rpms/sudo
7
0
Fork 0
Code Issues Pull Requests Releases Activity

update to 1.8.6p7

Browse Source 
- fixes CVE-2013-1775 and CVE-2013-1776
- fixed several packaging issues (thanks to ville.skytta@iki.fi)
  - build with system zlib.
  - let rpmbuild strip libexecdir/*.so.
  - own the %{_docdir}/sudo-* dir.
  - fix some rpmlint warnings (spaces vs tabs, unescaped macros).
  - fix bogus %changelog dates.
This commit is contained in:
Daniel Kopecek 2013-02-28 13:19:12 +01:00
parent d201380f8e
commit 392812324b
3 changed files with 35 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -9,3 +9,4 @@ sudo-1.7.2p2-sudoers
/sudo-1.8.5.tar.gz /sudo-1.8.5.tar.gz
/sudo-1.8.6.tar.gz /sudo-1.8.6.tar.gz
/sudo-1.8.6p3.tar.gz /sudo-1.8.6p3.tar.gz
/sudo-1.8.6p7.tar.gz

2
sources
View File

@ -1,2 +1,2 @@
56f74aed3a7b32f2b01a34d65ac86f85 sudo-1.7.4p4-sudoers 56f74aed3a7b32f2b01a34d65ac86f85 sudo-1.7.4p4-sudoers
a7b5c39a904721956eccddd30689250f sudo-1.8.6p3.tar.gz 126abfa2e841139e774d4c67d80f0e5b sudo-1.8.6p7.tar.gz

57
sudo.spec
View File

@ -1,7 +1,7 @@
Summary: Allows restricted root access for specified users Summary: Allows restricted root access for specified users
Name: sudo Name: sudo
Version: 1.8.6p3 Version: 1.8.6p7
Release: 3%{?dist} Release: 1%{?dist}
License: ISC License: ISC
Group: Applications/System Group: Applications/System
URL: http://www.courtesan.com/sudo/ URL: http://www.courtesan.com/sudo/
@ -20,15 +20,12 @@ BuildRequires: audit-libs-devel libcap-devel
BuildRequires: libselinux-devel BuildRequires: libselinux-devel
BuildRequires: sendmail BuildRequires: sendmail
BuildRequires: gettext BuildRequires: gettext
BuildRequires: zlib-devel
# don't strip # don't strip
Patch1: sudo-1.6.7p5-strip.patch Patch1: sudo-1.6.7p5-strip.patch
# configure.in fix # configure.in fix
Patch2: sudo-1.7.2p1-envdebug.patch Patch2: sudo-1.7.2p1-envdebug.patch
# Do not inform the user that the command was not permitted by the policy
# if they do not successfully authenticate. This is a regression introduced
# in sudo 1.8.6.
Patch3: sudo-1.8.6p3-noauthwarn-regression.patch
%description %description
Sudo (superuser do) allows a system administrator to give certain Sudo (superuser do) allows a system administrator to give certain
@ -55,7 +52,6 @@ plugins that use %{name}.
%patch1 -p1 -b .strip %patch1 -p1 -b .strip
%patch2 -p1 -b .envdebug %patch2 -p1 -b .envdebug
%patch3 -p1 -b .noauthwarn-regression
%build %build
autoreconf -I m4 -fv --install autoreconf -I m4 -fv --install
@ -72,22 +68,22 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"
--prefix=%{_prefix} \ --prefix=%{_prefix} \
--sbindir=%{_sbindir} \ --sbindir=%{_sbindir} \
--libdir=%{_libdir} \ --libdir=%{_libdir} \
--docdir=%{_datadir}/doc/%{name}-%{version} \ --docdir=%{_datadir}/doc/%{name}-%{version} \
--with-logging=syslog \ --with-logging=syslog \
--with-logfac=authpriv \ --with-logfac=authpriv \
--with-pam \ --with-pam \
--with-pam-login \ --with-pam-login \
--with-editor=/bin/vi \ --with-editor=/bin/vi \
--with-env-editor \ --with-env-editor \
--with-ignore-dot \ --with-ignore-dot \
--with-tty-tickets \ --with-tty-tickets \
--with-ldap \ --with-ldap \
--with-selinux \ --with-selinux \
--with-passprompt="[sudo] password for %p: " \ --with-passprompt="[sudo] password for %p: " \
--with-linux-audit \ --with-linux-audit \
--with-sssd --with-sssd
# --without-kerb5 \ # --without-kerb5 \
# --without-kerb4 # --without-kerb4
make make
%install %install
@ -99,6 +95,8 @@ install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo
install -p -d -m 750 $RPM_BUILD_ROOT/etc/sudoers.d install -p -d -m 750 $RPM_BUILD_ROOT/etc/sudoers.d
install -p -c -m 0440 %{SOURCE1} $RPM_BUILD_ROOT/etc/sudoers install -p -c -m 0440 %{SOURCE1} $RPM_BUILD_ROOT/etc/sudoers
chmod +x $RPM_BUILD_ROOT%{_libexecdir}/*.so # for stripping, reset in %%files
# Remove execute permission on this script so we don't pull in perl deps # Remove execute permission on this script so we don't pull in perl deps
chmod -x $RPM_BUILD_ROOT%{_docdir}/sudo-*/sudoers2ldif chmod -x $RPM_BUILD_ROOT%{_docdir}/sudo-*/sudoers2ldif
@ -110,7 +108,7 @@ rm sudo.lang sudoers.lang
mkdir -p $RPM_BUILD_ROOT/etc/pam.d mkdir -p $RPM_BUILD_ROOT/etc/pam.d
cat > $RPM_BUILD_ROOT/etc/pam.d/sudo << EOF cat > $RPM_BUILD_ROOT/etc/pam.d/sudo << EOF
#%PAM-1.0 #%%PAM-1.0
auth include system-auth auth include system-auth
account include system-auth account include system-auth
password include system-auth password include system-auth
@ -119,7 +117,7 @@ session required pam_limits.so
EOF EOF
cat > $RPM_BUILD_ROOT/etc/pam.d/sudo-i << EOF cat > $RPM_BUILD_ROOT/etc/pam.d/sudo-i << EOF
#%PAM-1.0 #%%PAM-1.0
auth include sudo auth include sudo
account include sudo account include sudo
password include sudo password include sudo
@ -128,7 +126,7 @@ session required pam_limits.so
EOF EOF
%clean %clean
rm -rf $RPM_BUILD_ROOT rm -rf $RPM_BUILD_ROOT
%files -f sudo_all.lang %files -f sudo_all.lang
@ -143,14 +141,15 @@ rm -rf $RPM_BUILD_ROOT
%attr(0111,root,root) %{_bindir}/sudoreplay %attr(0111,root,root) %{_bindir}/sudoreplay
%attr(0755,root,root) %{_sbindir}/visudo %attr(0755,root,root) %{_sbindir}/visudo
%attr(0755,root,root) %{_libexecdir}/sesh %attr(0755,root,root) %{_libexecdir}/sesh
%{_libexecdir}/sudo_noexec.* %attr(0644,root,root) %{_libexecdir}/sudo_noexec.so
%{_libexecdir}/sudoers.* %attr(0644,root,root) %{_libexecdir}/sudoers.so
%{_mandir}/man5/sudoers.5* %{_mandir}/man5/sudoers.5*
%{_mandir}/man5/sudoers.ldap.5* %{_mandir}/man5/sudoers.ldap.5*
%{_mandir}/man8/sudo.8* %{_mandir}/man8/sudo.8*
%{_mandir}/man8/sudoedit.8* %{_mandir}/man8/sudoedit.8*
%{_mandir}/man8/sudoreplay.8* %{_mandir}/man8/sudoreplay.8*
%{_mandir}/man8/visudo.8* %{_mandir}/man8/visudo.8*
%dir %{_docdir}/sudo-%{version}
%{_docdir}/sudo-%{version}/* %{_docdir}/sudo-%{version}/*
@ -165,6 +164,16 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man8/sudo_plugin.8* %{_mandir}/man8/sudo_plugin.8*
%changelog %changelog
* Thu Feb 28 2013 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-1
- update to 1.8.6p7
- fixes CVE-2013-1775 and CVE-2013-1776
- fixed several packaging issues (thanks to ville.skytta@iki.fi)
- build with system zlib.
- let rpmbuild strip libexecdir/*.so.
- own the %%{_docdir}/sudo-* dir.
- fix some rpmlint warnings (spaces vs tabs, unescaped macros).
- fix bogus %%changelog dates.
* Fri Feb 15 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.8.6p3-3 * Fri Feb 15 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.8.6p3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
@ -211,7 +220,7 @@ rm -rf $RPM_BUILD_ROOT
* Sat Jan 14 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.8.3p1-2 * Sat Jan 14 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.8.3p1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
* Tue Nov 10 2011 Daniel Kopecek <dkopecek@redhat.com> - 1.8.3p1-1 * Thu Nov 10 2011 Daniel Kopecek <dkopecek@redhat.com> - 1.8.3p1-1
- update to 1.8.3p1 - update to 1.8.3p1
- disable output word wrapping if the output is piped - disable output word wrapping if the output is piped
@ -344,7 +353,7 @@ rm -rf $RPM_BUILD_ROOT
- upgrade to the latest upstream release - upgrade to the latest upstream release
- add selinux support - add selinux support
* Mon Feb 02 2008 Dennis Gilmore <dennis@ausil.us> 1.6.9p4-6 * Mon Feb 04 2008 Dennis Gilmore <dennis@ausil.us> 1.6.9p4-6
- sparc64 needs to be in the -fPIE list with s390 - sparc64 needs to be in the -fPIE list with s390
* Mon Jan 07 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p4-5 * Mon Jan 07 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p4-5
@ -470,7 +479,7 @@ rm -rf $RPM_BUILD_ROOT
* Thu Apr 1 2004 Thomas Woerner <twoerner@redhat.com> 1.6.7p5-25 * Thu Apr 1 2004 Thomas Woerner <twoerner@redhat.com> 1.6.7p5-25
- fixed spec file: sesh in file section with selinux flag (#119682) - fixed spec file: sesh in file section with selinux flag (#119682)
* Thu Mar 30 2004 Colin Walters <walters@redhat.com> 1.6.7p5-24 * Tue Mar 30 2004 Colin Walters <walters@redhat.com> 1.6.7p5-24
- Enhance sesh.c to fork/exec children itself, to avoid - Enhance sesh.c to fork/exec children itself, to avoid
having sudo reap all domains. having sudo reap all domains.
- Only reinstall default signal handlers immediately before - Only reinstall default signal handlers immediately before
@ -632,7 +641,7 @@ rm -rf $RPM_BUILD_ROOT
* Tue Oct 27 1998 Preston Brown <pbrown@redhat.com> * Tue Oct 27 1998 Preston Brown <pbrown@redhat.com>
- fixed so it doesn't find /usr/bin/vi first, but instead /bin/vi (always installed) - fixed so it doesn't find /usr/bin/vi first, but instead /bin/vi (always installed)
* Fri Oct 08 1998 Michael Maher <mike@redhat.com> * Thu Oct 08 1998 Michael Maher <mike@redhat.com>
- built package for 5.2 - built package for 5.2
* Mon May 18 1998 Michael Maher <mike@redhat.com> * Mon May 18 1998 Michael Maher <mike@redhat.com>