import sudo-1.8.29-8.el8

2022-05-10 03:18:42 -04:00 · 2022-05-10 03:18:42 -04:00 · 6c0248553e
commit 6c0248553e
parent bc5d849802
4 changed files with 109 additions and 7 deletions
--- a/SOURCES/sudo-1.9.5-sudoedit-selinux.patch
+++ b/SOURCES/sudo-1.9.5-sudoedit-selinux.patch
@ -0,0 +1,11 @@
+diff -up ./src/sudo_edit.c.rest ./src/sudo_edit.c
+--- ./src/sudo_edit.c.rest	2021-11-21 18:41:09.420657680 +0100
+++ ./src/sudo_edit.c	2021-11-21 18:42:23.214272777 +0100
+@@ -878,6 +878,7 @@ selinux_edit_create_tfiles(struct comman
+         }
+         close(tfd);
+     }
+    ret = nfiles;
+ 
+ done:
+     /* Contents of tf will be freed by caller. */
--- a/SOURCES/sudo-1.9.7-krb5ccname.patch
+++ b/SOURCES/sudo-1.9.7-krb5ccname.patch
@ -0,0 +1,54 @@
+diff -up ./plugins/sudoers/auth/pam.c.krb5ccname ./plugins/sudoers/auth/pam.c
+--- ./plugins/sudoers/auth/pam.c.krb5ccname	2019-10-28 13:27:38.000000000 +0100
+++ ./plugins/sudoers/auth/pam.c	2021-12-06 11:14:15.580226222 +0100
+@@ -119,10 +119,10 @@ conv_filter_init(void)
+ 
+ 	/*
+ 	 * Messages from PAM account management when trusted mode is enabled:
+-	 *  1 Last   successful login for %s: %s  
+-	 *  2 Last   successful login for %s: %s on %s 
+-	 *  3 Last unsuccessful login for %s: %s      
+-	 *  4 Last unsuccessful login for %s: %s on %s 
+	 *  1 Last   successful login for %s: %s
+	 *  2 Last   successful login for %s: %s on %s
+	 *  3 Last unsuccessful login for %s: %s
+	 *  4 Last unsuccessful login for %s: %s on %s
+ 	 */
+ 	if ((catd = catopen("pam_comsec", NL_CAT_LOCALE)) != -1) {
+ 	    maxfilters += 4;
+@@ -290,6 +290,7 @@ sudo_pam_init_quiet(struct passwd *pw, s
+ int
+ sudo_pam_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_conv_callback *callback)
+ {
+    const char *envccname;
+     const char *s;
+     int *pam_status = (int *) auth->data;
+     debug_decl(sudo_pam_verify, SUDOERS_DEBUG_AUTH)
+@@ -298,8 +299,27 @@ sudo_pam_verify(struct passwd *pw, char
+     getpass_error = false;	/* set by converse if user presses ^C */
+     conv_callback = callback;	/* passed to conversation function */
+ 
+	/* Set KRB5CCNAME from the user environment if not set to propagate this
+	 * information to PAM modules that may use it to authentication. */
+	envccname = sudo_getenv("KRB5CCNAME");
+	if (envccname == NULL && user_ccname != NULL) {
+		if (sudo_setenv("KRB5CCNAME", user_ccname, true) != 0) {
+			sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO,
+			"unable to set KRB5CCNAME");
+			debug_return_int(AUTH_FAILURE);
+		}
+	}
+
+     /* PAM_SILENT prevents the authentication service from generating output. */
+     *pam_status = pam_authenticate(pamh, PAM_SILENT);
+
+	/* Restore KRB5CCNAME to its original value. */
+	if (envccname == NULL && sudo_unsetenv("KRB5CCNAME") != 0) {
+		sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO,
+		"unable to restore KRB5CCNAME");
+		debug_return_int(AUTH_FAILURE);
+	}
+
+     if (getpass_error) {
+ 	/* error or ^C from tgetpass() */
+ 	debug_return_int(AUTH_INTR);
--- a/SOURCES/sudo-1.9.7-utmp-leak.patch
+++ b/SOURCES/sudo-1.9.7-utmp-leak.patch
@ -0,0 +1,22 @@
+From 3fc3a07a03ef74fde99db40ce9ef43ccab336205 Mon Sep 17 00:00:00 2001
+From: MertsA <andrewmerts@gmail.com>
+Date: Fri, 23 Jul 2021 03:36:05 -0700
+Subject: [PATCH] Rewind utmp file pointer after searching for entry
+
+getutline() advances the file pointer until it matches or reaches EOF. pututline() starts from the current position in utmp. This rewinds the file pointer to the beginning to avoid allocating additional spurious utmp entries.
+---
+ src/utmp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/utmp.c b/src/utmp.c
+index 544a37519..952bf3043 100644
+--- a/src/utmp.c
+++ b/src/utmp.c
+@@ -210,6 +210,7 @@ utmp_login(const char *from_line, const char *to_line, int ttyfd,
+ 	memset(&utbuf, 0, sizeof(utbuf));
+ 	strncpy(utbuf.ut_line, from_line, sizeof(utbuf.ut_line));
+ 	ut_old = sudo_getutline(&utbuf);
+	sudo_setutent();
+     }
+     utmp_fill(to_line, user, ut_old, &utbuf);
+     if (sudo_pututline(&utbuf) != NULL)
--- a/SPECS/sudo.spec
+++ b/SPECS/sudo.spec
@ -1,7 +1,7 @@
 Summary: Allows restricted root access for specified users
 Name: sudo
 Version: 1.8.29
-Release: 7%{?dist}.1
+Release: 8%{?dist}
 License: ISC
 Group: Applications/System
 URL: https://www.sudo.ws/
@ -67,8 +67,14 @@ Patch16: sudo-1.9.5-CVE-2021-23240-3.patch
 Patch17: sudo-1.9.5-CVE-2021-23240-4.patch
 Patch18: sudo-1.9.5-CVE-2021-23240-5.patch

-# 2015136 - Request to backport https://www.sudo.ws/repos/sudo/rev/b4c91a0f72e7 to RHEL 8 [rhel-8.4.0.z]
-Patch19: sudo-1.9.7-sigchild.patch
+# 2029551 - sudoedit does not work with selinux args
+Patch19: sudo-1.9.5-sudoedit-selinux.patch
+# 1999751 - Request to backport https://www.sudo.ws/repos/sudo/rev/b4c91a0f72e7 to RHEL 8
+Patch20: sudo-1.9.7-sigchild.patch
+# 1917379 - [RFE] pass KRB5CCNAME to pam_authenticate environment if available
+Patch21: sudo-1.9.7-krb5ccname.patch
+# 1986572 - utmp resource leak in sudo
+Patch22: sudo-1.9.7-utmp-leak.patch

 %description
 Sudo (superuser do) allows a system administrator to give certain
@ -116,8 +122,11 @@ plugins that use %{name}.
 %patch17 -p1 -b .symbolic-link-attack-4
 %patch18 -p1 -b .symbolic-link-attack-5

-%patch19 -p1 -b .sigchild
+%patch19 -p1 -b .sudoedit-selinux

+%patch20 -p1 -b .sigchild
+%patch21 -p1 -b .krb5ccname
+%patch22 -p1 -b .utmp-leak

 %build
 # Remove bundled copy of zlib
@ -277,10 +286,16 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man8/sudo_plugin.8*

 %changelog
-* Tue Oct 19 2021 RAdovan Sroka <rsroka@redhat.com> - 1.8.29-7.1
-RHEL 8.4.0 ZSTREAM ERRATUM
+* Mon Dec 06 2021 Radovan Sroka <rsroka@redhat.com> - 1.8.29-8
+RHEL 8.6.0 ERRATUM
+- sudoedit does not work with selinux args
+Resolves: rhbz#2029551
 - Make sure SIGCHLD is not ignored when sudo is executed
-Resolves: rhbz#2015136
+Resolves: rhbz#1999751
+- [RFE] pass KRB5CCNAME to pam_authenticate environment if available
+Resolves: rhbz#1917379
+- utmp resource leak in sudo
+Resolves: rhbz#1986572

 * Tue Feb 02 2021 Radovan Sroka <rsroka@redhat.com> - 1.8.29-7
 - RHEL 8.4 ERRATUM