diff --git a/SOURCES/sudo-1.8.19p2-display-privs.patch b/SOURCES/sudo-1.8.19p2-display-privs.patch
new file mode 100644
index 0000000..234aa8d
--- /dev/null
+++ b/SOURCES/sudo-1.8.19p2-display-privs.patch
@@ -0,0 +1,16 @@
+diff -up ./plugins/sudoers/sudo_nss.c.display-privs ./plugins/sudoers/sudo_nss.c
+--- ./plugins/sudoers/sudo_nss.c.display-privs	2017-01-13 23:30:15.000000000 -0500
++++ ./plugins/sudoers/sudo_nss.c	2017-08-31 07:41:02.764738698 -0400
+@@ -348,7 +348,11 @@ display_privs(struct sudo_nss_list *snl,
+     sudo_lbuf_destroy(&defs);
+     sudo_lbuf_destroy(&privs);
+ 
+-    debug_return_int(count > 0);
++/*
++ * This is ok, we return 1 which is success in this case
++ * and we don't want return failure even when there is nothing to print
++ */
++    debug_return_int(1);
+ bad:
+     sudo_lbuf_destroy(&defs);
+     sudo_lbuf_destroy(&privs);
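Review bot: Replacing `debug_return_int(count > 0)` with `debug_return_int(1)` makes display_privs report success even when it printed nothing, so a caller can no longer tell "no matching entries" apart from "entries shown"; if that is the intended contract, the comment should state it in terms of the caller rather than "this is ok". The added block comment also sits at column 0 inside the function body and reads awkwardly; suggest indenting it with the surrounding code and wording it `/* Always report success: having nothing to display is not an error for sudo -l. */`. If `count` is now only ever written, expect a set-but-not-used warning; its remaining uses are outside the hunk. display_privs begins before and continues after this hunk.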
diff --git a/SOURCES/sudo-1.8.19p2-iologtruncate.patch b/SOURCES/sudo-1.8.19p2-iologtruncate.patch
new file mode 100644
index 0000000..ee358eb
--- /dev/null
+++ b/SOURCES/sudo-1.8.19p2-iologtruncate.patch
@@ -0,0 +1,171 @@
+diff --git a/src/exec_pty.c b/src/exec_pty.c
+index 7403506..56b2899 100644
+--- a/src/exec_pty.c
++++ b/src/exec_pty.c
+@@ -711,8 +711,10 @@ io_buf_new(int rfd, int wfd,
+ int
+ fork_pty(struct command_details *details, int sv[], sigset_t *omask)
+ {
++    struct plugin_container *plugin;
+     struct command_status cstat;
+-    int io_pipe[3][2];
++    int io_pipe[3][2] = { { -1, -1 }, { -1, -1 }, { -1, -1 } };
++    bool interpose[3] = { false, false, false };
+     sigaction_t sa;
+     sigset_t mask;
+     pid_t child;
+@@ -738,6 +740,16 @@ fork_pty(struct command_details *details, int sv[], sigset_t *omask)
+     sigaddset(&ttyblock, SIGTTIN);
+     sigaddset(&ttyblock, SIGTTOU);
+ 
++    /* Determine whether any of std{in,out,err} should be logged. */
++    TAILQ_FOREACH(plugin, &io_plugins, entries) {
++	if (plugin->u.io->log_stdin)
++	    interpose[STDIN_FILENO] = true;
++	if (plugin->u.io->log_stdout)
++	    interpose[STDOUT_FILENO] = true;
++	if (plugin->u.io->log_stderr)
++	    interpose[STDERR_FILENO] = true;
++    } 
++
+     /*
+      * Setup stdin/stdout/stderr for child, to be duped after forking.
+      * In background mode there is no stdin.
+@@ -763,35 +775,64 @@ fork_pty(struct command_details *details, int sv[], sigset_t *omask)
+     }
+ 
+     /*
+-     * If either stdin, stdout or stderr is not a tty we use a pipe
+-     * to interpose ourselves instead of duping the pty fd.
++     * If stdin, stdout or stderr is not a tty and logging is enabled,
++     * use a pipe to interpose ourselves instead of using the pty fd.
+      */
+-    memset(io_pipe, 0, sizeof(io_pipe));
+     if (io_fds[SFD_STDIN] == -1 || !isatty(STDIN_FILENO)) {
+-	sudo_debug_printf(SUDO_DEBUG_INFO, "stdin not a tty, creating a pipe");
+-	pipeline = true;
+-	if (pipe(io_pipe[STDIN_FILENO]) != 0)
+-	    sudo_fatal(U_("unable to create pipe"));
+-	io_buf_new(STDIN_FILENO, io_pipe[STDIN_FILENO][1],
+-	    log_stdin, &iobufs);
+-	io_fds[SFD_STDIN] = io_pipe[STDIN_FILENO][0];
+-    }
+-    if (io_fds[SFD_STDOUT] == -1 || !isatty(STDOUT_FILENO)) {
+-	sudo_debug_printf(SUDO_DEBUG_INFO, "stdout not a tty, creating a pipe");
+-	pipeline = true;
+-	if (pipe(io_pipe[STDOUT_FILENO]) != 0)
+-	    sudo_fatal(U_("unable to create pipe"));
+-	io_buf_new(io_pipe[STDOUT_FILENO][0], STDOUT_FILENO,
+-	    log_stdout, &iobufs);
+-	io_fds[SFD_STDOUT] = io_pipe[STDOUT_FILENO][1];
+-    }
+-    if (io_fds[SFD_STDERR] == -1 || !isatty(STDERR_FILENO)) {
+-	sudo_debug_printf(SUDO_DEBUG_INFO, "stderr not a tty, creating a pipe");
+-	if (pipe(io_pipe[STDERR_FILENO]) != 0)
+-	    sudo_fatal(U_("unable to create pipe"));
+-	io_buf_new(io_pipe[STDERR_FILENO][0], STDERR_FILENO,
+-	    log_stderr, &iobufs);
+-	io_fds[SFD_STDERR] = io_pipe[STDERR_FILENO][1];
++	if (!interpose[STDIN_FILENO]) {
++	    /* Not logging stdin, do not interpose. */
++	    sudo_debug_printf(SUDO_DEBUG_INFO,
++		"stdin not a tty, not logging");
++	    io_fds[SFD_STDIN] = dup(STDIN_FILENO);
++	    if (io_fds[SFD_STDIN] == -1)
++		sudo_fatal("dup");
++	} else {
++	    sudo_debug_printf(SUDO_DEBUG_INFO,
++		"stdin not a tty, creating a pipe");
++	    pipeline = true;
++	    if (pipe(io_pipe[STDIN_FILENO]) != 0)
++		sudo_fatal(U_("unable to create pipe"));
++	    io_buf_new(STDIN_FILENO, io_pipe[STDIN_FILENO][1],
++		log_stdin, &iobufs);
++	    io_fds[SFD_STDIN] = io_pipe[STDIN_FILENO][0];
++	}
++     }
++     if (io_fds[SFD_STDOUT] == -1 || !isatty(STDOUT_FILENO)) {
++	if (!interpose[STDOUT_FILENO]) {
++	    /* Not logging stdout, do not interpose. */
++	    sudo_debug_printf(SUDO_DEBUG_INFO,
++		"stdout not a tty, not logging");
++	    io_fds[SFD_STDOUT] = dup(STDOUT_FILENO);
++	    if (io_fds[SFD_STDOUT] == -1)
++		sudo_fatal("dup");
++	} else {
++	    sudo_debug_printf(SUDO_DEBUG_INFO,
++		"stdout not a tty, creating a pipe");
++	    pipeline = true;
++	    if (pipe(io_pipe[STDOUT_FILENO]) != 0)
++		sudo_fatal(U_("unable to create pipe"));
++	    io_buf_new(io_pipe[STDOUT_FILENO][0], STDOUT_FILENO,
++		log_stdout, &iobufs);
++	    io_fds[SFD_STDOUT] = io_pipe[STDOUT_FILENO][1];
++	}
++     }
++     if (io_fds[SFD_STDERR] == -1 || !isatty(STDERR_FILENO)) {
++	if (!interpose[STDERR_FILENO]) {
++	    /* Not logging stderr, do not interpose. */
++	    sudo_debug_printf(SUDO_DEBUG_INFO,
++		"stderr not a tty, not logging");
++	    io_fds[SFD_STDERR] = dup(STDERR_FILENO);
++	    if (io_fds[SFD_STDERR] == -1)
++		sudo_fatal("dup");
++	} else {
++	    sudo_debug_printf(SUDO_DEBUG_INFO,
++		"stderr not a tty, creating a pipe");
++	    if (pipe(io_pipe[STDERR_FILENO]) != 0)
++		sudo_fatal(U_("unable to create pipe"));
++	    io_buf_new(io_pipe[STDERR_FILENO][0], STDERR_FILENO,
++		log_stderr, &iobufs);
++	    io_fds[SFD_STDERR] = io_pipe[STDERR_FILENO][1];
++	}
+     }
+ 
+     /* We don't want to receive SIGTTIN/SIGTTOU, getting EIO is preferable. */
+@@ -1549,10 +1590,24 @@ exec_pty(struct command_details *details,
+     setpgid(0, self);
+ 
+     /* Wire up standard fds, note that stdout/stderr may be pipes. */
+-    if (dup2(io_fds[SFD_STDIN], STDIN_FILENO) == -1 ||
+-	dup2(io_fds[SFD_STDOUT], STDOUT_FILENO) == -1 ||
+-	dup2(io_fds[SFD_STDERR], STDERR_FILENO) == -1)
+-	sudo_fatal("dup2");
++    if (io_fds[SFD_STDIN] != STDIN_FILENO) {
++	if (dup2(io_fds[SFD_STDIN], STDIN_FILENO) == -1)
++	    sudo_fatal("dup2");
++	if (io_fds[SFD_STDIN] != io_fds[SFD_SLAVE])
++	    close(io_fds[SFD_STDIN]);
++    }
++    if (io_fds[SFD_STDOUT] != STDOUT_FILENO) {
++	if (dup2(io_fds[SFD_STDOUT], STDOUT_FILENO) == -1)
++	    sudo_fatal("dup2");
++	if (io_fds[SFD_STDOUT] != io_fds[SFD_SLAVE])
++	    close(io_fds[SFD_STDOUT]);
++    }
++    if (io_fds[SFD_STDERR] != STDERR_FILENO) {
++	if (dup2(io_fds[SFD_STDERR], STDERR_FILENO) == -1)
++	    sudo_fatal("dup2");
++	if (io_fds[SFD_STDERR] != io_fds[SFD_SLAVE])
++	    close(io_fds[SFD_STDERR]);
++    }
+ 
+     /* Wait for parent to grant us the tty if we are foreground. */
+     if (foreground && !ISSET(details->flags, CD_EXEC_BG)) {
+@@ -1561,15 +1616,9 @@ exec_pty(struct command_details *details,
+ 	    nanosleep(&ts, NULL);
+     }
+ 
+-    /* We have guaranteed that the slave fd is > 2 */
++    /* Done with the pty slave, don't leak it. */
+     if (io_fds[SFD_SLAVE] != -1)
+ 	close(io_fds[SFD_SLAVE]);
+-    if (io_fds[SFD_STDIN] != io_fds[SFD_SLAVE])
+-	close(io_fds[SFD_STDIN]);
+-    if (io_fds[SFD_STDOUT] != io_fds[SFD_SLAVE])
+-	close(io_fds[SFD_STDOUT]);
+-    if (io_fds[SFD_STDERR] != io_fds[SFD_SLAVE])
+-	close(io_fds[SFD_STDERR]);
+ 
+     /* Execute command; only returns on error. */
+     exec_cmnd(details, cstat, errfd);
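Review bot: The three new interpose blocks in fork_pty are near-verbatim copies whose indentation has already drifted: the closing brace after the stdin block and the `if (io_fds[SFD_STDOUT] ...` / `if (io_fds[SFD_STDERR] ...` lines that follow are indented five spaces where the original used four, and the closing brace of the `TAILQ_FOREACH` loop carries a trailing space. Either fold the three cases into a loop over `{STDIN_FILENO, STDOUT_FILENO, STDERR_FILENO}` or, at minimum, make the indentation match so the copies stay diffable against each other. The not-logging path leaves the parent holding the descriptor returned by `dup()`; whether it is closed after `fork()` is outside this hunk and worth confirming, since an extra write-end reference on a stdout pipe would hold off EOF for a downstream reader until sudo exits. fork_pty and exec_pty both continue outside the visible hunks.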
diff --git a/SOURCES/sudo-1.8.19p2-manpage-use_pty.patch b/SOURCES/sudo-1.8.19p2-manpage-use_pty.patch
new file mode 100644
index 0000000..acb4daa
--- /dev/null
+++ b/SOURCES/sudo-1.8.19p2-manpage-use_pty.patch
@@ -0,0 +1,206 @@
+diff -up ./doc/sudoers.cat.manpage ./doc/sudoers.cat
+--- ./doc/sudoers.cat.manpage	2017-09-11 15:16:47.443869930 +0200
++++ ./doc/sudoers.cat	2017-09-11 15:42:15.140500826 +0200
+@@ -1088,13 +1088,19 @@ SSUUDDOOEERRSS OOPPTTIIOONN
+                        connected to the user's tty, due to I/O redirection or
+                        because the command is part of a pipeline, that input
+                        is also captured and stored in a separate log file.
+-                       For more information, see the _I_/_O _L_O_G _F_I_L_E_S section.
+-                       This flag is _o_f_f by default.
++                       Anything sent to the standard input will be consumed,
++                       regardless of whether or not the command run via ssuuddoo
++                       is actually reading the standard input.  This may have
++                       unexpected results when using ssuuddoo in a shell script
++                       that expects to process the standard input.  For more
++                       information about I/O logging, see the _I_/_O _L_O_G _F_I_L_E_S
++                       section.  This flag is _o_f_f by default.
+ 
+      log_output        If set, ssuuddoo will run the command in a pseudo-tty and
+                        log all output that is sent to the screen, similar to
+-                       the script(1) command.  For more information, see the
+-                       _I_/_O _L_O_G _F_I_L_E_S section.  This flag is _o_f_f by default.
++                       the script(1) command.  For more information about I/O
++                       logging, see the _I_/_O _L_O_G _F_I_L_E_S section.  This flag is
++                       _o_f_f by default.
+ 
+      log_year          If set, the four-digit year will be logged in the (non-
+                        syslog) ssuuddoo log file.  This flag is _o_f_f by default.
+@@ -1396,13 +1402,18 @@ SSUUDDOOEERRSS OOPPTTIIOONN
+                        not needed, this option can be disabled to reduce the
+                        load on the LDAP server.  This flag is _o_n by default.
+ 
+-     use_pty           If set, ssuuddoo will run the command in a pseudo-pty even
+-                       if no I/O logging is being gone.  A malicious program
+-                       run under ssuuddoo could conceivably fork a background
+-                       process that retains to the user's terminal device
+-                       after the main program has finished executing.  Use of
+-                       this option will make that impossible.  This flag is
+-                       _o_f_f by default.
++     use_pty           If set, and ssuuddoo is running in a terminal, the command
++                       will be run in a pseudo-pty (even if no I/O logging is
++                       being done).  If the ssuuddoo process is not attached to a
++                       terminal, _u_s_e___p_t_y has no effect.
++
++                       A malicious program run under ssuuddoo may be capable of
++                       injecting injecting commands into the user's terminal
++                       or running a background process that retains access to
++                       the user's terminal device even after the main program
++                       has finished executing.  By running the command in a
++                       separate pseudo-pty, this attack is no longer possible.
++                       This flag is _o_f_f by default.
+ 
+      utmp_runas        If set, ssuuddoo will store the name of the runas user when
+                        updating the utmp (or utmpx) file.  By default, ssuuddoo
+@@ -2135,11 +2146,11 @@ LLOOGG FFOORRMMAATT
+ 
+ II//OO LLOOGG FFIILLEESS
+      When I/O logging is enabled, ssuuddoo will run the command in a pseudo-tty
+-     and log all user input and/or output.  I/O is logged to the directory
+-     specified by the _i_o_l_o_g___d_i_r option (_/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o by default) using a
+-     unique session ID that is included in the ssuuddoo log line, prefixed with
+-     ``TSID=''.  The _i_o_l_o_g___f_i_l_e option may be used to control the format of
+-     the session ID.
++     and log all user input and/or output, depending on which options are
++     are enabled. I/O is logged to the directory specified by the _i_o_l_o_g___d_i_r 
++     option (_/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o by default) using a unique session ID that is 
++     included in the ssuuddoo log line, prefixed with "TSID=". The _i_o_l_o_g___f_i_l_e
++     option may be used to control the format of the session ID.
+ 
+      Each I/O log is stored in a separate directory that contains the
+      following files:
+diff -up ./doc/sudoers.man.in.manpage ./doc/sudoers.man.in
+--- ./doc/sudoers.man.in.manpage	2017-09-11 15:16:47.444869925 +0200
++++ ./doc/sudoers.man.in	2017-09-11 15:16:47.456869864 +0200
+@@ -2300,7 +2300,14 @@ will run the command in a pseudo-tty and
+ If the standard input is not connected to the user's tty, due to
+ I/O redirection or because the command is part of a pipeline, that
+ input is also captured and stored in a separate log file.
+-For more information, see the
++Anything sent to the standard input will be consumed, regardless of
++whether or not the command run via
++\fBsudo\fR
++is actually reading the standard input.
++This may have unexpected results when using
++\fBsudo\fR
++in a shell script that expects to process the standard input.
++For more information about I/O logging, see the
+ \fII/O LOG FILES\fR
+ section.
+ This flag is
+@@ -2314,7 +2321,7 @@ will run the command in a pseudo-tty and
+ to the screen, similar to the
+ script(1)
+ command.
+-For more information, see the
++For more information about I/O logging, see the
+ \fII/O LOG FILES\fR
+ section.
+ This flag is
+@@ -2934,14 +2941,24 @@ This flag is
+ by default.
+ .TP 18n
+ use_pty
+-If set,
++If set, and
+ \fBsudo\fR
+-will run the command in a pseudo-pty even if no I/O logging is being gone.
++is running in a terminal, the command will be run in a pseudo-pty
++(even if no I/O logging is being done).
++If the
++\fBsudo\fR
++process is not attached to a terminal,
++\fIuse_pty\fR
++has no effect.
++.sp
+ A malicious program run under
+ \fBsudo\fR
+-could conceivably fork a background process that retains to the user's
+-terminal device after the main program has finished executing.
+-Use of this option will make that impossible.
++may be capable of injecting injecting commands into the user's
++terminal or running a background process that retains access to the
++user's terminal device even after the main program has finished
++executing.
++By running the command in a separate pseudo-pty, this attack is
++no longer possible.
+ This flag is
+ \fIoff\fR
+ by default.
+@@ -4281,7 +4298,8 @@ word wrap will be disabled.
+ .SH "I/O LOG FILES"
+ When I/O logging is enabled,
+ \fBsudo\fR
+-will run the command in a pseudo-tty and log all user input and/or output.
++will run the command in a pseudo-tty and log all user input and/or output,
++depending on which options are enabled.
+ I/O is logged to the directory specified by the
+ \fIiolog_dir\fR
+ option
+diff -up ./doc/sudoers.mdoc.in.manpage ./doc/sudoers.mdoc.in
+--- ./doc/sudoers.mdoc.in.manpage	2017-09-11 15:16:47.445869920 +0200
++++ ./doc/sudoers.mdoc.in	2017-09-11 15:16:47.456869864 +0200
+@@ -2155,7 +2155,14 @@ will run the command in a pseudo-tty and
+ If the standard input is not connected to the user's tty, due to
+ I/O redirection or because the command is part of a pipeline, that
+ input is also captured and stored in a separate log file.
+-For more information, see the
++Anything sent to the standard input will be consumed, regardless of
++whether or not the command run via
++.Nm sudo
++is actually reading the standard input.
++This may have unexpected results when using
++.Nm sudo
++in a shell script that expects to process the standard input.
++For more information about I/O logging, see the
+ .Sx "I/O LOG FILES"
+ section.
+ This flag is
+@@ -2168,7 +2175,7 @@ will run the command in a pseudo-tty and
+ to the screen, similar to the
+ .Xr script 1
+ command.
+-For more information, see the
++For more information about I/O logging, see the
+ .Sx "I/O LOG FILES"
+ section.
+ This flag is
+@@ -2752,14 +2759,24 @@ This flag is
+ .Em on
+ by default.
+ .It use_pty
+-If set,
++If set, and
+ .Nm sudo
+-will run the command in a pseudo-pty even if no I/O logging is being gone.
++is running in a terminal, the command will be run in a pseudo-pty
++(even if no I/O logging is being done).
++If the
++.Nm sudo
++process is not attached to a terminal,
++.Em use_pty
++has no effect.
++.Pp
+ A malicious program run under
+ .Nm sudo
+-could conceivably fork a background process that retains to the user's
+-terminal device after the main program has finished executing.
+-Use of this option will make that impossible.
++may be capable of injecting injecting commands into the user's
++terminal or running a background process that retains access to the
++user's terminal device even after the main program has finished
++executing.
++By running the command in a separate pseudo-pty, this attack is
++no longer possible.
+ This flag is
+ .Em off
+ by default.
+@@ -3976,7 +3993,8 @@ word wrap will be disabled.
+ .Sh I/O LOG FILES
+ When I/O logging is enabled,
+ .Nm sudo
+-will run the command in a pseudo-tty and log all user input and/or output.
++will run the command in a pseudo-tty and log all user input and/or output,
++depending on which options are enabled.
+ I/O is logged to the directory specified by the
+ .Em iolog_dir
+ option
diff --git a/SOURCES/sudo-1.8.19p2-sssd-double-free.patch b/SOURCES/sudo-1.8.19p2-sssd-double-free.patch
new file mode 100644
index 0000000..d53eb4c
--- /dev/null
+++ b/SOURCES/sudo-1.8.19p2-sssd-double-free.patch
@@ -0,0 +1,44 @@
+
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller@sudo.ws>
+# Date 1511893724 25200
+# Node ID 14dacdea331942a38d443a75d1b08f67eafaa5eb
+# Parent  b456101fe5091540e9f6429db7568fa32b6d4da8
+Avoid a double free when ipa_hostname is set in sssd.conf and it
+is an unqualified host name.  From Daniel Kopecek.
+
+Also move the "unable to allocate memory" warning into get_ipa_hostname()
+itself to make it easier to see where the allocation failed in the
+debug log.
+
+diff -r b456101fe509 -r 14dacdea3319 plugins/sudoers/sssd.c
+--- a/plugins/sudoers/sssd.c	Tue Nov 28 09:48:43 2017 -0700
++++ b/plugins/sudoers/sssd.c	Tue Nov 28 11:28:44 2017 -0700
+@@ -349,6 +349,8 @@
+ 		    *lhostp = lhost;
+ 		    ret = true;
+ 		} else {
++		    sudo_warnx(U_("%s: %s"), __func__,
++			U_("unable to allocate memory"));
+ 		    free(shost);
+ 		    free(lhost);
+ 		    ret = -1;
+@@ -456,7 +458,6 @@
+      */
+     if (strcmp(user_runhost, user_host) == 0) {
+ 	if (get_ipa_hostname(&handle->ipa_shost, &handle->ipa_host) == -1) {
+-	    sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+ 	    free(handle);
+ 	    debug_return_int(ENOMEM);
+ 	}
+@@ -478,7 +479,8 @@
+ 	handle = nss->handle;
+ 	sudo_dso_unload(handle->ssslib);
+ 	free(handle->ipa_host);
+-	free(handle->ipa_shost);
++	if (handle->ipa_host != handle->ipa_shost)
++	    free(handle->ipa_shost);
+ 	free(handle);
+ 	nss->handle = NULL;
+     }
+
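Review bot: The new guard in the unload path compares `handle->ipa_host` after it has already been passed to `free()`, and reading a freed pointer's value is indeterminate under C11 even when it is only compared; put the aliasing check first so the comparison uses live pointers: `if (handle->ipa_shost != handle->ipa_host) free(handle->ipa_shost);` followed by `free(handle->ipa_host);`. The check also encodes an invariant that is only visible in get_ipa_hostname, so a one-line comment such as `/* ipa_shost aliases ipa_host for an unqualified ipa_hostname; free it once. */` would keep the next maintainer from "simplifying" it back into a double free. The surrounding function starts before the hunk.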
diff --git a/SOURCES/sudo-1.8.19p2-sudo-l-sssd.patch b/SOURCES/sudo-1.8.19p2-sudo-l-sssd.patch
new file mode 100644
index 0000000..62d0cf2
--- /dev/null
+++ b/SOURCES/sudo-1.8.19p2-sudo-l-sssd.patch
@@ -0,0 +1,113 @@
+From 1f37620953699fe71b09760fe01e33eb6ada771c Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller" <Todd.Miller@courtesan.com>
+Date: Wed, 15 Nov 2017 12:27:39 -0700
+Subject: [PATCH] When checking the results for "sudo -l" and "sudo -v", keep
+ checking even after we get a match since the value of doauth may depend on
+ evaluating all the results.  From Radovan Sroka of RedHat.
+
+In list (-l) or verify (-v) mode, if we have a match but authentication
+is required, clear FLAG_NOPASSWD so that when listpw/verifypw is
+set to "all" and there are multiple sudoers sources a password will
+be required unless none of the entries in all sources require
+authentication.  From Radovan Sroka of RedHat
+
+Avoid calling cmnd_matches() in list/verify mode if we already have
+a match.
+---
+ plugins/sudoers/ldap.c  |  5 ++++-
+ plugins/sudoers/parse.c | 10 +++++++---
+ plugins/sudoers/sssd.c  |  5 ++++-
+ 3 files changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c
+index 46309cba..c5c18360 100644
+--- a/plugins/sudoers/ldap.c
++++ b/plugins/sudoers/ldap.c
+@@ -3320,12 +3320,13 @@ sudo_ldap_lookup(struct sudo_nss *nss, int ret, int pwflag)
+ 		(pwcheck == all && doauth != true)) {
+ 		doauth = !!sudo_ldap_check_bool(ld, entry, "authenticate");
+ 	    }
++	    if (matched == true)
++		continue;
+ 	    /* Only check the command when listing another user. */
+ 	    if (user_uid == 0 || list_pw == NULL ||
+ 		user_uid == list_pw->pw_uid ||
+ 		sudo_ldap_check_command(ld, entry, NULL) == true) {
+ 		matched = true;
+-		break;
+ 	    }
+ 	}
+ 	if (matched == true || user_uid == 0) {
+@@ -3339,6 +3340,8 @@ sudo_ldap_lookup(struct sudo_nss *nss, int ret, int pwflag)
+ 		case any:
+ 		    if (doauth == false)
+ 			SET(ret, FLAG_NOPASSWD);
++		    else
++			CLR(ret, FLAG_NOPASSWD);
+ 		    break;
+ 		default:
+ 		    break;
+diff --git a/plugins/sudoers/parse.c b/plugins/sudoers/parse.c
+index 749a3eb2..a12e88c5 100644
+--- a/plugins/sudoers/parse.c
++++ b/plugins/sudoers/parse.c
+@@ -182,14 +182,16 @@ sudo_file_lookup(struct sudo_nss *nss, int validated, int pwflag)
+ 		if (hostlist_matches(sudo_user.pw, &priv->hostlist) != ALLOW)
+ 		    continue;
+ 		TAILQ_FOREACH(cs, &priv->cmndlist, entries) {
++		    if ((pwcheck == any && cs->tags.nopasswd == true) ||
++			(pwcheck == all && cs->tags.nopasswd != true))
++			nopass = cs->tags.nopasswd;
++		    if (match == ALLOW)
++			continue;
+ 		    /* Only check the command when listing another user. */
+ 		    if (user_uid == 0 || list_pw == NULL ||
+ 			user_uid == list_pw->pw_uid ||
+ 			cmnd_matches(cs->cmnd) == ALLOW)
+ 			    match = ALLOW;
+-		    if ((pwcheck == any && cs->tags.nopasswd == true) ||
+-			(pwcheck == all && cs->tags.nopasswd != true))
+-			nopass = cs->tags.nopasswd;
+ 		}
+ 	    }
+ 	}
+@@ -202,6 +204,8 @@ sudo_file_lookup(struct sudo_nss *nss, int validated, int pwflag)
+ 	    SET(validated, FLAG_CHECK_USER);
+ 	else if (nopass == true)
+ 	    SET(validated, FLAG_NOPASSWD);
++	else
++	    CLR(validated, FLAG_NOPASSWD);
+ 	debug_return_int(validated);
+     }
+ 
+diff --git a/plugins/sudoers/sssd.c b/plugins/sudoers/sssd.c
+index 65b4d875..09ca9fee 100644
+--- a/plugins/sudoers/sssd.c
++++ b/plugins/sudoers/sssd.c
+@@ -1321,12 +1321,13 @@ sudo_sss_lookup(struct sudo_nss *nss, int ret, int pwflag)
+ 		    (pwcheck == all && doauth != true)) {
+ 		    doauth = !!sudo_sss_check_bool(handle, rule, "authenticate");
+ 		}
++		if (matched == true)
++		    continue;
+ 		/* Only check the command when listing another user. */
+ 		if (user_uid == 0 || list_pw == NULL ||
+ 		    user_uid == list_pw->pw_uid ||
+ 		    sudo_sss_check_command(handle, rule, NULL) == true) {
+ 		    matched = true;
+-		    break;
+ 		}
+ 	    }
+ 	}
+@@ -1341,6 +1342,8 @@ sudo_sss_lookup(struct sudo_nss *nss, int ret, int pwflag)
+ 		case any:
+ 		    if (doauth == false)
+ 			SET(ret, FLAG_NOPASSWD);
++		    else
++			CLR(ret, FLAG_NOPASSWD);
+ 		    break;
+ 		default:
+ 		    break;
+-- 
+2.14.3
+
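Review bot: The `if (matched == true) continue;` added to sudo_ldap_lookup, and its twin in sudo_sss_lookup, reverse the previous early `break` without saying why, so the next reader will see a loop that keeps iterating after a hit and is likely to restore the break; a comment such as `/* Keep scanning after a match: doauth depends on every entry. */` above each `continue` would protect the fix. The same intent applies to the reordered `nopass` assignment in sudo_file_lookup, which now runs before the `match == ALLOW` check for the same reason. The new `else CLR(..., FLAG_NOPASSWD)` presumably sits under a `case all:` label that falls through into the visible `case any:`; that label is just outside the hunk, so confirm the clearing is meant for both modes. All three enclosing functions start before and end after their hunks.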
diff --git a/SOURCES/sudo-1.8.21-ldap-pass2-filter.patch b/SOURCES/sudo-1.8.21-ldap-pass2-filter.patch
new file mode 100644
index 0000000..8da9603
--- /dev/null
+++ b/SOURCES/sudo-1.8.21-ldap-pass2-filter.patch
@@ -0,0 +1,19 @@
+diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c
+index f21a99ee..83202e28 100644
+--- a/plugins/sudoers/ldap.c
++++ b/plugins/sudoers/ldap.c
+@@ -1847,12 +1847,10 @@ sudo_ldap_build_pass2(void)
+ 	    ldap_conf.timed ? timebuffer : "",
+ 	    (ldap_conf.timed || ldap_conf.search_filter) ? ")" : "");
+     } else {
+-	len = asprintf(&filt, "%s%s(sudoUser=*)(sudoUser=%s*)%s%s",
+-	    (ldap_conf.timed || ldap_conf.search_filter) ? "(&" : "",
++	len = asprintf(&filt, "(&%s(sudoUser=*)(sudoUser=%s*)%s)",
+ 	    ldap_conf.search_filter ? ldap_conf.search_filter : "",
+ 	    query_netgroups ? "+" : "%:",
+-	    ldap_conf.timed ? timebuffer : "",
+-	    (ldap_conf.timed || ldap_conf.search_filter) ? ")" : "");
++	    ldap_conf.timed ? timebuffer : "");
+     }
+     if (len == -1)
+ 	sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
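Review bot: The rewritten else branch of sudo_ldap_build_pass2 now always wraps the filter in `(&` … `)`, while the if branch visible just above still wraps conditionally on `ldap_conf.timed || ldap_conf.search_filter`; the asymmetry is correct (two `sudoUser` terms are never a valid top-level filter on their own) but nothing in the code says so. Suggest a comment on the new `asprintf` call: `/* Two sudoUser terms, so an enclosing (&...) is always required here. */`. The function begins before this hunk.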
diff --git a/SPECS/sudo.spec b/SPECS/sudo.spec
index c3a1a52..01af92f 100644
--- a/SPECS/sudo.spec
+++ b/SPECS/sudo.spec
@@ -1,7 +1,7 @@
 Summary: Allows restricted root access for specified users
 Name: sudo
 Version: 1.8.19p2
-Release: 11%{?dist}
+Release: 13%{?dist}
 License: ISC
 Group: Applications/System
 URL: http://www.courtesan.com/sudo/
@@ -63,6 +63,18 @@ Patch16: sudo-1.8.19p2-lecture-boolean.patch
 Patch17: sudo-1.8.19p2-get_process_ttyname.patch
 # 1459152 - CVE-2017-1000368: Privilege escalation via improper get_process_ttyname() parsing (insufficient fix for CVE-2017-1000367)
 Patch18: sudo-1.8.19p2-CVE-2017-1000368.patch
+# 1485397 - sudo breaking who ldap and local users after upgrade
+Patch19: sudo-1.8.21-ldap-pass2-filter.patch
+# 1458696 - successful sudo -l returns non-zero if asking for other user
+Patch20: sudo-1.8.19p2-display-privs.patch
+# 1454571 - Sudo, with I/O Logging log_output option enabled, truncate output in case of cycle over standard input
+Patch21: sudo-1.8.19p2-iologtruncate.patch
+# 1490358 - Update use_pty and IO logging man page
+Patch22: sudo-1.8.19p2-manpage-use_pty.patch
+# 1505409 - Regression in "sudo -l" when using IPA / sssd
+Patch23: sudo-1.8.19p2-sudo-l-sssd.patch
+# 1518104 - sudo crashed: double free or corruption (fasttop)
+Patch24: sudo-1.8.19p2-sssd-double-free.patch
 
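Review bot: Patch19 is the only entry named for sudo 1.8.21 in a spec whose Version is 1.8.19p2, and nothing in its comment says it is a backport, so a reader cannot tell whether the version in the filename is a mistake. Suggest extending the comment to `# 1485397 - sudo breaking who ldap and local users after upgrade (backported from 1.8.21)` if that is the origin, or renaming the file to match the others.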
 %description
 Sudo (superuser do) allows a system administrator to give certain
@@ -105,6 +117,12 @@ plugins that use %{name}.
 %patch16 -p1 -b .lecture
 %patch17 -p1 -b .get_process_ttyname
 %patch18 -p1 -b .CVE-2017-1000368
+%patch19 -p1 -b .ldap-pass2-filter
+%patch20 -p1 -b .display-privs
+%patch21 -p1 -b .iologtruncate
+%patch22 -p1 -b .manpage
+%patch23 -p1 -b .sudo-l
+%patch24 -p1 -b .double-free
 
 %build
 autoreconf -I m4 -fv --install
@@ -239,9 +257,32 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man8/sudo_plugin.8*
 
 %changelog
-* Fri Aug 18 2017 Daniel Kopecek <dkopecek@redhat.com> - 1.8.19p2-11
+* Thu Nov 30 2017 Radovan Sroka <rsroka@redhat.com> 1.8.19p2-13
+- RHEL 7.5 erratum
+- Fixed sudo -l checking results whether user should be authenticated
+- Enabled LDAP filter patch
+- Fixed double free in sssd
+
+  Resolves: rhbz#1505409
+  Resolves: rhbz#1511850
+  Resolves: rhbz#1518104
+
+* Mon Oct 02 2017 Radovan Sroka <rsroka@redhat.com> 1.8.19p2-12
+- RHEL 7.5 erratum
+- Fixed exit codes for `sudo -l -U <user>`
+- Fixed truncated output when log_output is enabled
+- Updated use_pty and IO logging manpage
+
+  Resolves: rhbz#1458696
+  Resolves: rhbz#1454571
+  Resolves: rhbz#1490358
+
+- Fixed second pass LDAP filter expression in the sudoers ldap backend
+  - inclomplete patch for rhbz#1485397
+
+* Mon Aug 14 2017 Daniel Kopecek <dkopecek@redhat.com> - 1.8.19p2-11
 - Moved libsudo_util.so from the -devel sub-package to main package
-  Resolves: rhbz#1482929
+  Resolves: rhbz#1481225
 
 * Wed Jun 07 2017 Daniel Kopecek <dkopecek@redhat.com> - 1.8.19p2-10
 - RHEL 7.4 erratum