.do-not-sync-with-fedora

@@ -0,0 +1 @@
+dkopecek: imported RHEL 7 packaging state which is different from Fedora

.gitignore

@@ -1 +1,20 @@
-SOURCES/sudo-1.9.5p2.tar.gz
+/sudo-1.8.16.tar.gz
+/sudo-1.8.17p1.tar.gz
+/sudo-1.8.18b2.tar.gz
+/sudo-1.8.18rc2.tar.gz
+/sudo-1.8.18rc4.tar.gz
+/sudo-1.8.18.tar.gz
+/sudo-90e4538c001fbe1b791a11d6a2c37607472fafe5.tar.gz
+/sudo-738c3cbf3e8400bf4a5aeab8966427ff6d630cd2.tar.gz
+/sudo-1.8.19p2.tar.gz
+/sudo-1.8.20b1.tar.gz
+/sudo-1.8.20p1.tar.gz
+/sudo-1.8.20p2.tar.gz
+/sudo-1.8.21p2.tar.gz
+/sudo-1.8.22b1.tar.gz
+/sudo-1.8.23.tar.gz
+/sudo-1.8.25p1.tar.gz
+/sudo-1.8.28.tar.gz
+/sudo-1.8.28p1.tar.gz
+/sudo-1.8.29.tar.gz
+/sudo-1.9.5p2.tar.gz

.sudo.metadata

@@ -1 +0,0 @@
-08bde247a1e08bc881eec43e09733f7ca06408f5 SOURCES/sudo-1.9.5p2.tar.gz

SOURCES/sudo-1.9.17-CVE-2025-32462.patch

@@ -1,22 +0,0 @@
-diff -up ./plugins/sudoers/sudoers.c.cve-host ./plugins/sudoers/sudoers.c
---- ./plugins/sudoers/sudoers.c.cve-host	2025-06-25 14:10:11.369219892 +0200
-+++ ./plugins/sudoers/sudoers.c	2025-06-25 14:11:48.395137626 +0200
-@@ -393,6 +393,18 @@ sudoers_policy_main(int argc, char * con
- 	}
-     }
- 
-+    /* The user may only specify a host for "sudo -l". */
-+    if (!ISSET(sudo_mode, MODE_LIST|MODE_CHECK)) {
-+       if (strcmp(user_runhost, user_host) != 0) {
-+           log_warningx(SLOG_NO_STDERR|SLOG_AUDIT,
-+               N_("user not allowed to set remote host for command"));
-+           sudo_warnx("%s",
-+               U_("a remote host may only be specified when listing privileges."));
-+           ret = false;
-+           goto done;
-+       }
-+    }
-+
-     /* If given the -P option, set the "preserve_groups" flag. */
-     if (ISSET(sudo_mode, MODE_PRESERVE_GROUPS))
- 	def_preserve_groups = true;

SOURCES/sudo-reintroduce-cmnd_no_wait.patch

@@ -1,78 +0,0 @@
-From 59cd3a7330a402b289641f7d605ce3ae6671a64f Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Alejandro=20L=C3=B3pez?= <allopez@redhat.com>
-Date: Wed, 16 Jul 2025 17:02:45 +0200
-Subject: [PATCH] Reintroduce cmnd_no_wait
-
----
- plugins/sudoers/def_data.c  |  4 ++++
- plugins/sudoers/def_data.h  |  2 ++
- plugins/sudoers/def_data.in |  3 +++
- plugins/sudoers/sudoers.c   | 13 +++++++++++++
- 4 files changed, 22 insertions(+)
-
-diff --git a/plugins/sudoers/def_data.c b/plugins/sudoers/def_data.c
-index 56cd224..19188a6 100644
---- a/plugins/sudoers/def_data.c
-+++ b/plugins/sudoers/def_data.c
-@@ -573,6 +573,10 @@ struct sudo_defs_types sudo_defs_table[] = {
- 	"selinux", T_FLAG,
- 	N_("Enable SELinux RBAC support"),
- 	NULL,
-+    }, {
-+	"cmnd_no_wait", T_FLAG,
-+	N_("Don't fork and wait for the command to finish, just exec it"),
-+	NULL,
-     }, {
- 	NULL, 0, NULL
-     }
-diff --git a/plugins/sudoers/def_data.h b/plugins/sudoers/def_data.h
-index 5c712b8..86b0886 100644
---- a/plugins/sudoers/def_data.h
-+++ b/plugins/sudoers/def_data.h
-@@ -264,6 +264,8 @@
- #define def_log_format          (sudo_defs_table[I_LOG_FORMAT].sd_un.tuple)
- #define I_SELINUX               131
- #define def_selinux             (sudo_defs_table[I_SELINUX].sd_un.flag)
-+#define I_CMND_NO_WAIT          132
-+#define def_cmnd_no_wait        (sudo_defs_table[I_CMND_NO_WAIT].sd_un.flag)
- 
- enum def_tuple {
-     never,
-diff --git a/plugins/sudoers/def_data.in b/plugins/sudoers/def_data.in
-index e8162e8..b0027c4 100644
---- a/plugins/sudoers/def_data.in
-+++ b/plugins/sudoers/def_data.in
-@@ -412,3 +412,6 @@ log_format
- selinux
- 	T_FLAG
- 	"Enable SELinux RBAC support"
-+cmnd_no_wait
-+	T_FLAG
-+	"Don't fork and wait for the command to finish, just exec it"
-diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c
-index 80a7089..4a972df 100644
---- a/plugins/sudoers/sudoers.c
-+++ b/plugins/sudoers/sudoers.c
-@@ -221,6 +221,19 @@ sudoers_init(void *info, char * const envp[])
-     if (set_loginclass(runas_pw ? runas_pw : sudo_user.pw))
- 	ret = true;
- 
-+    /*
-+     * Emulate cmnd_no_wait option by disabling PAM session, PTY allocation
-+     * and I/O logging. This will cause sudo to execute the given command
-+     * directly instead of forking a separate process for it.
-+     */
-+    if (def_cmnd_no_wait) {
-+        def_pam_setcred = false;
-+        def_pam_session = false;
-+        def_use_pty = false;
-+        def_log_input = false;
-+        def_log_output = false;
-+    }
-+
- cleanup:
-     if (!restore_perms())
- 	ret = -1;
--- 
-2.50.1
-

SOURCES/sudo-separator.patch

@@ -1,15 +0,0 @@
-diff --git a/lib/eventlog/eventlog.c b/lib/eventlog/eventlog.c
-index 0febe66..d9f0400 100644
---- a/lib/eventlog/eventlog.c
-+++ b/lib/eventlog/eventlog.c
-@@ -176,6 +176,7 @@ new_logline(int event_type, int flags, struct eventlog_args *args,
-             sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL, " %s",
-                                  evlog->env_add[i]);
-         }
-+        sudo_lbuf_append(&lbuf, " ; ");
-     }
-     if (evlog->command != NULL) {
-         sudo_lbuf_append_esc(&lbuf, LBUF_ESC_CNTRL|LBUF_ESC_BLANK,
--- 
-2.50.1
-

gating.yaml

@@ -0,0 +1,6 @@
+--- !Policy
+product_versions:
+  - rhel-8
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}

sources

@@ -0,0 +1 @@
+SHA512 (sudo-1.9.5p2.tar.gz) = f0fe914963c31a6f8ab6c86847ff6cdd125bd5a839b27f46dcae03963f4fc413b3d4cca54c1979feb825c8479b44c7df0642c07345c941eecf6f9f1e03ea0e27

sudo.spec

@@ -1,7 +1,7 @@
 Summary: Allows restricted root access for specified users
 Name: sudo
 Version: 1.9.5p2
-Release: 1%{?dist}.2
+Release: 1%{?dist}
 License: ISC
 Group: Applications/System
 URL: https://www.sudo.ws/
@@ -52,10 +52,6 @@ Patch17: sudo-1.9.13-CVE-2023-28486-7-9.patch
 Patch18: linker.patch
 
 Patch19: sudo-1.9.15-CVE-2023-42465.patch
-Patch20: sudo-1.9.17-CVE-2025-32462.patch
-
-Patch21: sudo-reintroduce-cmnd_no_wait.patch
-Patch22: sudo-separator.patch
 
 %description
 Sudo (superuser do) allows a system administrator to give certain
@@ -99,10 +95,8 @@ plugins that use %{name}.
 %patch -P 17 -p1 -b .cve-escape-9
 
 %patch -P 18 -p1 -b .linker
+
 %patch -P 19 -p1 -b .rowhammer
-%patch -P 20 -p1 -b .cve-host
-%patch -P 21 -p1 -b .cmnd_no_wait
-%patch -P 22 -p1 -b .separator
 
 %build
 # Remove bundled copy of zlib
@@ -278,18 +272,6 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man8/sudo_plugin.8*
 
 %changelog
-* Wed Jul 16 2025 Alejandro López <allopez@redhat.com> - 1.9.5p2-10.2
-RHEL 8.10.0.Z ERRATUM
-- Reintroduce cmnd_no_wait
-Resolves: RHEL-51956
-- Missing separator in the log
-Resolves: RHEL-71913
-
-* Wed Jun 25 2025 Radovan Sroka <rsroka@redhat.com> - 1.9.5p2-10.1
-RHEL 8.10.0.Z ERRATUM
-- CVE-2025-32462 sudo: LPE via host option
-Resolves: RHEL-100014
-
 * Mon Jan 22 2024 Radovan Sroka <rsroka@redhat.com> - 1.9.5p2-1
 RHEL 8.9.0.Z ERRATUM
 - Rebase to 1.9.5p2