From b1b93b415f1e9973b11a6f54bbf07c24bb26fed8 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Oct 21 2021 04:20:41 +0000
Subject: import sudo-1.8.29-7.el8_4.1
---
diff --git a/SOURCES/sudo-1.9.7-sigchild.patch b/SOURCES/sudo-1.9.7-sigchild.patch
new file mode 100644
index 0000000..94fcc94
--- /dev/null
+++ b/SOURCES/sudo-1.9.7-sigchild.patch
@@ -0,0 +1,35 @@
+From 727056e0c9519d8eecde801e950b35f2f69c72e2 Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller"
+Date: Fri, 23 Apr 2021 07:41:27 -0600
+Subject: [PATCH] Make sure SIGCHLD is not ignored when sudo is executed. If
+ SIGCHLD is ignored there is a race condition between when the process is
+ executed and when the SIGCHLD handler is installed. This fixes the bug
+ described by GitHub PR #98
+
+---
+ src/signal.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/src/signal.c b/src/signal.c
+index 7f90d707b..866b64790 100644
+--- a/src/signal.c
++++ b/src/signal.c
+@@ -133,6 +133,18 @@ init_signals(void)
+ case SIGTTOU:
+ /* Don't install these until exec time. */
+ break;
++ case SIGCHLD:
++ /* Sudo needs to be able to catch SIGCHLD. */
++ if (ss->sa.sa_handler == SIG_IGN) {
++ sudo_debug_printf(SUDO_DEBUG_INFO,
++ "will restore signal %d on exec", SIGCHLD);
++ ss->restore = true;
++ }
++ if (sigaction(SIGCHLD, &sa, NULL) != 0) {
++ sudo_warn(U_("unable to set handler for signal %d"),
++ SIGCHLD);
++ }
++ break;
+ default:
+ if (ss->sa.sa_handler != SIG_IGN) {
+ if (sigaction(ss->signo, &sa, NULL) != 0) {
diff --git a/SPECS/sudo.spec b/SPECS/sudo.spec
index 6b5bddc..cb5fb80 100644
--- a/SPECS/sudo.spec
+++ b/SPECS/sudo.spec
@@ -1,7 +1,7 @@
 Summary: Allows restricted root access for specified users
 Name: sudo
 Version: 1.8.29
-Release: 7%{?dist}
+Release: 7%{?dist}.1
 License: ISC
 Group: Applications/System
 URL: https://www.sudo.ws/
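Review bot: The comment on the new `case SIGCHLD:` branch (in the src/signal.c hunk carried inside sudo-1.9.7-sigchild.patch) says only that sudo must catch SIGCHLD and leaves out why this branch differs from `default:`. The disposition saved in `ss->sa` is inherited from the invoking process, so sudo can be started with SIGCHLD already set to SIG_IGN, and unlike `default:` this branch installs the handler anyway. I would expand the comment to something like `/* SIGCHLD disposition is inherited from the caller; install our handler even if it was SIG_IGN and restore the caller's setting on exec. */`. A failed `sigaction(SIGCHLD, ...)` is only reported through `sudo_warn` and execution continues, which would appear to leave the race from the commit message in place on that path. Whether that should be fatal depends on the rest of `init_signals` and on the code that consumes `ss->restore`, both of which lie outside this hunk.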
@@ -67,6 +67,9 @@ Patch16: sudo-1.9.5-CVE-2021-23240-3.patch Patch17: sudo-1.9.5-CVE-2021-23240-4.patch Patch18: sudo-1.9.5-CVE-2021-23240-5.patch +# 2015136 - Request to backport https://www.sudo.ws/repos/sudo/rev/b4c91a0f72e7 to RHEL 8 [rhel-8.4.0.z] +Patch19: sudo-1.9.7-sigchild.patch + %description Sudo (superuser do) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands @@ -113,6 +116,9 @@ plugins that use %{name}. %patch17 -p1 -b .symbolic-link-attack-4 %patch18 -p1 -b .symbolic-link-attack-5 +%patch19 -p1 -b .sigchild + + %build # Remove bundled copy of zlib rm -rf zlib/ @@ -271,6 +277,11 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/sudo_plugin.8* %changelog +* Tue Oct 19 2021 RAdovan Sroka - 1.8.29-7.1 +RHEL 8.4.0 ZSTREAM ERRATUM +- Make sure SIGCHLD is not ignored when sudo is executed +Resolves: rhbz#2015136 + * Tue Feb 02 2021 Radovan Sroka - 1.8.29-7 - RHEL 8.4 ERRATUM - CVE-2021-3156