From eb31d4d8a0dc02fda356fd590a3e36870619c517 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alejandro=20L=C3=B3pez?=
Date: Mon, 10 Nov 2025 16:56:08 +0100
Subject: [PATCH] RHEL 8.10.0.Z ERRATUM - sudo passes SHELL environment variable twice to the shell being executed [rhel-8]
Resolves: RHEL-127360
---
 ..._env-Avoid-setting-SHELL-twice-for-sudo-i.patch | 14 ++++++++++++++
 sudo.spec | 10 +++++++++-
 2 files changed, 23 insertions(+), 1 deletion(-)
 create mode 100644 rebuild_env-Avoid-setting-SHELL-twice-for-sudo-i.patch
diff --git a/rebuild_env-Avoid-setting-SHELL-twice-for-sudo-i.patch b/rebuild_env-Avoid-setting-SHELL-twice-for-sudo-i.patch
new file mode 100644
index 0000000..98654d7
--- /dev/null
+++ b/rebuild_env-Avoid-setting-SHELL-twice-for-sudo-i.patch
@@ -0,0 +1,14 @@
+Backported from commit 3d467a705ea6ee53081cb11cc21ecf08eb47700d
+rebuild_env: Avoid setting SHELL twice for "sudo -i"
+---
+
+--- a/plugins/sudoers/env.c 2025-11-10 16:38:59.840775518 +0100
++++ b/plugins/sudoers/env.c 2025-11-10 16:39:25.439652504 +0100
+@@ -976,6 +976,7 @@ rebuild_env(void)
+ if (ISSET(sudo_mode, MODE_LOGIN_SHELL)) {
+ CHECK_SETENV2("SHELL", runas_pw->pw_shell,
+ ISSET(didvar, DID_SHELL), true);
++ SET(didvar, DID_SHELL);
+ #ifdef _AIX
+ CHECK_SETENV2("LOGIN", runas_pw->pw_name,
+ ISSET(didvar, DID_LOGIN), true);
diff --git a/sudo.spec b/sudo.spec
index 521880f..edc33c1 100644
--- a/sudo.spec
+++ b/sudo.spec
@@ -1,7 +1,7 @@
 Summary: Allows restricted root access for specified users
 Name: sudo
 Version: 1.9.5p2
-Release: 1%{?dist}.2
+Release: 1%{?dist}.3
 License: ISC
 Group: Applications/System
 URL: https://www.sudo.ws/
@@ -57,6 +57,8 @@ Patch20: sudo-1.9.17-CVE-2025-32462.patch Patch21: sudo-reintroduce-cmnd_no_wait.patch Patch22: sudo-separator.patch +Patch23: rebuild_env-Avoid-setting-SHELL-twice-for-sudo-i.patch + %description Sudo (superuser do) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands
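Review bot: The added `SET(didvar, DID_SHELL);` in the env.c hunk of the new rebuild_env-Avoid-setting-SHELL-twice-for-sudo-i.patch file has no comment, and the code that consumes the flag is not visible here; rebuild_env() starts and ends outside the hunk, so presumably a later branch sets SHELL again whenever DID_SHELL is clear. A one-line comment such as `/* SHELL is set for the login shell; mark it so it is not added a second time below */` would keep the flag from being dropped in a later rebase of this backport. Duplicate entries in the environment built across a privilege boundary are worth guarding against because consumers do not agree on whether the first or the last copy wins, so a package-level regression check that a login shell started through `sudo -i` sees exactly one SHELL entry would be a useful companion to the patch. The `_AIX` LOGIN call directly below uses the same CHECK_SETENV2 pattern with no SET visible; the hunk ends before it can be told whether DID_LOGIN needs the same treatment.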
@@ -103,6 +105,7 @@ plugins that use %{name}. %patch -P 20 -p1 -b .cve-host %patch -P 21 -p1 -b .cmnd_no_wait %patch -P 22 -p1 -b .separator +%patch -P 23 -p1 -b .double-shell %build # Remove bundled copy of zlib
@@ -278,6 +281,11 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/sudo_plugin.8* %changelog +* Mon Nov 17 2025 Alejandro López - 1.9.5p2-1.3 +RHEL 8.10.0.Z ERRATUM +- sudo passes SHELL environment variable twice to the shell being executed [rhel-8] +Resolves: RHEL-127360 + * Wed Jul 16 2025 Alejandro López - 1.9.5p2-1.2 RHEL 8.10.0.Z ERRATUM - Reintroduce cmnd_no_wait