diff --git a/SOURCES/sudo-1.8.25-ldap-backend-parsing-1.patch b/SOURCES/sudo-1.8.25-ldap-backend-parsing-1.patch
new file mode 100644
index 0000000..e2bda07
--- /dev/null
+++ b/SOURCES/sudo-1.8.25-ldap-backend-parsing-1.patch
@@ -0,0 +1,65 @@
+From e1a402f1d65f4f107a40237bc19384e43b334546 Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller"
+Date: Tue, 16 Oct 2018 12:49:34 -0600
+Subject: [PATCH] sudo_ldap_parse_option() never returns '=' as the operator.
+ When parsing command_timeout, role, type, privs and limitprivs, check that
+ val is non-NULL instead. Found by PVS Studio.
+
+---
+ plugins/sudoers/ldap_util.c | 37 ++++++++++++++-----------------------
+ 1 file changed, 14 insertions(+), 23 deletions(-)
+
+diff --git a/plugins/sudoers/ldap_util.c b/plugins/sudoers/ldap_util.c
+index d9be95a61..fecb7a6c5 100644
+--- a/plugins/sudoers/ldap_util.c
++++ b/plugins/sudoers/ldap_util.c
+@@ -405,32 +405,23 @@ sudo_ldap_role_to_priv(const char *cn, void *hosts, void *runasusers,
+ int op;
+ 
+ op = sudo_ldap_parse_option(opt, &var, &val);
+- if (strcmp(var, "command_timeout") == 0) {
+- if (op == '=')
+- cmndspec->timeout = parse_timeout(val);
++ if (strcmp(var, "command_timeout") == 0 && val != NULL) {
++ cmndspec->timeout = parse_timeout(val);
+ #ifdef HAVE_SELINUX
+- } else if (strcmp(var, "role") == 0) {
+- if (op == '=') {
+- if ((cmndspec->role = strdup(val)) == NULL)
+- goto oom;
+- }
+- } else if (strcmp(var, "type") == 0) {
+- if (op == '=') {
+- if ((cmndspec->type = strdup(val)) == NULL)
+- goto oom;
+- }
++ } else if (strcmp(var, "role") == 0 && val != NULL) {
++ if ((cmndspec->role = strdup(val)) == NULL)
++ goto oom;
++ } else if (strcmp(var, "type") == 0 && val != NULL) {
++ if ((cmndspec->type = strdup(val)) == NULL)
++ goto oom;
+ #endif /* HAVE_SELINUX */
+ #ifdef HAVE_PRIV_SET
+- } else if (strcmp(var, "privs") == 0) {
+- if (op == '=') {
+- if ((cmndspec->privs = strdup(val)) == NULL)
+- goto oom;
+- }
+- } else if (strcmp(var, "limitprivs") == 0) {
+- if (op == '=') {
+- if ((cmndspec->limitprivs = strdup(val)) == NULL)
+- goto oom;
+- }
++ } else if (strcmp(var, "privs") == 0 && val != NULL) {
++ if ((cmndspec->privs = strdup(val)) == NULL)
++ goto oom;
++ } else if (strcmp(var, "limitprivs") == 0 && val != NULL) {
++ if ((cmndspec->limitprivs = strdup(val)) == NULL)
++ goto oom;
+ #endif /* HAVE_PRIV_SET */
+ } else if (store_options) {
+ if (!sudo_ldap_add_default(var, val, op, source,
+--
+2.21.0
+
diff --git a/SOURCES/sudo-1.8.25-ldap-backend-parsing-2.patch b/SOURCES/sudo-1.8.25-ldap-backend-parsing-2.patch
new file mode 100644
index 0000000..0865e71
--- /dev/null
+++ b/SOURCES/sudo-1.8.25-ldap-backend-parsing-2.patch
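Review bot: The new `&& val != NULL` guards change where a value-less `command_timeout`, `role`, `type`, `privs` or `limitprivs` option ends up: before, the name matched its own branch and the option was silently dropped when `op != '='`, whereas now none of those branches match and the chain falls through to `else if (store_options)`, so `sudo_ldap_add_default(var, val, op, source, …)` is reached with `val == NULL` for these names. Unless that routine rejects a NULL value for them (its body is not on the page), a bare or negated sudoOption that used to be ignored would now be recorded as a Defaults entry, which is a behaviour change the commit message does not mention and is worth confirming. Separately, `cmndspec->timeout = parse_timeout(val);` stores the result unchecked; if parse_timeout() reports a malformed string through an error return, that sentinel silently becomes the command's timeout, so a warning on that path would make a bad LDAP value visible rather than quietly dropping the limit. sudo_ldap_role_to_priv() begins and ends outside the hunk.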
@@ -0,0 +1,57 @@
+From 60f0d65e22ba93988229453eb013728e47e5f84e Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller"
+Date: Wed, 17 Oct 2018 06:57:06 -0600
+Subject: [PATCH] Fix expected test output now that command_timeout is parsed
+ correctly in LDIF.
+
+---
+ .../regress/sudoers/test17.ldif2sudo.ok | 20 +++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/plugins/sudoers/regress/sudoers/test17.ldif2sudo.ok b/plugins/sudoers/regress/sudoers/test17.ldif2sudo.ok
+index 6bc2a36ed..608f52fc4 100644
+--- a/plugins/sudoers/regress/sudoers/test17.ldif2sudo.ok
++++ b/plugins/sudoers/regress/sudoers/test17.ldif2sudo.ok
+@@ -1,29 +1,29 @@
+ Defaults command_timeout=2d8h10m59s
+ 
+ # sudoRole user0
+-user0 ALL = /usr/bin/id, /usr/bin/who, /bin/ls
++user0 ALL = TIMEOUT=619830 /usr/bin/id, /usr/bin/who, /bin/ls
+ 
+ # sudoRole user1
+-user1 ALL = /usr/bin/id
++user1 ALL = TIMEOUT=619830 /usr/bin/id
+ 
+ # sudoRole user2
+-user2 ALL = /usr/bin/id
++user2 ALL = TIMEOUT=15030 /usr/bin/id
+ 
+ # sudoRole user3
+-user3 ALL = /usr/bin/id
++user3 ALL = TIMEOUT=630 /usr/bin/id
+ 
+ # sudoRole user4
+-user4 ALL = /usr/bin/id
++user4 ALL = TIMEOUT=1209600 /usr/bin/id
+ 
+ # sudoRole user5
+-user5 ALL = /usr/bin/id
++user5 ALL = TIMEOUT=300 /usr/bin/id
+ 
+ # sudoRole user6
+-user6 ALL = /usr/bin/id
++user6 ALL = TIMEOUT=30 /usr/bin/id
+ 
+ # sudoRole user7
+-user7 ALL = /usr/bin/id
++user7 ALL = TIMEOUT=45 /usr/bin/id
+ 
+ # sudoRole user8
+-user8 ALL = /usr/bin/id, /usr/bin/id, /usr/bin/id, /usr/bin/id, /usr/bin/id,\
+- /usr/bin/id
++user8 ALL = TIMEOUT=619830 /usr/bin/id, /usr/bin/id, /usr/bin/id, /usr/bin/id,\
++ /usr/bin/id, /usr/bin/id
+--
+2.21.0
+
diff --git a/SPECS/sudo.spec b/SPECS/sudo.spec
index 2300d28..4e18ed9 100644
--- a/SPECS/sudo.spec
+++ b/SPECS/sudo.spec
@@ -1,7 +1,7 @@
 Summary: Allows restricted root access for specified users
 Name: sudo
 Version: 1.8.25p1
-Release: 4%{?dist}
+Release: 4%{?dist}.1
 License: ISC
 Group: Applications/System
 URL: http://www.courtesan.com/sudo/
@@ -53,6 +53,15 @@ Patch9: sudo-1.8.25-typos-manpages.patch
 Patch10: sudo-1.8.25-c-option-help.patch
 Patch11: sudo-1.8.25-sudoreplay-missing-options-help.patch
+# 1738326 - The LDAP backend is not properly parsing sudoOptions, resulting in
+# selinux roles not being applied
+# https://www.sudo.ws/repos/sudo/rev/10f8cff7cce7
+Patch12: sudo-1.8.25-ldap-backend-parsing-1.patch
+# 1738326 - The LDAP backend is not properly parsing sudoOptions, resulting in
+# selinux roles not being applied
+# https://www.sudo.ws/repos/sudo/rev/ba6cfd26330e
+Patch13: sudo-1.8.25-ldap-backend-parsing-2.patch
+
 
 %description
 Sudo (superuser do) allows a system administrator to give certain users
 (or groups of users) the ability to run some (or all) commands
@@ -89,6 +98,9 @@ plugins that use %{name}.
 %patch10 -p1 -b .c-option
 %patch11 -p1 -b .sudoreplay-help
+%patch12 -p1 -b .ldap-backend1
+%patch13 -p1 -b .ldap-backend2
+
 
 %build
 # Remove bundled copy of zlib
 rm -rf zlib/
@@ -247,12 +259,18 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man8/sudo_plugin.8*
 
 %changelog
+* Mon Aug 19 2019 Radovan Sroka - 1.8.25-4.1
+- RHEL 8.0.0z ERRATUM
+- Fixed The LDAP backend which is not properly parsing sudoOptions,
+ resulting in selinux roles not being applied
+Resolves: rhbz#1743168
+
 * Tue Dec 11 2018 Radovan Sroka - 1.8.25-4
 - Fix most of the man page scans problems
 - Resolves: rhbz#1613327
 
 * Fri Oct 12 2018 Daniel Kopecek - 1.8.25-3
-- bump release for new build after gating tests fixes
+- bump release for new build after gating tests fixes
 Resolves: rhbz#1625683
 
 * Thu Oct 11 2018 Daniel Kopecek - 1.8.25-2
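Review bot: The comment block above `Patch13:` repeats the `Patch12:` text verbatim, yet the second patch file touches only `plugins/sudoers/regress/sudoers/test17.ldif2sudo.ok` and changes no code; a distinct comment such as `# 1738326 - regression test expectation update that accompanies the parsing fix in Patch12` would tell the next maintainer which of the two depends on the other when rebasing. The `https://www.sudo.ws/repos/sudo/rev/…` links cite revision ids (10f8cff7cce7, ba6cfd26330e) that differ from the `From` ids carried inside the patch files (e1a402f1d65f…, 60f0d65e22ba…), presumably Mercurial versus git-mirror identifiers; recording both next to each `Patch` line lets the backport be verified against upstream without guessing which tree was used. The changelog's `Resolves: rhbz#1743168` also differs from the 1738326 cited in the patch comments, which is fine if one is the z-stream clone, but saying so in the comment avoids a later reader treating it as a mismatch.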