'
+     DESC 'User(s) impersonated by sudo'
+-    EQUALITY caseExactIA5Match
+-    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+    EQUALITY caseExactMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+ #
+ olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.7
+     NAME 'sudoRunAsGroup'
+     DESC 'Group(s) impersonated by sudo'
+-    EQUALITY caseExactIA5Match
+-    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+    EQUALITY caseExactMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+ #
+ olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.8
+     NAME 'sudoNotBefore'
--- a/sudo-1.9.10.tar.gz
+++ b/sudo-1.9.10.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:44a1461098e7c7b8e6ac597499c24fb2e43748c0c139a8b4944e57d1349a64f4
-size 4516568
--- a/sudo-1.9.10.tar.gz.sig
+++ b/sudo-1.9.10.tar.gz.sig
--- a/sudo-1.9.11p3.tar.gz
+++ b/sudo-1.9.11p3.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4687e7d2f56721708f59cca2e1352c056cb23de526c22725615a42bb094f1f70
+size 4826520
--- a/sudo-1.9.11p3.tar.gz.sig
+++ b/sudo-1.9.11p3.tar.gz.sig
--- a/sudo-sudoers.patch
+++ b/sudo-sudoers.patch
@ -1,7 +1,7 @@
-Index: sudo-1.9.9/plugins/sudoers/sudoers.in
-===================================================================
--- sudo-1.9.9.orig/plugins/sudoers/sudoers.in
-+++ sudo-1.9.9/plugins/sudoers/sudoers.in
+diff --git a/plugins/sudoers/sudoers.in b/plugins/sudoers/sudoers.in
+index 5efda5d..ddd311a 100644
+--- a/plugins/sudoers/sudoers.in
+++ b/plugins/sudoers/sudoers.in
@@ -32,30 +32,23 @@
 ##
 ## Defaults specification
@ -50,12 +50,13 @@ Index: sudo-1.9.9/plugins/sudoers/sudoers.in
 ## Uncomment to use a hard-coded PATH instead of the user's to find commands
 # Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
 ##
-@@ -66,9 +59,15 @@
- ## sudoreplay and reboot.  Use sudoreplay to play back logged sessions.
+@@ -68,10 +61,16 @@
+ ## Set maxseq to a smaller number if you don't have unlimited disk space.
 # Defaults log_output
 # Defaults!/usr/bin/sudoreplay !log_output
 -# Defaults!/usr/local/bin/sudoreplay !log_output
 # Defaults!REBOOT !log_output
+ # Defaults maxseq = 1000
 
 +## In the default (unconfigured) configuration, sudo asks for the root password.
 +## This allows use of an ordinary user account for administration of a freshly
@ -67,7 +68,7 @@ Index: sudo-1.9.9/plugins/sudoers/sudoers.in
 ##
 ## Runas alias specification
 ##
-@@ -84,13 +83,5 @@ root ALL=(ALL:ALL) ALL
+@@ -87,13 +86,5 @@ root ALL=(ALL:ALL) ALL
 ## Same thing without a password
 # %wheel ALL=(ALL:ALL) NOPASSWD: ALL
 
--- a/sudo.changes
+++ b/sudo.changes
@ -1,3 +1,84 @@
+-------------------------------------------------------------------
+Sat Aug 20 02:04:06 UTC 2022 - Jason Sikes <jsikes@suse.com>
+
+- Update to 1.9.11p3:
+  * Changes in Sudo 1.9.11
+    * Fixed a crash in the Python module with Python 3.9.10 on some systems.
+      Additionally, make check now passes for Python 3.9.10.
+    * Error messages sent via email now include more details, including the file
+      name and the line number and column of the error. Multiple errors are sent in
+      a single message. Previously, only the first error was included.
+    * Fixed logging of parse errors in JSON format. Previously, the JSON logger would
+      not write entries unless the command and runuser were set. These may not be
+      known at the time a parse error is encountered.
+    * Fixed a potential crash parsing sudoers lines larger than twice the value of
+      LINE_MAX on systems that lack the getdelim() function.
+    * The tests run by make check now unset the LANGUAGE environment variable.
+      Otherwise, localization strings will not match if LANGUAGE is set to a
+      non-English locale. Bug #1025.
+    * The “starttime” test now passed when run under Debian faketime. Bug #1026.
+    * The Kerberos authentication module now honors the custom password prompt if one
+      has been specified.
+    * The embedded copy of zlib has been updated to version 1.2.12.
+    * Updated the version of libtool used by sudo to version 2.4.7.
+    * Sudo now defines _TIME_BITS to 64 on systems that define __TIMESIZE in the
+      header files (currently only GNU libc). This is required to allow the use of
+      64-bit time values on some 32-bit systems.
+    * Sudo’s intercept and log_subcmds options no longer force the command to run in
+      its own pseudo-terminal. It is now also possible to intercept the system(3) function.
+    * Fixed a bug in sudo_logsrvd when run in store-first relay mode where the commit
+      point messages sent by the server were incorrect if the command was suspended
+      or received a window size change event.
+    * Fixed a potential crash in sudo_logsrvd when the tls_dhparams configuration
+      setting was used.
+    * The intercept and log_subcmds functionality can now use ptrace(2) on Linux
+      systems that support seccomp(2) filtering. This has the advantage of working
+      for both static and dynamic binaries and can work with sudo’s SELinux RBAC mode.
+      The following architectures are currently supported: i386, x86_64, aarch64, arm,
+      mips (log_subcmds only), powerpc, riscv, and s390x. The default is to use
+      ptrace(2) where possible; the new intercept_type sudoers setting can be used
+      to explicitly set the type.
+    * New Georgian translation from translationproject.org.
+    * Fixed creating packages on CentOS Stream.
+    * Fixed a bug in the intercept and log_subcmds support where the execve(2)
+      wrapper was using the current environment instead of the passed environment
+      pointer. Bug #1030.
+    * Added AppArmor integration for Linux. A sudoers rule can now specify an
+      APPARMOR_PROFILE option to run a command confined by the named AppArmor profile.
+    * Fixed parsing of the server_log setting in sudo_logsrvd.conf. Non-paths were
+      being treated as paths and an actual path was treated as an error.
+
+  * Changes in Sudo 1.9.11p1:
+    * Correctly handle EAGAIN in the I/O read/right events. This fixes a hang seen on
+      some systems when piping a large amount of data through sudo, such as via rsync.
+      Bug #963.
+    * Changes to avoid implementation or unspecified behavior when bit shifting signed
+      values in the protobuf library.
+    * Fixed a compilation error on Linux/aarch64.
+    * Fixed the configure check for seccomp(2) support on Linux.
+    * Corrected the EBNF specification for tags in the sudoers manual page.
+      GitHub issue #153.
+
+  * Changes in Sudo 1.9.11p2:
+    * Fixed a compilation error on Linux/x86_64 with the x32 ABI.
+    * Fixed a regression introduced in 1.9.11p1 that caused a warning when logging to
+      sudo_logsrvd if the command returned no output.
+
+  * Changes in Sudo 1.9.11p3:
+    * Fixed “connection reset” errors on AIX when running shell scripts with the intercept
+      or log_subcmds sudoers options enabled. Bug #1034.
+    * Fixed very slow execution of shell scripts when the intercept or log_subcmds sudoers
+      options are set on systems that enable Nagle’s algorithm on the loopback device,
+      such as AIX. Bug #1034.
+
+  * Modified sudo-sudoers.patch
+
+- Added sudo-1.9.10-update_sudouser_to_utf8.patch
+  * [bsc#1197998]
+  * Enable sudouser LDAP schema to use UTF-8 encodings.
+  * Sourced from https://github.com/sudo-project/sudo/pull/163
+  * Credit to William Brown, william.brown@suse.com
+
 -------------------------------------------------------------------
 Mon Aug  8 09:17:43 UTC 2022 - Thorsten Kukuk <kukuk@suse.com>

--- a/sudo.spec
+++ b/sudo.spec
@ -17,7 +17,7 @@


 Name:           sudo
-Version:        1.9.10
+Version:        1.9.11p3
 Release:        0
 Summary:        Execute some commands as root
 License:        ISC
@ -33,6 +33,7 @@ Source6:        fate_313276_test.sh
 Source7:        README_313276.test
 # PATCH-OPENSUSE: the "SUSE" branding of the default sudo config
 Patch0:         sudo-sudoers.patch
+Patch1:         sudo-1.9.10-update_sudouser_to_utf8.patch
 BuildRequires:  audit-devel
 BuildRequires:  cyrus-sasl-devel
 BuildRequires:  groff
@ -235,13 +236,13 @@ chmod 0440 %{_sysconfdir}/sudoers
 %{_tmpfilesdir}/sudo.conf

 %files plugin-python
-%{_mandir}/man8/sudo_plugin_python.8%{?ext_man}
+%{_mandir}/man5/sudo_plugin_python.5%{?ext_man}
 %{_libexecdir}/%{name}/%{name}/python_plugin.so

 %files devel
 %doc plugins/sample/sample_plugin.c
 %{_includedir}/sudo_plugin.h
-%{_mandir}/man8/sudo_plugin.8%{?ext_man}
+%{_mandir}/man5/sudo_plugin.5%{?ext_man}
 %attr(0644,root,root) %{_libexecdir}/%{name}/libsudo_util.so
 %{_libexecdir}/%{name}/sudo/*.la
 %{_libexecdir}/%{name}/*.la