From fdc59a3ba20911b797b5b623af17febb87d70481 Mon Sep 17 00:00:00 2001 From: Matthew Miller Date: Mon, 6 Jun 2022 12:54:31 -0400 Subject: [PATCH 1/3] Rebase to sudo 1.9.12p2 - sudo-1.9.12p2 is available Resolves: rhbz#2137775 - sudo: arbitrary file write with privileges of the RunAs user CVE-2023-22809 Resolves: rhbz#2162042 - recommend system-default-editor instead of nano specifically Signed-off-by: Radovan Sroka --- .gitignore | 2 ++ sources | 2 +- sudo.spec | 20 +++++++++----------- 3 files changed, 12 insertions(+), 12 deletions(-) diff --git a/.gitignore b/.gitignore index 95a08a0..3d050b5 100644 --- a/.gitignore +++ b/.gitignore @@ -28,3 +28,5 @@ /sudo-1.9.5p1.tar.gz /sudo-1.9.5p2.tar.gz /sudo-1.9.8p2.tar.gz +/sudo-1.9.11p3.tar.gz +/sudo-1.9.12p2.tar.gz diff --git a/sources b/sources index 0004df8..f68ca42 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (sudo-1.9.8p2.tar.gz) = 899b252e8c219226f658dff3dd34c97b07d42004998b45175b4c0c4de42a6bf9f909598e99b4056fa1171e63378e203854b0f8608b0f5c1b00e9d3677818f6d3 +SHA512 (sudo-1.9.12p2.tar.gz) = 5e035246137d5820691f7ddfc13faec3886e3cf1563ed56633667d86ab4f1306f34cc0e27808f56790b6c6a4614826e54c5b7e47b31eb009b96dde3e52170c45 diff --git a/sudo.spec b/sudo.spec index ba67a9b..f0f1e53 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,21 +1,20 @@ - # comment out if no extra version %global extraver p2 Summary: Allows restricted root access for specified users Name: sudo -Version: 1.9.8 +Version: 1.9.12 # remove -b 3 after rebase !!! # use "-p -e % {?extraver}" when beta # use "-e % {?extraver}"" when patch version # use nothing special when normal version -Release: %autorelease -e %{?extraver} -b 3 +Release: %autorelease -e %{?extraver} License: ISC URL: https://www.sudo.ws Source0: %{url}/dist/%{name}-%{version}%{?extraver}.tar.gz Source1: sudoers Requires: pam -Recommends: nano +Recommends: system-default-editor Recommends: %{name}-python-plugin%{?_isa} = %{version}-%{release} BuildRequires: make 
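Review bot: The rebased tarball appears to be trusted only through the SHA512 in `sources`: the Source list visible in the first `sudo.spec` hunk has `Source0` (the upstream tarball) and `Source1: sudoers`, with no detached signature or keyring entry. `%prep` is outside the hunk, so this is inferred, but nothing shown checks the upstream release signature at build time. For a setuid package being rebased to pick up CVE-2023-22809, I would add the upstream `.sig` and a keyring as extra `Source` entries and call `%{gpgverify} --keyring=... --signature=... --data='%{SOURCE0}'` first in `%prep`. Separately, the context comment `# remove -b 3 after rebase !!!` is stale now that this hunk drops `-b 3` from `Release`, and should be deleted.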
@@ -90,7 +89,7 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" --sbindir=%{_sbindir} \ --libdir=%{_libdir} \ --docdir=%{_pkgdocdir} \ - --enable-openssl \ + --enable-openssl \ --disable-root-mailer \ --disable-intercept \ --with-logging=syslog \ @@ -104,8 +103,8 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" --with-ldap \ --with-selinux \ --with-passprompt="[sudo] password for %p: " \ - --enable-python \ - --enable-zlib=system \ + --enable-python \ + --enable-zlib=system \ --with-linux-audit \ --with-sssd # --without-kerb5 \ @@ -194,7 +193,6 @@ EOF %attr(0644,root,root) %{_libexecdir}/sudo/sudoers.so %attr(0644,root,root) %{_libexecdir}/sudo/audit_json.so %attr(0644,root,root) %{_libexecdir}/sudo/group_file.so -%attr(0644,root,root) %{_libexecdir}/sudo/sample_approval.so %attr(0644,root,root) %{_libexecdir}/sudo/system_group.so %attr(0644,root,root) %{_libexecdir}/sudo/libsudo_util.so.?.?.? %{_libexecdir}/sudo/libsudo_util.so.? @@ -211,13 +209,13 @@ EOF %dir %{_pkgdocdir}/ %{_pkgdocdir}/* %{!?_licensedir:%global license %%doc} -%license doc/LICENSE +%license LICENSE.md %exclude %{_pkgdocdir}/ChangeLog %files devel %doc plugins/sample/sample_plugin.c %{_includedir}/sudo_plugin.h -%{_mandir}/man8/sudo_plugin.8* +%{_mandir}/man5/sudo_plugin.5* %files logsrvd %attr(0640,root,root) %config(noreplace) /etc/sudo_logsrvd.conf @@ -229,7 +227,7 @@ EOF %{_mandir}/man8/sudo_sendlog.8.gz %files python-plugin -%{_mandir}/man8/sudo_plugin_python.8.gz +%{_mandir}/man5/sudo_plugin_python.5.gz %attr(0644,root,root) %{_libexecdir}/sudo/python_plugin.so %changelog From 6a693bfe23e749910a3bee1d43da3ba1f8662b86 Mon Sep 17 00:00:00 2001 
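Review bot: The new `%files python-plugin` entry `%{_mandir}/man5/sudo_plugin_python.5.gz` (hunk `@@ -229,7 +227,7 @@`) hard-codes the man-page compression suffix, while the `%files devel` entry changed in the previous hunk uses the glob form `sudo_plugin.5*`. If the build's man-page compression ever changes, the hard-coded path stops matching and the package fails to build; `%{_mandir}/man5/sudo_plugin_python.5*` avoids that and keeps the two sections consistent. The context line `%{_mandir}/man8/sudo_sendlog.8.gz` has the same form and could be changed with it. The `%files` sections begin outside these hunks.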
From: Radovan Sroka Date: Thu, 19 Jan 2023 14:47:41 +0100 Subject: [PATCH 2/3] Rebase to sudo 1.9.12p2 - sudo-1.9.12p2 is available Resolves: rhbz#2137775 - sudo: arbitrary file write with privileges of the RunAs user CVE-2023-22809 Resolves: rhbz#2162041 - recommend system-default-editor instead of nano specifically Signed-off-by: Radovan Sroka From e1d77d5df63c766258c605abe2d1e6e958af61a6 Mon Sep 17 00:00:00 2001 From: Radovan Sroka Date: Wed, 1 Mar 2023 17:42:19 +0100 Subject: [PATCH 3/3] Rebase to sudo 1.9.13p2 - sudo-1.9.13p2 is available Resolves: rhbz#2169840 - sudo: double free with per-command chroot sudoers rules Resolves: CVE-2023-27320 Signed-off-by: Radovan Sroka --- .gitignore | 1 + sources | 2 +- sudo.spec | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index 3d050b5..224d9ce 100644 --- a/.gitignore +++ b/.gitignore @@ -30,3 +30,4 @@ /sudo-1.9.8p2.tar.gz /sudo-1.9.11p3.tar.gz /sudo-1.9.12p2.tar.gz +/sudo-1.9.13p2.tar.gz diff --git a/sources b/sources index f68ca42..d221fe6 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (sudo-1.9.12p2.tar.gz) = 5e035246137d5820691f7ddfc13faec3886e3cf1563ed56633667d86ab4f1306f34cc0e27808f56790b6c6a4614826e54c5b7e47b31eb009b96dde3e52170c45 +SHA512 (sudo-1.9.13p2.tar.gz) = b3015a114fd518afd644c9934f2461046f1116506723217603af1a952bdb436689761b4d009dfe32b725bad2e0ebcaf19db72febfaa63895ba004256fea12bef diff --git a/sudo.spec b/sudo.spec index f0f1e53..7a10271 100644 --- a/sudo.spec +++ b/sudo.spec @@ -3,7 +3,7 @@ Summary: Allows restricted root access for specified users Name: sudo -Version: 1.9.12 +Version: 1.9.13 # remove -b 3 after rebase !!! # use "-p -e % {?extraver}" when beta # use "-e % {?extraver}"" when patch version