From e1791d3a47bbf439a163e52193a4586e07e25bb4 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: May 10 2022 07:18:42 +0000
Subject: import sudo-1.8.29-8.el8
---
diff --git a/SOURCES/sudo-1.9.5-sudoedit-selinux.patch b/SOURCES/sudo-1.9.5-sudoedit-selinux.patch
new file mode 100644
index 0000000..ece57bd
--- /dev/null
+++ b/SOURCES/sudo-1.9.5-sudoedit-selinux.patch
@@ -0,0 +1,11 @@
+diff -up ./src/sudo_edit.c.rest ./src/sudo_edit.c
+--- ./src/sudo_edit.c.rest 2021-11-21 18:41:09.420657680 +0100
++++ ./src/sudo_edit.c 2021-11-21 18:42:23.214272777 +0100
+@@ -878,6 +878,7 @@ selinux_edit_create_tfiles(struct comman
+ }
+ close(tfd);
+ }
++ ret = nfiles;
+
+ done:
+ /* Contents of tf will be freed by caller. */
diff --git a/SOURCES/sudo-1.9.7-krb5ccname.patch b/SOURCES/sudo-1.9.7-krb5ccname.patch
new file mode 100644
index 0000000..4339423
--- /dev/null
+++ b/SOURCES/sudo-1.9.7-krb5ccname.patch
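Review bot: The new `ret = nfiles;` in sudo-1.9.5-sudoedit-selinux.patch sets the success result only on the fall-through path just before `done:`, so what the caller receives on the early-exit paths depends on how `ret` was initialised at the top of selinux_edit_create_tfiles, which starts and ends outside the hunk; it is worth confirming it starts as the failure value so a partially created temp-file set is never reported as success. The patch file also carries no provenance header, unlike sudo-1.9.7-utmp-leak.patch in the same commit, so a future rebase has nothing to match against; a leading comment such as `# Upstream: <UPSTREAM COMMIT ID> - selinux_edit_create_tfiles() must return the number of files created` would fix that.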
@@ -0,0 +1,54 @@
+diff -up ./plugins/sudoers/auth/pam.c.krb5ccname ./plugins/sudoers/auth/pam.c
+--- ./plugins/sudoers/auth/pam.c.krb5ccname 2019-10-28 13:27:38.000000000 +0100
++++ ./plugins/sudoers/auth/pam.c 2021-12-06 11:14:15.580226222 +0100
+@@ -119,10 +119,10 @@ conv_filter_init(void)
+
+ /*
+ * Messages from PAM account management when trusted mode is enabled:
+- * 1 Last successful login for %s: %s
+- * 2 Last successful login for %s: %s on %s
+- * 3 Last unsuccessful login for %s: %s
+- * 4 Last unsuccessful login for %s: %s on %s
++ * 1 Last successful login for %s: %s
++ * 2 Last successful login for %s: %s on %s
++ * 3 Last unsuccessful login for %s: %s
++ * 4 Last unsuccessful login for %s: %s on %s
+ */
+ if ((catd = catopen("pam_comsec", NL_CAT_LOCALE)) != -1) {
+ maxfilters += 4;
+@@ -290,6 +290,7 @@ sudo_pam_init_quiet(struct passwd *pw, s
+ int
+ sudo_pam_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_conv_callback *callback)
+ {
++ const char *envccname;
+ const char *s;
+ int *pam_status = (int *) auth->data;
+ debug_decl(sudo_pam_verify, SUDOERS_DEBUG_AUTH)
+@@ -298,8 +299,27 @@ sudo_pam_verify(struct passwd *pw, char
+ getpass_error = false; /* set by converse if user presses ^C */
+ conv_callback = callback; /* passed to conversation function */
+
++ /* Set KRB5CCNAME from the user environment if not set to propagate this
++ * information to PAM modules that may use it to authentication. */
++ envccname = sudo_getenv("KRB5CCNAME");
++ if (envccname == NULL && user_ccname != NULL) {
++ if (sudo_setenv("KRB5CCNAME", user_ccname, true) != 0) {
++ sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO,
++ "unable to set KRB5CCNAME");
++ debug_return_int(AUTH_FAILURE);
++ }
++ }
++
+ /* PAM_SILENT prevents the authentication service from generating output. */
+ *pam_status = pam_authenticate(pamh, PAM_SILENT);
++
++ /* Restore KRB5CCNAME to its original value. */
++ if (envccname == NULL && sudo_unsetenv("KRB5CCNAME") != 0) {
++ sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO,
++ "unable to restore KRB5CCNAME");
++ debug_return_int(AUTH_FAILURE);
++ }
++
+ if (getpass_error) {
+ /* error or ^C from tgetpass() */
+ debug_return_int(AUTH_INTR);
diff --git a/SOURCES/sudo-1.9.7-utmp-leak.patch b/SOURCES/sudo-1.9.7-utmp-leak.patch
new file mode 100644
index 0000000..5c45ae6
--- /dev/null
+++ b/SOURCES/sudo-1.9.7-utmp-leak.patch
@@ -0,0 +1,22 @@
+From 3fc3a07a03ef74fde99db40ce9ef43ccab336205 Mon Sep 17 00:00:00 2001
+From: MertsA
+Date: Fri, 23 Jul 2021 03:36:05 -0700
+Subject: [PATCH] Rewind utmp file pointer after searching for entry
+
+getutline() advances the file pointer until it matches or reaches EOF. pututline() starts from the current position in utmp. This rewinds the file pointer to the beginning to avoid allocating additional spurious utmp entries.
+---
+ src/utmp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/utmp.c b/src/utmp.c
+index 544a37519..952bf3043 100644
+--- a/src/utmp.c
++++ b/src/utmp.c
+@@ -210,6 +210,7 @@ utmp_login(const char *from_line, const char *to_line, int ttyfd,
+ memset(&utbuf, 0, sizeof(utbuf));
+ strncpy(utbuf.ut_line, from_line, sizeof(utbuf.ut_line));
+ ut_old = sudo_getutline(&utbuf);
++ sudo_setutent();
+ }
+ utmp_fill(to_line, user, ut_old, &utbuf);
+ if (sudo_pututline(&utbuf) != NULL)
diff --git a/SPECS/sudo.spec b/SPECS/sudo.spec
index cb5fb80..ea0036c 100644
--- a/SPECS/sudo.spec
+++ b/SPECS/sudo.spec
@@ -1,7 +1,7 @@
 Summary: Allows restricted root access for specified users
 Name: sudo
 Version: 1.8.29
-Release: 7%{?dist}.1
+Release: 8%{?dist}
 License: ISC
 Group: Applications/System
 URL: https://www.sudo.ws/
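Review bot: In the `@@ -298,8 +299,27 @@` hunk of sudo-1.9.7-krb5ccname.patch the restore step calls `sudo_unsetenv("KRB5CCNAME")` whenever `envccname == NULL`, which includes the case where `user_ccname` was NULL and nothing was exported; whether sudo_unsetenv() returns non-zero for an absent variable is not visible here, and if it does, every user without a credential cache gets AUTH_FAILURE even after a successful pam_authenticate(). Tracking what was actually set removes that dependency: declare `bool ccname_set = false;` next to `envccname`, set `ccname_set = true;` after the successful sudo_setenv(), and make the restore `if (ccname_set && sudo_unsetenv("KRB5CCNAME") != 0) {`. The comment above the export reads "may use it to authentication"; `for authentication` is meant. Because the value is handed to PAM modules running inside sudo's privileged process, the place where `user_ccname` is assigned, which is outside this hunk, is where its validation should be checked; sudo_pam_verify continues past the end of the hunk.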
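Review bot: The added `sudo_setutent();` in sudo-1.9.7-utmp-leak.patch has no comment, and the reason for it lives only in the commit message embedded in the patch file, so a reader of utmp_login() sees an unexplained rewind after the search; a line such as `/* sudo_getutline() leaves the position past the match; rewind so sudo_pututline() updates that entry rather than appending a new one. */` above it would carry the explanation into the code. The closing `}` after the new line suggests the rewind sits inside a conditional whose opening is outside the hunk, so when that branch is skipped the position is whatever the earlier code left; presumably fine, but worth a glance. utmp_login starts and ends outside the hunk.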
@@ -67,8 +67,14 @@ Patch16: sudo-1.9.5-CVE-2021-23240-3.patch
 Patch17: sudo-1.9.5-CVE-2021-23240-4.patch
 Patch18: sudo-1.9.5-CVE-2021-23240-5.patch
-# 2015136 - Request to backport https://www.sudo.ws/repos/sudo/rev/b4c91a0f72e7 to RHEL 8 [rhel-8.4.0.z]
-Patch19: sudo-1.9.7-sigchild.patch
+# 2029551 - sudoedit does not work with selinux args
+Patch19: sudo-1.9.5-sudoedit-selinux.patch
+# 1999751 - Request to backport https://www.sudo.ws/repos/sudo/rev/b4c91a0f72e7 to RHEL 8
+Patch20: sudo-1.9.7-sigchild.patch
+# 1917379 - [RFE] pass KRB5CCNAME to pam_authenticate environment if available
+Patch21: sudo-1.9.7-krb5ccname.patch
+# 1986572 - utmp resource leak in sudo
+Patch22: sudo-1.9.7-utmp-leak.patch
 %description
 Sudo (superuser do) allows a system administrator to give certain
@@ -116,8 +122,11 @@ plugins that use %{name}.
 %patch17 -p1 -b .symbolic-link-attack-4
 %patch18 -p1 -b .symbolic-link-attack-5
-%patch19 -p1 -b .sigchild
+%patch19 -p1 -b .sudoedit-selinux
+%patch20 -p1 -b .sigchild
+%patch21 -p1 -b .krb5ccname
+%patch22 -p1 -b .utmp-leak
 %build
 # Remove bundled copy of zlib
@@ -277,10 +286,16 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man8/sudo_plugin.8*
 %changelog
-* Tue Oct 19 2021 RAdovan Sroka - 1.8.29-7.1
-RHEL 8.4.0 ZSTREAM ERRATUM
+* Mon Dec 06 2021 Radovan Sroka - 1.8.29-8
+RHEL 8.6.0 ERRATUM
+- sudoedit does not work with selinux args
+Resolves: rhbz#2029551
 - Make sure SIGCHLD is not ignored when sudo is executed
-Resolves: rhbz#2015136
+Resolves: rhbz#1999751
+- [RFE] pass KRB5CCNAME to pam_authenticate environment if available
+Resolves: rhbz#1917379
+- utmp resource leak in sudo
+Resolves: rhbz#1986572
 * Tue Feb 02 2021 Radovan Sroka - 1.8.29-7
 - RHEL 8.4 ERRATUM