From 5cca8afb1870c3b0a7a384963f1be94bd9dd1c5c Mon Sep 17 00:00:00 2001 From: Radovan Sroka Date: Fri, 26 Aug 2016 14:05:06 +0200 Subject: [PATCH 1/6] update to 1.8.18 - dropped sudo-1.8.14p1-ldapconfpatch.patch upstreamed --> https://www.sudo.ws/pipermail/sudo-workers/2016-September/001006.html - added --disable-root-mailer as configure option Resolves: rhbz#1324091 --- .gitignore | 4 +++ sources | 2 +- sudo-1.8.14p1-ldapconfpatch.patch | 55 ------------------------------- sudo.spec | 13 +++++--- 4 files changed, 14 insertions(+), 60 deletions(-) delete mode 100644 sudo-1.8.14p1-ldapconfpatch.patch diff --git a/.gitignore b/.gitignore index 04f884a..20ced3c 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,6 @@ /sudo-1.8.16.tar.gz /sudo-1.8.17p1.tar.gz +/sudo-1.8.18b2.tar.gz +/sudo-1.8.18rc2.tar.gz +/sudo-1.8.18rc4.tar.gz +/sudo-1.8.18.tar.gz diff --git a/sources b/sources index 9534406..9410aa8 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -50a840a688ceb6fa3ab24fc0adf4fa23 sudo-1.8.17p1.tar.gz +c1201904fd9144ea5e7cd9496fcbbc64 sudo-1.8.18.tar.gz diff --git a/sudo-1.8.14p1-ldapconfpatch.patch b/sudo-1.8.14p1-ldapconfpatch.patch deleted file mode 100644 index f42d487..0000000 --- a/sudo-1.8.14p1-ldapconfpatch.patch +++ /dev/null 
@@ -1,55 +0,0 @@ -diff -up sudo-1.8.14b3/plugins/sudoers/ldap.c.ldapconfpatch sudo-1.8.14b3/plugins/sudoers/ldap.c ---- sudo-1.8.14b3/plugins/sudoers/ldap.c.ldapconfpatch 2015-07-07 18:51:11.000000000 +0200 -+++ sudo-1.8.14b3/plugins/sudoers/ldap.c 2015-07-09 11:03:25.686645581 +0200 -@@ -1922,6 +1922,33 @@ sudo_check_krb5_ccname(const char *ccnam - } - #endif /* HAVE_LDAP_SASL_INTERACTIVE_BIND_S */ - -+/* -+ * Read a line of input, remove whole line comments and strip off leading -+ * and trailing spaces. Returns static storage that is reused. -+ */ -+static char * -+sudo_ldap_parseln(fp) -+ FILE *fp; -+{ -+ size_t len; -+ char *cp = NULL; -+ static char buf[LINE_MAX]; -+ -+ if (fgets(buf, sizeof(buf), fp) != NULL) { -+ /* Remove comments */ -+ if (*buf == '#') -+ *buf = '\0'; -+ -+ /* Trim leading and trailing whitespace/newline */ -+ len = strlen(buf); -+ while (len > 0 && isspace((unsigned char)buf[len - 1])) -+ buf[--len] = '\0'; -+ for (cp = buf; isblank(*cp); cp++) -+ continue; -+ } -+ return(cp); -+} -+ - static bool - sudo_ldap_read_config(void) - { -@@ -1955,7 +1982,7 @@ sudo_ldap_read_config(void) - if ((fp = fopen(path_ldap_conf, "r")) == NULL) - debug_return_bool(false); - -- while (sudo_parseln(&line, &linesize, NULL, fp) != -1) { -+ while ((line = sudo_ldap_parseln(fp)) != NULL) { - if (*line == '\0') - continue; /* skip empty line */ - -@@ -1975,7 +2002,7 @@ sudo_ldap_read_config(void) - if (!sudo_ldap_parse_keyword(keyword, value, ldap_conf_global)) - sudo_ldap_parse_keyword(keyword, value, ldap_conf_conn); - } -- free(line); -+ - fclose(fp); - - if (!ldap_conf.host) { diff --git a/sudo.spec b/sudo.spec index b0a0802..d7d709f 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,6 +1,6 @@ Summary: Allows restricted root access for specified users Name: sudo -Version: 1.8.17p1 +Version: 1.8.18 Release: 1%{?dist} License: ISC Group: Applications/System 
@@ -26,8 +26,6 @@ BuildRequires: zlib-devel # don't strip Patch1: sudo-1.6.7p5-strip.patch -# Patch to read ldap.conf more closely to nss_ldap -Patch2: sudo-1.8.14p1-ldapconfpatch.patch %description Sudo (superuser do) allows a system administrator to give certain @@ -53,7 +51,6 @@ plugins that use %{name}. %setup -q %patch1 -p1 -b .strip -%patch2 -p1 -b .ldapconfpatch %build # Remove bundled copy of zlib @@ -73,6 +70,7 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" --sbindir=%{_sbindir} \ --libdir=%{_libdir} \ --docdir=%{_pkgdocdir} \ + --disable-root-mailer \ --with-logging=syslog \ --with-logfac=authpriv \ --with-pam \ @@ -194,6 +192,13 @@ rm -rf $RPM_BUILD_ROOT %{_libexecdir}/sudo/libsudo_util.so %changelog +* Wed Sep 21 2016 Radovan Sroka 1.8.18-1 +- update to 1.8.18 +- dropped sudo-1.8.14p1-ldapconfpatch.patch + upstreamed --> https://www.sudo.ws/pipermail/sudo-workers/2016-September/001006.html +- added --disable-root-mailer as configure option + Resolves: rhbz#1324091 + * Fri Jun 24 2016 Daniel Kopecek 1.8.17p1-1 - update to 1.8.17p1 - install the /var/db/sudo/lectured From dcf541d6dd97b2f00161d3978f8f3484192c9166 Mon Sep 17 00:00:00 2001 From: Daniel Kopecek Date: Tue, 8 Nov 2016 14:21:34 +0100 Subject: [PATCH 2/6] update to 1.8.18p1 - fixes CVE-2016-7076 --- .gitignore | 1 + sources | 2 +- sudo.spec | 6 +++++- 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index 20ced3c..c098183 100644 --- a/.gitignore +++ b/.gitignore @@ -4,3 +4,4 @@ /sudo-1.8.18rc2.tar.gz /sudo-1.8.18rc4.tar.gz /sudo-1.8.18.tar.gz +/sudo-1.8.18p1.tar.gz diff --git a/sources b/sources index 9410aa8..4136fe2 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -c1201904fd9144ea5e7cd9496fcbbc64 sudo-1.8.18.tar.gz +28f5214d5bcb5af5710decb95184a0a6 sudo-1.8.18p1.tar.gz diff --git a/sudo.spec b/sudo.spec index d7d709f..58b2422 100644 --- a/sudo.spec +++ b/sudo.spec 
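Review bot: The `--disable-root-mailer` line added in the `@@ -73,6 +70,7 @@` hunk of sudo.spec (PATCH 1/6) has no comment recording what it trades away. With this option sudo runs the mailer as the invoking user instead of root, so the user being reported on can kill the mailer and the mail alert becomes best-effort. The same configure call keeps `--with-logging=syslog` and `--with-logfac=authpriv`, so syslog remains the record to rely on. A comment above the configure call would capture that, for example `# mailer runs unprivileged (--disable-root-mailer): mail alerts are best-effort, authpriv syslog is the audit trail`. The configure invocation starts and ends outside the hunk.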
@@ -1,6 +1,6 @@ Summary: Allows restricted root access for specified users Name: sudo -Version: 1.8.18 +Version: 1.8.18p1 Release: 1%{?dist} License: ISC Group: Applications/System @@ -192,6 +192,10 @@ rm -rf $RPM_BUILD_ROOT %{_libexecdir}/sudo/libsudo_util.so %changelog +* Tue Nov 08 2016 Daniel Kopecek 1.8.18p1-1 +- update to 1.8.18p1 +- fixes CVE-2016-7076 + * Wed Sep 21 2016 Radovan Sroka 1.8.18-1 - update to 1.8.18 - dropped sudo-1.8.14p1-ldapconfpatch.patch From 90a132a69bbecb62bfc9a8cd8726eaf9a833f457 Mon Sep 17 00:00:00 2001 From: Jiri Vymazal Date: Mon, 3 Apr 2017 15:31:38 +0200 Subject: [PATCH 3/6] * Mon Apr 03 2017 Jiri Vymazal 1.8.19p2-1 - update to 1.8.19p2 - updated URL and source0 as upstream changed domain --- .gitignore | 1 + sources | 2 +- sudo.spec | 10 +++++++--- 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index c098183..4940882 100644 --- a/.gitignore +++ b/.gitignore @@ -5,3 +5,4 @@ /sudo-1.8.18rc4.tar.gz /sudo-1.8.18.tar.gz /sudo-1.8.18p1.tar.gz +/sudo-1.8.19p2.tar.gz diff --git a/sources b/sources index 4136fe2..a3d7225 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -28f5214d5bcb5af5710decb95184a0a6 sudo-1.8.18p1.tar.gz +SHA512 (sudo-1.8.19p2.tar.gz) = 21c83403e7ff219a273b2c4873be0d858997558ca150bc8239379a9dfcc587fdd7c0c49cdf4cdc27dfd6dd45f9f089fa034b58bfcee07dceb4a481542251b3fc diff --git a/sudo.spec b/sudo.spec index 58b2422..c403688 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,11 +1,11 @@ Summary: Allows restricted root access for specified users Name: sudo -Version: 1.8.18p1 +Version: 1.8.19p2 Release: 1%{?dist} License: ISC Group: Applications/System -URL: http://www.courtesan.com/sudo/ -Source0: http://www.courtesan.com/sudo/dist/sudo-%{version}.tar.gz +URL: https://www.sudo.ws/ +Source0: https://www.sudo.ws/dist/%{name}-%{version}.tar.gz Source1: sudoers Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) Requires: /etc/pam.d/system-auth 
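Review bot: The new `Source0: https://www.sudo.ws/dist/%{name}-%{version}.tar.gz` in the `@@ -1,11 +1,11 @@` hunk of sudo.spec (PATCH 3/6) still leaves tarball authenticity resting on TLS and on whatever the packager happened to download. The SHA512 entry in `sources` only pins that download. For a package that ships a setuid-root binary it is worth carrying upstream's detached signature as an extra `Source` and checking it in `%prep` before `%setup -q`, assuming upstream publishes one for this release. At minimum, a comment next to `Source0` should say how the tarball was verified before its hash was recorded.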
@@ -192,6 +192,10 @@ rm -rf $RPM_BUILD_ROOT %{_libexecdir}/sudo/libsudo_util.so %changelog +* Mon Apr 03 2017 Jiri Vymazal 1.8.19p2-1 +- update to 1.8.19p2 +- updated URL and source0 as upstream changed domain + * Tue Nov 08 2016 Daniel Kopecek 1.8.18p1-1 - update to 1.8.18p1 - fixes CVE-2016-7076 From 98199dc3ed2513972e25d448fb23cefe7b3636f1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20Kope=C4=8Dek?= Date: Wed, 31 May 2017 09:13:04 +0200 Subject: [PATCH 4/6] update to 1.8.20p1 fixes CVE-2017-1000367 Resolves: rhbz#1456884 --- .gitignore | 1 + sources | 2 +- sudo.spec | 10 +++++++++- 3 files changed, 11 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index 4940882..bd48951 100644 --- a/.gitignore +++ b/.gitignore @@ -6,3 +6,4 @@ /sudo-1.8.18.tar.gz /sudo-1.8.18p1.tar.gz /sudo-1.8.19p2.tar.gz +/sudo-1.8.20p1.tar.gz diff --git a/sources b/sources index a3d7225..4921bf3 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (sudo-1.8.19p2.tar.gz) = 21c83403e7ff219a273b2c4873be0d858997558ca150bc8239379a9dfcc587fdd7c0c49cdf4cdc27dfd6dd45f9f089fa034b58bfcee07dceb4a481542251b3fc +SHA512 (sudo-1.8.20p1.tar.gz) = b7d4c07a550da917029e31d15e734d9462f3565ee43eb5f6fd19463b54a2fa3f444381f0999d6d1ba643b65832056dd9177dad4452fa9f87f2542c223b13f258 diff --git a/sudo.spec b/sudo.spec index c403688..e801f91 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,6 +1,6 @@ Summary: Allows restricted root access for specified users Name: sudo -Version: 1.8.19p2 +Version: 1.8.20p1 Release: 1%{?dist} License: ISC Group: Applications/System @@ -115,6 +115,9 @@ rm -rf $RPM_BUILD_ROOT%{_datadir}/examples/sudo #Remove all .la files find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';' +# Remove sudoers.dist +rm -f $RPM_BUILD_ROOT%{_sysconfdir}/sudoers.dist + %find_lang sudo %find_lang sudoers 
@@ -192,6 +195,11 @@ rm -rf $RPM_BUILD_ROOT %{_libexecdir}/sudo/libsudo_util.so %changelog +* Wed May 31 2017 Daniel Kopecek 1.8.20p1-1 +- update to 1.8.20p1 +- fixes CVE-2017-1000367 + Resolves: rhbz#1456884 + * Mon Apr 03 2017 Jiri Vymazal 1.8.19p2-1 - update to 1.8.19p2 - updated URL and source0 as upstream changed domain From 039140a51d1c324cea6554fe385a6ab4325f3893 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20Kope=C4=8Dek?= Date: Thu, 1 Jun 2017 13:07:20 +0200 Subject: [PATCH 5/6] update to 1.8.20p2 added sudo to dnf/yum protected packages --- .gitignore | 1 + sources | 2 +- sudo.spec | 13 ++++++++++++- 3 files changed, 14 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index bd48951..8d7884e 100644 --- a/.gitignore +++ b/.gitignore @@ -7,3 +7,4 @@ /sudo-1.8.18p1.tar.gz /sudo-1.8.19p2.tar.gz /sudo-1.8.20p1.tar.gz +/sudo-1.8.20p2.tar.gz diff --git a/sources b/sources index 4921bf3..21e6b4a 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (sudo-1.8.20p1.tar.gz) = b7d4c07a550da917029e31d15e734d9462f3565ee43eb5f6fd19463b54a2fa3f444381f0999d6d1ba643b65832056dd9177dad4452fa9f87f2542c223b13f258 +SHA512 (sudo-1.8.20p2.tar.gz) = 8bf67e687f7a84605fdef8d547b5cd661141b6c8fd25820c33c7e37e97ca7f21f564c3bae691f8a8cd08df7d80338e36a8f06bb5086cc104509d71d6ab1bceda diff --git a/sudo.spec b/sudo.spec index e801f91..9970283 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,6 +1,6 @@ Summary: Allows restricted root access for specified users Name: sudo -Version: 1.8.20p1 +Version: 1.8.20p2 Release: 1%{?dist} License: ISC Group: Applications/System 
@@ -100,6 +100,12 @@ install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo/lectured install -p -d -m 750 $RPM_BUILD_ROOT/etc/sudoers.d install -p -c -m 0440 %{SOURCE1} $RPM_BUILD_ROOT/etc/sudoers +#add sudo to protected packages +install -p -d -m 755 $RPM_BUILD_ROOT/etc/yum/protected.d/ +touch sudo.conf +echo sudo > sudo.conf +install -p -c -m 0644 sudo.conf $RPM_BUILD_ROOT/etc/yum/protected.d/ +rm -f sudo.conf chmod +x $RPM_BUILD_ROOT%{_libexecdir}/sudo/*.so # for stripping, reset in %%files @@ -155,6 +161,7 @@ rm -rf $RPM_BUILD_ROOT %config(noreplace) /etc/pam.d/sudo %config(noreplace) /etc/pam.d/sudo-i %attr(0644,root,root) %{_tmpfilesdir}/sudo.conf +%attr(0644,root,root) /etc/yum/protected.d/sudo.conf %dir /var/db/sudo %dir /var/db/sudo/lectured %attr(4111,root,root) %{_bindir}/sudo @@ -195,6 +202,10 @@ rm -rf $RPM_BUILD_ROOT %{_libexecdir}/sudo/libsudo_util.so %changelog +* Thu Jun 01 2017 Daniel Kopecek 1.8.20p2-1 +- update to 1.8.20p2 +- added sudo to dnf/yum protected packages + * Wed May 31 2017 Daniel Kopecek 1.8.20p1-1 - update to 1.8.20p1 - fixes CVE-2017-1000367 From 5c63394874fc5db867989734f8550e4eb3269e23 Mon Sep 17 00:00:00 2001 From: Marek Tamaskovic Date: Fri, 29 Sep 2017 15:43:08 +0200 Subject: [PATCH 6/6] Update to sudo-1.8.21p2 --- .gitignore | 1 + sources | 2 +- sudo.spec | 8 ++++++-- 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 8d7884e..ad1c23e 100644 --- a/.gitignore +++ b/.gitignore @@ -8,3 +8,4 @@ /sudo-1.8.19p2.tar.gz /sudo-1.8.20p1.tar.gz /sudo-1.8.20p2.tar.gz +/sudo-1.8.21p2.tar.gz diff --git a/sources b/sources index 21e6b4a..a15d86f 100644 --- a/sources +++ b/sources 
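Review bot: The protected-package block added in the `@@ -100,6 +100,12 @@` hunk of sudo.spec (PATCH 5/6) stages a scratch file named `sudo.conf` in the build working directory and then runs `rm -f sudo.conf`, which would overwrite and delete any file of that name already there. The `touch sudo.conf` is redundant because the redirect on the next line creates the file. Writing straight into the buildroot avoids both problems: `echo sudo > $RPM_BUILD_ROOT/etc/yum/protected.d/sudo.conf`, with the packaged mode left to the `%attr(0644,root,root)` entry added in the `@@ -155,6 +161,7 @@` hunk. The %install section starts and ends outside the hunk.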
@@ -1 +1 @@ -SHA512 (sudo-1.8.20p2.tar.gz) = 8bf67e687f7a84605fdef8d547b5cd661141b6c8fd25820c33c7e37e97ca7f21f564c3bae691f8a8cd08df7d80338e36a8f06bb5086cc104509d71d6ab1bceda +SHA512 (sudo-1.8.21p2.tar.gz) = f04bbff54ad74ba73c078e15c75d2f41332d4912078ed66157ba7346b7fff914bd0747460cb4cd0c472af2d3b344fa72f5c62c95169df68a9cac74d7245c720c diff --git a/sudo.spec b/sudo.spec index 9970283..782455d 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,6 +1,6 @@ Summary: Allows restricted root access for specified users Name: sudo -Version: 1.8.20p2 +Version: 1.8.21p2 Release: 1%{?dist} License: ISC Group: Applications/System @@ -176,6 +176,7 @@ rm -rf $RPM_BUILD_ROOT %attr(0644,root,root) %{_libexecdir}/sudo/system_group.so %attr(0644,root,root) %{_libexecdir}/sudo/libsudo_util.so.?.?.? %{_libexecdir}/sudo/libsudo_util.so.? +%{_libexecdir}/sudo/libsudo_util.so %{_mandir}/man5/sudoers.5* %{_mandir}/man5/sudoers.ldap.5* %{_mandir}/man5/sudo.conf.5* @@ -199,9 +200,12 @@ rm -rf $RPM_BUILD_ROOT %doc plugins/sample/sample_plugin.c %{_includedir}/sudo_plugin.h %{_mandir}/man8/sudo_plugin.8* -%{_libexecdir}/sudo/libsudo_util.so %changelog +* Thu Sep 21 2017 Marek Tamaskovic - 1.8.21p2-1 +- update to 1.8.21p2 +- Moved libsudo_util.so from the -devel sub-package to main package (1481225) + * Thu Jun 01 2017 Daniel Kopecek 1.8.20p2-1 - update to 1.8.20p2 - added sudo to dnf/yum protected packages
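Review bot: The `%{_libexecdir}/sudo/libsudo_util.so` entry added to the main package in the `@@ -176,6 +176,7 @@` hunk of sudo.spec (PATCH 6/6) carries no `%attr`, unlike the `%attr(0644,root,root)` on `libsudo_util.so.?.?.?` just above it. That is harmless if the unversioned name is a symlink, as the neighbouring `libsudo_util.so.?` entry suggests. If it is a regular file it would keep the execute bit set by `chmod +x $RPM_BUILD_ROOT%{_libexecdir}/sudo/*.so` in %install and should get an explicit `%attr(0644,root,root)`. Either way, a comment such as `# unversioned libsudo_util.so moved here from -devel, see bug 1481225` would record why it is in the main package.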