From 2edf02caabb241481232ea372066e777b08455a12595f9578b7f94aa785c446d Mon Sep 17 00:00:00 2001
From: Dirk Mueller
Date: Sun, 19 Jun 2016 21:14:17 +0000
Subject: [PATCH] Accepting request 403502 from home:stroeder:branches:Base:System update to upstream release 1.8.17
OBS-URL: https://build.opensuse.org/request/show/403502
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=103
---
 sudo-1.8.16-pam_groups.patch | 100 -----------------------------------
 sudo-1.8.16.tar.gz | 3 --
 sudo-1.8.16.tar.gz.sig | Bin 72 -> 0 bytes
 sudo-1.8.17.tar.gz | 3 ++
 sudo-1.8.17.tar.gz.sig | Bin 0 -> 72 bytes
 sudo.changes | 50 ++++++++++++++++++
 sudo.spec | 4 +-
 7 files changed, 54 insertions(+), 106 deletions(-)
 delete mode 100644 sudo-1.8.16-pam_groups.patch
 delete mode 100644 sudo-1.8.16.tar.gz
 delete mode 100644 sudo-1.8.16.tar.gz.sig
 create mode 100644 sudo-1.8.17.tar.gz
 create mode 100644 sudo-1.8.17.tar.gz.sig
diff --git a/sudo-1.8.16-pam_groups.patch b/sudo-1.8.16-pam_groups.patch
deleted file mode 100644
index 03ffc31..0000000
--- a/sudo-1.8.16-pam_groups.patch
+++ /dev/null
@@ -1,100 +0,0 @@
-# HG changeset patch
-# User Todd C. Miller
-# Date 1461862918 21600
-# Node ID 814cda6025419e40b417f7d797757e11259feef2
-# Parent ef0a5428a5744ca1c7fcb1874d1fff37becc6a90
-Do group setup in policy_init_session() before calling out to the
-plugin. This makes it possible for the pam_group module to change
-the group in pam_setcred(). It's a bit bogus since pam_setcred()
-is documented as not changing the group or user ID, but pam_group
-is shipped with stock Linux-PAM so we need to support it.
-
-diff -r ef0a5428a574 -r 814cda602541 src/sudo.c
---- a/src/sudo.c Tue Apr 26 14:39:42 2016 -0600
-+++ b/src/sudo.c Thu Apr 28 11:01:58 2016 -0600
-@@ -939,7 +939,8 @@
- }
-
- /*
-- * Setup the execution environment immediately prior to the call to execve()
-+ * Setup the execution environment immediately prior to the call to execve().
-+ * Group setup is performed by policy_init_session(), called earlier.
- * Returns true on success and false on failure.
- */
- bool
-@@ -1018,30 +1019,6 @@
- #endif /* HAVE_LOGIN_CAP_H */
- }
-
-- /*
-- * Set groups, including supplementary group vector.
-- */
-- if (!ISSET(details->flags, CD_PRESERVE_GROUPS)) {
-- if (details->ngroups >= 0) {
-- if (sudo_setgroups(details->ngroups, details->groups) < 0) {
-- sudo_warn(U_("unable to set supplementary group IDs"));
-- goto done;
-- }
-- }
-- }
--#ifdef HAVE_SETEUID
-- if (ISSET(details->flags, CD_SET_EGID) && setegid(details->egid)) {
-- sudo_warn(U_("unable to set effective gid to runas gid %u"),
-- (unsigned int)details->egid);
-- goto done;
-- }
--#endif
-- if (ISSET(details->flags, CD_SET_GID) && setgid(details->gid)) {
-- sudo_warn(U_("unable to set gid to runas gid %u"),
-- (unsigned int)details->gid);
-- goto done;
-- }
--
- if (ISSET(details->flags, CD_SET_PRIORITY)) {
- if (setpriority(PRIO_PROCESS, 0, details->priority) != 0) {
- sudo_warn(U_("unable to set process priority"));
-@@ -1365,6 +1342,35 @@
- int rval = true;
- debug_decl(policy_init_session, SUDO_DEBUG_PCOMM)
-
-+ /*
-+ * We set groups, including supplementary group vector,
-+ * as part of the session setup. This allows for dynamic
-+ * groups to be set via pam_group(8) in pam_setcred(3).
-+ */
-+ if (!ISSET(details->flags, CD_PRESERVE_GROUPS)) {
-+ if (details->ngroups >= 0) {
-+ if (sudo_setgroups(details->ngroups, details->groups) < 0) {
-+ sudo_warn(U_("unable to set supplementary group IDs"));
-+ rval = -1;
-+ goto done;
-+ }
-+ }
-+ }
-+#ifdef HAVE_SETEUID
-+ if (ISSET(details->flags, CD_SET_EGID) && setegid(details->egid)) {
-+ sudo_warn(U_("unable to set effective gid to runas gid %u"),
-+ (unsigned int)details->egid);
-+ rval = -1;
-+ goto done;
-+ }
-+#endif
-+ if (ISSET(details->flags, CD_SET_GID) && setgid(details->gid)) {
-+ sudo_warn(U_("unable to set gid to runas gid %u"),
-+ (unsigned int)details->gid);
-+ rval = -1;
-+ goto done;
-+ }
-+
- if (policy_plugin.u.policy->init_session) {
- /*
- * Backwards compatibility for older API versions
-@@ -1381,6 +1387,7 @@
- }
- sudo_debug_set_active_instance(sudo_debug_instance);
- }
-+done:
- debug_return_int(rval);
- }
-
-
diff --git a/sudo-1.8.16.tar.gz b/sudo-1.8.16.tar.gz
deleted file mode 100644
index b6b8b15..0000000
--- a/sudo-1.8.16.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:2d83826fc5125bf073acc203dbda1cf2abeee017090ccc9dddb0431a53d5064d
-size 2707358
diff --git a/sudo-1.8.16.tar.gz.sig b/sudo-1.8.16.tar.gz.sig
deleted file mode 100644
index 7b701cdbb0c1729ef787e7de77c1d6a3b0d3095b508e794b1ce68e8abff87132..0000000000000000000000000000000000000000000000000000000000000000
GIT binary patch literal 0 HcmV?d00001 literal 72 zcmV-O0Jr~$Mg#y60ssaD0#@qR`2Y$D5L$`fqJHFX#KFY?pKc?SVT*cK6@=6|48hUB+2r90^81@?J3Fryb1z
diff --git a/sudo-1.8.17.tar.gz b/sudo-1.8.17.tar.gz
new file mode 100644
index 0000000..38dca00
--- /dev/null
+++ b/sudo-1.8.17.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:62b12c4fa9a3ad4f20f6e7576bc6405b2ec8d76222ea44a1c94830c68cccec8c
+size 2786216
diff --git a/sudo-1.8.17.tar.gz.sig b/sudo-1.8.17.tar.gz.sig
new file mode 100644
index 0000000000000000000000000000000000000000000000000000000000000000..fc16516f5117259e56085ee43748ad9cd34b7030900346a35fb3e68a9307cc54
GIT binary patch literal 72 zcmV-O0Jr~$Mg#y60ssaD0#{_VjsOY?5L$`fqJHFX#6$Q1poJ11lZKucY84VqDps30 eKgwkSQvjfWSw~qCHZ0QGF_b9ZFe^YEOn|37^B9x> literal 0 HcmV?d00001
diff --git a/sudo.changes b/sudo.changes
index 45809e3..df6b0c7 100644
--- a/sudo.changes
+++ b/sudo.changes
@@ -1,3 +1,53 @@
+-------------------------------------------------------------------
+Sun Jun 19 14:01:44 UTC 2016 - michael@stroeder.com
+
+- removed obsolete patch sudo-1.8.16-pam_groups.patch
+- update to 1.8.17:
+ * On AIX, if /etc/security/login.cfg has auth_type set to PAM_AUTH
+ but pam_start(3) fails, fall back to AIX authentication.
+ Bug #740.
+ * Sudo now takes all sudoers sources into account when determining
+ whether or not "sudo -l" or "sudo -b" should prompt for a password.
+ In other words, if both file and ldap sudoers sources are in
+ specified in /etc/nsswitch.conf, "sudo -v" will now require that
+ all entries in both sources be have NOPASSWD (file) or !authenticate
+ (ldap) in the entries.
+ * Sudo now ignores SIGPIPE until the command is executed. Previously,
+ SIGPIPE was only ignored in a few select places. Bug #739.
+ * Fixed a bug introduced in sudo 1.8.14 where (non-syslog) log
+ file entries were missing the newline when loglinelen is set to
+ a non-positive number. Bug #742.
+ * Unix groups are now set before the plugin session intialization
+ code is run. This makes it possible to use dynamic groups with
+ the Linux-PAM pam_group module.
+ * Fixed a bug where a debugging statement could dereference a NULL
+ pointer when looking up a group that doesn't exist. Bug #743.
+ * Sudo has been run through the Coverity code scanner. A number of
+ minor bugs have been fixed as a result. None were security issues.
+ * SELinux support, which was broken in 1.8.16, has been repaired.
+ * Fixed a bug when logging I/O where all output buffers might not
+ get flushed at exit.
+ * Forward slashes are no longer escaped in the JSON output of
+ "visudo -x". This was never required by the standard and not
+ escaping them improves readability of the output.
+ * Sudo no longer treats PAM_SESSION_ERR as a fatal error when
+ opening the PAM session. Other errors from pam_open_session()
+ are still treated as fatal. This avoids the "policy plugin
+ failed session initialization" error message seen on some systems.
+ * Korean translation for sudo and sudoers from translationproject.org.
+ * Fixed a bug on AIX where the stack size hard resource limit was
+ being set to 2GB instead of 4GB on 64-bit systems.
+ * The SSSD backend now properly supports "sudo -U otheruser -l".
+ * The SSSD backend now uses the value of "ipa_hostname"
+ from sssd.conf, if specified, when matching the host name.
+ * Fixed a hang on some systems when the command is being run in
+ a pty and it failed to execute.
+ * When performing a wildcard match in sudoers, check for an exact
+ string match if the user command was fully-qualified (or resolved
+ via the PATH). This fixes an issue executing scripts on Linux
+ when there are multiple wildcard matches with the same base name.
+ Bug #746.
+
 -------------------------------------------------------------------
 Mon May 23 08:22:12 UTC 2016 - egeorget@openmailbox.org
diff --git a/sudo.spec b/sudo.spec
index cefb064..f766d37 100644
--- a/sudo.spec
+++ b/sudo.spec
@@ -17,7 +17,7 @@
 Name: sudo
-Version: 1.8.16
+Version: 1.8.17
 Release: 0
 Summary: Execute some commands as root
 License: ISC
@@ -33,7 +33,6 @@ Source6: %{name}.keyring
 Patch0: sudoers2ldif-env.patch
 # PATCH-OPENSUSE: the "SUSE" branding of the default sudo config
 Patch1: sudo-sudoers.patch
-Patch2: sudo-1.8.16-pam_groups.patch
 BuildRequires: audit-devel
 BuildRequires: cyrus-sasl-devel
 BuildRequires: groff
@@ -75,7 +74,6 @@ Tests for fate#313276
 %setup -q
 %patch0 -p1
 %patch1 -p1
-%patch2 -p1
 %build
 %ifarch s390 s390x %sparc