import sudo-1.9.5p2-7.el9

.gitignore

@@ -0,0 +1 @@
+SOURCES/sudo-1.9.5p2.tar.gz

.sudo.metadata

@@ -0,0 +1 @@
+08bde247a1e08bc881eec43e09733f7ca06408f5 SOURCES/sudo-1.9.5p2.tar.gz

SOURCES/covscan.patch

@@ -0,0 +1,35 @@
+diff -up ./lib/eventlog/eventlog.c.covscan ./lib/eventlog/eventlog.c
+--- ./lib/eventlog/eventlog.c.covscan	2021-08-26 11:06:35.068915415 +0200
++++ ./lib/eventlog/eventlog.c	2021-08-26 11:13:32.432472325 +0200
+@@ -1075,10 +1075,13 @@ do_logfile_sudo(const char *logline, con
+     if (ferror(fp)) {
+ 	sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO|SUDO_DEBUG_ERRNO,
+ 	    "unable to write log file %s", logfile);
+-	goto done;
++	goto ddone;
+     }
+     ret = true;
+ 
++ddone:
++    (void)free(full_line);
++
+ done:
+     (void)sudo_lock_file(fileno(fp), SUDO_UNLOCK);
+     evl_conf.close_log(EVLOG_FILE, fp);
+diff -up ./logsrvd/logsrvd.c.covscan ./logsrvd/logsrvd.c
+diff -up ./plugins/audit_json/audit_json.c.covscan ./plugins/audit_json/audit_json.c
+diff -up ./plugins/sudoers/ldap.c.covscan ./plugins/sudoers/ldap.c
+--- ./plugins/sudoers/ldap.c.covscan	2021-08-26 15:46:11.614179451 +0200
++++ ./plugins/sudoers/ldap.c	2021-08-26 15:51:40.871812534 +0200
+@@ -443,6 +443,8 @@ sudo_ldap_parse_options(LDAP *ld, LDAPMe
+ 	goto done;
+     }
+ 
++    free(cp);
++
+     /* Walk through options, appending to defs. */
+     for (p = bv; *p != NULL; p++) {
+ 	char *var, *val;
+diff -up ./plugins/sudoers/logging.c.covscan ./plugins/sudoers/logging.c
+diff -up ./plugins/sudoers/rcstr.c.covscan ./plugins/sudoers/rcstr.c
+diff -up ./src/utmp.c.covscan ./src/utmp.c

SOURCES/sudo-1.9.5-selinux-t.patch

@@ -0,0 +1,74 @@
+From 73006fb25f0ebc35bc46b8f20036d40fcbb6de53 Mon Sep 17 00:00:00 2001
+From: Radovan Sroka <rsroka@redhat.com>
+Date: Thu, 1 Apr 2021 21:42:03 +0200
+Subject: [PATCH] Removed depricated security_context_t
+
+Signed-off-by: Radovan Sroka <rsroka@redhat.com>
+---
+ src/selinux.c | 24 ++++++++++++------------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/src/selinux.c b/src/selinux.c
+index a2f73f8d0..c2f50aafb 100644
+--- a/src/selinux.c
++++ b/src/selinux.c
+@@ -58,10 +58,10 @@
+ #include "sudo_exec.h"
+ 
+ static struct selinux_state {
+-    security_context_t old_context;
+-    security_context_t new_context;
+-    security_context_t tty_con_raw;
+-    security_context_t new_tty_con_raw;
++    char * old_context;
++    char * new_context;
++    char * tty_con_raw;
++    char * new_tty_con_raw;
+     const char *ttyn;
+     int ttyfd;
+     int enforcing;
+@@ -69,8 +69,8 @@ static struct selinux_state {
+ 
+ #ifdef HAVE_LINUX_AUDIT
+ static int
+-audit_role_change(const security_context_t old_context,
+-    const security_context_t new_context, const char *ttyn, int result)
++audit_role_change(const char * old_context,
++    const char * new_context, const char *ttyn, int result)
+ {
+     int au_fd, rc = -1;
+     char *message;
+@@ -111,7 +111,7 @@ int
+ selinux_restore_tty(void)
+ {
+     int ret = -1;
+-    security_context_t chk_tty_con_raw = NULL;
++    char * chk_tty_con_raw = NULL;
+     debug_decl(selinux_restore_tty, SUDO_DEBUG_SELINUX);
+ 
+     if (se_state.ttyfd == -1 || se_state.new_tty_con_raw == NULL) {
+@@ -166,8 +166,8 @@ selinux_restore_tty(void)
+ static int
+ relabel_tty(const char *ttyn, int ptyfd)
+ {
+-    security_context_t tty_con = NULL;
+-    security_context_t new_tty_con = NULL;
++    char * tty_con = NULL;
++    char * new_tty_con = NULL;
+     struct stat sb;
+     int fd;
+     debug_decl(relabel_tty, SUDO_DEBUG_SELINUX);
+@@ -308,10 +308,10 @@ relabel_tty(const char *ttyn, int ptyfd)
+  * Returns a new security context based on the old context and the
+  * specified role and type.
+  */
+-security_context_t
+-get_exec_context(security_context_t old_context, const char *role, const char *type)
++char *
++get_exec_context(char * old_context, const char *role, const char *type)
+ {
+-    security_context_t new_context = NULL;
++    char * new_context = NULL;
+     context_t context = NULL;
+     char *typebuf = NULL;
+     debug_decl(get_exec_context, SUDO_DEBUG_SELINUX);

SOURCES/sudo-1.9.5-sesh-bad-condition.patch

@@ -0,0 +1,51 @@
+From 613a8053dbc3ab43cf0cdaf09f207ffdb0b40e08 Mon Sep 17 00:00:00 2001
+From: Radovan Sroka <rsroka@redhat.com>
+Date: Wed, 7 Apr 2021 14:43:40 +0200
+Subject: [PATCH] Fixed bad condition for sesh args
+
+In selinux_edit_copy_tfiles() when there is only one file and the open()
+fails then number of arguments is lower than expected.
+Sudo should return error with or without "Defaults !sudoedit_checkdir" set.
+
+This was found with regression testing of CVE-2021-23240.
+
+Signed-off-by: Radovan Sroka <rsroka@redhat.com>
+---
+ src/sudo_edit.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/sudo_edit.c b/src/sudo_edit.c
+index 41fc61c3a..15c75d8c4 100644
+--- a/src/sudo_edit.c
++++ b/src/sudo_edit.c
+@@ -529,6 +529,8 @@ selinux_edit_copy_tfiles(struct command_details *command_details,
+     if (nfiles < 1)
+ 	debug_return_int(0);
+ 
++    const int check_dir = ISSET(command_details->flags, CD_SUDOEDIT_CHECKDIR);
++
+     /* Construct common args for sesh */
+     sesh_nargs = 5 + (nfiles * 2) + 1;
+     sesh_args = sesh_ap = reallocarray(NULL, sesh_nargs, sizeof(char *));
+@@ -538,7 +540,7 @@ selinux_edit_copy_tfiles(struct command_details *command_details,
+     }
+     *sesh_ap++ = "sesh";
+     *sesh_ap++ = "-e";
+-    if (ISSET(command_details->flags, CD_SUDOEDIT_CHECKDIR)) {
++    if (check_dir) {
+ 	if ((user_str = selinux_fmt_sudo_user()) == NULL) {
+ 	    sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+ 	    goto done;
+@@ -581,7 +583,11 @@ selinux_edit_copy_tfiles(struct command_details *command_details,
+     if (tfd != -1)
+ 	close(tfd);
+ 
+-    if (sesh_ap - sesh_args > 3) {
++    /*
++     * check dir adds two more args to the array
++     */
++    if ((!check_dir && sesh_ap - sesh_args > 3)
++        || (check_dir && sesh_ap - sesh_args > 5)) {
+ 	/* Run sesh -e 1 <t1> <o1> ... <tn> <on> */
+ 	error = selinux_run_helper(command_details->cred.uid, command_details->cred.gid,
+ 	    command_details->cred.ngroups, command_details->cred.groups, sesh_args,

SOURCES/sudo-1.9.5-undefined-symbol.patch

@@ -0,0 +1,19 @@
+diff -up ./plugins/sudoers/audit.c.undefined ./plugins/sudoers/audit.c
+--- ./plugins/sudoers/audit.c.undefined	2021-07-12 14:59:53.472306208 +0200
++++ ./plugins/sudoers/audit.c	2021-07-12 15:00:45.620620369 +0200
+@@ -197,7 +197,6 @@ sudoers_audit_open(unsigned int version,
+     debug_return_int(ret);
+ }
+ 
+-#ifdef SUDOERS_LOG_CLIENT
+ static void
+ audit_to_eventlog(struct eventlog *evlog, char * const command_info[],
+     char * const run_argv[], char * const run_envp[])
+@@ -244,6 +243,7 @@ audit_to_eventlog(struct eventlog *evlog
+     debug_return;
+ }
+ 
++#ifdef SUDOERS_LOG_CLIENT
+ static bool
+ log_server_accept(char * const command_info[], char * const run_argv[],
+     char * const run_envp[])

SOURCES/sudo-1.9.5-utmp-leak.patch

@@ -0,0 +1,22 @@
+From 3fc3a07a03ef74fde99db40ce9ef43ccab336205 Mon Sep 17 00:00:00 2001
+From: MertsA <andrewmerts@gmail.com>
+Date: Fri, 23 Jul 2021 03:36:05 -0700
+Subject: [PATCH] Rewind utmp file pointer after searching for entry
+
+getutline() advances the file pointer until it matches or reaches EOF. pututline() starts from the current position in utmp. This rewinds the file pointer to the beginning to avoid allocating additional spurious utmp entries.
+---
+ src/utmp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/utmp.c b/src/utmp.c
+index 544a37519..952bf3043 100644
+--- a/src/utmp.c
++++ b/src/utmp.c
+@@ -210,6 +210,7 @@ utmp_login(const char *from_line, const char *to_line, int ttyfd,
+ 	memset(&utbuf, 0, sizeof(utbuf));
+ 	strncpy(utbuf.ut_line, from_line, sizeof(utbuf.ut_line));
+ 	ut_old = sudo_getutline(&utbuf);
++	sudo_setutent();
+     }
+     utmp_fill(to_line, user, ut_old, &utbuf);
+     if (sudo_pututline(&utbuf) != NULL)

SOURCES/sudo-conf.patch

@@ -0,0 +1,25 @@
+diff -up ./examples/sudo.conf.in.fix ./examples/sudo.conf.in
+--- ./examples/sudo.conf.in.fix	2021-07-09 16:29:45.854347994 +0200
++++ ./examples/sudo.conf.in	2021-07-09 16:31:01.144410540 +0200
+@@ -11,9 +11,9 @@
+ # The plugin_options are optional.
+ #
+ # The sudoers plugin is used by default if no Plugin lines are present.
+-#Plugin sudoers_policy sudoers.so
+-#Plugin sudoers_io sudoers.so
+-#Plugin sudoers_audit sudoers.so
++Plugin sudoers_policy sudoers.so
++Plugin sudoers_io sudoers.so
++Plugin sudoers_audit sudoers.so
+ 
+ #
+ # Sudo askpass:
+@@ -78,7 +78,7 @@
+ # To aid in debugging sudo problems, you may wish to enable core
+ # dumps by setting "disable_coredump" to false.
+ #
+-#Set disable_coredump false
++Set disable_coredump false
+ 
+ #
+ # User groups:

SOURCES/sudo-ldap.conf

@@ -0,0 +1,86 @@
+## BINDDN DN
+##  The BINDDN parameter specifies the identity, in the form of a Dis‐
+##  tinguished Name (DN), to use when performing LDAP operations.  If
+##  not specified, LDAP operations are performed with an anonymous
+##  identity.  By default, most LDAP servers will allow anonymous
+##  access.
+##
+#binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
+
+## BINDPW secret
+##  The BINDPW parameter specifies the password to use when performing
+##  LDAP operations.  This is typically used in conjunction with the
+##  BINDDN parameter.
+##
+#bindpw secret
+
+## SSL start_tls
+##  If the SSL parameter is set to start_tls, the LDAP server connec‐
+##  tion is initiated normally and TLS encryption is begun before the
+##  bind credentials are sent.  This has the advantage of not requiring
+##  a dedicated port for encrypted communications.  This parameter is
+##  only supported by LDAP servers that honor the start_tls extension,
+##  such as the OpenLDAP and Tivoli Directory servers.
+##
+#ssl start_tls
+
+## TLS_CACERTFILE file name
+##  The path to a certificate authority bundle which contains the cer‐
+##  tificates for all the Certificate Authorities the client knows to
+##  be valid, e.g. /etc/ssl/ca-bundle.pem.  This option is only sup‐
+##  ported by the OpenLDAP libraries.  Netscape-derived LDAP libraries
+##  use the same certificate database for CA and client certificates
+##  (see TLS_CERT).
+##
+#tls_cacertfile /path/to/CA.crt
+
+## TLS_CHECKPEER on/true/yes/off/false/no
+##  If enabled, TLS_CHECKPEER will cause the LDAP server's TLS certifi‐
+##  cated to be verified.  If the server's TLS certificate cannot be
+##  verified (usually because it is signed by an unknown certificate
+##  authority), sudo will be unable to connect to it.  If TLS_CHECKPEER
+##  is disabled, no check is made.  Note that disabling the check cre‐
+##  ates an opportunity for man-in-the-middle attacks since the
+##  server's identity will not be authenticated.  If possible, the CA's
+##  certificate should be installed locally so it can be verified.
+##  This option is not supported by the Tivoli Directory Server LDAP
+##  libraries.
+#tls_checkpeer yes
+
+##
+## URI ldap[s]://[hostname[:port]] ...
+##  Specifies a whitespace-delimited list of one or more
+##  URIs describing the LDAP server(s) to connect to. 
+##
+#uri ldap://ldapserver
+
+##
+## SUDOERS_BASE base
+##  The base DN to use when performing sudo LDAP queries.
+##  Multiple SUDOERS_BASE lines may be specified, in which
+##  case they are queried in the order specified.
+##
+#sudoers_base ou=SUDOers,dc=example,dc=com
+
+##
+## BIND_TIMELIMIT seconds
+##  The BIND_TIMELIMIT parameter specifies the amount of
+##  time to wait while trying to connect to an LDAP server.
+##
+#bind_timelimit 30
+
+##
+## TIMELIMIT seconds
+##  The TIMELIMIT parameter specifies the amount of time
+##  to wait for a response to an LDAP query.
+##
+#timelimit 30
+
+##
+## SUDOERS_DEBUG debug_level
+##  This sets the debug level for sudo LDAP queries. Debugging
+##  information is printed to the standard error. A value of 1
+##  results in a moderate amount of debugging information.
+##  A value of 2 shows the results of the matches themselves.
+##
+#sudoers_debug 1

SOURCES/sudoers

@@ -0,0 +1,120 @@
+## Sudoers allows particular users to run various commands as
+## the root user, without needing the root password.
+##
+## Examples are provided at the bottom of the file for collections
+## of related commands, which can then be delegated out to particular
+## users or groups.
+## 
+## This file must be edited with the 'visudo' command.
+
+## Host Aliases
+## Groups of machines. You may prefer to use hostnames (perhaps using 
+## wildcards for entire domains) or IP addresses instead.
+# Host_Alias     FILESERVERS = fs1, fs2
+# Host_Alias     MAILSERVERS = smtp, smtp2
+
+## User Aliases
+## These aren't often necessary, as you can use regular groups
+## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname 
+## rather than USERALIAS
+# User_Alias ADMINS = jsmith, mikem
+
+
+## Command Aliases
+## These are groups of related commands...
+
+## Networking
+# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
+
+## Installation and management of software
+# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
+
+## Services
+# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable
+
+## Updating the locate database
+# Cmnd_Alias LOCATE = /usr/bin/updatedb
+
+## Storage
+# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
+
+## Delegating permissions
+# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp 
+
+## Processes
+# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
+
+## Drivers
+# Cmnd_Alias DRIVERS = /sbin/modprobe
+
+# Defaults specification
+
+#
+# Refuse to run if unable to disable echo on the tty.
+#
+Defaults   !visiblepw
+
+#
+# Preserving HOME has security implications since many programs
+# use it when searching for configuration files. Note that HOME
+# is already set when the the env_reset option is enabled, so
+# this option is only effective for configurations where either
+# env_reset is disabled or HOME is present in the env_keep list.
+#
+Defaults    always_set_home
+Defaults    match_group_by_gid
+
+# Prior to version 1.8.15, groups listed in sudoers that were not
+# found in the system group database were passed to the group
+# plugin, if any. Starting with 1.8.15, only groups of the form
+# %:group are resolved via the group plugin by default.
+# We enable always_query_group_plugin to restore old behavior.
+# Disable this option for new behavior.
+Defaults    always_query_group_plugin
+
+Defaults    env_reset
+Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
+Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
+Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
+Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
+Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
+
+#
+# Adding HOME to env_keep may enable a user to run unrestricted
+# commands via sudo.
+#
+# Defaults   env_keep += "HOME"
+
+Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin
+
+## Next comes the main part: which users can run what software on 
+## which machines (the sudoers file can be shared between multiple
+## systems).
+## Syntax:
+##
+## 	user	MACHINE=COMMANDS
+##
+## The COMMANDS section may have other options added to it.
+##
+## Allow root to run any commands anywhere 
+root	ALL=(ALL) 	ALL
+
+## Allows members of the 'sys' group to run networking, software, 
+## service management apps and more.
+# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
+
+## Allows people in group wheel to run all commands
+%wheel	ALL=(ALL)	ALL
+
+## Same thing without a password
+# %wheel	ALL=(ALL)	NOPASSWD: ALL
+
+## Allows members of the users group to mount and unmount the 
+## cdrom as root
+# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
+
+## Allows members of the users group to shutdown this system
+# %users  localhost=/sbin/shutdown -h now
+
+## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
+#includedir /etc/sudoers.d