update to 1.8.5

- fixed CVE-2012-2337 - temporarily disabled SSSD support
2012-05-17 12:51:44 +02:00 · 2012-05-17 12:51:44 +02:00 · 86c7e6867b
commit 86c7e6867b
parent 74fe5b93c4
6 changed files with 480 additions and 507 deletions
--- a/sudo-1.8.1p2-getgrouplist.patch
+++ b/sudo-1.8.1p2-getgrouplist.patch
@ -1,44 +0,0 @@
-diff -up sudo-1.8.1p2/configure.in.getgrouplist sudo-1.8.1p2/configure.in
--- sudo-1.8.1p2/configure.in.getgrouplist	2011-07-12 12:13:29.562597933 +0200
-+++ sudo-1.8.1p2/configure.in	2011-07-12 12:15:27.116597851 +0200
-@@ -2007,7 +2007,7 @@ dnl
- AC_FUNC_GETGROUPS
- AC_CHECK_FUNCS(strrchr sysconf tzset strftime initgroups getgroups fstat \
- 	       regcomp setlocale nl_langinfo getaddrinfo mbr_check_membership \
-	       setrlimit64 sysctl)
-+	       setrlimit64 sysctl getgrouplist)
- AC_CHECK_FUNCS(getline, [], [
-     AC_LIBOBJ(getline)
-     AC_CHECK_FUNCS(fgetln)
-diff -up sudo-1.8.1p2/plugins/sudoers/pwutil.c.getgrouplist sudo-1.8.1p2/plugins/sudoers/pwutil.c
--- sudo-1.8.1p2/plugins/sudoers/pwutil.c.getgrouplist	2011-07-12 12:13:17.346597942 +0200
-+++ sudo-1.8.1p2/plugins/sudoers/pwutil.c	2011-07-12 12:19:02.171597700 +0200
-@@ -711,6 +711,28 @@ user_in_group(struct passwd *pw, const c
-     }
- #endif /* HAVE_MBR_CHECK_MEMBERSHIP */
- 
-+#ifdef HAVE_GETGROUPLIST
-+    if (user_ngroups >= 0 &&
-+       strcmp(pw->pw_name, list_pw ? list_pw->pw_name : user_name) == 0)
-+    {
-+       gid_t *grouplist, grouptmp;
-+       int n_groups, i;
-+       n_groups = 1;
-+
-+       if (getgrouplist(user_name, user_gid, &grouptmp, &n_groups) == -1) {
-+           grouplist = (gid_t *) emalloc(sizeof(gid_t) * (n_groups + 1));
-+           if (getgrouplist(user_name, user_gid, grouplist, &n_groups) > 0)
-+               for (i = 0; i < n_groups; i++)
-+                   if (grouplist[i] == grp->gr_gid) {
-+                       free(grouplist);
-+                       retval = TRUE;
-+                       goto done;
-+                   }
-+           free(grouplist);
-+       }
-+    }
-+#endif /* HAVE_GETGROUPLIST */
-+
- done:
-     if (grp != NULL)
- 	gr_delref(grp);
--- a/sudo-1.8.3-pipelist.patch
+++ b/sudo-1.8.3-pipelist.patch
@ -1,28 +0,0 @@
-diff -up sudo-1.8.3/src/ttysize.c.pipelist sudo-1.8.3/src/ttysize.c
--- sudo-1.8.3/src/ttysize.c.pipelist	2011-10-21 15:01:26.000000000 +0200
-+++ sudo-1.8.3/src/ttysize.c	2011-10-26 02:09:39.582790562 +0200
-@@ -20,6 +20,7 @@
- 
- #include <sys/types.h>
- #include <sys/ioctl.h>
-+#include <sys/stat.h>
- #include <stdio.h>
- #ifdef STDC_HEADERS
- # include <stdlib.h>
-@@ -48,6 +49,16 @@ void
- get_ttysize(int *rowp, int *colp)
- {
-     char *p;
-+    struct stat st;
-+
-+    if (fstat(STDOUT_FILENO, &st) == 0) {
-+	 if (S_ISFIFO(st.st_mode)) {
-+	   *rowp = 0;
-+	   *colp = 0;
-+	   return;
-+	 }
-+    }
-+
- #ifdef TIOCGWINSZ
-     struct winsize wsize;
- 
--- a/sudo-1.8.3p1-CVE-2012-0809.patch
+++ b/sudo-1.8.3p1-CVE-2012-0809.patch
@ -1,23 +0,0 @@
--- sudo-1.8.3p1/src/sudo.c	Fri Oct 21 09:01:26 2011
-+++ sudo-1.8.3p1/src/sudo.c	Tue Jan 24 15:59:03 2012
-@@ -1208,15 +1208,15 @@ 
- sudo_debug(int level, const char *fmt, ...)
- {
-     va_list ap;
-    char *fmt2;
-+    char *buf;
- 
-     if (level > debug_level)
- 	return;
- 
-    /* Backet fmt with program name and a newline to make it a single write */
-    easprintf(&fmt2, "%s: %s\n", getprogname(), fmt);
-+    /* Bracket fmt with program name and a newline to make it a single write */
-     va_start(ap, fmt);
-    vfprintf(stderr, fmt2, ap);
-+    evasprintf(&buf, fmt, ap);
-     va_end(ap);
-    efree(fmt2);
-+    fprintf(stderr, "%s: %s\n", getprogname(), buf);
-+    efree(buf);
- }
--- a/sudo-1.8.5-pipelist.patch
+++ b/sudo-1.8.5-pipelist.patch
@ -0,0 +1,29 @@
+diff -up sudo-1.8.5rc5/common/ttysize.c.pipelist sudo-1.8.5rc5/common/ttysize.c
+--- sudo-1.8.5rc5/common/ttysize.c.pipelist	2012-04-06 21:43:19.000000000 +0200
+++ sudo-1.8.5rc5/common/ttysize.c	2012-05-16 13:03:17.184034854 +0200
+@@ -20,6 +20,7 @@
+ 
+ #include <sys/types.h>
+ #include <sys/ioctl.h>
+#include <sys/stat.h>
+ #include <stdio.h>
+ #ifdef STDC_HEADERS
+ # include <stdlib.h>
+@@ -71,8 +72,17 @@ get_ttysize_ioctl(int *rowp, int *colp)
+ void
+ get_ttysize(int *rowp, int *colp)
+ {
+    struct stat st;
+     debug_decl(fork_cmnd, SUDO_DEBUG_EXEC)
+ 
+    if (fstat(STDOUT_FILENO, &st) == 0) {
+	 if (S_ISFIFO(st.st_mode)) {
+	   *rowp = 0;
+	   *colp = 0;
+	   return;
+	 }
+    }
+
+     if (get_ttysize_ioctl(rowp, colp) == -1) {
+ 	char *p;
+ 
--- a/sudo-1.8.3p1-sssd-support.patch
+++ b/sudo-1.8.3p1-sssd-support.patch
--- a/sudo.spec
+++ b/sudo.spec
@ -1,7 +1,7 @@
 Summary: Allows restricted root access for specified users
 Name: sudo
-Version: 1.8.3p1
-Release: 6%{?dist}
+Version: 1.8.5
+Release: 1%{?dist}
 License: ISC
 Group: Applications/System
 URL: http://www.courtesan.com/sudo/
@ -29,11 +29,9 @@ Patch2: sudo-1.7.2p1-envdebug.patch
 # add m4/ to paths in aclocal.m4
 Patch3: sudo-1.7.4p3-m4path.patch
 # disable word wrapping if the ouput is piped
-Patch4: sudo-1.8.3-pipelist.patch
-# CVE-2012-0809
-Patch5: sudo-1.8.3p1-CVE-2012-0809.patch
+Patch4: sudo-1.8.5-pipelist.patch
 # SSSD support
-Patch6: sudo-1.8.3p1-sssd-support.patch
+Patch5: sudo-1.8.5-sssd-support.patch

 %description
 Sudo (superuser do) allows a system administrator to give certain
@ -62,8 +60,7 @@ plugins that use %{name}.
 %patch2 -p1 -b .envdebug
 %patch3 -p1 -b .m4path
 %patch4 -p1 -b .pipelist
-%patch5 -p1 -b .CVE-2012-0809
-%patch6 -p1 -b .sssd-support
+%patch5 -p1 -b .sssd-support

 # Remove execute permission on this script so we don't pull in perl deps
 chmod -x plugins/sudoers/sudoers2ldif
@ -95,8 +92,8 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"
        --with-ldap \
 	--with-selinux \
 	--with-passprompt="[sudo] password for %p: " \
-	--with-linux-audit	  \
-	--with-sssd
+	--with-linux-audit
+#	--with-sssd
 #	--without-kerb5 \
 #	--without-kerb4
 make
@ -141,9 +138,6 @@ rm -rf $RPM_BUILD_ROOT

 %files -f sudo_all.lang
 %defattr(-,root,root)
-%doc ChangeLog NEWS README* MANIFEST
-%doc doc/HISTORY doc/LICENSE doc/TROUBLESHOOTING doc/UPGRADE
-%doc doc/schema.* plugins/sudoers/sudoers2ldif doc/sample.*
 %attr(0440,root,root) %config(noreplace) /etc/sudoers
 %attr(0750,root,root) %dir /etc/sudoers.d/
 %config(noreplace) /etc/pam.d/sudo
@ -162,6 +156,7 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man8/sudoedit.8*
 %{_mandir}/man8/sudoreplay.8*
 %{_mandir}/man8/visudo.8*
+%{_docdir}/sudo-%{version}/*


 # Make sure permissions are ok even if we're updating
@ -175,6 +170,11 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man8/sudo_plugin.8*

 %changelog
+* Thu May 17 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.5-1
+- update to 1.8.5
+- fixed CVE-2012-2337
+- temporarily disabled SSSD support 
+
 * Wed Feb 29 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.3p1-6
 - fixed problems with undefined symbols (rhbz#798517)