rpms/sudo
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import CS sudo-1.9.17-4.p2.el10

Browse Source
This commit is contained in:
AlmaLinux RelEng Bot 2026-05-19 15:15:04 -04:00
parent b31d4ee84a
commit 1726eaf283
9 changed files with 77 additions and 3346 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
sudo-1.9.15p5.tar.gz
sudo-1.9.17p2.tar.gz

13
coverity.patch → 0001-coverity.patch
View File

@ -1,7 +1,8 @@
diff -up ./plugins/sudoers/auth/pam.c.fix ./plugins/sudoers/auth/pam.c
--- ./plugins/sudoers/auth/pam.c.fix 2024-08-19 06:34:03.914643249 +0200
+++ ./plugins/sudoers/auth/pam.c 2024-08-19 06:48:46.136167294 +0200
@@ -454,11 +454,6 @@ sudo_pam_begin_session(const struct sudo
diff --git a/plugins/sudoers/auth/pam.c b/plugins/sudoers/auth/pam.c
index 973d67b..88d6a52 100644
--- a/plugins/sudoers/auth/pam.c
+++ b/plugins/sudoers/auth/pam.c
@@ -465,11 +465,6 @@ sudo_pam_begin_session(const struct sudoers_context *ctx, struct passwd *pw,
if (pw == NULL) {
if (pamh != NULL) {
rc = pam_end(pamh, PAM_SUCCESS | PAM_DATA_SILENT);
@ -13,7 +14,7 @@ diff -up ./plugins/sudoers/auth/pam.c.fix ./plugins/sudoers/auth/pam.c
pamh = NULL;
}
goto done;
@@ -517,11 +512,6 @@ sudo_pam_begin_session(const struct sudo
@@ -528,11 +523,6 @@ sudo_pam_begin_session(const struct sudoers_context *ctx, struct passwd *pw,
errstr = sudo_pam_strerror(pamh, rc);
log_warningx(ctx, 0, N_("%s: %s"), "pam_open_session", errstr);
rc = pam_end(pamh, *pam_status | PAM_DATA_SILENT);
@ -25,7 +26,7 @@ diff -up ./plugins/sudoers/auth/pam.c.fix ./plugins/sudoers/auth/pam.c
pamh = NULL;
status = AUTH_ERROR;
goto done;
@@ -577,9 +567,6 @@ sudo_pam_end_session(sudo_auth *auth)
@@ -588,9 +578,6 @@ sudo_pam_end_session(sudo_auth *auth)
}
rc = pam_end(pamh, PAM_SUCCESS | PAM_DATA_SILENT);
if (rc != PAM_SUCCESS) {

7
sudo-conf.patch → 0002-sudo-conf.patch
View File

@ -1,6 +1,7 @@
diff -up ./examples/sudo.conf.in.fix ./examples/sudo.conf.in
--- ./examples/sudo.conf.in.fix 2024-08-20 16:32:04.223791138 +0200
+++ ./examples/sudo.conf.in 2024-08-20 16:33:02.470003955 +0200
diff --git a/examples/sudo.conf.in b/examples/sudo.conf.in
index bdd676c..6c514b5 100644
--- a/examples/sudo.conf.in
+++ b/examples/sudo.conf.in
@@ -11,9 +11,9 @@
# The plugin_options are optional.
#

32
0003-rebuild_env-Avoid-setting-SHELL-twice-for-sudo-i.patch Normal file
View File

@ -0,0 +1,32 @@
From 3d467a705ea6ee53081cb11cc21ecf08eb47700d Mon Sep 17 00:00:00 2001
From: "Todd C. Miller" <Todd.Miller@sudo.ws>
Date: Thu, 6 Nov 2025 12:05:24 -0700
Subject: [PATCH] rebuild_env: Avoid setting SHELL twice for "sudo -i"
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Make sure DID_SHELL is set when we set SHELL in the "sudo -i" case.
Otherwise, it will be set again when setting fallback values.
Reported by Alejandro López at Red Hat.
The code to make sure that SHELL is setu
---
plugins/sudoers/env.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/plugins/sudoers/env.c b/plugins/sudoers/env.c
index 866ef3991..61b615513 100644
--- a/plugins/sudoers/env.c
+++ b/plugins/sudoers/env.c
@@ -966,6 +966,7 @@ rebuild_env(const struct sudoers_context *ctx)
if (ISSET(ctx->mode, MODE_LOGIN_SHELL)) {
CHECK_SETENV2("SHELL", ctx->runas.pw->pw_shell,
ISSET(didvar, DID_SHELL), true);
+ SET(didvar, DID_SHELL);
#ifdef _AIX
CHECK_SETENV2("LOGIN", ctx->runas.pw->pw_name,
ISSET(didvar, DID_LOGIN), true);
--
2.51.1

10
cve-2026-35535.patch → 0004-cve-2026-35535.patch
View File

@ -6,15 +6,13 @@ Subject: [PATCH] exec_mailer: Set group as well as uid when running the mailer
Also make a setuid(), setgid() or setgroups() failure fatal.
Found by the ZeroPath AI Security Engineer <https://zeropath.com>
Backported to RHEL 10.1.z by Alejandro López <allopez@redhat.com>
---
diff --git a/include/sudo_eventlog.h b/include/sudo_eventlog.h
index eb9f4f4a8..485d2593e 100644
--- a/include/sudo_eventlog.h
+++ b/include/sudo_eventlog.h
@@ -79,6 +79,7 @@ struct eventlog_config {
@@ -80,6 +80,7 @@ struct eventlog_config {
int syslog_rejectpri;
int syslog_alertpri;
uid_t mailuid;
@ -22,7 +20,7 @@ index eb9f4f4a8..485d2593e 100644
bool omit_hostname;
const char *logpath;
const char *time_fmt;
@@ -150,7 +151,7 @@ void eventlog_set_syslog_rejectpri(int pri);
@@ -151,7 +152,7 @@ void eventlog_set_syslog_rejectpri(int pri);
void eventlog_set_syslog_alertpri(int pri);
void eventlog_set_syslog_maxlen(size_t len);
void eventlog_set_file_maxlen(size_t len);
@ -115,7 +113,7 @@ diff --git a/plugins/sudoers/logging.c b/plugins/sudoers/logging.c
index ec092d14e..1626a28cb 100644
--- a/plugins/sudoers/logging.c
+++ b/plugins/sudoers/logging.c
@@ -1142,7 +1142,7 @@ init_eventlog_config(void)
@@ -1157,7 +1157,7 @@ init_eventlog_config(void)
eventlog_set_syslog_alertpri(def_syslog_badpri);
eventlog_set_syslog_maxlen(def_syslog_maxlen);
eventlog_set_file_maxlen(def_loglinelen);
@ -128,7 +126,7 @@ diff --git a/plugins/sudoers/policy.c b/plugins/sudoers/policy.c
index af3210dda..706c492b7 100644
--- a/plugins/sudoers/policy.c
+++ b/plugins/sudoers/policy.c
@@ -628,7 +628,7 @@ sudoers_policy_deserialize_info(struct sudoers_context *ctx, void *v,
@@ -639,7 +639,7 @@ sudoers_policy_deserialize_info(struct sudoers_context *ctx, void *v,
}
#ifdef NO_ROOT_MAILER

109
cve-2025-32462.patch
View File

@ -1,109 +0,0 @@
# Local Privilege Escalation via host option
Sudo's host (`-h` or `--host`) option is intended to be used in
conjunction with the list option (`-l` or `--list`) to list a user's
sudo privileges on a host other than the current one. However, due
to a bug it was not restricted to listing privileges and could be
used when running a command via `sudo` or editing a file with
`sudoedit`. Depending on the rules present in the sudoers file
this could allow a local privilege escalation attack.
## Sudo versions affected:
Sudo versions 1.8.8 to 1.9.17 inclusive are affected.
## CVE ID:
This vulnerability has been assigned
[CVE-2025-32462](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32462)
in the [Common Vulnerabilities and Exposures](https://cve.mitre.org/) database.
## Details:
The intent of sudo's `-h` (`--host`) option is to make it possible
to list a user's sudo privileges for a host other than the current
one. It was only intended be used with in conjunction with the
`-l` (`--list`) option.
The bug effectively makes the hostname portion of a sudoers rule
irrelevant since the user can set the host to be used when evaluating
the rules themselves. A user must still be listed in the sudoers
file, but they do not needed to have an entry for the current host.
For example, given the sudoers rule:
``` plain
alice cerebus = ALL
```
user __alice__ would be able to run `sudo -h cerebus id` on any host,
not just _cerebus_. For example:
``` plain
alice@hades$ sudo -l
Sorry, user alice may not run sudo on hades.
alice@hades$ sudo -l -h cerebus
User alice may run the following commands on cerebus:
(root) ALL
alice@hades$ sudo -h cerebus id
uid=0(root) gid=0(root) groups=0(root)
```
## Impact:
Sudoers files that include rules where the host field is not the
current host or _ALL_ are affected. This primarily affects sites
that use a common sudoers file that is distributed to multiple
machines. Sites that use LDAP-based sudoers (including SSSD) are
similarly impacted.
For example, a sudoers rule such as:
``` plain
bob ALL = ALL
```
is not affected since the host _ALL_ already matches any hosts,
but a rule like:
``` plain
alice cerebus = ALL
```
could allow user __alice__ to run any command even if the current
host is not _cerebus_.
## Fix:
The bug is fixed in sudo 1.9.17p1.
## Credit:
Thanks to Rich Mirch from Stratascale Cyber Research Unit (CRU) for
reporting and analyzing the bug.
diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c
index 70a0c1a52..ad2fa2f61 100644
--- a/plugins/sudoers/sudoers.c
+++ b/plugins/sudoers/sudoers.c
@@ -350,6 +350,18 @@ sudoers_check_common(struct sudoers_context *ctx, int pwflag)
time_t now;
debug_decl(sudoers_check_common, SUDOERS_DEBUG_PLUGIN);
+ /* The user may only specify a host for "sudo -l". */
+ if (!ISSET(ctx->mode, MODE_LIST|MODE_CHECK)) {
+ if (strcmp(ctx->runas.host, ctx->user.host) != 0) {
+ log_warningx(ctx, SLOG_NO_STDERR|SLOG_AUDIT,
+ N_("user not allowed to set remote host for command"));
+ sudo_warnx("%s",
+ U_("a remote host may only be specified when listing privileges."));
+ ret = false;
+ goto done;
+ }
+ }
+
/* If given the -P option, set the "preserve_groups" flag. */
if (ISSET(ctx->mode, MODE_PRESERVE_GROUPS))
def_preserve_groups = true;

3207
cve-2025-32463.patch
View File

File diff suppressed because it is too large Load Diff

2
sources
View File

@ -1 +1 @@
SHA512 (sudo-1.9.15p5.tar.gz) = ebac69719de2fe7bd587924701bdd24149bf376a68b17ec02f69b2b96d4bb6fa5eb8260a073ec5ea046d3ac69bb5b1c0b9d61709fe6a56f1f66e40817a70b15a
SHA512 (sudo-1.9.17p2.tar.gz) = c8abd6ca56e54a081c9ef1e9f6579d1db5b93ff857e60d1f58d1f425d7dc23c31c58d40b7819780688f66dfdf87a1f3bbe0a78387b007e2beb1b0e546203ea93

41
sudo.spec
View File

@ -1,22 +1,22 @@
## START: Set by rpmautospec
## (rpmautospec version 0.8.3)
## (rpmautospec version 0.6.5)
## RPMAUTOSPEC: autorelease, autochangelog
%define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
release_number = 10;
release_number = 4;
base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
print(release_number + base_release_number - 1);
}%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
## END: Set by rpmautospec
# comment out if no extra version
%global extraver p5
%global extraver p2
Summary: Allows restricted root access for specified users
Name: sudo
Version: 1.9.15
# remove -b 3 after rebase !!!
Version: 1.9.17
# Remove "-b 3" after a rebase !!!
# use "-p -e % {?extraver}" when beta
# use "-e % {?extraver}"" when patch version
# use "-e % {?extraver}" when patch version
# use nothing special when normal version
Release: %autorelease -e %{?extraver}
License: ISC
@ -42,11 +42,10 @@ BuildRequires: gettext
BuildRequires: zlib-devel
Patch1: coverity.patch
Patch2: sudo-conf.patch
Patch3: cve-2025-32462.patch
Patch4: cve-2025-32463.patch
Patch5: cve-2026-35535.patch
Patch1: 0001-coverity.patch
Patch2: 0002-sudo-conf.patch
Patch3: 0003-rebuild_env-Avoid-setting-SHELL-twice-for-sudo-i.patch
Patch4: 0004-cve-2026-35535.patch
%description
Sudo (superuser do) allows a system administrator to give certain
@ -249,10 +248,26 @@ EOF
%changelog
## START: Generated by rpmautospec
* Wed Apr 08 2026 Alejandro López <allopez@redhat.com> - 1.9.15-10.p5
- Resolves: RHEL-164619 - CVE-2026-35535 sudo: Sudo: Privilege escalation
* Fri Apr 10 2026 Alejandro López <allopez@redhat.com> - 1.9.17-4.p2
- Bump release number
- Resolves: RHEL-164620 - CVE-2026-35535 sudo: Sudo: Privilege escalation
due to failure in privilege drop calls
* Tue Apr 07 2026 Alejandro López <allopez@redhat.com> - 1.9.17-3.p2
- Resolves: RHEL-164620 - CVE-2026-35535 sudo: Sudo: Privilege escalation
due to failure in privilege drop calls
* Fri Nov 14 2025 Alejandro López <allopez@redhat.com> - 1.9.17-2.p2
- Resolves: RHEL-59136 - sudo passes SHELL environment variable twice to
the shell being executed [rhel-10]
- Resolves: RHEL-128212 - [RFE] request to backport support for regex in
sudo [rhel-10]
- Resolves: RHEL-112100 - Rebase of sudo to 1.9.17p2 [rhel-10]
* Fri Oct 24 2025 Alejandro López <allopez@redhat.com> - 1.9.17-1.p2
- Rebase sudo to 1.9.17p2
- Resolves: RHEL-122752
* Tue Jul 08 2025 Alejandro López <allopez@redhat.com> - 1.9.15-9.p5
- RHEL 10.1 ERRATUM
- CVE-2025-32462 sudo: LPE via host option Resolves: RHEL-100009