.do-not-sync-with-fedora

@@ -0,0 +1 @@
+dkopecek: imported RHEL 7 packaging state which is different from Fedora

.fmf/version

@@ -0,0 +1 @@
+1

.gitignore

@@ -1 +1,20 @@
-SOURCES/sudo-1.9.5p2.tar.gz
+/sudo-1.8.16.tar.gz
+/sudo-1.8.17p1.tar.gz
+/sudo-1.8.18b2.tar.gz
+/sudo-1.8.18rc2.tar.gz
+/sudo-1.8.18rc4.tar.gz
+/sudo-1.8.18.tar.gz
+/sudo-90e4538c001fbe1b791a11d6a2c37607472fafe5.tar.gz
+/sudo-738c3cbf3e8400bf4a5aeab8966427ff6d630cd2.tar.gz
+/sudo-1.8.19p2.tar.gz
+/sudo-1.8.20b1.tar.gz
+/sudo-1.8.20p1.tar.gz
+/sudo-1.8.20p2.tar.gz
+/sudo-1.8.21p2.tar.gz
+/sudo-1.8.22b1.tar.gz
+/sudo-1.8.23.tar.gz
+/sudo-1.8.25p1.tar.gz
+/sudo-1.8.28.tar.gz
+/sudo-1.8.28p1.tar.gz
+/sudo-1.8.29.tar.gz
+/sudo-1.9.5p2.tar.gz

.sudo.metadata

@@ -1 +0,0 @@
-08bde247a1e08bc881eec43e09733f7ca06408f5 SOURCES/sudo-1.9.5p2.tar.gz

SOURCES/sudo-1.9.17-CVE-2026-35535-1.patch

@@ -1,58 +0,0 @@
-From fc252b5dd06cb0159fd31309bcffef410c724688 Mon Sep 17 00:00:00 2001
-From: "Todd C. Miller" <Todd.Miller@sudo.ws>
-Date: Fri, 29 Jan 2021 05:42:34 -0700
-Subject: [PATCH] Fix NO_ROOT_MAILER, broken by the eventlog refactor in sudo
- 1.9.4. init_eventlog_config() is called immediately after initializing the
- Defaults settings, which is before struct sudo_user is setup.  This adds a
- call to eventlog_set_mailuid() if NO_ROOT_MAILER is defined after the
- invoking user is determined.  Reported by Roman Fiedler.
-
- (cherry picked from commit e5ad88488d57dd30a7f08f46b395bccfd3957293)
----
- plugins/sudoers/logging.c | 7 +------
- plugins/sudoers/policy.c  | 4 ++++
- 2 files changed, 5 insertions(+), 6 deletions(-)
-
-diff --git a/plugins/sudoers/logging.c b/plugins/sudoers/logging.c
-index 776f881e5..06efbf576 100644
---- a/plugins/sudoers/logging.c
-+++ b/plugins/sudoers/logging.c
-@@ -786,11 +786,6 @@ void
- init_eventlog_config(void)
- {
-     int logtype = 0;
--#ifdef NO_ROOT_MAILER
--    uid_t mailuid = user_uid;
--#else
--    uid_t mailuid = ROOT_UID;
--#endif
-     debug_decl(init_eventlog_config, SUDOERS_DEBUG_LOGGING);
- 
-     if (def_syslog)
-@@ -805,7 +800,7 @@ init_eventlog_config(void)
-     eventlog_set_syslog_alertpri(def_syslog_badpri);
-     eventlog_set_syslog_maxlen(def_syslog_maxlen);
-     eventlog_set_file_maxlen(def_loglinelen);
--    eventlog_set_mailuid(mailuid);
-+    eventlog_set_mailuid(ROOT_UID);
-     eventlog_set_omit_hostname(!def_log_host);
-     eventlog_set_logpath(def_logfile);
-     eventlog_set_time_fmt(def_log_year ? "%h %e %T %Y" : "%h %e %T");
-diff --git a/plugins/sudoers/policy.c b/plugins/sudoers/policy.c
-index d675d2fd4..074c3f0e8 100644
---- a/plugins/sudoers/policy.c
-+++ b/plugins/sudoers/policy.c
-@@ -518,6 +518,10 @@ sudoers_policy_deserialize_info(void *v)
-     /* Some systems support fexecve() which we use for digest matches. */
-     cmnd_fd = -1;
- 
-+#ifdef NO_ROOT_MAILER
-+    eventlog_set_mailuid(user_uid);
-+#endif
-+
-     /* Dump settings and user info (XXX - plugin args) */
-     for (cur = info->settings; *cur != NULL; cur++)
- 	sudo_debug_printf(SUDO_DEBUG_INFO, "settings: %s", *cur);
--- 
-2.53.0
-

ci-tests.fmf

@@ -0,0 +1,17 @@
+/e2e:
+  plan:
+    import:
+      url: https://github.com/RedHat-SP-Security/sudo-plans.git
+      name: /generic/e2e_ci
+
+/e2e_internal:
+  plan:
+    import:
+      url: https://github.com/RedHat-SP-Security/sudo-plans.git
+      name: /generic/e2e_ci_internal
+
+/rpmverify:
+  plan:
+    import:
+      url: https://github.com/RedHat-SP-Security/sudo-plans.git
+      name: /generic/rpmverify

gating.yaml

@@ -0,0 +1,6 @@
+--- !Policy
+product_versions:
+  - rhel-8
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}

sources

@@ -0,0 +1 @@
+SHA512 (sudo-1.9.5p2.tar.gz) = f0fe914963c31a6f8ab6c86847ff6cdd125bd5a839b27f46dcae03963f4fc413b3d4cca54c1979feb825c8479b44c7df0642c07345c941eecf6f9f1e03ea0e27

sudo-1.9.17-CVE-2026-35535.patch

@@ -1,4 +1,4 @@
-From 67448bdde671f298ad472e6af6ad4a380f9e3395 Mon Sep 17 00:00:00 2001
+From 3e474c2f201484be83d994ae10a4e20e8c81bb69 Mon Sep 17 00:00:00 2001
 From: "Todd C. Miller" <Todd.Miller@sudo.ws>
 Date: Sat, 8 Nov 2025 15:34:02 -0700
 Subject: [PATCH] exec_mailer: Set group as well as uid when running the mailer
@@ -7,17 +7,12 @@ Also make a setuid(), setgid() or setgroups() failure fatal.
 
 Found by the ZeroPath AI Security Engineer <https://zeropath.com>
 
-(cherry picked from commit 3e474c2f201484be83d994ae10a4e20e8c81bb69)
+Backported to RHEL 8.10 by Alejandro López <allopez@redhat.com> with some
+help of Claude Code.
 ---
- include/sudo_eventlog.h      |  3 ++-
- lib/eventlog/eventlog.c      | 21 +++++++++++++++++----
- lib/eventlog/eventlog_conf.c |  4 +++-
- plugins/sudoers/logging.c    |  2 +-
- plugins/sudoers/policy.c     |  2 +-
- 5 files changed, 24 insertions(+), 8 deletions(-)
 
 diff --git a/include/sudo_eventlog.h b/include/sudo_eventlog.h
-index 07ef9dcbe..cdf27f0e8 100644
+index 07ef9dc..cdf27f0 100644
 --- a/include/sudo_eventlog.h
 +++ b/include/sudo_eventlog.h
 @@ -78,6 +78,7 @@ struct eventlog_config {
@@ -38,7 +33,7 @@ index 07ef9dcbe..cdf27f0e8 100644
  void eventlog_set_logpath(const char *path);
  void eventlog_set_time_fmt(const char *fmt);
 diff --git a/lib/eventlog/eventlog.c b/lib/eventlog/eventlog.c
-index 0febe66c1..7d042a0ab 100644
+index ca8ca96..1ae1176 100644
 --- a/lib/eventlog/eventlog.c
 +++ b/lib/eventlog/eventlog.c
 @@ -280,15 +280,13 @@ exec_mailer(int pipein)
@@ -49,7 +44,7 @@ index 0febe66c1..7d042a0ab 100644
 -	_exit(127);
 +	goto bad;
      }
- 
+
      /* Build up an argv based on the mailer path and flags */
      if ((mflags = strdup(evl_conf->mailerflags)) == NULL) {
  	syslog(LOG_ERR, _("unable to allocate memory")); // -V618
@@ -59,7 +54,7 @@ index 0febe66c1..7d042a0ab 100644
      }
      if ((argv[0] = strrchr(mpath, '/')))
  	argv[0]++;
-@@ -310,11 +309,23 @@ exec_mailer(int pipein)
+@@ -310,11 +308,23 @@ exec_mailer(int pipein)
      if (setuid(ROOT_UID) != 0) {
  	sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to change uid to %u",
  	    ROOT_UID);
@@ -83,7 +78,7 @@ index 0febe66c1..7d042a0ab 100644
  	}
      }
      sudo_debug_exit(__func__, __FILE__, __LINE__, sudo_debug_subsys);
-@@ -326,6 +335,9 @@ exec_mailer(int pipein)
+@@ -326,6 +336,9 @@ exec_mailer(int pipein)
      sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to execute %s: %s",
  	mpath, strerror(errno));
      _exit(127);
@@ -91,10 +86,10 @@ index 0febe66c1..7d042a0ab 100644
 +    sudo_debug_exit(__func__, __FILE__, __LINE__, sudo_debug_subsys);
 +    _exit(127);
  }
- 
+
  /* Send a message to the mailto user */
 diff --git a/lib/eventlog/eventlog_conf.c b/lib/eventlog/eventlog_conf.c
-index 8ad03851f..1c1d0a690 100644
+index 8ad0385..1c1d0a6 100644
 --- a/lib/eventlog/eventlog_conf.c
 +++ b/lib/eventlog/eventlog_conf.c
 @@ -70,6 +70,7 @@ static struct eventlog_config evl_conf = {
@@ -107,7 +102,7 @@ index 8ad03851f..1c1d0a690 100644
      "%h %e %T",			/* time_fmt */
 @@ -151,9 +152,10 @@ eventlog_set_file_maxlen(int len)
  }
- 
+
  void
 -eventlog_set_mailuid(uid_t uid)
 +eventlog_set_mailuser(uid_t uid, gid_t gid)
@@ -115,34 +110,32 @@ index 8ad03851f..1c1d0a690 100644
      evl_conf.mailuid = uid;
 +    evl_conf.mailgid = gid;
  }
- 
+
  void
 diff --git a/plugins/sudoers/logging.c b/plugins/sudoers/logging.c
-index 06efbf576..da03f3d96 100644
+index 776f881..6046783 100644
 --- a/plugins/sudoers/logging.c
 +++ b/plugins/sudoers/logging.c
-@@ -800,7 +800,7 @@ init_eventlog_config(void)
+@@ -788,8 +788,10 @@ init_eventlog_config(void)
+     int logtype = 0;
+ #ifdef NO_ROOT_MAILER
+     uid_t mailuid = user_uid;
++    gid_t mailgid = user_gid;
+ #else
+     uid_t mailuid = ROOT_UID;
++    gid_t mailgid = ROOT_GID;
+ #endif
+     debug_decl(init_eventlog_config, SUDOERS_DEBUG_LOGGING);
+
+@@ -805,7 +807,7 @@ init_eventlog_config(void)
      eventlog_set_syslog_alertpri(def_syslog_badpri);
      eventlog_set_syslog_maxlen(def_syslog_maxlen);
      eventlog_set_file_maxlen(def_loglinelen);
--    eventlog_set_mailuid(ROOT_UID);
-+    eventlog_set_mailuser(ROOT_UID, ROOT_GID);
+-    eventlog_set_mailuid(mailuid);
++    eventlog_set_mailuser(mailuid, mailgid);
      eventlog_set_omit_hostname(!def_log_host);
      eventlog_set_logpath(def_logfile);
      eventlog_set_time_fmt(def_log_year ? "%h %e %T %Y" : "%h %e %T");
-diff --git a/plugins/sudoers/policy.c b/plugins/sudoers/policy.c
-index 074c3f0e8..cb4c9bbdf 100644
---- a/plugins/sudoers/policy.c
-+++ b/plugins/sudoers/policy.c
-@@ -519,7 +519,7 @@ sudoers_policy_deserialize_info(void *v)
-     cmnd_fd = -1;
- 
- #ifdef NO_ROOT_MAILER
--    eventlog_set_mailuid(user_uid);
-+    eventlog_set_mailuser(user_uid, user_gid);
- #endif
- 
-     /* Dump settings and user info (XXX - plugin args) */
--- 
+--
 2.53.0
 

sudo.spec

@@ -1,7 +1,7 @@
 Summary: Allows restricted root access for specified users
 Name: sudo
 Version: 1.9.5p2
-Release: 1%{?dist}.5
+Release: 1%{?dist}.4
 License: ISC
 Group: Applications/System
 URL: https://www.sudo.ws/
@@ -59,8 +59,7 @@ Patch22: sudo-separator.patch
 
 Patch23: rebuild_env-Avoid-setting-SHELL-twice-for-sudo-i.patch
 
-Patch24: sudo-1.9.17-CVE-2026-35535-1.patch
-Patch25: sudo-1.9.17-CVE-2026-35535-2.patch
+Patch24: sudo-1.9.17-CVE-2026-35535.patch
 
 %description
 Sudo (superuser do) allows a system administrator to give certain
@@ -109,9 +108,7 @@ plugins that use %{name}.
 %patch -P 21 -p1 -b .cmnd_no_wait
 %patch -P 22 -p1 -b .separator
 %patch -P 23 -p1 -b .double-shell
-%patch -P 24 -p1 -b .cve-2026-35535-1
-%patch -P 25 -p1 -b .cve-2026-35535-2
-
+%patch -P 24 -p1 -b .cve-2026-35535
 
 %build
 # Remove bundled copy of zlib
@@ -287,7 +284,7 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man8/sudo_plugin.8*
 
 %changelog
-* Thu Apr 24 2026 Alejandro López <allopez@redhat.com> - 1.9.5p2-1.5
+* Thu Apr 16 2026 Alejandro López <allopez@redhat.com> - 1.9.5p2-1.4
 RHEL 8.10.0.Z ERRATUM
 - CVE-2026-35535 - Privilege escalation due to failure in privilege drop calls
 Resolves: RHEL-166060