Accepting request 181328 from Base:System

Update to upstream release 1.8.7, obsoleted patches. (forwarded request 181200 from stroeder)

OBS-URL: https://build.opensuse.org/request/show/181328
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sudo?expand=0&rev=55

sudo-1.8.6p3-CVE-2013-1775.patch

@@ -1,68 +0,0 @@
-63210a2b8f2f199b521f6c8213bb29775c09375c
- plugins/sudoers/check.c |   53 +++++++++++++++++++++++++----------------------
- 1 file changed, 28 insertions(+), 25 deletions(-)
-
-Index: sudo-1.8.6p3/plugins/sudoers/check.c
-===================================================================
---- sudo-1.8.6p3.orig/plugins/sudoers/check.c	2012-09-18 15:56:29.000000000 +0200
-+++ sudo-1.8.6p3/plugins/sudoers/check.c	2013-03-01 12:10:34.285863069 +0100
-@@ -627,31 +627,34 @@ timestamp_status(char *timestampdir, cha
-      */
-     if (status == TS_OLD && !ISSET(flags, TS_REMOVE)) {
- 	mtim_get(&sb, &mtime);
--	/* Negative timeouts only expire manually (sudo -k). */
--	if (def_timestamp_timeout < 0 && mtime.tv_sec != 0)
--	    status = TS_CURRENT;
--	else {
--	    now = time(NULL);
--	    if (def_timestamp_timeout &&
--		now - mtime.tv_sec < 60 * def_timestamp_timeout) {
--		/*
--		 * Check for bogus time on the stampfile.  The clock may
--		 * have been set back or someone could be trying to spoof us.
--		 */
--		if (mtime.tv_sec > now + 60 * def_timestamp_timeout * 2) {
--		    time_t tv_sec = (time_t)mtime.tv_sec;
--		    log_error(0,
--			_("timestamp too far in the future: %20.20s"),
--			4 + ctime(&tv_sec));
--		    if (timestampfile)
--			(void) unlink(timestampfile);
--		    else
--			(void) rmdir(timestampdir);
--		    status = TS_MISSING;
--		} else if (get_boottime(&boottime) && timevalcmp(&mtime, &boottime, <)) {
--		    status = TS_OLD;
--		} else {
--		    status = TS_CURRENT;
-+	if (timevalisset(&mtime)) {
-+	    /* Negative timeouts only expire manually (sudo -k). */
-+	    if (def_timestamp_timeout < 0) {
-+		status = TS_CURRENT;
-+	    } else {
-+		now = time(NULL);
-+		if (def_timestamp_timeout &&
-+		    now - mtime.tv_sec < 60 * def_timestamp_timeout) {
-+		    /*
-+		     * Check for bogus time on the stampfile.  The clock may
-+		     * have been set back or user could be trying to spoof us.
-+		     */
-+		    if (mtime.tv_sec > now + 60 * def_timestamp_timeout * 2) {
-+			time_t tv_sec = (time_t)mtime.tv_sec;
-+			log_error(0,
-+			    _("timestamp too far in the future: %20.20s"),
-+			    4 + ctime(&tv_sec));
-+			if (timestampfile)
-+			    (void) unlink(timestampfile);
-+			else
-+			    (void) rmdir(timestampdir);
-+			status = TS_MISSING;
-+		    } else if (get_boottime(&boottime) &&
-+			timevalcmp(&mtime, &boottime, <)) {
-+			status = TS_OLD;
-+		    } else {
-+			status = TS_CURRENT;
-+		    }
- 		}
- 	    }
- 	}

sudo-1.8.6p3-CVE-2013-1776.patch

@@ -1,71 +0,0 @@
-2b18d55589975e70dd98f24bca5b0aaabc56a9b5
- plugins/sudoers/check.c   |    4 +++-
- plugins/sudoers/sudoers.c |    4 ++++
- plugins/sudoers/sudoers.h |    3 ++-
- 3 files changed, 9 insertions(+), 2 deletions(-)
-
-Index: sudo-1.8.6p3/plugins/sudoers/check.c
-===================================================================
---- sudo-1.8.6p3.orig/plugins/sudoers/check.c	2013-03-01 12:10:18.668403327 +0100
-+++ sudo-1.8.6p3/plugins/sudoers/check.c	2013-03-01 12:10:18.684403798 +0100
-@@ -82,6 +82,7 @@ static struct tty_info {
-     dev_t rdev;			/* tty device ID */
-     ino_t ino;			/* tty inode number */
-     struct timeval ctime;	/* tty inode change time */
-+    pid_t sid;			/* ID of session with controlling tty */
- } tty_info;
- 
- static int   build_timestamp(char **, char **);
-@@ -138,13 +139,14 @@ check_user(int validated, int mode)
-     if (ISSET(mode, MODE_IGNORE_TICKET))
- 	SET(validated, FLAG_CHECK_USER);
- 
--    /* Stash the tty's ctime for tty ticket comparison. */
-+    /* Stash the tty's device, session ID and ctime for ticket comparison. */
-     if (def_tty_tickets && user_ttypath && stat(user_ttypath, &sb) == 0) {
- 	tty_info.dev = sb.st_dev;
- 	tty_info.ino = sb.st_ino;
- 	tty_info.rdev = sb.st_rdev;
- 	if (tty_is_devpts(user_ttypath))
- 	    ctim_get(&sb, &tty_info.ctime);
-+	tty_info.sid = user_sid;
-     }
- 
-     if (build_timestamp(&timestampdir, &timestampfile) == -1) {
-Index: sudo-1.8.6p3/plugins/sudoers/sudoers.c
-===================================================================
---- sudo-1.8.6p3.orig/plugins/sudoers/sudoers.c	2012-09-18 15:56:30.000000000 +0200
-+++ sudo-1.8.6p3/plugins/sudoers/sudoers.c	2013-03-01 12:10:18.685403827 +0100
-@@ -1410,6 +1410,10 @@ deserialize_info(char * const args[], ch
- 	    sudo_user.cols = atoi(*cur + sizeof("cols=") - 1);
- 	    continue;
- 	}
-+	if (MATCHES(*cur, "sid=")) {
-+	    sudo_user.sid = atoi(*cur + sizeof("sid=") - 1);
-+	    continue;
-+	}
-     }
-     if (user_cwd == NULL)
- 	user_cwd = "unknown";
-Index: sudo-1.8.6p3/plugins/sudoers/sudoers.h
-===================================================================
---- sudo-1.8.6p3.orig/plugins/sudoers/sudoers.h	2012-09-18 15:57:43.000000000 +0200
-+++ sudo-1.8.6p3/plugins/sudoers/sudoers.h	2013-03-01 12:10:18.685403827 +0100
-@@ -95,6 +95,7 @@ struct sudo_user {
-     int   flags;
-     uid_t uid;
-     uid_t gid;
-+    pid_t sid;
- };
- 
- /*
-@@ -171,8 +172,8 @@ struct sudo_user {
- #define user_name		(sudo_user.name)
- #define user_uid		(sudo_user.uid)
- #define user_gid		(sudo_user.gid)
-+#define user_sid		(sudo_user.sid)
- #define user_passwd		(sudo_user.pw->pw_passwd)
--#define user_uuid		(sudo_user.uuid)
- #define user_dir		(sudo_user.pw->pw_dir)
- #define user_gids		(sudo_user.gids)
- #define user_ngids		(sudo_user.ngids)

sudo-1.8.6p3.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:8130df04268f678880c3f423337c56e7d437a0f508a46b1dfefae16b0b20c92e
-size 1854962

sudo-1.8.7.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:39626cf3d48c4fd5a9139a2627d42bfefac7ce47f470bdba3aeb4e3d7c49566a
+size 2027065

sudo-sudoers.patch

@@ -1,80 +0,0 @@
-Index: sudo-1.8.0/plugins/sudoers/sudoers.in
-===================================================================
---- sudo-1.8.0.orig/plugins/sudoers/sudoers.in
-+++ sudo-1.8.0/plugins/sudoers/sudoers.in
-@@ -31,37 +31,36 @@
- ##
- ## Defaults specification
- ##
--## You may wish to keep some of the following environment variables
--## when running commands via sudo.
--##
--## Locale settings
--# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET"
--##
--## Run X applications through sudo; HOME is used to find the
--## .Xauthority file.  Note that other programs use HOME to find   
--## configuration files and this may lead to privilege escalation!
--# Defaults env_keep += "HOME"
--##
--## X11 resource path settings
--# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH"
--##
--## Desktop path settings
--# Defaults env_keep += "QTDIR KDEDIR"
--##
--## Allow sudo-run commands to inherit the callers' ConsoleKit session
--# Defaults env_keep += "XDG_SESSION_COOKIE"
--##
--## Uncomment to enable special input methods.  Care should be taken as
--## this may allow users to subvert the command being run via sudo.
--# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
-+## Prevent environment variables from influencing programs in an
-+## unexpected or harmful way (CVE-2005-2959, CVE-2005-4158, CVE-2006-0151)
-+Defaults always_set_home
-+Defaults env_reset
-+## Change env_reset to !env_reset in previous line to keep all environment variables
-+## Following list will no longer be necessary after this change
-+
-+Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
-+## Comment out the preceding line and uncomment the following one if you need
-+## to use special input methods. This may allow users to compromise  the root
-+## account if they are allowed to run commands without authentication.
-+#Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
-+
-+## Do not insult users when they enter an incorrect password.
-+Defaults !insults
-+
- ##
- ## Uncomment to enable logging of a command's output, except for
- ## sudoreplay and reboot.  Use sudoreplay to play back logged sessions.
- # Defaults log_output
- # Defaults!/usr/bin/sudoreplay !log_output
--# Defaults!/usr/local/bin/sudoreplay !log_output
- # Defaults!/sbin/reboot !log_output
- 
-+## In the default (unconfigured) configuration, sudo asks for the root password.
-+## This allows use of an ordinary user account for administration of a freshly
-+## installed system. When configuring sudo, delete the two
-+## following lines:
-+Defaults targetpw   # ask for the password of the target user i.e. root
-+ALL	ALL=(ALL) ALL   # WARNING! Only use this together with 'Defaults targetpw'!
-+
- ##
- ## Runas alias specification
- ##
-@@ -77,14 +76,6 @@ root ALL=(ALL) ALL
- ## Same thing without a password
- # %wheel ALL=(ALL) NOPASSWD: ALL
- 
--## Uncomment to allow members of group sudo to execute any command
--# %sudo	ALL=(ALL) ALL
--
--## Uncomment to allow any user to run sudo if they know the password
--## of the user they are running the command as (root by default).
--# Defaults targetpw  # Ask for the password of the target user
--# ALL ALL=(ALL) ALL  # WARNING: only use this together with 'Defaults targetpw'
--
- ## Read drop-in files from @sysconfdir@/sudoers.d
- ## (the '#' here does not indicate a comment)
- #includedir @sysconfdir@/sudoers.d

sudo.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Jun 27 18:03:10 UTC 2013 - michael@stroeder.com
+
+- Update to upstream release 1.8.7
+  * especially all local patches are obsoleted by upstream fixes
+
 -------------------------------------------------------------------
 Fri Mar  1 11:12:28 UTC 2013 - vcizek@suse.com
 

sudo.spec

@@ -17,7 +17,7 @@
 
 
 Name:           sudo
-Version:        1.8.6p3
+Version:        1.8.7
 Release:        0
 Summary:        Execute some commands as root
 License:        ISC
@@ -26,10 +26,6 @@ Url:            http://www.sudo.ws/
 Source0:        http://sudo.ws/sudo/dist/%{name}-%{version}.tar.gz
 Source1:        sudo.pamd
 Source2:        README.SUSE
-Patch0:         sudoers2ldif-env.patch
-Patch1:         sudo-sudoers.patch
-Patch2:         sudo-1.8.6p3-CVE-2013-1775.patch
-Patch3:         sudo-1.8.6p3-CVE-2013-1776.patch
 BuildRequires:  audit-devel
 BuildRequires:  groff
 BuildRequires:  libselinux-devel
@@ -57,10 +53,6 @@ These header files are needed for building of sudo plugins.
 
 %prep
 %setup -q
-%patch0 -p1
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
 
 %build
 %ifarch s390 s390x %sparc

sudoers2ldif-env.patch

@@ -1,10 +0,0 @@
-Index: sudo-1.8.0/plugins/sudoers/sudoers2ldif
-===================================================================
---- sudo-1.8.0.orig/plugins/sudoers/sudoers2ldif
-+++ sudo-1.8.0/plugins/sudoers/sudoers2ldif
-@@ -1,4 +1,4 @@
--#!/usr/bin/env perl
-+#!/usr/bin/perl
- use strict;
- 
- #