rpms/sudo
5
0
Fork 0
Code Issues Pull Requests Releases Activity

update to 1.8.5

Browse Source 
- fixed CVE-2012-2337
- temporarily disabled SSSD support
This commit is contained in:
Daniel Kopecek 2012-05-17 12:51:44 +02:00
parent 74fe5b93c4
commit 86c7e6867b
6 changed files with 480 additions and 507 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
sudo-1.8.1p2-getgrouplist.patch
View File

@ -1,44 +0,0 @@
diff -up sudo-1.8.1p2/configure.in.getgrouplist sudo-1.8.1p2/configure.in
--- sudo-1.8.1p2/configure.in.getgrouplist 2011-07-12 12:13:29.562597933 +0200
+++ sudo-1.8.1p2/configure.in 2011-07-12 12:15:27.116597851 +0200
@@ -2007,7 +2007,7 @@ dnl
AC_FUNC_GETGROUPS
AC_CHECK_FUNCS(strrchr sysconf tzset strftime initgroups getgroups fstat \
regcomp setlocale nl_langinfo getaddrinfo mbr_check_membership \
- setrlimit64 sysctl)
+ setrlimit64 sysctl getgrouplist)
AC_CHECK_FUNCS(getline, [], [
AC_LIBOBJ(getline)
AC_CHECK_FUNCS(fgetln)
diff -up sudo-1.8.1p2/plugins/sudoers/pwutil.c.getgrouplist sudo-1.8.1p2/plugins/sudoers/pwutil.c
--- sudo-1.8.1p2/plugins/sudoers/pwutil.c.getgrouplist 2011-07-12 12:13:17.346597942 +0200
+++ sudo-1.8.1p2/plugins/sudoers/pwutil.c 2011-07-12 12:19:02.171597700 +0200
@@ -711,6 +711,28 @@ user_in_group(struct passwd *pw, const c
}
#endif /* HAVE_MBR_CHECK_MEMBERSHIP */
+#ifdef HAVE_GETGROUPLIST
+ if (user_ngroups >= 0 &&
+ strcmp(pw->pw_name, list_pw ? list_pw->pw_name : user_name) == 0)
+ {
+ gid_t *grouplist, grouptmp;
+ int n_groups, i;
+ n_groups = 1;
+
+ if (getgrouplist(user_name, user_gid, &grouptmp, &n_groups) == -1) {
+ grouplist = (gid_t *) emalloc(sizeof(gid_t) * (n_groups + 1));
+ if (getgrouplist(user_name, user_gid, grouplist, &n_groups) > 0)
+ for (i = 0; i < n_groups; i++)
+ if (grouplist[i] == grp->gr_gid) {
+ free(grouplist);
+ retval = TRUE;
+ goto done;
+ }
+ free(grouplist);
+ }
+ }
+#endif /* HAVE_GETGROUPLIST */
+
done:
if (grp != NULL)
gr_delref(grp);

28
sudo-1.8.3-pipelist.patch
View File

@ -1,28 +0,0 @@
diff -up sudo-1.8.3/src/ttysize.c.pipelist sudo-1.8.3/src/ttysize.c
--- sudo-1.8.3/src/ttysize.c.pipelist 2011-10-21 15:01:26.000000000 +0200
+++ sudo-1.8.3/src/ttysize.c 2011-10-26 02:09:39.582790562 +0200
@@ -20,6 +20,7 @@
#include <sys/types.h>
#include <sys/ioctl.h>
+#include <sys/stat.h>
#include <stdio.h>
#ifdef STDC_HEADERS
# include <stdlib.h>
@@ -48,6 +49,16 @@ void
get_ttysize(int *rowp, int *colp)
{
char *p;
+ struct stat st;
+
+ if (fstat(STDOUT_FILENO, &st) == 0) {
+ if (S_ISFIFO(st.st_mode)) {
+ *rowp = 0;
+ *colp = 0;
+ return;
+ }
+ }
+
#ifdef TIOCGWINSZ
struct winsize wsize;

23
sudo-1.8.3p1-CVE-2012-0809.patch
View File

@ -1,23 +0,0 @@
--- sudo-1.8.3p1/src/sudo.c Fri Oct 21 09:01:26 2011
+++ sudo-1.8.3p1/src/sudo.c Tue Jan 24 15:59:03 2012
@@ -1208,15 +1208,15 @@
sudo_debug(int level, const char *fmt, ...)
{
va_list ap;
- char *fmt2;
+ char *buf;
if (level > debug_level)
return;
- /* Backet fmt with program name and a newline to make it a single write */
- easprintf(&fmt2, "%s: %s\n", getprogname(), fmt);
+ /* Bracket fmt with program name and a newline to make it a single write */
va_start(ap, fmt);
- vfprintf(stderr, fmt2, ap);
+ evasprintf(&buf, fmt, ap);
va_end(ap);
- efree(fmt2);
+ fprintf(stderr, "%s: %s\n", getprogname(), buf);
+ efree(buf);
}

29
sudo-1.8.5-pipelist.patch Normal file
View File

@ -0,0 +1,29 @@
diff -up sudo-1.8.5rc5/common/ttysize.c.pipelist sudo-1.8.5rc5/common/ttysize.c
--- sudo-1.8.5rc5/common/ttysize.c.pipelist 2012-04-06 21:43:19.000000000 +0200
+++ sudo-1.8.5rc5/common/ttysize.c 2012-05-16 13:03:17.184034854 +0200
@@ -20,6 +20,7 @@
#include <sys/types.h>
#include <sys/ioctl.h>
+#include <sys/stat.h>
#include <stdio.h>
#ifdef STDC_HEADERS
# include <stdlib.h>
@@ -71,8 +72,17 @@ get_ttysize_ioctl(int *rowp, int *colp)
void
get_ttysize(int *rowp, int *colp)
{
+ struct stat st;
debug_decl(fork_cmnd, SUDO_DEBUG_EXEC)
+ if (fstat(STDOUT_FILENO, &st) == 0) {
+ if (S_ISFIFO(st.st_mode)) {
+ *rowp = 0;
+ *colp = 0;
+ return;
+ }
+ }
+
if (get_ttysize_ioctl(rowp, colp) == -1) {
char *p;

831
sudo-1.8.3p1-sssd-support.patch → sudo-1.8.5-sssd-support.patch
View File

File diff suppressed because it is too large Load Diff

26
sudo.spec
View File

@ -1,7 +1,7 @@
Summary: Allows restricted root access for specified users Summary: Allows restricted root access for specified users
Name: sudo Name: sudo
Version: 1.8.3p1 Version: 1.8.5
Release: 6%{?dist} Release: 1%{?dist}
License: ISC License: ISC
Group: Applications/System Group: Applications/System
URL: http://www.courtesan.com/sudo/ URL: http://www.courtesan.com/sudo/
@ -29,11 +29,9 @@ Patch2: sudo-1.7.2p1-envdebug.patch
# add m4/ to paths in aclocal.m4 # add m4/ to paths in aclocal.m4
Patch3: sudo-1.7.4p3-m4path.patch Patch3: sudo-1.7.4p3-m4path.patch
# disable word wrapping if the ouput is piped # disable word wrapping if the ouput is piped
Patch4: sudo-1.8.3-pipelist.patch Patch4: sudo-1.8.5-pipelist.patch
# CVE-2012-0809
Patch5: sudo-1.8.3p1-CVE-2012-0809.patch
# SSSD support # SSSD support
Patch6: sudo-1.8.3p1-sssd-support.patch Patch5: sudo-1.8.5-sssd-support.patch
%description %description
Sudo (superuser do) allows a system administrator to give certain Sudo (superuser do) allows a system administrator to give certain
@ -62,8 +60,7 @@ plugins that use %{name}.
%patch2 -p1 -b .envdebug %patch2 -p1 -b .envdebug
%patch3 -p1 -b .m4path %patch3 -p1 -b .m4path
%patch4 -p1 -b .pipelist %patch4 -p1 -b .pipelist
%patch5 -p1 -b .CVE-2012-0809 %patch5 -p1 -b .sssd-support
%patch6 -p1 -b .sssd-support
# Remove execute permission on this script so we don't pull in perl deps # Remove execute permission on this script so we don't pull in perl deps
chmod -x plugins/sudoers/sudoers2ldif chmod -x plugins/sudoers/sudoers2ldif
@ -95,8 +92,8 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"
--with-ldap \ --with-ldap \
--with-selinux \ --with-selinux \
--with-passprompt="[sudo] password for %p: " \ --with-passprompt="[sudo] password for %p: " \
--with-linux-audit \ --with-linux-audit
--with-sssd # --with-sssd
# --without-kerb5 \ # --without-kerb5 \
# --without-kerb4 # --without-kerb4
make make
@ -141,9 +138,6 @@ rm -rf $RPM_BUILD_ROOT
%files -f sudo_all.lang %files -f sudo_all.lang
%defattr(-,root,root) %defattr(-,root,root)
%doc ChangeLog NEWS README* MANIFEST
%doc doc/HISTORY doc/LICENSE doc/TROUBLESHOOTING doc/UPGRADE
%doc doc/schema.* plugins/sudoers/sudoers2ldif doc/sample.*
%attr(0440,root,root) %config(noreplace) /etc/sudoers %attr(0440,root,root) %config(noreplace) /etc/sudoers
%attr(0750,root,root) %dir /etc/sudoers.d/ %attr(0750,root,root) %dir /etc/sudoers.d/
%config(noreplace) /etc/pam.d/sudo %config(noreplace) /etc/pam.d/sudo
@ -162,6 +156,7 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man8/sudoedit.8* %{_mandir}/man8/sudoedit.8*
%{_mandir}/man8/sudoreplay.8* %{_mandir}/man8/sudoreplay.8*
%{_mandir}/man8/visudo.8* %{_mandir}/man8/visudo.8*
%{_docdir}/sudo-%{version}/*
# Make sure permissions are ok even if we're updating # Make sure permissions are ok even if we're updating
@ -175,6 +170,11 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man8/sudo_plugin.8* %{_mandir}/man8/sudo_plugin.8*
%changelog %changelog
* Thu May 17 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.5-1
- update to 1.8.5
- fixed CVE-2012-2337
- temporarily disabled SSSD support
* Wed Feb 29 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.3p1-6 * Wed Feb 29 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.3p1-6
- fixed problems with undefined symbols (rhbz#798517) - fixed problems with undefined symbols (rhbz#798517)