pool/sudo
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 181328 from Base:System

Browse Source 
Update to upstream release 1.8.7, obsoleted patches. (forwarded request 181200 from stroeder)

OBS-URL: https://build.opensuse.org/request/show/181328
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sudo?expand=0&rev=55
This commit is contained in:
Stephan Kulow 2013-06-29 12:51:55 +00:00 committed by Git OBS Bridge
commit 5e4d59ada8
8 changed files with 10 additions and 241 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

68
sudo-1.8.6p3-CVE-2013-1775.patch
View File

@ -1,68 +0,0 @@
63210a2b8f2f199b521f6c8213bb29775c09375c
plugins/sudoers/check.c | 53 +++++++++++++++++++++++++----------------------
1 file changed, 28 insertions(+), 25 deletions(-)
Index: sudo-1.8.6p3/plugins/sudoers/check.c
===================================================================
--- sudo-1.8.6p3.orig/plugins/sudoers/check.c 2012-09-18 15:56:29.000000000 +0200
+++ sudo-1.8.6p3/plugins/sudoers/check.c 2013-03-01 12:10:34.285863069 +0100
@@ -627,31 +627,34 @@ timestamp_status(char *timestampdir, cha
*/
if (status == TS_OLD && !ISSET(flags, TS_REMOVE)) {
mtim_get(&sb, &mtime);
- /* Negative timeouts only expire manually (sudo -k). */
- if (def_timestamp_timeout < 0 && mtime.tv_sec != 0)
- status = TS_CURRENT;
- else {
- now = time(NULL);
- if (def_timestamp_timeout &&
- now - mtime.tv_sec < 60 * def_timestamp_timeout) {
- /*
- * Check for bogus time on the stampfile. The clock may
- * have been set back or someone could be trying to spoof us.
- */
- if (mtime.tv_sec > now + 60 * def_timestamp_timeout * 2) {
- time_t tv_sec = (time_t)mtime.tv_sec;
- log_error(0,
- _("timestamp too far in the future: %20.20s"),
- 4 + ctime(&tv_sec));
- if (timestampfile)
- (void) unlink(timestampfile);
- else
- (void) rmdir(timestampdir);
- status = TS_MISSING;
- } else if (get_boottime(&boottime) && timevalcmp(&mtime, &boottime, <)) {
- status = TS_OLD;
- } else {
- status = TS_CURRENT;
+ if (timevalisset(&mtime)) {
+ /* Negative timeouts only expire manually (sudo -k). */
+ if (def_timestamp_timeout < 0) {
+ status = TS_CURRENT;
+ } else {
+ now = time(NULL);
+ if (def_timestamp_timeout &&
+ now - mtime.tv_sec < 60 * def_timestamp_timeout) {
+ /*
+ * Check for bogus time on the stampfile. The clock may
+ * have been set back or user could be trying to spoof us.
+ */
+ if (mtime.tv_sec > now + 60 * def_timestamp_timeout * 2) {
+ time_t tv_sec = (time_t)mtime.tv_sec;
+ log_error(0,
+ _("timestamp too far in the future: %20.20s"),
+ 4 + ctime(&tv_sec));
+ if (timestampfile)
+ (void) unlink(timestampfile);
+ else
+ (void) rmdir(timestampdir);
+ status = TS_MISSING;
+ } else if (get_boottime(&boottime) &&
+ timevalcmp(&mtime, &boottime, <)) {
+ status = TS_OLD;
+ } else {
+ status = TS_CURRENT;
+ }
}
}
}

71
sudo-1.8.6p3-CVE-2013-1776.patch
View File

@ -1,71 +0,0 @@
2b18d55589975e70dd98f24bca5b0aaabc56a9b5
plugins/sudoers/check.c | 4 +++-
plugins/sudoers/sudoers.c | 4 ++++
plugins/sudoers/sudoers.h | 3 ++-
3 files changed, 9 insertions(+), 2 deletions(-)
Index: sudo-1.8.6p3/plugins/sudoers/check.c
===================================================================
--- sudo-1.8.6p3.orig/plugins/sudoers/check.c 2013-03-01 12:10:18.668403327 +0100
+++ sudo-1.8.6p3/plugins/sudoers/check.c 2013-03-01 12:10:18.684403798 +0100
@@ -82,6 +82,7 @@ static struct tty_info {
dev_t rdev; /* tty device ID */
ino_t ino; /* tty inode number */
struct timeval ctime; /* tty inode change time */
+ pid_t sid; /* ID of session with controlling tty */
} tty_info;
static int build_timestamp(char **, char **);
@@ -138,13 +139,14 @@ check_user(int validated, int mode)
if (ISSET(mode, MODE_IGNORE_TICKET))
SET(validated, FLAG_CHECK_USER);
- /* Stash the tty's ctime for tty ticket comparison. */
+ /* Stash the tty's device, session ID and ctime for ticket comparison. */
if (def_tty_tickets && user_ttypath && stat(user_ttypath, &sb) == 0) {
tty_info.dev = sb.st_dev;
tty_info.ino = sb.st_ino;
tty_info.rdev = sb.st_rdev;
if (tty_is_devpts(user_ttypath))
ctim_get(&sb, &tty_info.ctime);
+ tty_info.sid = user_sid;
}
if (build_timestamp(&timestampdir, &timestampfile) == -1) {
Index: sudo-1.8.6p3/plugins/sudoers/sudoers.c
===================================================================
--- sudo-1.8.6p3.orig/plugins/sudoers/sudoers.c 2012-09-18 15:56:30.000000000 +0200
+++ sudo-1.8.6p3/plugins/sudoers/sudoers.c 2013-03-01 12:10:18.685403827 +0100
@@ -1410,6 +1410,10 @@ deserialize_info(char * const args[], ch
sudo_user.cols = atoi(*cur + sizeof("cols=") - 1);
continue;
}
+ if (MATCHES(*cur, "sid=")) {
+ sudo_user.sid = atoi(*cur + sizeof("sid=") - 1);
+ continue;
+ }
}
if (user_cwd == NULL)
user_cwd = "unknown";
Index: sudo-1.8.6p3/plugins/sudoers/sudoers.h
===================================================================
--- sudo-1.8.6p3.orig/plugins/sudoers/sudoers.h 2012-09-18 15:57:43.000000000 +0200
+++ sudo-1.8.6p3/plugins/sudoers/sudoers.h 2013-03-01 12:10:18.685403827 +0100
@@ -95,6 +95,7 @@ struct sudo_user {
int flags;
uid_t uid;
uid_t gid;
+ pid_t sid;
};
/*
@@ -171,8 +172,8 @@ struct sudo_user {
#define user_name (sudo_user.name)
#define user_uid (sudo_user.uid)
#define user_gid (sudo_user.gid)
+#define user_sid (sudo_user.sid)
#define user_passwd (sudo_user.pw->pw_passwd)
-#define user_uuid (sudo_user.uuid)
#define user_dir (sudo_user.pw->pw_dir)
#define user_gids (sudo_user.gids)
#define user_ngids (sudo_user.ngids)

3
sudo-1.8.6p3.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:8130df04268f678880c3f423337c56e7d437a0f508a46b1dfefae16b0b20c92e
size 1854962

3
sudo-1.8.7.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:39626cf3d48c4fd5a9139a2627d42bfefac7ce47f470bdba3aeb4e3d7c49566a
size 2027065

80
sudo-sudoers.patch
View File

@ -1,80 +0,0 @@
Index: sudo-1.8.0/plugins/sudoers/sudoers.in
===================================================================
--- sudo-1.8.0.orig/plugins/sudoers/sudoers.in
+++ sudo-1.8.0/plugins/sudoers/sudoers.in
@@ -31,37 +31,36 @@
##
## Defaults specification
##
-## You may wish to keep some of the following environment variables
-## when running commands via sudo.
-##
-## Locale settings
-# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET"
-##
-## Run X applications through sudo; HOME is used to find the
-## .Xauthority file. Note that other programs use HOME to find
-## configuration files and this may lead to privilege escalation!
-# Defaults env_keep += "HOME"
-##
-## X11 resource path settings
-# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH"
-##
-## Desktop path settings
-# Defaults env_keep += "QTDIR KDEDIR"
-##
-## Allow sudo-run commands to inherit the callers' ConsoleKit session
-# Defaults env_keep += "XDG_SESSION_COOKIE"
-##
-## Uncomment to enable special input methods. Care should be taken as
-## this may allow users to subvert the command being run via sudo.
-# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
+## Prevent environment variables from influencing programs in an
+## unexpected or harmful way (CVE-2005-2959, CVE-2005-4158, CVE-2006-0151)
+Defaults always_set_home
+Defaults env_reset
+## Change env_reset to !env_reset in previous line to keep all environment variables
+## Following list will no longer be necessary after this change
+
+Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
+## Comment out the preceding line and uncomment the following one if you need
+## to use special input methods. This may allow users to compromise the root
+## account if they are allowed to run commands without authentication.
+#Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
+
+## Do not insult users when they enter an incorrect password.
+Defaults !insults
+
##
## Uncomment to enable logging of a command's output, except for
## sudoreplay and reboot. Use sudoreplay to play back logged sessions.
# Defaults log_output
# Defaults!/usr/bin/sudoreplay !log_output
-# Defaults!/usr/local/bin/sudoreplay !log_output
# Defaults!/sbin/reboot !log_output
+## In the default (unconfigured) configuration, sudo asks for the root password.
+## This allows use of an ordinary user account for administration of a freshly
+## installed system. When configuring sudo, delete the two
+## following lines:
+Defaults targetpw # ask for the password of the target user i.e. root
+ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!
+
##
## Runas alias specification
##
@@ -77,14 +76,6 @@ root ALL=(ALL) ALL
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
-## Uncomment to allow members of group sudo to execute any command
-# %sudo ALL=(ALL) ALL
-
-## Uncomment to allow any user to run sudo if they know the password
-## of the user they are running the command as (root by default).
-# Defaults targetpw # Ask for the password of the target user
-# ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw'
-
## Read drop-in files from @sysconfdir@/sudoers.d
## (the '#' here does not indicate a comment)
#includedir @sysconfdir@/sudoers.d

6
sudo.changes
View File

@ -1,3 +1,9 @@
-------------------------------------------------------------------
Thu Jun 27 18:03:10 UTC 2013 - michael@stroeder.com
- Update to upstream release 1.8.7
* especially all local patches are obsoleted by upstream fixes
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Mar 1 11:12:28 UTC 2013 - vcizek@suse.com Fri Mar 1 11:12:28 UTC 2013 - vcizek@suse.com

10
sudo.spec
View File

@ -17,7 +17,7 @@
Name: sudo Name: sudo
Version: 1.8.6p3 Version: 1.8.7
Release: 0 Release: 0
Summary: Execute some commands as root Summary: Execute some commands as root
License: ISC License: ISC
@ -26,10 +26,6 @@ Url: http://www.sudo.ws/
Source0: http://sudo.ws/sudo/dist/%{name}-%{version}.tar.gz Source0: http://sudo.ws/sudo/dist/%{name}-%{version}.tar.gz
Source1: sudo.pamd Source1: sudo.pamd
Source2: README.SUSE Source2: README.SUSE
Patch0: sudoers2ldif-env.patch
Patch1: sudo-sudoers.patch
Patch2: sudo-1.8.6p3-CVE-2013-1775.patch
Patch3: sudo-1.8.6p3-CVE-2013-1776.patch
BuildRequires: audit-devel BuildRequires: audit-devel
BuildRequires: groff BuildRequires: groff
BuildRequires: libselinux-devel BuildRequires: libselinux-devel
@ -57,10 +53,6 @@ These header files are needed for building of sudo plugins.
%prep %prep
%setup -q %setup -q
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%build %build
%ifarch s390 s390x %sparc %ifarch s390 s390x %sparc

10
sudoers2ldif-env.patch
View File

@ -1,10 +0,0 @@
Index: sudo-1.8.0/plugins/sudoers/sudoers2ldif
===================================================================
--- sudo-1.8.0.orig/plugins/sudoers/sudoers2ldif
+++ sudo-1.8.0/plugins/sudoers/sudoers2ldif
@@ -1,4 +1,4 @@
-#!/usr/bin/env perl
+#!/usr/bin/perl
use strict;
#