Accepting request 41584 from Base:System

Copy from Base:System/sudo based on submit request 41584 from user puzel OBS-URL: https://build.opensuse.org/request/show/41584 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sudo?expand=0&rev=28
2010-06-22 08:38:23 +00:00 · 2010-06-22 08:38:23 +00:00 · d5a69a9c43
commit d5a69a9c43
parent cbb9e77c58 c02c3ca0b7
6 changed files with 24 additions and 113 deletions
--- a/sudo-1.7.2p4.tar.gz
+++ b/sudo-1.7.2p4.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:57d9adbdffa881e32894231079da7d68ffe99f46942818b63baadf6c795b7bdd
-size 772821
--- a/sudo-1.7.2p7.tar.gz
+++ b/sudo-1.7.2p7.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:07a9c83e628a088314523e558236ac3c4cb0d54d7d7093e5b3e4c8101b1a2bea
+size 772356
--- a/sudo-CVE-2010-1163.patch
+++ b/sudo-CVE-2010-1163.patch
@ -1,16 +0,0 @@
-Index: sudo-1.7.2p4/find_path.c
-===================================================================
--- sudo-1.7.2p4.orig/find_path.c	2010-05-18 17:40:20.000000000 +0200
-+++ sudo-1.7.2p4/find_path.c	2010-05-18 17:46:44.000000000 +0200
-@@ -126,7 +126,10 @@ find_path(infile, outfile, sbp, path)
-      * Check current dir if dot was in the PATH
-      */
-     if (!result && checkdot) {
-	result = sudo_goodpath(infile, sbp);
-+        len = snprintf(command, sizeof(command), "./%s", infile);
-+        if (len <= 0 || len >= sizeof(command))
-+            errorx(1, "%s: File name too long", infile);
-+        result = sudo_goodpath(command, sbp);
- 	if (result && def_ignore_dot)
- 	    return(NOT_FOUND_DOT);
-     }
--- a/sudo-CVE-2010-1646.patch
+++ b/sudo-CVE-2010-1646.patch
@ -1,87 +0,0 @@
-
-# HG changeset patch
-# User Todd C. Miller <Todd.Miller@courtesan.com>
-# Date 1275055525 14400
-# Node ID a09c6812eaecd6a18f424e66419e6acaf80befc9
-# Parent  c17c54dc03b35472377a73544ad91384a81303f8
-Handle duplicate variables in the environment.  For unsetenv(),
-keep looking even after remove the first instance.  For sudo_putenv(),
-check for and remove dupes after we replace an existing value.
-
-Index: sudo-1.7.2p4/env.c
-===================================================================
--- sudo-1.7.2p4.orig/env.c	2010-06-02 12:20:58.000000000 +0200
-+++ sudo-1.7.2p4/env.c	2010-06-02 12:23:42.000000000 +0200
-@@ -321,7 +321,7 @@ int
- unsetenv(var)
-     const char *var;
- {
-    char **ep;
-+    char **ep = env.envp;
-     size_t len;
- 
-     if (strchr(var, '=') != NULL) {
-@@ -359,13 +359,15 @@ unsetenv(var)
-     }
- 
-     len = strlen(var);
-    for (ep = env.envp; *ep; ep++) {
-+    while (*ep != NULL) {
- 	if (strncmp(var, *ep, len) == 0 && (*ep)[len] == '=') {
- 	    /* Found it; shift remainder + NULL over by one and update len. */
- 	    memmove(ep, ep + 1,
- 		(env.env_len - (ep - env.envp)) * sizeof(char *));
- 	    env.env_len--;
-	    break;
-+	    /* Keep going, could be multiple instances of the var. */
-+	} else {
-+	    ep++;
- 	}
-     }
- #ifndef UNSETENV_VOID
-@@ -433,6 +435,7 @@ sudo_putenv(str, dupcheck, overwrite)
- {
-     char **ep;
-     size_t len;
-+    int found = FALSE;
- 
-     /* Make sure there is room for the new entry plus a NULL. */
-     if (env.env_len + 2 > env.env_size) {
-@@ -452,19 +455,33 @@ sudo_putenv(str, dupcheck, overwrite)
- 
-     if (dupcheck) {
- 	    len = (strchr(str, '=') - str) + 1;
-	    for (ep = env.envp; *ep; ep++) {
-+	for (ep = env.envp; !found && *ep != NULL; ep++) {
- 		if (strncmp(str, *ep, len) == 0) {
- 		    if (overwrite)
- 			*ep = str;
-		    return;
-+		found = TRUE;
-+	    }
-+	}
-+	/* Prune out duplicate variables. */
-+	if (found && overwrite) {
-+	    while (*ep != NULL) {
-+		if (strncmp(str, *ep, len) == 0) {
-+		    memmove(ep, ep + 1,
-+			(env.env_len - (ep - env.envp)) * sizeof(char *));
-+		    env.env_len--;
-+		} else {
-+		    ep++;
-+		}
-+	    }
- 		}
- 	    }
-    } else
-	ep = env.envp + env.env_len;
- 
-+    if (!found) {
-+	ep = env.envp + env.env_len;
-     env.env_len++;
-     *ep++ = str;
-     *ep = NULL;
-+    }
- }
- 
- /*
--- a/sudo.changes
+++ b/sudo.changes
@ -1,3 +1,21 @@
+-------------------------------------------------------------------
+Tue Jun 15 21:23:02 UTC 2010 - pascal.bleser@opensuse.org
+
+- update to 1.7.2p7:
+  * portability fixes
+
+- changes from 1.7.2p6:
+  * Handle duplicate variables in the environment
+  * visudo: fix a crash when checking a sudoers file that has aliases
+    that reference themselves
+  * aliases: fix use after free in error message when a duplicate
+    alias exists
+  * visudo: prevent NULL dereference in printf()
+
+- removed sudo-CVE-2010-1163.patch (merged upstream)
+
+- removed sudo-CVE-2010-1646.patch (merged upstream)
+
 -------------------------------------------------------------------
 Wed Jun  2 10:32:42 UTC 2010 - puzel@novell.com

--- a/sudo.spec
+++ b/sudo.spec
@ -1,5 +1,5 @@
 #
-# spec file for package sudo (Version 1.7.2p4)
+# spec file for package sudo (Version 1.7.2p7)
 #
 # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
@ -22,8 +22,8 @@ Name:           sudo
 BuildRequires:  openldap2-devel pam-devel postfix
 BuildRequires:  libselinux-devel
 PreReq:         coreutils
-Version:        1.7.2p4
-Release:        3
+Version:        1.7.2p7
+Release:        1
 Group:          System/Base
 License:        BSD3c(or similar)
 Url:            http://www.sudo.ws/
@ -38,8 +38,6 @@ Patch4:         %{name}-1.7.1-strip.diff
 Patch5:         %{name}-1.7.1-secure_path.diff
 Patch6:         %{name}-1.7.1-env.diff
 Patch7:         %{name}-1.7.1-pam_rhost.diff
-Patch8:         sudo-CVE-2010-1163.patch
-Patch9:         sudo-CVE-2010-1646.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build

 %description
@ -68,8 +66,6 @@ Authors:
 %patch5
 %patch6
 %patch7
-%patch8 -p1
-%patch9 -p1
 cp %{SOURCE2} .

 %build