bnc#667558, bnc#663881

OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=18
2011-01-28 11:22:22 +00:00 · 2011-01-28 11:22:22 +00:00 · 89efcc0d2c
commit 89efcc0d2c
parent 1d242cbebb
3 changed files with 110 additions and 0 deletions
--- a/sudo-CVE-2011-0010.patch
+++ b/sudo-CVE-2011-0010.patch
@ -0,0 +1,93 @@
+# User Todd C. Miller <Todd.Miller@courtesan.com>
+# Date 1294760019 18000
+# Node ID fe8a94f96542335c02d09fba81077c1dcc6381b5
+# Parent  8f9303326db73a2e00cd53c2515db8188386cfc0
+If the user is running sudo as himself but as a different group we
+need to prompt for a password.
+
+Index: sudo-1.7.2p7/check.c
+===================================================================
+--- sudo-1.7.2p7.orig/check.c
+++ sudo-1.7.2p7/check.c
+@@ -93,7 +93,13 @@ check_user(validated, mode)
+ 	/* do not check or update timestamp */
+ 	status = TS_ERROR;
+     } else {
+-	if (user_uid == 0 || user_uid == runas_pw->pw_uid || user_is_exempt())
+	/*
+	 * Don't prompt for the root passwd or if the user is exempt.
+	 * If the user is not changing uid/gid, no need for a password.
+	 */
+	if (user_uid == 0 || (user_uid == runas_pw->pw_uid &&
+	    (!runas_gr || user_in_group(sudo_user.pw, runas_gr->gr_name))) ||
+	    user_is_exempt())
+ 	    return;
+ 
+ 	build_timestamp(&timestampdir, &timestampfile);
+Index: sudo-1.7.2p7/pwutil.c
+===================================================================
+--- sudo-1.7.2p7.orig/pwutil.c
+++ sudo-1.7.2p7/pwutil.c
+@@ -565,3 +565,50 @@ sudo_endgrent()
+     sudo_freegrcache();
+ #endif
+ }
+
+
+int
+user_in_group(struct passwd *pw, const char *group)
+{
+    char **gr_mem;
+    int i;
+    struct group *grp;
+    int retval = FALSE;
+
+    grp = sudo_getgrnam(group);
+    if (grp == NULL)
+	goto done;
+
+    /* check against user's primary (passwd file) gid */
+    if (grp->gr_gid == pw->pw_gid) {
+	retval = TRUE;
+	goto done;
+    }
+
+    /*
+     * If we are matching the invoking or list user and that user has a
+     * supplementary group vector, check it.
+     */
+    if (user_ngroups > 0 &&
+	strcmp(pw->pw_name, list_pw ? list_pw->pw_name : user_name) == 0) {
+	for (i = 0; i < user_ngroups; i++) {
+	    if (grp->gr_gid == user_groups[i]) {
+		retval = TRUE;
+		goto done;
+	    }
+	}
+    } else
+    {
+	if (grp != NULL && grp->gr_mem != NULL) {
+	    for (gr_mem = grp->gr_mem; *gr_mem; gr_mem++) {
+		if (strcmp(*gr_mem, pw->pw_name) == 0) {
+		    retval = TRUE;
+		    goto done;
+		}
+	    }
+	}
+    }
+
+done:
+    return(retval);
+}
+Index: sudo-1.7.2p7/sudo.h
+===================================================================
+--- sudo-1.7.2p7.orig/sudo.h
+++ sudo-1.7.2p7/sudo.h
+@@ -316,6 +316,7 @@ struct passwd *sudo_getpwuid __P((uid_t)
+ struct group *sudo_getgrnam __P((const char *));
+ struct group *sudo_fakegrnam __P((const char *));
+ struct group *sudo_getgrgid __P((gid_t));
+int user_in_group(struct passwd *pw, const char *group);
+ #ifdef HAVE_SELINUX
+ void selinux_exec __P((char *, char *, char **, int));
+ #endif
--- a/sudo.changes
+++ b/sudo.changes
@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Thu Jan 27 09:18:05 UTC 2011 - cprause@novell.com
+
+- added openldap schema file (bnc#667558) 
+
+-------------------------------------------------------------------
+Thu Jan 13 10:11:35 UTC 2011 - puzel@novell.com
+
+- add sudo-CVE-2011-0010.patch (bnc#663881) 
+
 -------------------------------------------------------------------
 Mon Jun 28 06:38:35 UTC 2010 - jengelh@medozas.de

--- a/sudo.spec
+++ b/sudo.spec
@ -38,6 +38,7 @@ Patch4:         %{name}-1.7.1-strip.diff
 Patch5:         %{name}-1.7.1-secure_path.diff
 Patch6:         %{name}-1.7.1-env.diff
 Patch7:         %{name}-1.7.1-pam_rhost.diff
+Patch8:         sudo-CVE-2011-0010.patch	
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build

 %description
@ -66,6 +67,7 @@ Authors:
 %patch5
 %patch6
 %patch7
+%patch8 -p1
 cp %{SOURCE2} .

 %build
@ -102,6 +104,8 @@ install -m 644 %{SOURCE1} $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/sudo
 install -m 755 sudoers2ldif $RPM_BUILD_ROOT%{_sbindir}/sudoers2ldif
 rm -f $RPM_BUILD_ROOT%{_bindir}/sudoedit
 ln -sf %{_bindir}/sudo $RPM_BUILD_ROOT%{_bindir}/sudoedit
+install -d -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/openldap/schema
+install -m 644 schema.OpenLDAP $RPM_BUILD_ROOT%{_sysconfdir}/openldap/schema/sudo.schema

 %post
 chmod 0440 %{_sysconfdir}/sudoers
@ -116,6 +120,9 @@ rm -rf $RPM_BUILD_ROOT
 %config(noreplace) %attr(0440,root,root) %{_sysconfdir}/sudoers
 %config %{_sysconfdir}/pam.d/sudo
 %attr(4755,root,root) %{_bindir}/sudo
+%dir %{_sysconfdir}/openldap
+%dir %{_sysconfdir}/openldap/schema
+%attr(0444,root,root) %config %{_sysconfdir}/openldap/schema/sudo.schema
 %{_bindir}/sudoedit
 %{_sbindir}/*
 %{_libexecdir}/sudo