From e7179e99d9f13bb0d21ed14e13bb871422007435 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Nov 05 2019 20:55:13 +0000 Subject: import sudo-1.8.25p1-8.el8_1 --- diff --git a/SOURCES/sudo-1.8.23-pam-expired-passwords.patch b/SOURCES/sudo-1.8.23-pam-expired-passwords.patch new file mode 100644 index 0000000..bf2078a --- /dev/null +++ b/SOURCES/sudo-1.8.23-pam-expired-passwords.patch @@ -0,0 +1,103 @@ + +# HG changeset patch +# User Todd C. Miller +# Date 1544201494 25200 +# Node ID 656aa910fbaf0be517e012c9271c51eb85c1cca5 +# Parent ef83f35c9cb090a8b4fd36942f1e47e65c285dce +The fix for bug #843 was incomplete and caused pam_end() to be called early. +sudo_pam_approval() must not set the global pam status to an error +value if it returns AUTH_SUCCESS. Otherwise, sudo_pam_cleanup() +will call pam_end() before sudo_pam_begin_session(). This resulted +in a NULL PAM handle being used in sudo_pam_begin_session(). + +diff -r ef83f35c9cb0 -r 656aa910fbaf plugins/sudoers/auth/pam.c +--- a/plugins/sudoers/auth/pam.c Wed Dec 05 10:43:14 2018 -0700 ++++ b/plugins/sudoers/auth/pam.c Fri Dec 07 09:51:34 2018 -0700 +@@ -210,59 +210,68 @@ + sudo_pam_approval(struct passwd *pw, sudo_auth *auth, bool exempt) + { + const char *s; ++ int rc, status = AUTH_SUCCESS; + int *pam_status = (int *) auth->data; + debug_decl(sudo_pam_approval, SUDOERS_DEBUG_AUTH) + +- *pam_status = pam_acct_mgmt(pamh, PAM_SILENT); +- switch (*pam_status) { ++ rc = pam_acct_mgmt(pamh, PAM_SILENT); ++ switch (rc) { + case PAM_SUCCESS: +- debug_return_int(AUTH_SUCCESS); ++ break; + case PAM_AUTH_ERR: + log_warningx(0, N_("account validation failure, " + "is your account locked?")); +- debug_return_int(AUTH_FATAL); ++ status = AUTH_FATAL; ++ break; + case PAM_NEW_AUTHTOK_REQD: + /* Ignore if user is exempt from password restrictions. */ + if (exempt) +- debug_return_int(AUTH_SUCCESS); ++ break; + /* New password required, try to change it. */ + log_warningx(0, N_("Account or password is " + "expired, reset your password and try again")); +- *pam_status = pam_chauthtok(pamh, +- PAM_CHANGE_EXPIRED_AUTHTOK); +- if (*pam_status == PAM_SUCCESS) +- debug_return_int(AUTH_SUCCESS); +- if ((s = pam_strerror(pamh, *pam_status)) == NULL) ++ rc = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK); ++ if (rc == PAM_SUCCESS) ++ break; ++ if ((s = pam_strerror(pamh, rc)) == NULL) + s = "unknown error"; + log_warningx(0, + N_("unable to change expired password: %s"), s); +- debug_return_int(AUTH_FAILURE); ++ status = AUTH_FAILURE; ++ break; + case PAM_AUTHTOK_EXPIRED: + /* Ignore if user is exempt from password restrictions. */ + if (exempt) +- debug_return_int(AUTH_SUCCESS); ++ break; + /* Password expired, cannot be updated by user. */ + log_warningx(0, + N_("Password expired, contact your system administrator")); +- debug_return_int(AUTH_FATAL); ++ status = AUTH_FATAL; ++ break; + case PAM_ACCT_EXPIRED: + log_warningx(0, + N_("Account expired or PAM config lacks an \"account\" " + "section for sudo, contact your system administrator")); +- debug_return_int(AUTH_FATAL); ++ status = AUTH_FATAL; ++ break; + case PAM_AUTHINFO_UNAVAIL: + case PAM_MAXTRIES: + case PAM_PERM_DENIED: +- s = pam_strerror(pamh, *pam_status); ++ s = pam_strerror(pamh, rc); + log_warningx(0, N_("PAM account management error: %s"), + s ? s : "unknown error"); +- debug_return_int(AUTH_FAILURE); ++ status = AUTH_FAILURE; ++ break; + default: +- s = pam_strerror(pamh, *pam_status); ++ s = pam_strerror(pamh, rc); + log_warningx(0, N_("PAM account management error: %s"), + s ? s : "unknown error"); +- debug_return_int(AUTH_FATAL); ++ status = AUTH_FATAL; ++ break; + } ++ /* Ignore errors if user is exempt from password restrictions. */ ++ *pam_status = exempt ? PAM_SUCCESS : rc; ++ debug_return_int(status); + } + + int + diff --git a/SOURCES/sudo-1.8.23-who-am-i.patch b/SOURCES/sudo-1.8.23-who-am-i.patch new file mode 100644 index 0000000..2be1c3c --- /dev/null +++ b/SOURCES/sudo-1.8.23-who-am-i.patch @@ -0,0 +1,56 @@ +commit b2f7983c84fd01e0b29895d7df776b4b162fd8a5 +Author: Todd C. Miller +Date: Wed Jan 2 07:39:33 2019 -0700 + + Fix setting of utmp entry when running command in a pty. + Regression introduced in sudo 1.8.22. + +diff --git a/src/exec_pty.c b/src/exec_pty.c +index cbcccca3..68312a98 100644 +--- a/src/exec_pty.c ++++ b/src/exec_pty.c +@@ -140,7 +140,7 @@ pty_cleanup(void) + * and slavename globals. + */ + static bool +-pty_setup(uid_t uid, const char *tty) ++pty_setup(struct command_details *details, const char *tty) + { + debug_decl(pty_setup, SUDO_DEBUG_EXEC); + +@@ -152,12 +152,15 @@ pty_setup(uid_t uid, const char *tty) + } + + if (!get_pty(&io_fds[SFD_MASTER], &io_fds[SFD_SLAVE], +- slavename, sizeof(slavename), uid)) ++ slavename, sizeof(slavename), details->euid)) + sudo_fatal(U_("unable to allocate pty")); + + /* Add entry to utmp/utmpx? */ +- if (utmp_user != NULL) ++ if (ISSET(details->flags, CD_SET_UTMP)) { ++ utmp_user = ++ details->utmp_user ? details->utmp_user : user_details.username; + utmp_login(tty, slavename, io_fds[SFD_SLAVE], utmp_user); ++ } + + sudo_debug_printf(SUDO_DEBUG_INFO, + "%s: %s fd %d, pty master fd %d, pty slave fd %d", +@@ -1302,12 +1305,11 @@ exec_pty(struct command_details *details, struct command_status *cstat) + /* + * Allocate a pty. + */ +- if (pty_setup(details->euid, user_details.tty)) { +- if (ISSET(details->flags, CD_SET_UTMP)) +- utmp_user = details->utmp_user ? details->utmp_user : user_details.username; +- } else if (TAILQ_EMPTY(&io_plugins)) { +- /* Not logging I/O and didn't allocate a pty. */ +- debug_return_bool(false); ++ if (!pty_setup(details, user_details.tty)) { ++ if (TAILQ_EMPTY(&io_plugins)) { ++ /* Not logging I/O and didn't allocate a pty. */ ++ debug_return_bool(false); ++ } + } + + /* diff --git a/SOURCES/sudo-1.8.25-ipa-hostname.patch b/SOURCES/sudo-1.8.25-ipa-hostname.patch new file mode 100644 index 0000000..4186974 --- /dev/null +++ b/SOURCES/sudo-1.8.25-ipa-hostname.patch @@ -0,0 +1,1063 @@ +From e99082e05b9f0dd0e0f47fa1d2e1b9d922ea8c4c Mon Sep 17 00:00:00 2001 +From: "Todd C. Miller" +Date: Thu, 15 Aug 2019 14:20:12 -0600 +Subject: [PATCH] Fix special handling of ipa_hostname that was lost in sudo + 1.8.24. We now include the long and short hostname in sudo parser container. + +--- + plugins/sudoers/file.c | 2 +- + plugins/sudoers/gram.c | 215 ++++++++++++++++++++-------------------- + plugins/sudoers/gram.y | 9 +- + plugins/sudoers/ldap.c | 2 +- + plugins/sudoers/match.c | 23 +++-- + plugins/sudoers/parse.h | 3 +- + plugins/sudoers/sssd.c | 7 +- + 7 files changed, 140 insertions(+), 121 deletions(-) + +diff --git a/plugins/sudoers/file.c b/plugins/sudoers/file.c +index fff78a19..5028ce01 100644 +--- a/plugins/sudoers/file.c ++++ b/plugins/sudoers/file.c +@@ -85,7 +85,7 @@ sudo_file_open(struct sudo_nss *nss) + if (handle != NULL) { + handle->fp = open_sudoers(sudoers_file, false, NULL); + if (handle->fp != NULL) { +- init_parse_tree(&handle->parse_tree); ++ init_parse_tree(&handle->parse_tree, NULL, NULL); + } else { + free(handle); + handle = NULL; +diff --git a/plugins/sudoers/gram.c b/plugins/sudoers/gram.c +index 343e4299..6545e129 100644 +--- a/plugins/sudoers/gram.c ++++ b/plugins/sudoers/gram.c +@@ -106,7 +106,9 @@ char *errorfile = NULL; + struct sudoers_parse_tree parsed_policy = { + TAILQ_HEAD_INITIALIZER(parsed_policy.userspecs), + TAILQ_HEAD_INITIALIZER(parsed_policy.defaults), +- NULL /* aliases */ ++ NULL, /* aliases */ ++ NULL, /* lhost */ ++ NULL /* shost */ + }; + + /* +@@ -118,7 +120,7 @@ static bool add_userspec(struct member *, struct privilege *); + static struct defaults *new_default(char *, char *, short); + static struct member *new_member(char *, int); + static struct command_digest *new_digest(int, char *); +-#line 80 "gram.y" ++#line 82 "gram.y" + #ifndef YYSTYPE_DEFINED + #define YYSTYPE_DEFINED + typedef union { +@@ -135,7 +137,7 @@ typedef union { + int tok; + } YYSTYPE; + #endif /* YYSTYPE_DEFINED */ +-#line 133 "gram.c" ++#line 135 "gram.c" + #define COMMAND 257 + #define ALIAS 258 + #define DEFVAR 259 +@@ -675,7 +677,7 @@ short *yysslim; + YYSTYPE *yyvs; + unsigned int yystacksize; + int yyparse(void); +-#line 906 "gram.y" ++#line 908 "gram.y" + void + sudoerserror(const char *s) + { +@@ -1019,11 +1021,14 @@ free_userspec(struct userspec *us) + * Initialized a sudoers parse tree. + */ + void +-init_parse_tree(struct sudoers_parse_tree *parse_tree) ++init_parse_tree(struct sudoers_parse_tree *parse_tree, const char *lhost, ++ const char *shost) + { + TAILQ_INIT(&parse_tree->userspecs); + TAILQ_INIT(&parse_tree->defaults); + parse_tree->aliases = NULL; ++ parse_tree->shost = shost; ++ parse_tree->lhost = lhost; + } + + /* +@@ -1100,7 +1105,7 @@ init_options(struct command_options *opts) + opts->limitprivs = NULL; + #endif + } +-#line 1046 "gram.c" ++#line 1051 "gram.c" + /* allocate initial stack or double stack size, up to YYMAXDEPTH */ + #if defined(__cplusplus) || defined(__STDC__) + static int yygrowstack(void) +@@ -1309,23 +1314,23 @@ yyparse() + switch (yyn) + { + case 1: +-#line 178 "gram.y" ++#line 180 "gram.y" + { ; } + break; + case 5: +-#line 186 "gram.y" ++#line 188 "gram.y" + { + ; + } + break; + case 6: +-#line 189 "gram.y" ++#line 191 "gram.y" + { + yyerrok; + } + break; + case 7: +-#line 192 "gram.y" ++#line 194 "gram.y" + { + if (!add_userspec(yyvsp[-1].member, yyvsp[0].privilege)) { + sudoerserror(N_("unable to allocate memory")); +@@ -1334,73 +1339,73 @@ case 7: + } + break; + case 8: +-#line 198 "gram.y" ++#line 200 "gram.y" + { + ; + } + break; + case 9: +-#line 201 "gram.y" ++#line 203 "gram.y" + { + ; + } + break; + case 10: +-#line 204 "gram.y" ++#line 206 "gram.y" + { + ; + } + break; + case 11: +-#line 207 "gram.y" ++#line 209 "gram.y" + { + ; + } + break; + case 12: +-#line 210 "gram.y" ++#line 212 "gram.y" + { + if (!add_defaults(DEFAULTS, NULL, yyvsp[0].defaults)) + YYERROR; + } + break; + case 13: +-#line 214 "gram.y" ++#line 216 "gram.y" + { + if (!add_defaults(DEFAULTS_USER, yyvsp[-1].member, yyvsp[0].defaults)) + YYERROR; + } + break; + case 14: +-#line 218 "gram.y" ++#line 220 "gram.y" + { + if (!add_defaults(DEFAULTS_RUNAS, yyvsp[-1].member, yyvsp[0].defaults)) + YYERROR; + } + break; + case 15: +-#line 222 "gram.y" ++#line 224 "gram.y" + { + if (!add_defaults(DEFAULTS_HOST, yyvsp[-1].member, yyvsp[0].defaults)) + YYERROR; + } + break; + case 16: +-#line 226 "gram.y" ++#line 228 "gram.y" + { + if (!add_defaults(DEFAULTS_CMND, yyvsp[-1].member, yyvsp[0].defaults)) + YYERROR; + } + break; + case 18: +-#line 233 "gram.y" ++#line 235 "gram.y" + { + HLTQ_CONCAT(yyvsp[-2].defaults, yyvsp[0].defaults, entries); + yyval.defaults = yyvsp[-2].defaults; + } + break; + case 19: +-#line 239 "gram.y" ++#line 241 "gram.y" + { + yyval.defaults = new_default(yyvsp[0].string, NULL, true); + if (yyval.defaults == NULL) { +@@ -1410,7 +1415,7 @@ case 19: + } + break; + case 20: +-#line 246 "gram.y" ++#line 248 "gram.y" + { + yyval.defaults = new_default(yyvsp[0].string, NULL, false); + if (yyval.defaults == NULL) { +@@ -1420,7 +1425,7 @@ case 20: + } + break; + case 21: +-#line 253 "gram.y" ++#line 255 "gram.y" + { + yyval.defaults = new_default(yyvsp[-2].string, yyvsp[0].string, true); + if (yyval.defaults == NULL) { +@@ -1430,7 +1435,7 @@ case 21: + } + break; + case 22: +-#line 260 "gram.y" ++#line 262 "gram.y" + { + yyval.defaults = new_default(yyvsp[-2].string, yyvsp[0].string, '+'); + if (yyval.defaults == NULL) { +@@ -1440,7 +1445,7 @@ case 22: + } + break; + case 23: +-#line 267 "gram.y" ++#line 269 "gram.y" + { + yyval.defaults = new_default(yyvsp[-2].string, yyvsp[0].string, '-'); + if (yyval.defaults == NULL) { +@@ -1450,14 +1455,14 @@ case 23: + } + break; + case 25: +-#line 277 "gram.y" ++#line 279 "gram.y" + { + HLTQ_CONCAT(yyvsp[-2].privilege, yyvsp[0].privilege, entries); + yyval.privilege = yyvsp[-2].privilege; + } + break; + case 26: +-#line 283 "gram.y" ++#line 285 "gram.y" + { + struct privilege *p = calloc(1, sizeof(*p)); + if (p == NULL) { +@@ -1472,21 +1477,21 @@ case 26: + } + break; + case 27: +-#line 297 "gram.y" ++#line 299 "gram.y" + { + yyval.member = yyvsp[0].member; + yyval.member->negated = false; + } + break; + case 28: +-#line 301 "gram.y" ++#line 303 "gram.y" + { + yyval.member = yyvsp[0].member; + yyval.member->negated = true; + } + break; + case 29: +-#line 307 "gram.y" ++#line 309 "gram.y" + { + yyval.member = new_member(yyvsp[0].string, ALIAS); + if (yyval.member == NULL) { +@@ -1496,7 +1501,7 @@ case 29: + } + break; + case 30: +-#line 314 "gram.y" ++#line 316 "gram.y" + { + yyval.member = new_member(NULL, ALL); + if (yyval.member == NULL) { +@@ -1506,7 +1511,7 @@ case 30: + } + break; + case 31: +-#line 321 "gram.y" ++#line 323 "gram.y" + { + yyval.member = new_member(yyvsp[0].string, NETGROUP); + if (yyval.member == NULL) { +@@ -1516,7 +1521,7 @@ case 31: + } + break; + case 32: +-#line 328 "gram.y" ++#line 330 "gram.y" + { + yyval.member = new_member(yyvsp[0].string, NTWKADDR); + if (yyval.member == NULL) { +@@ -1526,7 +1531,7 @@ case 32: + } + break; + case 33: +-#line 335 "gram.y" ++#line 337 "gram.y" + { + yyval.member = new_member(yyvsp[0].string, WORD); + if (yyval.member == NULL) { +@@ -1536,7 +1541,7 @@ case 33: + } + break; + case 35: +-#line 345 "gram.y" ++#line 347 "gram.y" + { + struct cmndspec *prev; + prev = HLTQ_LAST(yyvsp[-2].cmndspec, cmndspec, entries); +@@ -1590,7 +1595,7 @@ case 35: + } + break; + case 36: +-#line 398 "gram.y" ++#line 400 "gram.y" + { + struct cmndspec *cs = calloc(1, sizeof(*cs)); + if (cs == NULL) { +@@ -1642,7 +1647,7 @@ case 36: + } + break; + case 37: +-#line 449 "gram.y" ++#line 451 "gram.y" + { + yyval.digest = new_digest(SUDO_DIGEST_SHA224, yyvsp[0].string); + if (yyval.digest == NULL) { +@@ -1652,7 +1657,7 @@ case 37: + } + break; + case 38: +-#line 456 "gram.y" ++#line 458 "gram.y" + { + yyval.digest = new_digest(SUDO_DIGEST_SHA256, yyvsp[0].string); + if (yyval.digest == NULL) { +@@ -1662,7 +1667,7 @@ case 38: + } + break; + case 39: +-#line 463 "gram.y" ++#line 465 "gram.y" + { + yyval.digest = new_digest(SUDO_DIGEST_SHA384, yyvsp[0].string); + if (yyval.digest == NULL) { +@@ -1672,7 +1677,7 @@ case 39: + } + break; + case 40: +-#line 470 "gram.y" ++#line 472 "gram.y" + { + yyval.digest = new_digest(SUDO_DIGEST_SHA512, yyvsp[0].string); + if (yyval.digest == NULL) { +@@ -1682,13 +1687,13 @@ case 40: + } + break; + case 41: +-#line 479 "gram.y" ++#line 481 "gram.y" + { + yyval.member = yyvsp[0].member; + } + break; + case 42: +-#line 482 "gram.y" ++#line 484 "gram.y" + { + if (yyvsp[0].member->type != COMMAND) { + sudoerserror(N_("a digest requires a path name")); +@@ -1700,75 +1705,75 @@ case 42: + } + break; + case 43: +-#line 493 "gram.y" ++#line 495 "gram.y" + { + yyval.member = yyvsp[0].member; + yyval.member->negated = false; + } + break; + case 44: +-#line 497 "gram.y" ++#line 499 "gram.y" + { + yyval.member = yyvsp[0].member; + yyval.member->negated = true; + } + break; + case 45: +-#line 503 "gram.y" ++#line 505 "gram.y" + { + yyval.string = yyvsp[0].string; + } + break; + case 46: +-#line 508 "gram.y" ++#line 510 "gram.y" + { + yyval.string = yyvsp[0].string; + } + break; + case 47: +-#line 512 "gram.y" ++#line 514 "gram.y" + { + yyval.string = yyvsp[0].string; + } + break; + case 48: +-#line 517 "gram.y" ++#line 519 "gram.y" + { + yyval.string = yyvsp[0].string; + } + break; + case 49: +-#line 522 "gram.y" ++#line 524 "gram.y" + { + yyval.string = yyvsp[0].string; + } + break; + case 50: +-#line 527 "gram.y" ++#line 529 "gram.y" + { + yyval.string = yyvsp[0].string; + } + break; + case 51: +-#line 531 "gram.y" ++#line 533 "gram.y" + { + yyval.string = yyvsp[0].string; + } + break; + case 52: +-#line 536 "gram.y" ++#line 538 "gram.y" + { + yyval.runas = NULL; + } + break; + case 53: +-#line 539 "gram.y" ++#line 541 "gram.y" + { + yyval.runas = yyvsp[-1].runas; + } + break; + case 54: +-#line 544 "gram.y" ++#line 546 "gram.y" + { + yyval.runas = calloc(1, sizeof(struct runascontainer)); + if (yyval.runas != NULL) { +@@ -1786,7 +1791,7 @@ case 54: + } + break; + case 55: +-#line 559 "gram.y" ++#line 561 "gram.y" + { + yyval.runas = calloc(1, sizeof(struct runascontainer)); + if (yyval.runas == NULL) { +@@ -1798,7 +1803,7 @@ case 55: + } + break; + case 56: +-#line 568 "gram.y" ++#line 570 "gram.y" + { + yyval.runas = calloc(1, sizeof(struct runascontainer)); + if (yyval.runas == NULL) { +@@ -1810,7 +1815,7 @@ case 56: + } + break; + case 57: +-#line 577 "gram.y" ++#line 579 "gram.y" + { + yyval.runas = calloc(1, sizeof(struct runascontainer)); + if (yyval.runas == NULL) { +@@ -1822,7 +1827,7 @@ case 57: + } + break; + case 58: +-#line 586 "gram.y" ++#line 588 "gram.y" + { + yyval.runas = calloc(1, sizeof(struct runascontainer)); + if (yyval.runas != NULL) { +@@ -1840,13 +1845,13 @@ case 58: + } + break; + case 59: +-#line 603 "gram.y" ++#line 605 "gram.y" + { + init_options(&yyval.options); + } + break; + case 60: +-#line 606 "gram.y" ++#line 608 "gram.y" + { + yyval.options.notbefore = parse_gentime(yyvsp[0].string); + free(yyvsp[0].string); +@@ -1857,7 +1862,7 @@ case 60: + } + break; + case 61: +-#line 614 "gram.y" ++#line 616 "gram.y" + { + yyval.options.notafter = parse_gentime(yyvsp[0].string); + free(yyvsp[0].string); +@@ -1868,7 +1873,7 @@ case 61: + } + break; + case 62: +-#line 622 "gram.y" ++#line 624 "gram.y" + { + yyval.options.timeout = parse_timeout(yyvsp[0].string); + free(yyvsp[0].string); +@@ -1882,7 +1887,7 @@ case 62: + } + break; + case 63: +-#line 633 "gram.y" ++#line 635 "gram.y" + { + #ifdef HAVE_SELINUX + free(yyval.options.role); +@@ -1891,7 +1896,7 @@ case 63: + } + break; + case 64: +-#line 639 "gram.y" ++#line 641 "gram.y" + { + #ifdef HAVE_SELINUX + free(yyval.options.type); +@@ -1900,7 +1905,7 @@ case 64: + } + break; + case 65: +-#line 645 "gram.y" ++#line 647 "gram.y" + { + #ifdef HAVE_PRIV_SET + free(yyval.options.privs); +@@ -1909,7 +1914,7 @@ case 65: + } + break; + case 66: +-#line 651 "gram.y" ++#line 653 "gram.y" + { + #ifdef HAVE_PRIV_SET + free(yyval.options.limitprivs); +@@ -1918,97 +1923,97 @@ case 66: + } + break; + case 67: +-#line 659 "gram.y" ++#line 661 "gram.y" + { + TAGS_INIT(yyval.tag); + } + break; + case 68: +-#line 662 "gram.y" ++#line 664 "gram.y" + { + yyval.tag.nopasswd = true; + } + break; + case 69: +-#line 665 "gram.y" ++#line 667 "gram.y" + { + yyval.tag.nopasswd = false; + } + break; + case 70: +-#line 668 "gram.y" ++#line 670 "gram.y" + { + yyval.tag.noexec = true; + } + break; + case 71: +-#line 671 "gram.y" ++#line 673 "gram.y" + { + yyval.tag.noexec = false; + } + break; + case 72: +-#line 674 "gram.y" ++#line 676 "gram.y" + { + yyval.tag.setenv = true; + } + break; + case 73: +-#line 677 "gram.y" ++#line 679 "gram.y" + { + yyval.tag.setenv = false; + } + break; + case 74: +-#line 680 "gram.y" ++#line 682 "gram.y" + { + yyval.tag.log_input = true; + } + break; + case 75: +-#line 683 "gram.y" ++#line 685 "gram.y" + { + yyval.tag.log_input = false; + } + break; + case 76: +-#line 686 "gram.y" ++#line 688 "gram.y" + { + yyval.tag.log_output = true; + } + break; + case 77: +-#line 689 "gram.y" ++#line 691 "gram.y" + { + yyval.tag.log_output = false; + } + break; + case 78: +-#line 692 "gram.y" ++#line 694 "gram.y" + { + yyval.tag.follow = true; + } + break; + case 79: +-#line 695 "gram.y" ++#line 697 "gram.y" + { + yyval.tag.follow = false; + } + break; + case 80: +-#line 698 "gram.y" ++#line 700 "gram.y" + { + yyval.tag.send_mail = true; + } + break; + case 81: +-#line 701 "gram.y" ++#line 703 "gram.y" + { + yyval.tag.send_mail = false; + } + break; + case 82: +-#line 706 "gram.y" ++#line 708 "gram.y" + { + yyval.member = new_member(NULL, ALL); + if (yyval.member == NULL) { +@@ -2018,7 +2023,7 @@ case 82: + } + break; + case 83: +-#line 713 "gram.y" ++#line 715 "gram.y" + { + yyval.member = new_member(yyvsp[0].string, ALIAS); + if (yyval.member == NULL) { +@@ -2028,7 +2033,7 @@ case 83: + } + break; + case 84: +-#line 720 "gram.y" ++#line 722 "gram.y" + { + struct sudo_command *c = calloc(1, sizeof(*c)); + if (c == NULL) { +@@ -2046,7 +2051,7 @@ case 84: + } + break; + case 87: +-#line 741 "gram.y" ++#line 743 "gram.y" + { + const char *s; + s = alias_add(&parsed_policy, yyvsp[-2].string, HOSTALIAS, +@@ -2058,14 +2063,14 @@ case 87: + } + break; + case 89: +-#line 753 "gram.y" ++#line 755 "gram.y" + { + HLTQ_CONCAT(yyvsp[-2].member, yyvsp[0].member, entries); + yyval.member = yyvsp[-2].member; + } + break; + case 92: +-#line 763 "gram.y" ++#line 765 "gram.y" + { + const char *s; + s = alias_add(&parsed_policy, yyvsp[-2].string, CMNDALIAS, +@@ -2077,14 +2082,14 @@ case 92: + } + break; + case 94: +-#line 775 "gram.y" ++#line 777 "gram.y" + { + HLTQ_CONCAT(yyvsp[-2].member, yyvsp[0].member, entries); + yyval.member = yyvsp[-2].member; + } + break; + case 97: +-#line 785 "gram.y" ++#line 787 "gram.y" + { + const char *s; + s = alias_add(&parsed_policy, yyvsp[-2].string, RUNASALIAS, +@@ -2096,7 +2101,7 @@ case 97: + } + break; + case 100: +-#line 800 "gram.y" ++#line 802 "gram.y" + { + const char *s; + s = alias_add(&parsed_policy, yyvsp[-2].string, USERALIAS, +@@ -2108,28 +2113,28 @@ case 100: + } + break; + case 102: +-#line 812 "gram.y" ++#line 814 "gram.y" + { + HLTQ_CONCAT(yyvsp[-2].member, yyvsp[0].member, entries); + yyval.member = yyvsp[-2].member; + } + break; + case 103: +-#line 818 "gram.y" ++#line 820 "gram.y" + { + yyval.member = yyvsp[0].member; + yyval.member->negated = false; + } + break; + case 104: +-#line 822 "gram.y" ++#line 824 "gram.y" + { + yyval.member = yyvsp[0].member; + yyval.member->negated = true; + } + break; + case 105: +-#line 828 "gram.y" ++#line 830 "gram.y" + { + yyval.member = new_member(yyvsp[0].string, ALIAS); + if (yyval.member == NULL) { +@@ -2139,7 +2144,7 @@ case 105: + } + break; + case 106: +-#line 835 "gram.y" ++#line 837 "gram.y" + { + yyval.member = new_member(NULL, ALL); + if (yyval.member == NULL) { +@@ -2149,7 +2154,7 @@ case 106: + } + break; + case 107: +-#line 842 "gram.y" ++#line 844 "gram.y" + { + yyval.member = new_member(yyvsp[0].string, NETGROUP); + if (yyval.member == NULL) { +@@ -2159,7 +2164,7 @@ case 107: + } + break; + case 108: +-#line 849 "gram.y" ++#line 851 "gram.y" + { + yyval.member = new_member(yyvsp[0].string, USERGROUP); + if (yyval.member == NULL) { +@@ -2169,7 +2174,7 @@ case 108: + } + break; + case 109: +-#line 856 "gram.y" ++#line 858 "gram.y" + { + yyval.member = new_member(yyvsp[0].string, WORD); + if (yyval.member == NULL) { +@@ -2179,28 +2184,28 @@ case 109: + } + break; + case 111: +-#line 866 "gram.y" ++#line 868 "gram.y" + { + HLTQ_CONCAT(yyvsp[-2].member, yyvsp[0].member, entries); + yyval.member = yyvsp[-2].member; + } + break; + case 112: +-#line 872 "gram.y" ++#line 874 "gram.y" + { + yyval.member = yyvsp[0].member; + yyval.member->negated = false; + } + break; + case 113: +-#line 876 "gram.y" ++#line 878 "gram.y" + { + yyval.member = yyvsp[0].member; + yyval.member->negated = true; + } + break; + case 114: +-#line 882 "gram.y" ++#line 884 "gram.y" + { + yyval.member = new_member(yyvsp[0].string, ALIAS); + if (yyval.member == NULL) { +@@ -2210,7 +2215,7 @@ case 114: + } + break; + case 115: +-#line 889 "gram.y" ++#line 891 "gram.y" + { + yyval.member = new_member(NULL, ALL); + if (yyval.member == NULL) { +@@ -2220,7 +2225,7 @@ case 115: + } + break; + case 116: +-#line 896 "gram.y" ++#line 898 "gram.y" + { + yyval.member = new_member(yyvsp[0].string, WORD); + if (yyval.member == NULL) { +@@ -2229,7 +2234,7 @@ case 116: + } + } + break; +-#line 2175 "gram.c" ++#line 2180 "gram.c" + } + yyssp -= yym; + yystate = *yyssp; +diff --git a/plugins/sudoers/gram.y b/plugins/sudoers/gram.y +index 6f437062..e4a0b6d3 100644 +--- a/plugins/sudoers/gram.y ++++ b/plugins/sudoers/gram.y +@@ -63,7 +63,9 @@ char *errorfile = NULL; + struct sudoers_parse_tree parsed_policy = { + TAILQ_HEAD_INITIALIZER(parsed_policy.userspecs), + TAILQ_HEAD_INITIALIZER(parsed_policy.defaults), +- NULL /* aliases */ ++ NULL, /* aliases */ ++ NULL, /* lhost */ ++ NULL /* shost */ + }; + + /* +@@ -1246,11 +1248,14 @@ free_userspec(struct userspec *us) + * Initialized a sudoers parse tree. + */ + void +-init_parse_tree(struct sudoers_parse_tree *parse_tree) ++init_parse_tree(struct sudoers_parse_tree *parse_tree, const char *lhost, ++ const char *shost) + { + TAILQ_INIT(&parse_tree->userspecs); + TAILQ_INIT(&parse_tree->defaults); + parse_tree->aliases = NULL; ++ parse_tree->shost = shost; ++ parse_tree->lhost = lhost; + } + + /* +diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c +index 3bbd2523..1a4212bf 100644 +--- a/plugins/sudoers/ldap.c ++++ b/plugins/sudoers/ldap.c +@@ -1665,7 +1665,7 @@ sudo_ldap_open(struct sudo_nss *nss) + } + handle->ld = ld; + /* handle->pw = NULL; */ +- init_parse_tree(&handle->parse_tree); ++ init_parse_tree(&handle->parse_tree, NULL, NULL); + nss->handle = handle; + + done: +diff --git a/plugins/sudoers/match.c b/plugins/sudoers/match.c +index 1936d4b0..165a8f75 100644 +--- a/plugins/sudoers/match.c ++++ b/plugins/sudoers/match.c +@@ -72,8 +72,10 @@ int + user_matches(struct sudoers_parse_tree *parse_tree, const struct passwd *pw, + const struct member *m) + { +- struct alias *a; ++ const char *lhost = parse_tree->lhost ? parse_tree->lhost : user_runhost; ++ const char *shost = parse_tree->shost ? parse_tree->shost : user_srunhost; + int matched = UNSPEC; ++ struct alias *a; + debug_decl(user_matches, SUDOERS_DEBUG_MATCH) + + switch (m->type) { +@@ -82,8 +84,8 @@ user_matches(struct sudoers_parse_tree *parse_tree, const struct passwd *pw, + break; + case NETGROUP: + if (netgr_matches(m->name, +- def_netgroup_tuple ? user_runhost : NULL, +- def_netgroup_tuple ? user_srunhost : NULL, pw->pw_name)) ++ def_netgroup_tuple ? lhost : NULL, ++ def_netgroup_tuple ? shost : NULL, pw->pw_name)) + matched = !m->negated; + break; + case USERGROUP: +@@ -153,11 +155,13 @@ runaslist_matches(struct sudoers_parse_tree *parse_tree, + const struct member_list *user_list, const struct member_list *group_list, + struct member **matching_user, struct member **matching_group) + { ++ const char *lhost = parse_tree->lhost ? parse_tree->lhost : user_runhost; ++ const char *shost = parse_tree->shost ? parse_tree->shost : user_srunhost; ++ int user_matched = UNSPEC; ++ int group_matched = UNSPEC; + struct member *m; + struct alias *a; + int rc; +- int user_matched = UNSPEC; +- int group_matched = UNSPEC; + debug_decl(runaslist_matches, SUDOERS_DEBUG_MATCH) + + if (ISSET(sudo_user.flags, RUNAS_USER_SPECIFIED) || !ISSET(sudo_user.flags, RUNAS_GROUP_SPECIFIED)) { +@@ -175,8 +179,8 @@ runaslist_matches(struct sudoers_parse_tree *parse_tree, + break; + case NETGROUP: + if (netgr_matches(m->name, +- def_netgroup_tuple ? user_runhost : NULL, +- def_netgroup_tuple ? user_srunhost : NULL, ++ def_netgroup_tuple ? lhost : NULL, ++ def_netgroup_tuple ? shost : NULL, + runas_pw->pw_name)) + user_matched = !m->negated; + break; +@@ -309,7 +313,10 @@ int + hostlist_matches(struct sudoers_parse_tree *parse_tree, const struct passwd *pw, + const struct member_list *list) + { +- return hostlist_matches_int(parse_tree, pw, user_runhost, user_srunhost, list); ++ const char *lhost = parse_tree->lhost ? parse_tree->lhost : user_runhost; ++ const char *shost = parse_tree->shost ? parse_tree->shost : user_srunhost; ++ ++ return hostlist_matches_int(parse_tree, pw, lhost, shost, list); + } + + /* +diff --git a/plugins/sudoers/parse.h b/plugins/sudoers/parse.h +index 30813f6d..f5961f7f 100644 +--- a/plugins/sudoers/parse.h ++++ b/plugins/sudoers/parse.h +@@ -272,6 +272,7 @@ struct sudoers_parse_tree { + struct userspec_list userspecs; + struct defaults_list defaults; + struct rbtree *aliases; ++ const char *shost, *lhost; + }; + + /* alias.c */ +@@ -297,7 +298,7 @@ void free_userspec(struct userspec *us); + void free_userspecs(struct userspec_list *usl); + void free_default(struct defaults *def, struct member_list **binding); + void free_defaults(struct defaults_list *defs); +-void init_parse_tree(struct sudoers_parse_tree *parse_tree); ++void init_parse_tree(struct sudoers_parse_tree *parse_tree, const char *shost, const char *lhost); + void free_parse_tree(struct sudoers_parse_tree *parse_tree); + void reparent_parse_tree(struct sudoers_parse_tree *new_tree); + +diff --git a/plugins/sudoers/sssd.c b/plugins/sudoers/sssd.c +index 4f4464a6..69f6c1f9 100644 +--- a/plugins/sudoers/sssd.c ++++ b/plugins/sudoers/sssd.c +@@ -554,7 +554,6 @@ sudo_sss_open(struct sudo_nss *nss) + sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory")); + debug_return_int(ENOMEM); + } +- init_parse_tree(&handle->parse_tree); + + /* Load symbols */ + handle->ssslib = sudo_dso_load(path, SUDO_DSO_LAZY); +@@ -612,8 +611,6 @@ sudo_sss_open(struct sudo_nss *nss) + debug_return_int(EFAULT); + } + +- nss->handle = handle; +- + /* + * If runhost is the same as the local host, check for ipa_hostname + * in sssd.conf and use it in preference to user_runhost. +@@ -625,6 +622,10 @@ sudo_sss_open(struct sudo_nss *nss) + } + } + ++ /* The "parse tree" contains userspecs, defaults, aliases and hostnames. */ ++ init_parse_tree(&handle->parse_tree, handle->ipa_host, handle->ipa_shost); ++ nss->handle = handle; ++ + sudo_debug_printf(SUDO_DEBUG_DEBUG, "handle=%p", handle); + + debug_return_int(0); diff --git a/SOURCES/sudo-1.8.28-CVE-strtouid-test.patch b/SOURCES/sudo-1.8.28-CVE-strtouid-test.patch new file mode 100644 index 0000000..0ae387a --- /dev/null +++ b/SOURCES/sudo-1.8.28-CVE-strtouid-test.patch @@ -0,0 +1,96 @@ +diff -up ./lib/util/regress/atofoo/atofoo_test.c.CVE-strtouid-test ./lib/util/regress/atofoo/atofoo_test.c +--- ./lib/util/regress/atofoo/atofoo_test.c.CVE-strtouid-test 2018-04-29 21:59:23.000000000 +0200 ++++ ./lib/util/regress/atofoo/atofoo_test.c 2019-10-16 09:38:31.851404545 +0200 +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2014 Todd C. Miller ++ * Copyright (c) 2014-2019 Todd C. Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above +@@ -24,6 +24,7 @@ + #else + # include "compat/stdbool.h" + #endif ++#include + + #include "sudo_compat.h" + #include "sudo_util.h" +@@ -78,15 +79,20 @@ static struct strtoid_data { + id_t id; + const char *sep; + const char *ep; ++ int errnum; + } strtoid_data[] = { +- { "0,1", 0, ",", "," }, +- { "10", 10, NULL, NULL }, +- { "-2", -2, NULL, NULL }, ++ { "0,1", 0, ",", ",", 0 }, ++ { "10", 10, NULL, NULL, 0 }, ++ { "-1", 0, NULL, NULL, EINVAL }, ++ { "4294967295", 0, NULL, NULL, EINVAL }, ++ { "4294967296", 0, NULL, NULL, ERANGE }, ++ { "-2147483649", 0, NULL, NULL, ERANGE }, ++ { "-2", -2, NULL, NULL, 0 }, + #if SIZEOF_ID_T != SIZEOF_LONG_LONG +- { "-2", (id_t)4294967294U, NULL, NULL }, ++ { "-2", (id_t)4294967294U, NULL, NULL, 0 }, + #endif +- { "4294967294", (id_t)4294967294U, NULL, NULL }, +- { NULL, 0, NULL, NULL } ++ { "4294967294", (id_t)4294967294U, NULL, NULL, 0 }, ++ { NULL, 0, NULL, NULL, 0 } + }; + + static int +@@ -102,11 +108,23 @@ test_strtoid(int *ntests) + (*ntests)++; + errstr = "some error"; + value = sudo_strtoid(d->idstr, d->sep, &ep, &errstr); +- if (errstr != NULL) { +- if (d->id != (id_t)-1) { +- sudo_warnx_nodebug("FAIL: %s: %s", d->idstr, errstr); ++ if (d->errnum != 0) { ++ if (errstr == NULL) { ++ sudo_warnx_nodebug("FAIL: %s: missing errstr for errno %d", ++ d->idstr, d->errnum); ++ errors++; ++ } else if (value != 0) { ++ sudo_warnx_nodebug("FAIL: %s should return 0 on error", ++ d->idstr); ++ errors++; ++ } else if (errno != d->errnum) { ++ sudo_warnx_nodebug("FAIL: %s: errno mismatch, %d != %d", ++ d->idstr, errno, d->errnum); + errors++; + } ++ } else if (errstr != NULL) { ++ sudo_warnx_nodebug("FAIL: %s: %s", d->idstr, errstr); ++ errors++; + } else if (value != d->id) { + sudo_warnx_nodebug("FAIL: %s != %u", d->idstr, (unsigned int)d->id); + errors++; +diff -up ./plugins/sudoers/regress/testsudoers/test5.out.ok.CVE-strtouid-test ./plugins/sudoers/regress/testsudoers/test5.out.ok +--- ./plugins/sudoers/regress/testsudoers/test5.out.ok.CVE-strtouid-test 2018-04-29 21:59:23.000000000 +0200 ++++ ./plugins/sudoers/regress/testsudoers/test5.out.ok 2019-10-16 09:29:50.246761680 +0200 +@@ -4,7 +4,7 @@ Parse error in sudoers near line 1. + Entries for user root: + + Command unmatched +-testsudoers: test5.inc should be owned by gid 4294967295 ++testsudoers: test5.inc should be owned by gid 4294967294 + Parse error in sudoers near line 1. + + Entries for user root: +diff -up ./plugins/sudoers/regress/testsudoers/test5.sh.CVE-strtouid-test ./plugins/sudoers/regress/testsudoers/test5.sh +--- ./plugins/sudoers/regress/testsudoers/test5.sh.CVE-strtouid-test 2018-04-29 21:59:23.000000000 +0200 ++++ ./plugins/sudoers/regress/testsudoers/test5.sh 2019-10-16 09:29:50.246761680 +0200 +@@ -24,7 +24,7 @@ EOF + + # Test group writable + chmod 664 $TESTFILE +-./testsudoers -U $MYUID -G -1 root id < ++ * Copyright (c) 2013-2019 Todd C. Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above +@@ -47,6 +47,27 @@ + #include "sudo_util.h" + + /* ++ * Make sure that the ID ends with a valid separator char. ++ */ ++static bool ++valid_separator(const char *p, const char *ep, const char *sep) ++{ ++ bool valid = false; ++ debug_decl(valid_separator, SUDO_DEBUG_UTIL) ++ ++ if (ep != p) { ++ /* check for valid separator (including '\0') */ ++ if (sep == NULL) ++ sep = ""; ++ do { ++ if (*ep == *sep) ++ valid = true; ++ } while (*sep++ != '\0'); ++ } ++ debug_return_bool(valid); ++} ++ ++/* + * Parse a uid/gid in string form. + * If sep is non-NULL, it contains valid separator characters (e.g. comma, space) + * If endp is non-NULL it is set to the next char after the ID. +@@ -60,38 +81,35 @@ sudo_strtoid_v1(const char *p, const cha + char *ep; + id_t ret = 0; + long long llval; +- bool valid = false; + debug_decl(sudo_strtoid, SUDO_DEBUG_UTIL) + + /* skip leading space so we can pick up the sign, if any */ + while (isspace((unsigned char)*p)) + p++; +- if (sep == NULL) +- sep = ""; ++ ++ /* While id_t may be 64-bit signed, uid_t and gid_t are 32-bit unsigned. */ + errno = 0; + llval = strtoll(p, &ep, 10); +- if (ep != p) { +- /* check for valid separator (including '\0') */ +- do { +- if (*ep == *sep) +- valid = true; +- } while (*sep++ != '\0'); ++ if ((errno == ERANGE && llval == LLONG_MAX) || llval > (id_t)UINT_MAX) { ++ errno = ERANGE; ++ if (errstr != NULL) ++ *errstr = N_("value too large"); ++ goto done; + } +- if (!valid) { ++ if ((errno == ERANGE && llval == LLONG_MIN) || llval < INT_MIN) { ++ errno = ERANGE; ++ if (errstr != NULL) ++ *errstr = N_("value too small"); ++ goto done; ++ } ++ ++ /* Disallow id -1, which means "no change". */ ++ if (!valid_separator(p, ep, sep) || llval == -1 || llval == (id_t)UINT_MAX) { + if (errstr != NULL) + *errstr = N_("invalid value"); + errno = EINVAL; + goto done; + } +- if (errno == ERANGE) { +- if (errstr != NULL) { +- if (llval == LLONG_MAX) +- *errstr = N_("value too large"); +- else +- *errstr = N_("value too small"); +- } +- goto done; +- } + ret = (id_t)llval; + if (errstr != NULL) + *errstr = NULL; +@@ -106,30 +124,15 @@ sudo_strtoid_v1(const char *p, const cha + { + char *ep; + id_t ret = 0; +- bool valid = false; + debug_decl(sudo_strtoid, SUDO_DEBUG_UTIL) + + /* skip leading space so we can pick up the sign, if any */ + while (isspace((unsigned char)*p)) + p++; +- if (sep == NULL) +- sep = ""; ++ + errno = 0; + if (*p == '-') { + long lval = strtol(p, &ep, 10); +- if (ep != p) { +- /* check for valid separator (including '\0') */ +- do { +- if (*ep == *sep) +- valid = true; +- } while (*sep++ != '\0'); +- } +- if (!valid) { +- if (errstr != NULL) +- *errstr = N_("invalid value"); +- errno = EINVAL; +- goto done; +- } + if ((errno == ERANGE && lval == LONG_MAX) || lval > INT_MAX) { + errno = ERANGE; + if (errstr != NULL) +@@ -142,28 +145,31 @@ sudo_strtoid_v1(const char *p, const cha + *errstr = N_("value too small"); + goto done; + } +- ret = (id_t)lval; +- } else { +- unsigned long ulval = strtoul(p, &ep, 10); +- if (ep != p) { +- /* check for valid separator (including '\0') */ +- do { +- if (*ep == *sep) +- valid = true; +- } while (*sep++ != '\0'); +- } +- if (!valid) { ++ ++ /* Disallow id -1, which means "no change". */ ++ if (!valid_separator(p, ep, sep) || lval == -1) { + if (errstr != NULL) + *errstr = N_("invalid value"); + errno = EINVAL; + goto done; + } ++ ret = (id_t)lval; ++ } else { ++ unsigned long ulval = strtoul(p, &ep, 10); + if ((errno == ERANGE && ulval == ULONG_MAX) || ulval > UINT_MAX) { + errno = ERANGE; + if (errstr != NULL) + *errstr = N_("value too large"); + goto done; + } ++ ++ /* Disallow id -1, which means "no change". */ ++ if (!valid_separator(p, ep, sep) || ulval == UINT_MAX) { ++ if (errstr != NULL) ++ *errstr = N_("invalid value"); ++ errno = EINVAL; ++ goto done; ++ } + ret = (id_t)ulval; + } + if (errstr != NULL) diff --git a/SPECS/sudo.spec b/SPECS/sudo.spec index 4e18ed9..e550d0d 100644 --- a/SPECS/sudo.spec +++ b/SPECS/sudo.spec @@ -1,7 +1,7 @@ Summary: Allows restricted root access for specified users Name: sudo Version: 1.8.25p1 -Release: 4%{?dist}.1 +Release: 8%{?dist} License: ISC Group: Applications/System URL: http://www.courtesan.com/sudo/ @@ -53,14 +53,26 @@ Patch9: sudo-1.8.25-typos-manpages.patch Patch10: sudo-1.8.25-c-option-help.patch Patch11: sudo-1.8.25-sudoreplay-missing-options-help.patch +# RHEL 8.1 +# 1673886 - Problem with sudo-1.8.23 and 'who am i' +Patch12: sudo-1.8.23-who-am-i.patch +# 1676819 - Backporting sudo bug with expired passwords +Patch13: sudo-1.8.23-pam-expired-passwords.patch # 1738326 - The LDAP backend is not properly parsing sudoOptions, resulting in # selinux roles not being applied # https://www.sudo.ws/repos/sudo/rev/10f8cff7cce7 -Patch12: sudo-1.8.25-ldap-backend-parsing-1.patch +Patch14: sudo-1.8.25-ldap-backend-parsing-1.patch # 1738326 - The LDAP backend is not properly parsing sudoOptions, resulting in # selinux roles not being applied # https://www.sudo.ws/repos/sudo/rev/ba6cfd26330e -Patch13: sudo-1.8.25-ldap-backend-parsing-2.patch +Patch15: sudo-1.8.25-ldap-backend-parsing-2.patch +# 738662 - sudo ipa_hostname not honored +# Fix special handling of ipa_hostname that was lost in sudo +Patch16: sudo-1.8.25-ipa-hostname.patch + +# 1760696 - CVE-2019-14287 sudo: Privilege escalation via 'Runas' specification with 'ALL' keyword [rhel-7.8] +Patch17: sudo-1.8.28-CVE-strtouid.patch +Patch18: sudo-1.8.28-CVE-strtouid-test.patch %description Sudo (superuser do) allows a system administrator to give certain @@ -98,8 +110,14 @@ plugins that use %{name}. %patch10 -p1 -b .c-option %patch11 -p1 -b .sudoreplay-help -%patch12 -p1 -b .ldap-backend1 -%patch13 -p1 -b .ldap-backend2 +%patch12 -p1 -b .whoami +%patch13 -p1 -b .pam-expired +%patch14 -p1 -b .ldap-backend1 +%patch15 -p1 -b .ldap-backend2 +%patch16 -p1 -b .ipa-hostname + +%patch17 -p1 -b .cve-strtouid +%patch18 -p1 -b .cve-strtouid-test %build # Remove bundled copy of zlib @@ -259,18 +277,36 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/sudo_plugin.8* %changelog -* Mon Aug 19 2019 Radovan Sroka - 1.8.25-4.1 -- RHEL 8.0.0z ERRATUM +* Fri Oct 18 2019 Marek Tamaskovic - 1.8.25p1-8 +- RHEL-8.1.0 +- fixed CVE-2019-14287 + Resolves: rhbz#1760696 + + +* Fri Aug 16 2019 Radovan Sroka - 1.8.25-7 +- RHEL 8.1 ERRATUM +- sudo ipa_hostname not honored +Resolves: rhbz#1738662 + +* Mon Aug 12 2019 Radovan Sroka - 1.8.25-6 +- RHEL 8.1 ERRATUM - Fixed The LDAP backend which is not properly parsing sudoOptions, resulting in selinux roles not being applied -Resolves: rhbz#1743168 +Resolves: rhbz#1738326 + +* Tue May 28 2019 Radovan Sroka - 1.8.25-5 +- RHEL 8.1 ERRATUM +- Fixed problem with sudo-1.8.23 and 'who am i' +Resolves: rhbz#1673886 +- Backporting sudo bug with expired passwords +Resolves: rhbz#1676819 * Tue Dec 11 2018 Radovan Sroka - 1.8.25-4 - Fix most of the man page scans problems - Resolves: rhbz#1613327 * Fri Oct 12 2018 Daniel Kopecek - 1.8.25-3 -- bump release for new build after gating tests fixes +- bump release for new build Resolves: rhbz#1625683 * Thu Oct 11 2018 Daniel Kopecek - 1.8.25-2 @@ -300,7 +336,7 @@ Resolves: rhbz#1633144 * Thu Sep 21 2017 Marek Tamaskovic - 1.8.21p2-1 - update to 1.8.21p2 -- Moved libsudo_util.so from the -devel sub-package to main package (1481225) +- Moved libsudo_util.so from the -devel sub-package to main package (1481225) * Wed Sep 06 2017 Matthew Miller - 1.8.20p2-4 - replace file-based requirements with package-level ones: @@ -389,7 +425,7 @@ Resolves: rhbz#1633144 * Mon Aug 24 2015 Radovan Sroka 1.8.14p3-2 - add patch that resolves initialization problem before sudo_strsplit call -- add patch that resolves deadcode in visudo.c +- add patch that resolves deadcode in visudo.c - add patch that removes extra while in visudo.c and sudoers.c * Mon Jul 27 2015 Radovan Sroka 1.8.14p3-1 @@ -425,9 +461,9 @@ Resolves: rhbz#1633144 - major changes & fixes: - when running a command in the background, sudo will now forward SIGINFO to the command - - the passwords in ldap.conf and ldap.secret may now be encoded in base64. + - the passwords in ldap.conf and ldap.secret may now be encoded in base64. - SELinux role changes are now audited. For sudoedit, we now audit - the actual editor being run, instead of just the sudoedit command. + the actual editor being run, instead of just the sudoedit command. - it is now possible to match an environment variable's value as well as its name using env_keep and env_check - new files created via sudoedit as a non-root user now have the proper group id @@ -527,7 +563,7 @@ Resolves: rhbz#1633144 * Thu May 17 2012 Daniel Kopecek - 1.8.5-1 - update to 1.8.5 - fixed CVE-2012-2337 -- temporarily disabled SSSD support +- temporarily disabled SSSD support * Wed Feb 29 2012 Daniel Kopecek - 1.8.3p1-6 - fixed problems with undefined symbols (rhbz#798517) @@ -546,7 +582,7 @@ Resolves: rhbz#1633144 * Thu Nov 10 2011 Daniel Kopecek - 1.8.3p1-1 - update to 1.8.3p1 -- disable output word wrapping if the output is piped +- disable output word wrapping if the output is piped * Wed Sep 7 2011 Peter Robinson - 1.8.1p2-2 - Remove execute bit from sample script in docs so we don't pull in perl @@ -681,7 +717,7 @@ Resolves: rhbz#1633144 - sparc64 needs to be in the -fPIE list with s390 * Mon Jan 07 2008 Peter Vrabec 1.6.9p4-5 -- fix complains about audit_log_user_command(): Connection +- fix complains about audit_log_user_command(): Connection refused (#401201) * Wed Dec 05 2007 Release Engineering - 1.6.9p4-4 @@ -783,7 +819,7 @@ Resolves: rhbz#1633144 - rebuild * Mon Oct 4 2004 Thomas Woerner 1.6.7p5-30.1 -- added missing BuildRequires for libselinux-devel (#132883) +- added missing BuildRequires for libselinux-devel (#132883) * Wed Sep 29 2004 Dan Walsh 1.6.7p5-30 - Fix missing param error in sesh @@ -810,7 +846,7 @@ Resolves: rhbz#1633144 exec of child with SELinux patch * Thu Mar 18 2004 Dan Walsh 1.6.7p5-23 -- change to default to sysadm_r +- change to default to sysadm_r - Fix tty handling * Thu Mar 18 2004 Dan Walsh 1.6.7p5-22 @@ -818,7 +854,7 @@ Resolves: rhbz#1633144 - replace /bin/bash -c with /bin/sesh * Tue Mar 16 2004 Dan Walsh 1.6.7p5-21 -- Hard code to use "/bin/bash -c" for selinux +- Hard code to use "/bin/bash -c" for selinux * Tue Mar 16 2004 Dan Walsh 1.6.7p5-20 - Eliminate closing and reopening of terminals, to match su. @@ -843,7 +879,7 @@ Resolves: rhbz#1633144 - Fix is_selinux_enabled call * Tue Jan 13 2004 Dan Walsh 1.6.7p5-13 -- Clean up patch on failure +- Clean up patch on failure * Tue Jan 6 2004 Dan Walsh 1.6.7p5-12 - Remove sudo.te for now. @@ -966,7 +1002,7 @@ Resolves: rhbz#1633144 - fixed so it doesn't find /usr/bin/vi first, but instead /bin/vi (always installed) * Thu Oct 08 1998 Michael Maher -- built package for 5.2 +- built package for 5.2 * Mon May 18 1998 Michael Maher - updated SPEC file @@ -978,10 +1014,9 @@ Resolves: rhbz#1633144 - built for glibc, no problems * Fri Apr 25 1997 Michael Fulbright -- Fixed for 4.2 PowerTools +- Fixed for 4.2 PowerTools - Still need to be pamified - Still need to move stmp file to /var/log * Mon Feb 17 1997 Michael Fulbright - First version for PowerCD. -