From aa53cb76cc7e0c2862f7f2ff914fbcd2e1e2e13c Mon Sep 17 00:00:00 2001 From: Radovan Sroka Date: Tue, 15 Sep 2020 16:49:29 +0200 Subject: [PATCH 1/3] Rebase to 1.9.2 Resolves: rhbz#1859577 - added logsrvd subpackage - added openssl-devel buildrequires Resolves: rhbz#1860653 - fixed sudo runstatedir path - it was generated as /sudo instead of /run/sudo Resolves: rhbz#1868215 - added /var/lib/snapd/snap/bin to secure_path variable Resolves: rhbz#1691996 Signed-off-by: Radovan Sroka --- .gitignore | 1 + configure-runstatedir.patch | 43 ++++++++++++++++++++++++++++++++++ sources | 2 +- sudo.spec | 46 +++++++++++++++++++++++++++++-------- sudoers | 2 +- 5 files changed, 83 insertions(+), 11 deletions(-) create mode 100644 configure-runstatedir.patch diff --git a/.gitignore b/.gitignore index e7db9cd..4c5f1eb 100644 --- a/.gitignore +++ b/.gitignore @@ -23,3 +23,4 @@ /sudo-1.9.0b1.tar.gz /sudo-1.9.0b4.tar.gz /sudo-1.9.1.tar.gz +/sudo-1.9.2.tar.gz diff --git a/configure-runstatedir.patch b/configure-runstatedir.patch new file mode 100644 index 0000000..980e767 --- /dev/null +++ b/configure-runstatedir.patch 
@@ -0,0 +1,43 @@
+From 0d7a041f18c5016abb78b74f3cfa505797e704ee Mon Sep 17 00:00:00 2001
+From: Evan Anderson
+Date: Sun, 6 Sep 2020 14:30:54 -0500
+Subject: [PATCH] configure: Fix runstatedir handling for distros that do not
+ support it
+
+runstatedir was added in yet-to-be released autoconf 2.70. Some distros
+are shipping this addition in their autoconf packages, but others, such as Fedora,
+are not. This causes the rundir variable to be set incorrectly if the configure script
+is regenerated with an unpatched autoconf since the runstatedir variable set is deleted
+after regeneration. This change works around that problem by checking that runstatedir
+is non-empty before potentially using it to set the rundir variable
+---
+ configure | 2 +-
+ m4/sudo.m4 | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/configure b/configure
+index 0f6ceb16c..2e0838e01 100755
+--- a/configure
++++ b/configure
+@@ -26718,7 +26718,7 @@ EOF
+ $as_echo_n "checking for sudo run dir location... " >&6; }
+ if test -n "$with_rundir"; then
+ rundir="$with_rundir"
+-elif test "$runstatedir" != '${localstatedir}/run'; then
++elif test -n "$runstatedir" && test "$runstatedir" != '${localstatedir}/run'; then
+ rundir="$runstatedir/sudo"
+ else
+ # No --with-rundir or --runstatedir specified
+diff --git a/m4/sudo.m4 b/m4/sudo.m4
+index a5a972b3c..b3a40b208 100644
+--- a/m4/sudo.m4
++++ b/m4/sudo.m4
+@@ -120,7 +120,7 @@ dnl
+ AC_DEFUN([SUDO_RUNDIR], [AC_MSG_CHECKING(for sudo run dir location)
+ if test -n "$with_rundir"; then
+ rundir="$with_rundir"
+-elif test "$runstatedir" != '${localstatedir}/run'; then
++elif test -n "$runstatedir" && test "$runstatedir" != '${localstatedir}/run'; then
+ rundir="$runstatedir/sudo"
+ else
+ # No --with-rundir or --runstatedir specified
diff --git a/sources b/sources
index 35fc51b..5185f4c 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@ -SHA512 (sudo-1.9.1.tar.gz) = 7994c7d8f020188eda51787bb5f6fe7668518cc89b711e7840470db7e5bac1219490ffccc73854fecb14ceb3ffaf0fc605f3438c87b83f27921ea3626365105c +SHA512 (sudo-1.9.2.tar.gz) = 20afdf2604b1c93395157382b24f225cd1ff88d3a892362e2d69fecd240c4e7171f05032c08be1778cd1dea6e460025e4241f57272fac0ea3550e220b6d73d21 diff --git a/sudo.spec b/sudo.spec index 7381722..050f34a 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,7 +1,7 @@ Summary: Allows restricted root access for specified users Name: sudo -Version: 1.9.1 -Release: 3%{?dist} +Version: 1.9.2 +Release: 1%{?dist} License: ISC URL: http://www.courtesan.com/sudo/ Source0: https://www.sudo.ws/dist/%{name}-%{version}.tar.gz @@ -24,6 +24,7 @@ BuildRequires: zlib-devel # don't strip Patch1: sudo-1.6.7p5-strip.patch +Patch2: configure-runstatedir.patch %description Sudo (superuser do) allows a system administrator to give certain @@ -44,10 +45,22 @@ Requires: %{name} = %{version}-%{release} The %{name}-devel package contains header files developing sudo plugins that use %{name}. + +%package logsrvd +Summary: High-performance log server for %{name} +Requires: %{name} = %{version}-%{release} +BuildRequires: openssl-devel + + +%description logsrvd +%{name}-logsrvd is a high-performance log server that accepts event and I/O logs from sudo. +It can be used to implement centralized logging of sudo logs. + %prep %setup -q %patch1 -p1 -b .strip +%patch2 -p1 -b .runstatedir %build # Remove bundled copy of zlib @@ -67,6 +80,7 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" --sbindir=%{_sbindir} \ --libdir=%{_libdir} \ --docdir=%{_pkgdocdir} \ + --enable-openssl \ --disable-root-mailer \ --with-logging=syslog \ --with-logfac=authpriv \ 
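Review bot: `Patch2: configure-runstatedir.patch` in the `@@ -24,6 +24,7 @@` hunk of sudo.spec is added without the one-line comment that `Patch1` carries (`# don't strip`), so the reason a downstream-only patch exists lives only in the commit message. Add above it `# rhbz#1860653: rundir came out as /sudo instead of /run/sudo when configure is regenerated with an autoconf that lacks runstatedir`. That also tells the next rebase when the patch can be dropped, since the same condition is what upstream commit 0d7a041f18c5 fixes.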
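Review bot: `BuildRequires: openssl-devel` is declared inside the `%package logsrvd` stanza in the `@@ -44,10 +45,22 @@` hunk, but BuildRequires is never scoped to a subpackage — rpmbuild applies it to the whole build — and the `--enable-openssl` flag added to the single configure invocation in the `@@ -67,6 +80,7 @@` hunk presumably affects the sudoers plugin's log client as well, not only `sudo_logsrvd`; worth confirming with `ldd` on the built `sudoers.so`. Placing the line next to the other BuildRequires lines (after `BuildRequires: zlib-devel`, visible as context in the `@@ -24,6 +24,7 @@` hunk) stops readers from assuming it is logsrvd-only. The changelog entry in this commit attributes openssl-devel to the subpackage, so one sentence noting that the main package is now built with OpenSSL support would keep the record accurate.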
@@ -154,7 +168,6 @@ EOF
 %attr(0644,root,root) %{_tmpfilesdir}/sudo.conf
 %attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/sudo.conf
 %attr(0640,root,root) %config(noreplace) /etc/sudo.conf
-%attr(0640,root,root) %config(noreplace) /etc/sudo_logsrvd.conf
 %dir /var/db/sudo
 %dir /var/db/sudo/lectured
 %attr(4111,root,root) %{_bindir}/sudo
@@ -163,8 +176,6 @@ EOF
 %attr(0755,root,root) %{_sbindir}/visudo
 %{_bindir}/cvtsudoers
 %dir %{_libexecdir}/sudo
-%attr(0755,root,root) %{_sbindir}/sudo_logsrvd
-%attr(0755,root,root) %{_sbindir}/sudo_sendlog
 %attr(0755,root,root) %{_libexecdir}/sudo/sesh
 %attr(0644,root,root) %{_libexecdir}/sudo/sudo_noexec.so
 %attr(0644,root,root) %{_libexecdir}/sudo/sudoers.so
@@ -184,11 +195,7 @@ EOF
 %{_mandir}/man8/visudo.8*
 %{_mandir}/man1/cvtsudoers.1.gz
 %{_mandir}/man5/sudoers_timestamp.5.gz
-%{_mandir}/man5/sudo_logsrv.proto.5.gz
-%{_mandir}/man5/sudo_logsrvd.conf.5.gz
-%{_mandir}/man8/sudo_logsrvd.8.gz
 %{_mandir}/man8/sudo_plugin_python.8.gz
-%{_mandir}/man8/sudo_sendlog.8.gz
 %dir %{_pkgdocdir}/
 %{_pkgdocdir}/*
 %{!?_licensedir:%global license %%doc}
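Review bot: The three hunks here (`@@ -154,7 +168,6 @@`, `@@ -163,8 +176,6 @@`, `@@ -184,11 +195,7 @@`) drop `sudo_logsrvd`, `sudo_sendlog`, `/etc/sudo_logsrvd.conf` and their man pages from the main package's `%files`, and nothing in this commit makes the main package pull in `sudo-logsrvd` — no `Requires`, `Recommends` or `Suggests` on the new subpackage is visible. A host upgrading from 1.9.1-3, where these files belonged to `sudo`, may therefore lose the log server binary and the packaged config unless `sudo-logsrvd` is installed by hand; if that is intended, a changelog line saying so would help, otherwise `Suggests: %{name}-logsrvd = %{version}-%{release}` in the main package header keeps the subpackage discoverable without forcing a network daemon onto every install. The `%config(noreplace)` and `0640 root:root` attributes on the moved config are preserved in the new `%files logsrvd`, which is right for an admin-edited file that may reference TLS key material.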
@@ -200,7 +207,28 @@ EOF %{_includedir}/sudo_plugin.h %{_mandir}/man8/sudo_plugin.8* +%files logsrvd +%attr(0640,root,root) %config(noreplace) /etc/sudo_logsrvd.conf +%attr(0755,root,root) %{_sbindir}/sudo_logsrvd +%attr(0755,root,root) %{_sbindir}/sudo_sendlog +%{_mandir}/man5/sudo_logsrv.proto.5.gz +%{_mandir}/man5/sudo_logsrvd.conf.5.gz +%{_mandir}/man8/sudo_logsrvd.8.gz +%{_mandir}/man8/sudo_sendlog.8.gz + %changelog +* Tue Sep 15 2020 Radovan Sroka - 1.9.2-1 +- rebase to 1.9.2 +Resolves: rhbz#1859577 +- added logsrvd subpackage +- added openssl-devel buildrequires +Resolves: rhbz#1860653 +- fixed sudo runstatedir path +- it was generated as /sudo instead of /run/sudo +Resolves: rhbz#1868215 +- added /var/lib/snapd/snap/bin to secure_path variable +Resolves: rhbz#1691996 + * Sat Aug 01 2020 Fedora Release Engineering - 1.9.1-3 - Second attempt - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild diff --git a/sudoers b/sudoers index 29775ad..5f621a8 100644 --- a/sudoers +++ b/sudoers @@ -85,7 +85,7 @@ Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY # # Defaults env_keep += "HOME" -Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin ## Next comes the main part: which users can run what software on ## which machines (the sudoers file can be shared between multiple From 66b08616fcc02ebabc94ad27819932a1ff5a070d Mon Sep 17 00:00:00 2001 
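Review bot: The `secure_path` line in the sudoers hunk gains `/var/lib/snapd/snap/bin` with no comment, although `secure_path` is the PATH that every command run through sudo is resolved against, so whatever appears in that directory becomes reachable by bare name with root privileges. Appending it last is the right choice because it cannot shadow `/usr/sbin` or `/usr/bin` entries; record that intent so it is not reordered later, e.g. `# /var/lib/snapd/snap/bin stays last: snap-exposed commands must not shadow system paths (rhbz#1691996)` above the `Defaults secure_path` line. The entry also relies on that directory and the links it holds being root-owned and not writable by unprivileged users — presumably true for a snapd-managed path, but worth confirming before shipping, since sudo does not, to my knowledge, validate ownership of `secure_path` directories itself. The hunk's trailing context is a blank line and two `##` comment lines, so nothing else in sudoers changes.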
From: Radovan Sroka Date: Mon, 5 Oct 2020 13:34:24 +0200 Subject: [PATCH 2/3] Rebase to 1.9.5p1 Resolves: rhbz#1902758 - updated sudo url - enabled python module as a subpackage Resolves: rhbz#1909299 - fixed double free in sss_to_sudoers Resolves: rhbz#1885874 - fixed CVE-2021-23239 sudo: possible directory existence test due to race condition in sudoedit Resolves: rhbz#1915055 - fixed CVE-2021-23240 sudo: symbolic link attack in SELinux-enabled sudoedit Resolves: rhbz#1915054 Signed-off-by: Radovan Sroka --- .gitignore | 2 ++ configure-runstatedir.patch | 43 ------------------------------------- sources | 2 +- sudo.spec | 37 +++++++++++++++++++++++++------ 4 files changed, 34 insertions(+), 50 deletions(-) delete mode 100644 configure-runstatedir.patch diff --git a/.gitignore b/.gitignore index 4c5f1eb..9ea49f6 100644 --- a/.gitignore +++ b/.gitignore @@ -24,3 +24,5 @@ /sudo-1.9.0b4.tar.gz /sudo-1.9.1.tar.gz /sudo-1.9.2.tar.gz +/sudo-1.9.3p1.tar.gz +/sudo-1.9.5p1.tar.gz diff --git a/configure-runstatedir.patch b/configure-runstatedir.patch deleted file mode 100644 index 980e767..0000000 --- a/configure-runstatedir.patch +++ /dev/null 
@@ -1,43 +0,0 @@
-From 0d7a041f18c5016abb78b74f3cfa505797e704ee Mon Sep 17 00:00:00 2001
-From: Evan Anderson
-Date: Sun, 6 Sep 2020 14:30:54 -0500
-Subject: [PATCH] configure: Fix runstatedir handling for distros that do not
- support it
-
-runstatedir was added in yet-to-be released autoconf 2.70. Some distros
-are shipping this addition in their autoconf packages, but others, such as Fedora,
-are not. This causes the rundir variable to be set incorrectly if the configure script
-is regenerated with an unpatched autoconf since the runstatedir variable set is deleted
-after regeneration. This change works around that problem by checking that runstatedir
-is non-empty before potentially using it to set the rundir variable
----
- configure | 2 +-
- m4/sudo.m4 | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/configure b/configure
-index 0f6ceb16c..2e0838e01 100755
---- a/configure
-+++ b/configure
-@@ -26718,7 +26718,7 @@ EOF
- $as_echo_n "checking for sudo run dir location... " >&6; }
- if test -n "$with_rundir"; then
- rundir="$with_rundir"
--elif test "$runstatedir" != '${localstatedir}/run'; then
-+elif test -n "$runstatedir" && test "$runstatedir" != '${localstatedir}/run'; then
- rundir="$runstatedir/sudo"
- else
- # No --with-rundir or --runstatedir specified
-diff --git a/m4/sudo.m4 b/m4/sudo.m4
-index a5a972b3c..b3a40b208 100644
---- a/m4/sudo.m4
-+++ b/m4/sudo.m4
-@@ -120,7 +120,7 @@ dnl
- AC_DEFUN([SUDO_RUNDIR], [AC_MSG_CHECKING(for sudo run dir location)
- if test -n "$with_rundir"; then
- rundir="$with_rundir"
--elif test "$runstatedir" != '${localstatedir}/run'; then
-+elif test -n "$runstatedir" && test "$runstatedir" != '${localstatedir}/run'; then
- rundir="$runstatedir/sudo"
- else
- # No --with-rundir or --runstatedir specified
diff --git a/sources b/sources
index 5185f4c..9d9c821 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@ -SHA512 (sudo-1.9.2.tar.gz) = 20afdf2604b1c93395157382b24f225cd1ff88d3a892362e2d69fecd240c4e7171f05032c08be1778cd1dea6e460025e4241f57272fac0ea3550e220b6d73d21 +SHA512 (sudo-1.9.5p1.tar.gz) = 0168f0b61a6c2d2f60a92b5b4d3c3254aed4116decabac3821d9ac2fd7f74bb7b019e35bb8955335315b3b00ddf4e4acd82540df0addc1d9bf4f44b60447a878 diff --git a/sudo.spec b/sudo.spec index 050f34a..16d3c05 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,13 +1,14 @@ Summary: Allows restricted root access for specified users Name: sudo -Version: 1.9.2 +Version: 1.9.5p1 Release: 1%{?dist} License: ISC -URL: http://www.courtesan.com/sudo/ -Source0: https://www.sudo.ws/dist/%{name}-%{version}.tar.gz +URL: https://www.sudo.ws +Source0: %{url}/dist/%{name}-%{version}.tar.gz Source1: sudoers Requires: pam Recommends: vim-minimal +Recommends: %{name}-python-plugin%{?_isa} = %{version}-%{release} Requires(post): coreutils BuildRequires: pam-devel @@ -24,7 +25,6 @@ BuildRequires: zlib-devel # don't strip Patch1: sudo-1.6.7p5-strip.patch -Patch2: configure-runstatedir.patch %description Sudo (superuser do) allows a system administrator to give certain @@ -56,11 +56,19 @@ BuildRequires: openssl-devel %{name}-logsrvd is a high-performance log server that accepts event and I/O logs from sudo. It can be used to implement centralized logging of sudo logs. +%package python-plugin +Summary: Python plugin for %{name} +Requires: %{name} = %{version}-%{release} +BuildRequires: python3-devel + + +%description python-plugin +%{name}-python-plugin allows using sudo plugins written in Python. + %prep %setup -q %patch1 -p1 -b .strip -%patch2 -p1 -b .runstatedir %build # Remove bundled copy of zlib @@ -93,6 +101,7 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" --with-ldap \ --with-selinux \ --with-passprompt="[sudo] password for %p: " \ + --enable-python \ --with-linux-audit \ --with-sssd # --without-kerb5 \ 
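Review bot: `Recommends: %{name}-python-plugin%{?_isa} = %{version}-%{release}` in the `@@ -1,13 +1,14 @@` hunk makes the Python plugin, and with it python3, part of every default `sudo` install, while the subpackage already depends back on `%{name}` in the `@@ -56,11 +56,19 @@` hunk; it is the weak dependency in the base package that widens the default footprint. As I understand it sudo only loads plugins listed in `/etc/sudo.conf`, so the shipped `.so` is inert until an administrator enables it, but minimal installs and containers now pull in an interpreter for a feature they may never configure. `Suggests:` (or no weak dependency at all) keeps the plugin discoverable without installing it by default; if `Recommends:` is deliberate, a changelog line explaining the choice would help. `BuildRequires: python3-devel` under `%package python-plugin` has the same placement problem as the `BuildRequires: openssl-devel` line shown as context for the `@@ -56,11 +56,19 @@` hunk: BuildRequires is global to the spec, so both belong with the other BuildRequires lines in the header.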
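Review bot: The `@@ -24,7 +25,6 @@` hunk removes `Patch2: configure-runstatedir.patch` and `%prep` no longer applies it in the `@@ -56,11 +56,19 @@` hunk, but neither the commit message nor the new changelog entry says why the downstream fix for rhbz#1860653 is no longer needed; presumably the 1.9.5p1 tarball already carries upstream commit 0d7a041f18c5, of which the deleted patch file was a copy. A changelog line such as `- dropped configure-runstatedir.patch, fixed upstream` would let the next rebase verify that the run dir is still generated as /run/sudo rather than rediscover the bug.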
@@ -195,7 +204,6 @@ EOF %{_mandir}/man8/visudo.8* %{_mandir}/man1/cvtsudoers.1.gz %{_mandir}/man5/sudoers_timestamp.5.gz -%{_mandir}/man8/sudo_plugin_python.8.gz %dir %{_pkgdocdir}/ %{_pkgdocdir}/* %{!?_licensedir:%global license %%doc} @@ -216,7 +224,24 @@ EOF %{_mandir}/man8/sudo_logsrvd.8.gz %{_mandir}/man8/sudo_sendlog.8.gz +%files python-plugin +%{_mandir}/man8/sudo_plugin_python.8.gz +%attr(0644,root,root) %{_libexecdir}/sudo/python_plugin.so + %changelog +* Mon Jan 18 2021 Radovan Sroka - 1.9.5p1-1 +- rebase to 1.9.5p1 +- updated sudo url +Resolves: rhbz#1902758 +- enabled python plugin as a subpackage +Resolves: rhbz#1909299 +- fixed double free in sss_to_sudoers +Resolves: rhbz#1885874 +- fixed CVE-2021-23239 sudo: possible directory existence test due to race condition in sudoedit +Resolves: rhbz#1915055 +- fixed CVE-2021-23240 sudo: symbolic link attack in SELinux-enabled sudoedit +Resolves: rhbz#1915054 + * Tue Sep 15 2020 Radovan Sroka - 1.9.2-1 - rebase to 1.9.2 Resolves: rhbz#1859577 From 0c3fcadfc8fdde14555f53b79884bdc8c767ed4c Mon Sep 17 00:00:00 2001 From: Matthew Miller Date: Tue, 26 Jan 2021 14:00:13 -0500 Subject: [PATCH 3/3] Rebase to 1.9.5p2 Resolves: rhbz#1920611 - CVE-2021-3156 sudo: Heap buffer overflow in argument parsing Resolves: rhbz#1920618 --- .gitignore | 1 + sources | 2 +- sudo.spec | 8 +++++++- 3 files changed, 9 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index 9ea49f6..eb540df 100644 --- a/.gitignore +++ b/.gitignore @@ -26,3 +26,4 @@ /sudo-1.9.2.tar.gz /sudo-1.9.3p1.tar.gz /sudo-1.9.5p1.tar.gz +/sudo-1.9.5p2.tar.gz diff --git a/sources b/sources index 9d9c821..e39bcb4 100644 --- a/sources +++ b/sources 
@@ -1 +1 @@ -SHA512 (sudo-1.9.5p1.tar.gz) = 0168f0b61a6c2d2f60a92b5b4d3c3254aed4116decabac3821d9ac2fd7f74bb7b019e35bb8955335315b3b00ddf4e4acd82540df0addc1d9bf4f44b60447a878 +SHA512 (sudo-1.9.5p2.tar.gz) = f0fe914963c31a6f8ab6c86847ff6cdd125bd5a839b27f46dcae03963f4fc413b3d4cca54c1979feb825c8479b44c7df0642c07345c941eecf6f9f1e03ea0e27 diff --git a/sudo.spec b/sudo.spec index 16d3c05..6945c73 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,6 +1,6 @@ Summary: Allows restricted root access for specified users Name: sudo -Version: 1.9.5p1 +Version: 1.9.5p2 Release: 1%{?dist} License: ISC URL: https://www.sudo.ws @@ -229,6 +229,12 @@ EOF %attr(0644,root,root) %{_libexecdir}/sudo/python_plugin.so %changelog +* Tue Jan 26 2021 Matthew Miller - 1.9.5p2-1 +- rebase to 1.9.5p2 +Resolves: rhbz#1920611 +- fixed CVE-2021-3156 sudo: Heap buffer overflow in argument parsing +Resolves: rhbz#1920618 + * Mon Jan 18 2021 Radovan Sroka - 1.9.5p1-1 - rebase to 1.9.5p1 - updated sudo url