diff --git a/sudo-1.9.13p3.tar.gz b/sudo-1.9.13p3.tar.gz deleted file mode 100644 index 17ef87b..0000000 --- a/sudo-1.9.13p3.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:92334a12bb93e0c056b09f53e255ccb7d6f67c6350e2813cd9593ceeca78560b -size 5100355 diff --git a/sudo-1.9.13p3.tar.gz.sig b/sudo-1.9.13p3.tar.gz.sig deleted file mode 100644 index df70796..0000000 Binary files a/sudo-1.9.13p3.tar.gz.sig and /dev/null differ diff --git a/sudo-1.9.14p1.tar.gz b/sudo-1.9.14p1.tar.gz new file mode 100644 index 0000000..d39a035 --- /dev/null +++ b/sudo-1.9.14p1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e91bf5ef2e09d857ee901c3465cf7ddb37e43c763b65d19fa0862d1dec128faf +size 5230440 diff --git a/sudo-1.9.14p1.tar.gz.sig b/sudo-1.9.14p1.tar.gz.sig new file mode 100644 index 0000000..db015d2 Binary files /dev/null and b/sudo-1.9.14p1.tar.gz.sig differ diff --git a/sudo-sudoers.patch b/sudo-sudoers.patch index e58b23e..9730b21 100644 --- a/sudo-sudoers.patch +++ b/sudo-sudoers.patch @@ -1,7 +1,7 @@ -diff --git a/plugins/sudoers/sudoers.in b/plugins/sudoers/sudoers.in -index 5efda5d..e757da4 100644 ---- a/plugins/sudoers/sudoers.in -+++ b/plugins/sudoers/sudoers.in +Index: sudo-1.9.14p1/plugins/sudoers/sudoers.in +=================================================================== +--- sudo-1.9.14p1.orig/plugins/sudoers/sudoers.in ++++ sudo-1.9.14p1/plugins/sudoers/sudoers.in @@ -32,32 +32,23 @@ ## ## Defaults specification 
@@ -50,9 +50,9 @@ index 5efda5d..e757da4 100644 +## Use this PATH instead of the user's to find commands. +Defaults secure_path="/usr/sbin:/usr/bin:/sbin:/bin" ## - ## Uncomment to send mail if the user does not enter the correct password. - # Defaults mail_badpass -@@ -68,10 +59,16 @@ + ## Uncomment to restore the historic behavior where a command is run in + ## the user's own terminal. +@@ -72,10 +63,16 @@ ## Set maxseq to a smaller number if you don't have unlimited disk space. # Defaults log_output # Defaults!/usr/bin/sudoreplay !log_output @@ -70,7 +70,7 @@ index 5efda5d..e757da4 100644 ## ## Runas alias specification ## -@@ -87,13 +84,5 @@ root ALL=(ALL:ALL) ALL +@@ -91,13 +88,5 @@ root ALL=(ALL:ALL) ALL ## Same thing without a password # %wheel ALL=(ALL:ALL) NOPASSWD: ALL diff --git a/sudo.changes b/sudo.changes index 76cbe62..8426118 100644 --- a/sudo.changes +++ b/sudo.changes 
@@ -1,3 +1,86 @@ +------------------------------------------------------------------- +Wed Jul 12 09:27:18 UTC 2023 - Paolo Stivanin + +- Update to 1.9.14p1: + * Fixed an invalid free bug in sudo_logsrvd that was introduced + in version 1.9.14 which could cause sudo_logsrvd to crash. + * The sudoers plugin no longer tries to send the terminal name + to the log server when no terminal is present. This bug was + introduced in version 1.9.14. + * Fixed a bug where if the "intercept" or "log_subcmds" sudoers + option was enabled and a sub-command was run where the first + entry of the argument vector didn't match the command being run. + This resulted in commands like "sudo su -" being killed due to + the mismatch. Bug #1050. + * The sudoers plugin now canonicalizes command path names before + matching (where possible). This fixes a bug where sudo could + execute the wrong path if there are multiple symbolic links with + the same target and the same base name in sudoers that a user is + allowed to run. GitHub issue #228. + * Improved command matching when a chroot is specified in sudoers. + The sudoers plugin will now change the root directory id needed + before performing command matching. Previously, the root directory + was simply prepended to the path that was being processed. + * When NETGROUP_BASE is set in the ldap.conf file, sudo will now + perform its own netgroup lookups of the host name instead of + using the system innetgr(3) function. This guarantees that user + and host netgroup lookups are performed using the same LDAP + server (or servers). + * Fixed a bug introduced in sudo 1.9.13 that resulted in a missing + " ; " separator between environment variables and the command + in log entries. + * The visudo utility now displays a warning when it ignores a file + in an include dir such as /etc/sudoers.d. + * When running a command in a pseudo-terminal, sudo will initialize + the terminal settings even if it is the background process. 
+ Previously, sudo only initialized the pseudo-terminal when running + in the foreground. This fixes an issue where a program that + checks the window size would read the wrong value when sudo was + running in the background. + * Fixed a bug where only the first two digits of the TSID field + being was logged. Bug #1046. + * The "log_pty" sudoers option is now enabled by default. To + restore the historic behavior where a command is run in the + user's terminal, add "Defaults !use_pty" to the sudoers file. + GitHub issue #258. + * Sudo's "-b" option now works when the command is run in a + pseudo-terminal. + * When disabling core dumps, sudo now only modifies the soft limit + and leaves the hard limit as-is. This avoids problems on Linux + when sudo does not have CAP_SYS_RESOURCE, which may be the case + when run inside a container. GitHub issue #42. + * Sudo configuration file paths have been converted to colon-separated + lists of paths. This makes it possible to have configuration + files on a read-only file system while still allowing for local + modifications in a different (writable) directory. The new + --enable-adminconf configure option can be used to specify a + directory that is searched for configuration files in preference + to the sysconfdir (which is usually /etc). + * The "intercept_verify" sudoers option is now only applied when + the "intercept" option is set in sudoers. Previously, it was + also applied when "log_subcmds" was enabled. + * The NETGROUP_QUERY ldap.conf parameter can now be disabled for + LDAP servers that do not support querying the nisNetgroup object + by its nisNetgroupTriple attribute, while still allowing sudo to + query the LDAP server directly to determine netgroup membership. + * Fixed a long-standing bug where a sudoers rule without an explicit + runas list allowed the user to run a command as root and any + group instead of just one of the groups that root is a member + of. 
For example, a rule such as "myuser ALL = ALL" would permit + "sudo -u root -g othergroup" even if root did not belong to + "othergroup". + * Fixed a bug where a sudoers rule with an explicit runas list + allowed a user to run sudo commands as themselves. For example, + a rule such as "myuser ALL = (root) ALL", "myuser" should only + allow commands to be run as root (optionally using one of root's + groups). However, the rule also allowed the user to run + "sudo -u myuser -g myuser command". + * Fixed a bug that prevented the user from specifying a group on + the command line via "sudo -g" if the rule's Runas_Spec contained + a Runas_Alias. + * Sudo now requires a C compiler that conforms to ISO C99 or higher + to build. + ------------------------------------------------------------------- Fri Mar 31 13:05:27 UTC 2023 - Michal Koutný diff --git a/sudo.spec b/sudo.spec index f612945..bdbb2f9 100644 --- a/sudo.spec +++ b/sudo.spec @@ -17,7 +17,7 @@ Name: sudo -Version: 1.9.13p3 +Version: 1.9.14p1 Release: 0 Summary: Execute some commands as root License: ISC
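Review bot: The sudo-1.9.14p1.tar.gz.sig replacement appears only as "Binary files /dev/null and b/sudo-1.9.14p1.tar.gz.sig differ", so nothing visible in this diff ties the new signature to the new tarball. Before merging, verify the .sig against the upstream release key and compare the oid sha256 and size in the new Git LFS pointer for sudo-1.9.14p1.tar.gz with the values upstream publishes for that release. The sudo.spec hunk shown here changes only the Version line, so it does not show whether the build itself checks the signature.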
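Review bot: In sudo-sudoers.patch the header switches from git-style "a/plugins/sudoers/sudoers.in" paths to a quilt-style "Index: sudo-1.9.14p1/plugins/sudoers/sudoers.in" header, which embeds the upstream version in the patch and will make these lines change on every version bump even when the sudoers edits are unchanged. Both forms carry one leading path component, so the same strip level applies, but consider regenerating the patch with version-free paths. The inner hunk offsets shift by four lines (68 to 72, 87 to 91) and the context now includes the upstream comment about running a command in the user's own terminal, so it is worth confirming that the added secure_path default still lands where intended in the Defaults section.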
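Review bot: In the sudo.changes entry, the pseudo-terminal item names the option "log_pty" as now enabled by default but tells users to restore the old behaviour with "Defaults !use_pty". The two names should agree, and the restore line points to "use_pty" as the intended one. The same entry has a few wording slips that are worth fixing while it is open: "change the root directory id needed" reads as "if needed", "TSID field being was logged" as "was being logged", and the item beginning "Fixed a bug where if the "intercept" or "log_subcmds" sudoers option was enabled" never completes its first sentence. Because the runas items change which "sudo -u" and "sudo -g" combinations existing rules permit, a one-line pointer for administrators to re-check rules without an explicit runas list would also help.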