From ac3c1963433cd9ee1def78ac686a1f1543e1ecb7d4c14b80bcce39b233780be8 Mon Sep 17 00:00:00 2001 
From: Kristyna Streitova
Date: Fri, 7 Feb 2020 16:27:51 +0000
Subject: [PATCH] Accepting request 772142 from home:kstreitova:branches:Base:System

- Update to 1.8.31
Major changes between version 1.8.31 and 1.8.30:
* This version fixes a potential security issue that can lead to
  a buffer overflow if the pwfeedback option is enabled in
  sudoers [CVE-2019-18634] [bsc#1162202]
* The sudoedit_checkdir option now treats a user-owned directory
  as writable, even if it does not have the write bit set at the
  time of check. Symbolic links will no longer be followed by
  sudoedit in any user-owned directory. Bug #912.
* Fixed a crash introduced in sudo 1.8.30 when suspending sudo
  at the password prompt. Bug #914.
* Fixed compilation on systems where the mmap MAP_ANON flag is
  not available. Bug #915.
Major changes between version 1.8.30 and 1.8.29:
* Sudo now closes file descriptors before changing uids. This
  prevents a non-root process from interfering with sudo's ability
  to close file descriptors on systems that support the prlimit(2)
  system call.
* Sudo now treats an attempt to run sudo sudoedit as simply
  sudoedit. If the sudoers file contains a fully-qualified path
  to sudoedit, sudo will now treat it simply as sudoedit
  (with no path). Visudo will now treat a fully-qualified
  path to sudoedit as an error. Bug #871.
* Fixed a bug introduced in sudo 1.8.28 where sudo would warn
  about a missing /etc/environment file on AIX and Linux when
  PAM is not enabled. Bug #907.
* Fixed a bug on Linux introduced in sudo 1.8.29 that prevented
  the askpass program from running due to an unlimited stack size
  resource limit. Bug #908.
* If a group provider plugin has optional arguments, the argument OBS-URL: https://build.opensuse.org/request/show/772142 OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=160 --- sudo-1.8.28p1.tar.gz | 3 -- sudo-1.8.28p1.tar.gz.sig | Bin 543 -> 0 bytes sudo-1.8.31.tar.gz | 3 ++ sudo-1.8.31.tar.gz.sig | Bin 0 -> 543 bytes sudo-sudoers.patch | 22 ++++++------ sudo.changes | 76 +++++++++++++++++++++++++++++++++++++++ sudo.spec | 4 +-- 7 files changed, 92 insertions(+), 16 deletions(-) delete mode 100644 sudo-1.8.28p1.tar.gz delete mode 100644 sudo-1.8.28p1.tar.gz.sig create mode 100644 sudo-1.8.31.tar.gz create mode 100644 sudo-1.8.31.tar.gz.sig diff --git a/sudo-1.8.28p1.tar.gz b/sudo-1.8.28p1.tar.gz deleted file mode 100644 index 4585690..0000000 --- a/sudo-1.8.28p1.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:23ba5a84af31e3b5ded58d4be6d3f6939a495a55561fba92c6941b79a6e8b027 -size 3310254 
diff --git a/sudo-1.8.28p1.tar.gz.sig b/sudo-1.8.28p1.tar.gz.sig deleted file mode 100644 index 3ad442811b5a3d7381eba62d9179bf5abb6095df27a876b47b2048a9260abacf..0000000000000000000000000000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 543 zcmV+)0^t3L0vrSY0SEvF1p-~C2%P{52@t9Dz#-10aQlA(5C2J4bZ&sR;NsK#%tSFf zjX#2?e@KFXOE)W{LD1*aIj}`TYrh}(pArp$ooh9d1 z_oD8T?IZA(>ED-upJu_Wc$pJ7xFFq?93RzP-A5hutSx~`%?*)g(+|ynY1jcTRd?IU zsyd+U;yUx*$i~lURvuw*oJ>n)FT6V2@G%(&2_D^NNr*5T=M+hvYEkJuD?hT%k(N_L zf0VtTMv%Ho7C3kby&I)?NB0zeiPQZLiIkT4rI4w@cbE;w^$F{IW=&A{7YS}ETMG^~ z`-}{3hq()Hko&gUrhXGN1-7wdl<$kzrgc5Cpt6zN>mjy;DU>?-9q}q`+{eJ5^OV$3 zMuhi9&d30rahoxEn+KwZd<3-(*CmPjhzk^EKNN2D506?{(NP;hQ3r4OFyF9c`t!(!9G)CYvvejBo^8nq;?jT{~OsvccNeWpMO3FGe4wSEAad?Ltag;F*pc@n z=!z$;(M`i)`~v@Ar-(si&F9Hk2&PJLlQ?PM%WhU>S^Bhr1>V<^Wc5U}XN$ zRg(CDV8#taMA z1siF*cQxZrvABis{BAjq#TotTzF$50IXoK z(O>uOAN;!E%gDk2b4JIp$FEis;I`v6bv3b#8orv9^;KX+Alt1Jc|!)8hQDpnEb)2f z2;5z@7-K{Q1L0*mnM#^J24XTSZePSio)-d@z^l+2kH059L8R!Zwx!GC6g%EUCFoT@ zUJ=x;>`1ez2x|slw#o9KCQ#M!@_Me*UtQ#~osvX<;E0_xi@sXx91of5TX|lPu?=fU zk78bLW`Z^m&e_t#9!sJ`RW<|ju2$=ks?>Uhs-3)rVwjvni^)zO!zbSvX>Y9{j<+Zma%+g9FwX6y49 hP3rp(xoZzj+S&Rl_R)IIDhG8)I3B$!*2KK?mb~W;4t@Xt literal 0 HcmV?d00001 diff --git a/sudo-sudoers.patch b/sudo-sudoers.patch index 33f8018..6d9df27 100644 --- a/sudo-sudoers.patch +++ b/sudo-sudoers.patch @@ -1,7 +1,7 @@ -Index: sudo-1.8.28/plugins/sudoers/sudoers.in +Index: sudo-1.8.31/plugins/sudoers/sudoers.in =================================================================== ---- sudo-1.8.28.orig/plugins/sudoers/sudoers.in 2019-10-14 17:00:02.176362373 +0200 -+++ sudo-1.8.28/plugins/sudoers/sudoers.in 2019-10-14 17:00:04.688378325 +0200 +--- sudo-1.8.31.orig/plugins/sudoers/sudoers.in ++++ sudo-1.8.31/plugins/sudoers/sudoers.in @@ -32,30 +32,23 @@ ## ## Defaults specification 
@@ -82,11 +82,11 @@ Index: sudo-1.8.28/plugins/sudoers/sudoers.in ## Read drop-in files from @sysconfdir@/sudoers.d ## (the '#' here does not indicate a comment) #includedir @sysconfdir@/sudoers.d -Index: sudo-1.8.28/doc/sudoers.mdoc.in +Index: sudo-1.8.31/doc/sudoers.mdoc.in =================================================================== ---- sudo-1.8.28.orig/doc/sudoers.mdoc.in 2019-10-14 17:00:02.176362373 +0200 -+++ sudo-1.8.28/doc/sudoers.mdoc.in 2019-10-14 17:03:30.841685660 +0200 -@@ -1972,7 +1972,7 @@ is present in the +--- sudo-1.8.31.orig/doc/sudoers.mdoc.in ++++ sudo-1.8.31/doc/sudoers.mdoc.in +@@ -1985,7 +1985,7 @@ is present in the .Em env_keep list, both of which are strongly discouraged. This flag is @@ -95,16 +95,16 @@ Index: sudo-1.8.28/doc/sudoers.mdoc.in by default. .It authenticate If set, users must authenticate themselves via a password (or other -@@ -2364,7 +2364,7 @@ If set, +@@ -2376,7 +2376,7 @@ If set, .Nm sudo will insult users when they enter an incorrect password. This flag is -.Em @insults@ +.Em off by default. - .It log_host - If set, the host name will be logged in the (non-syslog) -@@ -2941,7 +2941,7 @@ database as an argument to the + .It log_allowed + If set, +@@ -3009,7 +3009,7 @@ database as an argument to the .Fl u option. This flag is diff --git a/sudo.changes b/sudo.changes index 2eb98d3..bcdf697 100644 --- a/sudo.changes +++ b/sudo.changes 
@@ -1,3 +1,79 @@ +------------------------------------------------------------------- +Thu Feb 6 19:21:23 UTC 2020 - Kristyna Streitova + +- Update to 1.8.31 + Major changes between version 1.8.31 and 1.8.30: + * This version fixes a potential security issue that can lead to + a buffer overflow if the pwfeedback option is enabled in + sudoers [CVE-2019-18634] [bsc#1162202] + * The sudoedit_checkdir option now treats a user-owned directory + as writable, even if it does not have the write bit set at the + time of check. Symbolic links will no longer be followed by + sudoedit in any user-owned directory. Bug #912. + * Fixed a crash introduced in sudo 1.8.30 when suspending sudo + at the password prompt. Bug #914. + * Fixed compilation on systems where the mmap MAP_ANON flag is + not available. Bug #915. + Major changes between version 1.8.30 and 1.8.29: + * Sudo now closes file descriptors before changing uids. This + prevents a non-root process from interfering with sudo's ability + to close file descriptors on systems that support the prlimit(2) + system call. + * Sudo now treats an attempt to run sudo sudoedit as simply + sudoedit If the sudoers file contains a fully-qualified path + to sudoedit, sudo will now treat it simply as sudoedit + (with no path). Visudo will will now treat a fully-qualified + path to sudoedit as an error. Bug #871. + * Fixed a bug introduced in sudo 1.8.28 where sudo would warn + about a missing /etc/environment file on AIX and Linux when + PAM is not enabled. Bug #907. + * Fixed a bug on Linux introduced in sudo 1.8.29 that prevented + the askpass program from running due to an unlimited stack size + resource limit. Bug #908. + * If a group provider plugin has optional arguments, the argument + list passed to the plugin is now NULL terminated as per the + documentation. + * The user's time stamp file is now only updated if both authentication + and approval phases succeed. 
This is consistent with the behavior + of sudo prior to version 1.8.23. Bug #910. + * The new allow_unknown_runas_id sudoers setting can be used to + enable or disable the use of unknown user or group IDs. + Previously, sudo would always allow unknown user or group IDs if + the sudoers entry permitted it, including via the ALL alias. + As of sudo 1.8.30, the admin must explicitly enable support for + unknown IDs. + * The new runas_check_shell sudoers setting can be used to require + that the runas user have a shell listed in the /etc/shells file. + On many systems, users such as bin, do not have a valid shell and + this flag can be used to prevent commands from being run as + those users. + * Fixed a problem restoring the SELinux tty context during reboot + if mctransd is killed before sudo finishes. GitHub Issue #17. + * Fixed an intermittent warning on NetBSD when sudo restores the + initial stack size limit. + Major changes between version 1.8.29 and 1.8.28p1: + * The cvtsudoers command will now reject non-LDIF input when + converting from LDIF format to sudoers or JSON formats. + * The new log_allowed and log_denied sudoers settings make it + possible to disable logging and auditing of allowed and/or + denied commands. + * The umask is now handled differently on systems with PAM or + login.conf. If the umask is explicitly set in sudoers, that + value is used regardless of what PAM or login.conf may specify. + However, if the umask is not explicitly set in sudoers, PAM or + login.conf may now override the default sudoers umask. Bug #900. + * For make install, the sudoers file is no longer checked for syntax + errors when DESTDIR is set. The default sudoers file includes the + contents of /etc/sudoers.d which may not be readable as non-root. + Bug #902. + * Sudo now sets most resource limits to their maximum value to avoid + problems caused by insufficient resources, such as an inability to + allocate memory or open files and pipes. 
Fixed a regression introduced + in sudo 1.8.28 where sudo would refuse to run if the parent process was + not associated with a session. This was due to sudo passing a session + ID of -1 to the plugin. +- refresh sudo-sudoers.patch + ------------------------------------------------------------------- Fri Dec 6 08:38:45 UTC 2019 - Thorsten Kukuk diff --git a/sudo.spec b/sudo.spec index 7828057..9649215 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,7 +1,7 @@ # # spec file for package sudo # -# Copyright (c) 2019 SUSE LLC +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -23,7 +23,7 @@ %endif Name: sudo -Version: 1.8.28p1 +Version: 1.8.31 Release: 0 Summary: Execute some commands as root License: ISC
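Review bot: In the refreshed sudo-sudoers.patch, the sudoers.in hunk at "@@ -32,30 +32,23 @@" rewrites the "Defaults specification" block, but its body is not shown in this diff, while the headline fix of this update (CVE-2019-18634) is described as reachable when pwfeedback is enabled in sudoers. Please confirm that the patched default sudoers does not turn on pwfeedback, and consider stating the shipped default in sudo.changes. The remainder of the refresh reads as mechanical: Index paths move from sudo-1.8.28 to sudo-1.8.31, the timestamps are dropped from the ---/+++ lines, the doc offsets move to 1985, 2376 and 3009, and the context of the insults hunk is now ".It log_allowed".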
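Review bot: The source swap listed in the diffstat (sudo-1.8.28p1.tar.gz and its .sig deleted, sudo-1.8.31.tar.gz and sudo-1.8.31.tar.gz.sig created) comes with sudo.spec hunks that touch only the copyright year and the Version field, so nothing visible here shows the new 543-byte signature being checked. Before accepting, verify sudo-1.8.31.tar.gz against sudo-1.8.31.tar.gz.sig with the upstream signing key, and if the spec does not already verify the signature at build time, consider adding that step so the next version bump is covered as well.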