sudo: updated to 1.9.6p1
Major changes between version 1.9.6p1 and 1.9.6: Fixed a regression introduced in sudo 1.9.6 that resulted in an error message instead of a usage message when sudo is run with no arguments. Major changes between version 1.9.6 and 1.9.5p2: Fixed a sudo_sendlog compilation problem with the AIX xlC compiler. Fixed a regression introduced in sudo 1.9.4 where the --disable-root-mailer configure option had no effect. Added a --disable-leaks configure option that avoids some memory leaks on exit that would otherwise occur. This is intended to be used with development tools that measure memory leaks. It is not safe to use in production at this time. Plugged some memory leaks identified by oss-fuzz and ASAN. Fixed the handling of sudoOptions for an LDAP sudoRole that contains multiple sudoCommands. Previously, some of the options would only be applied to the first sudoCommand. Fixed a potential out of bounds read in the parsing of NOTBEFORE and NOTAFTER sudoers command options (and their LDAP equivalents). The parser used for reading I/O log JSON files is now more resilient when processing invalid JSON. Fixed typos that prevented make uninstall from working. Fixed a regression introduced in sudo 1.9.4 where the last line in a sudoers file might not have a terminating NUL character added if no newline was present. Integrated oss-fuzz and LLVM's libFuzzer with sudo. The new --enable-fuzzer configure option can be combined with the --enable-sanitizer option to build sudo with fuzzing support. Multiple fuzz targets are available for fuzzing different parts of sudo. Fuzzers are built and tested via make fuzz or as part of make check (even when sudo is not built with fuzzing support). Fuzzing support currently requires the LLVM clang compiler (not gcc). Fixed the --enable-static-sudoers configure option. Fixed a potential out of bounds read sudo when is run by a user with more groups than the value of max_groups in sudo.conf. Added an admin_flag sudoers option to make the use of the ~/.sudo_as_admin_successful file configurable on systems where sudo is build with the --enable-admin-flag configure option. This mostly affects Ubuntu and its derivatives. The max_groups setting in sudo.conf is now limited to 1024. This setting is obsolete and should no longer be needed. Fixed a bug in the tilde expansion of CHROOT=dir and CWD=dir sudoers command options. A path ~/foo was expanded to /home/userfoo instead of /home/user/foo. This also affects the runchroot and runcwd Defaults settings. Fixed a bug on systems without a native getdelim(3) function where very long lines could cause parsing of the sudoers file to end prematurely. Fixed a potential integer overflow when converting the timestamp_timeout and passwd_timeout sudoers settings to a timespec struct. The default for the group_source setting in sudo.conf is now dynamic on macOS. Recent versions of macOS do not reliably return all of a user's non-local groups via getgroups(2), even when _DARWIN_UNLIMITED_GETGROUPS is defined. Fixed a potential use-after-free in the PAM conversation function. Fixed potential redefinition of sys/stat.h macros in sudo_compat.h.
This commit is contained in:
adam
parent
d4985aa020
commit
4e5d688a7c
5 changed files with 39 additions and 86 deletions
|
|
@ -1,7 +1,6 @@
|
|||
# $NetBSD: Makefile,v 1.183 2021/01/30 11:06:45 spz Exp $
|
||||
# $NetBSD: Makefile,v 1.184 2021/03/18 08:57:48 adam Exp $
|
||||
|
||||
DISTNAME= sudo-1.9.5p2
|
||||
PKGREVISION= 1
|
||||
DISTNAME= sudo-1.9.6p1
|
||||
CATEGORIES= security
|
||||
MASTER_SITES= https://www.sudo.ws/dist/
|
||||
MASTER_SITES+= ftp://ftp.sudo.ws/pub/sudo/
|
||||
|
|
|
|||
|
|
@ -1,12 +1,12 @@
|
|||
$NetBSD: distinfo,v 1.114 2021/01/30 11:06:45 spz Exp $
|
||||
$NetBSD: distinfo,v 1.115 2021/03/18 08:57:48 adam Exp $
|
||||
|
||||
SHA1 (sudo-1.9.5p2.tar.gz) = 08bde247a1e08bc881eec43e09733f7ca06408f5
|
||||
RMD160 (sudo-1.9.5p2.tar.gz) = 5952aafd4e777196eb8af81c4cdc420e3d688684
|
||||
SHA512 (sudo-1.9.5p2.tar.gz) = f0fe914963c31a6f8ab6c86847ff6cdd125bd5a839b27f46dcae03963f4fc413b3d4cca54c1979feb825c8479b44c7df0642c07345c941eecf6f9f1e03ea0e27
|
||||
Size (sudo-1.9.5p2.tar.gz) = 4012277 bytes
|
||||
SHA1 (sudo-1.9.6p1.tar.gz) = c83e90c50f79004922a6fc5229601fe121d52f50
|
||||
RMD160 (sudo-1.9.6p1.tar.gz) = 638da407f15c36debf6bce797f7a6f10caf6c0df
|
||||
SHA512 (sudo-1.9.6p1.tar.gz) = 632dfe72f04ce9a7a5a7236fcd5c09ce4535e695ced49d24dd848e3a7b1bea7380df44188b9e475af4271069539b5a5816948a98fbb0649ebebaba8b4c4b7745
|
||||
Size (sudo-1.9.6p1.tar.gz) = 4119888 bytes
|
||||
SHA1 (patch-Makefile.in) = e8813e1aa208d9ef6304038328504a5402341560
|
||||
SHA1 (patch-configure) = 0dd4c9bc64fb0ecaf496874eb8d0b649330db1f2
|
||||
SHA1 (patch-configure) = 162f6f3ac244f2ea0c3cc06884079fbceff276ca
|
||||
SHA1 (patch-examples_Makefile.in) = a20967ecd88eb5e4a8b47e6a3b80bc18be713409
|
||||
SHA1 (patch-logsrvd_Makefile.in) = c460b868e09560a80f632d1332fc7d7c3d1822cf
|
||||
SHA1 (patch-plugins_sudoers_Makefile.in) = efc0fb726c23dcb2d6a006524fd561800d6d7924
|
||||
SHA1 (patch-logsrvd_Makefile.in) = b3672406368384dfbfe7ef3e6fcd141d43cbc026
|
||||
SHA1 (patch-plugins_sudoers_Makefile.in) = d2981bb9841f6bb4b1c80f5c2f2727fbf9579501
|
||||
SHA1 (patch-src_Makefile.in) = 8959049bc428f592f84de1cad1a898c07c6e6b39
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
$NetBSD: patch-configure,v 1.5 2021/01/30 11:06:45 spz Exp $
|
||||
$NetBSD: patch-configure,v 1.6 2021/03/18 08:57:48 adam Exp $
|
||||
|
||||
* Add "--with-nbsdops" option, NetBSD standard options.
|
||||
* Link with util(3) in the case of DragonFly, too.
|
||||
|
|
@ -7,9 +7,9 @@ $NetBSD: patch-configure,v 1.5 2021/01/30 11:06:45 spz Exp $
|
|||
functions (HAVE_KRB5_*).
|
||||
* Remove setting sysconfdir to "/etc".
|
||||
|
||||
--- configure.orig 2021-01-23 16:45:11.000000000 +0100
|
||||
+++ configure 2021-01-30 12:31:20.802349535 +0100
|
||||
@@ -892,6 +892,7 @@ with_libpath
|
||||
--- configure.orig 2021-03-15 16:50:00.000000000 +0000
|
||||
+++ configure
|
||||
@@ -920,6 +920,7 @@ with_libpath
|
||||
with_libraries
|
||||
with_efence
|
||||
with_csops
|
||||
|
|
@ -17,7 +17,7 @@ $NetBSD: patch-configure,v 1.5 2021/01/30 11:06:45 spz Exp $
|
|||
with_passwd
|
||||
with_skey
|
||||
with_opie
|
||||
@@ -1621,7 +1622,7 @@ Fine tuning of the installation director
|
||||
@@ -1652,7 +1653,7 @@ Fine tuning of the installation director
|
||||
--bindir=DIR user executables [EPREFIX/bin]
|
||||
--sbindir=DIR system admin executables [EPREFIX/sbin]
|
||||
--libexecdir=DIR program executables [EPREFIX/libexec]
|
||||
|
|
@ -26,7 +26,7 @@ $NetBSD: patch-configure,v 1.5 2021/01/30 11:06:45 spz Exp $
|
|||
--sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]
|
||||
--localstatedir=DIR modifiable single-machine data [PREFIX/var]
|
||||
--runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run]
|
||||
@@ -1737,6 +1738,7 @@ Optional Packages:
|
||||
@@ -1776,6 +1777,7 @@ Optional Packages:
|
||||
--with-libraries additional libraries to link with
|
||||
--with-efence link with -lefence for malloc() debugging
|
||||
--with-csops add CSOps standard options
|
||||
|
|
@ -34,7 +34,7 @@ $NetBSD: patch-configure,v 1.5 2021/01/30 11:06:45 spz Exp $
|
|||
--without-passwd don't use passwd/shadow file for authentication
|
||||
--with-skey[=DIR] enable S/Key support
|
||||
--with-opie[=DIR] enable OPIE support
|
||||
@@ -4863,6 +4865,23 @@ fi
|
||||
@@ -5203,6 +5205,23 @@ fi
|
||||
|
||||
|
||||
|
||||
|
|
@ -56,9 +56,9 @@ $NetBSD: patch-configure,v 1.5 2021/01/30 11:06:45 spz Exp $
|
|||
+
|
||||
+
|
||||
# Check whether --with-passwd was given.
|
||||
if test "${with_passwd+set}" = set; then :
|
||||
withval=$with_passwd; case $with_passwd in
|
||||
@@ -15765,7 +15784,7 @@ fi
|
||||
if test ${with_passwd+y}
|
||||
then :
|
||||
@@ -16699,7 +16718,7 @@ fi
|
||||
: ${mansectsu='1m'}
|
||||
: ${mansectform='4'}
|
||||
;;
|
||||
|
|
@ -67,71 +67,25 @@ $NetBSD: patch-configure,v 1.5 2021/01/30 11:06:45 spz Exp $
|
|||
shadow_funcs="getspnam"
|
||||
test -z "$with_pam" && AUTH_EXCL_DEF="PAM"
|
||||
# Check for SECCOMP_SET_MODE_FILTER in linux/seccomp.h
|
||||
@@ -18026,7 +18045,7 @@ if test "x$ac_cv_header_login_cap_h" = x
|
||||
_ACEOF
|
||||
@@ -18732,7 +18751,7 @@ then :
|
||||
printf "%s\n" "#define HAVE_LOGIN_CAP_H 1" >>confdefs.h
|
||||
LOGINCAP_USAGE='[-c class] '; LCMAN=1
|
||||
case "$OS" in
|
||||
- freebsd|netbsd)
|
||||
+ dragonfly*|freebsd|netbsd*)
|
||||
- freebsd*|netbsd*)
|
||||
+ dragonfly*|freebsd*|netbsd*)
|
||||
SUDO_LIBS="${SUDO_LIBS} -lutil"
|
||||
SUDOERS_LIBS="${SUDOERS_LIBS} -lutil"
|
||||
;;
|
||||
@@ -23965,10 +23984,9 @@ if test ${with_pam-"no"} != "no"; then
|
||||
# Check for pam_start() in libpam first, then for pam_appl.h.
|
||||
#
|
||||
found_pam_lib=no
|
||||
- as_ac_Lib=`$as_echo "ac_cv_lib_pam_pam_start$lt_cv_dlopen_libs" | $as_tr_sh`
|
||||
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for pam_start in -lpam" >&5
|
||||
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pam_start in -lpam" >&5
|
||||
$as_echo_n "checking for pam_start in -lpam... " >&6; }
|
||||
-if eval \${$as_ac_Lib+:} false; then :
|
||||
+if ${ac_cv_lib_pam_pam_start+:} false; then :
|
||||
$as_echo_n "(cached) " >&6
|
||||
else
|
||||
ac_check_lib_save_LIBS=$LIBS
|
||||
@@ -23992,18 +24010,17 @@ return pam_start ();
|
||||
}
|
||||
_ACEOF
|
||||
if ac_fn_c_try_link "$LINENO"; then :
|
||||
- eval "$as_ac_Lib=yes"
|
||||
+ ac_cv_lib_pam_pam_start=yes
|
||||
else
|
||||
- eval "$as_ac_Lib=no"
|
||||
+ ac_cv_lib_pam_pam_start=no
|
||||
fi
|
||||
rm -f core conftest.err conftest.$ac_objext \
|
||||
conftest$ac_exeext conftest.$ac_ext
|
||||
LIBS=$ac_check_lib_save_LIBS
|
||||
fi
|
||||
-eval ac_res=\$$as_ac_Lib
|
||||
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
|
||||
-$as_echo "$ac_res" >&6; }
|
||||
-if eval test \"x\$"$as_ac_Lib"\" = x"yes"; then :
|
||||
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pam_pam_start" >&5
|
||||
+$as_echo "$ac_cv_lib_pam_pam_start" >&6; }
|
||||
+if test "x$ac_cv_lib_pam_pam_start" = xyes; then :
|
||||
found_pam_lib=yes
|
||||
fi
|
||||
|
||||
@@ -24738,6 +24755,8 @@ fi
|
||||
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
|
||||
@@ -25528,6 +25547,8 @@ fi
|
||||
rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext
|
||||
AUTH_OBJS="$AUTH_OBJS kerb5.lo"
|
||||
fi
|
||||
+fi
|
||||
+if test ${with_kerb5-'no'} != "no"; then
|
||||
_LIBS="$LIBS"
|
||||
LIBS="${LIBS} ${SUDOERS_LIBS}"
|
||||
for ac_func in krb5_verify_user krb5_init_secure_context
|
||||
@@ -27120,7 +27139,7 @@ fi
|
||||
fi
|
||||
|
||||
case "$OS" in
|
||||
- netbsd)
|
||||
+ netbsd*)
|
||||
;;
|
||||
*)
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -Wl,--enable-new-dtags" >&5
|
||||
@@ -28297,7 +28316,6 @@ test "$docdir" = '${datarootdir}/doc/${P
|
||||
ac_fn_c_check_func "$LINENO" "krb5_verify_user" "ac_cv_func_krb5_verify_user"
|
||||
@@ -29695,7 +29716,6 @@ test "$docdir" = '${datarootdir}/doc/${P
|
||||
test "$localedir" = '${datarootdir}/locale' && localedir='$(datarootdir)/locale'
|
||||
test "$localstatedir" = '${prefix}/var' && localstatedir='$(prefix)/var'
|
||||
test "$runstatedir" = '${localstatedir}/run' && runstatedir='$(localstatedir)/run'
|
||||
|
|
|
|||
|
|
@ -1,12 +1,12 @@
|
|||
$NetBSD: patch-logsrvd_Makefile.in,v 1.1 2021/01/18 14:32:24 taca Exp $
|
||||
$NetBSD: patch-logsrvd_Makefile.in,v 1.2 2021/03/18 08:57:48 adam Exp $
|
||||
|
||||
Fix build error.
|
||||
|
||||
--- logsrvd/Makefile.in.orig 2021-01-09 20:12:16.000000000 +0000
|
||||
--- logsrvd/Makefile.in.orig 2021-03-13 15:47:23.000000000 +0000
|
||||
+++ logsrvd/Makefile.in
|
||||
@@ -46,7 +46,7 @@ INSTALL_BACKUP = @INSTALL_BACKUP@
|
||||
@@ -45,7 +45,7 @@ INSTALL_BACKUP = @INSTALL_BACKUP@
|
||||
# Libraries
|
||||
LT_LIBS = $(top_builddir)/lib/iolog/libsudo_iolog.la \
|
||||
$(top_builddir)/lib/eventlog/libsudo_eventlog.la \
|
||||
$(top_builddir)/lib/logsrv/liblogsrv.la
|
||||
-LIBS = $(LT_LIBS) @LIBTLS@
|
||||
+LIBS = $(LT_LIBS) @LIBTLS@ @LIBS@
|
||||
|
|
|
|||
|
|
@ -1,26 +1,26 @@
|
|||
$NetBSD: patch-plugins_sudoers_Makefile.in,v 1.4 2021/01/18 14:32:24 taca Exp $
|
||||
$NetBSD: patch-plugins_sudoers_Makefile.in,v 1.5 2021/03/18 08:57:48 adam Exp $
|
||||
|
||||
* Do not install the sudoers file.
|
||||
* link with @LIBS@ for PKG_OPTIONS nls enabled case.
|
||||
|
||||
--- plugins/sudoers/Makefile.in.orig 2021-01-09 20:12:16.000000000 +0000
|
||||
--- plugins/sudoers/Makefile.in.orig 2021-03-13 15:47:23.000000000 +0000
|
||||
+++ plugins/sudoers/Makefile.in
|
||||
@@ -62,10 +62,10 @@ LIBUTIL = $(top_builddir)/lib/util/libsu
|
||||
@@ -63,10 +63,10 @@ LIBUTIL = $(top_builddir)/lib/util/libsu
|
||||
LIBS = $(LIBUTIL)
|
||||
NET_LIBS = @NET_LIBS@
|
||||
SUDOERS_LIBS = @SUDOERS_LIBS@ @AFS_LIBS@ @GETGROUPS_LIB@ @LIBTLS@ $(NET_LIBS) $(LIBIOLOG) $(LIBEVENTLOG) $(LIBLOGSRV)
|
||||
-REPLAY_LIBS = @REPLAY_LIBS@ $(LIBEVENTLOG) $(LIBIOLOG)
|
||||
SUDOERS_LIBS = @SUDOERS_LIBS@ @AFS_LIBS@ @GETGROUPS_LIB@ @LIBTLS@ $(NET_LIBS) $(LIBIOLOG) $(LIBLOGSRV)
|
||||
-REPLAY_LIBS = @REPLAY_LIBS@ $(LIBIOLOG)
|
||||
-VISUDO_LIBS = $(NET_LIBS)
|
||||
-CVTSUDOERS_LIBS = $(NET_LIBS)
|
||||
-TESTSUDOERS_LIBS = $(NET_LIBS)
|
||||
+REPLAY_LIBS = @REPLAY_LIBS@ $(LIBEVENTLOG) $(LIBIOLOG) @LIBS@
|
||||
+REPLAY_LIBS = @REPLAY_LIBS@ $(LIBIOLOG) @LIBS@
|
||||
+VISUDO_LIBS = $(NET_LIBS) @LIBS@
|
||||
+CVTSUDOERS_LIBS = $(NET_LIBS) @LIBS@
|
||||
+TESTSUDOERS_LIBS = $(NET_LIBS) @LIBS@
|
||||
|
||||
# C preprocessor defines
|
||||
CPPDEFS = -DLIBDIR=\"$(libdir)\" -DLOCALEDIR=\"$(localedir)\" \
|
||||
@@ -390,7 +390,7 @@ pre-install:
|
||||
@@ -483,7 +483,7 @@ pre-install:
|
||||
fi; \
|
||||
fi
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue