From 462f43c97aa9bd80e22243a82d454b8ad949c6fd Mon Sep 17 00:00:00 2001 From: Radovan Sroka Date: Wed, 24 Jan 2024 10:59:51 +0100 Subject: [PATCH 01/14] Rabase to 1.9.15p5 - sudo-1_9_15p5 is available Resolves: rhbz#2248505 - TRIAGE CVE-2023-42465 sudo: Targeted Corruption of Register and Stack Variables Resolves: rhbz#2255569 Signed-off-by: Radovan Sroka --- .gitignore | 2 ++ sources | 2 +- sudo-1.6.7p5-strip.patch | 11 ----------- sudo.spec | 4 ++-- 4 files changed, 5 insertions(+), 14 deletions(-) delete mode 100644 sudo-1.6.7p5-strip.patch diff --git a/.gitignore b/.gitignore index 01b9ff5..842ab45 100644 --- a/.gitignore +++ b/.gitignore @@ -32,3 +32,5 @@ /sudo-1.9.12p2.tar.gz /sudo-1.9.13p2.tar.gz /sudo-1.9.14p3.tar.gz +/sudo-1.9.15p4.tar.gz +/sudo-1.9.15p5.tar.gz diff --git a/sources b/sources index fc05228..a9b6cfd 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (sudo-1.9.14p3.tar.gz) = d4af836e3316c35d8b81a2c869ca199e8f2d5cb26dbd98b8ad031f29be62b154452afdf5a506ddabad21b80e5988a49f1f7c8f1ec44718ffcbd7e89ccbdef612 +SHA512 (sudo-1.9.15p5.tar.gz) = ebac69719de2fe7bd587924701bdd24149bf376a68b17ec02f69b2b96d4bb6fa5eb8260a073ec5ea046d3ac69bb5b1c0b9d61709fe6a56f1f66e40817a70b15a diff --git a/sudo-1.6.7p5-strip.patch b/sudo-1.6.7p5-strip.patch deleted file mode 100644 index f690659..0000000 --- a/sudo-1.6.7p5-strip.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- sudo-1.6.7p5/scripts/install-sh.strip 2005-07-21 14:28:25.000000000 +0200 -+++ sudo-1.6.7p5/scripts/install-sh 2005-07-21 14:29:18.000000000 +0200 -@@ -138,7 +138,7 @@ - fi - ;; - X-s) -- STRIPIT=true -+ #STRIPIT=true - ;; - X--) - shift diff --git a/sudo.spec b/sudo.spec index 3237084..e755179 100644 --- a/sudo.spec +++ b/sudo.spec 
@@ -1,9 +1,9 @@ # comment out if no extra version -%global extraver p3 +%global extraver p5 Summary: Allows restricted root access for specified users Name: sudo -Version: 1.9.14 +Version: 1.9.15 # remove -b 3 after rebase !!! # use "-p -e % {?extraver}" when beta # use "-e % {?extraver}"" when patch version From df275faeadacae6c625a5ec30f448b01a698ddea Mon Sep 17 00:00:00 2001 From: Yaakov Selkowitz Date: Thu, 8 Feb 2024 16:46:56 -0500 Subject: [PATCH 02/14] Avoid sendmail build dependency sudo should be compatible with any MTA, any of which in Fedora provide /usr/sbin/sendmail, and is used at build time only to determine its location. Instead of generalizing the build requirement (e.g. for RHEL 10 which includes only postfix), we can just tell sudo its location during configure, in which case it is not needed at all to build. However, doing so uncovered that systemd's presence was being relied upon without being specified. This too can be avoided by using the macros to define the proper tmpfiles location during configure. --- sudo.spec | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/sudo.spec b/sudo.spec index e755179..e2c4ba9 100644 --- a/sudo.spec +++ b/sudo.spec @@ -26,7 +26,7 @@ BuildRequires: bison BuildRequires: libtool BuildRequires: audit-libs-devel libcap-devel BuildRequires: libselinux-devel -BuildRequires: sendmail +BuildRequires: systemd-rpm-macros BuildRequires: gettext BuildRequires: zlib-devel @@ -89,6 +89,7 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" --sbindir=%{_sbindir} \ --libdir=%{_libdir} \ --docdir=%{_pkgdocdir} \ + --enable-tmpfiles.d=%{_tmpfilesdir} \ --enable-openssl \ --disable-root-mailer \ --disable-intercept \ 
@@ -102,6 +103,7 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" --with-tty-tickets \ --with-ldap \ --with-selinux \ + --with-sendmail=/usr/sbin/sendmail \ --with-passprompt="[sudo] password for %p: " \ --enable-python \ --enable-zlib=system \ From 545c191f72083b8ef9b7ce26706e8a17ca537d20 Mon Sep 17 00:00:00 2001 From: Adam Williamson Date: Thu, 2 May 2024 23:09:47 -0700 Subject: [PATCH 03/14] Backport upstream fix for tests with Python 3.13+ --- ...traces-use-in-addition-to-when-under.patch | 41 +++++++++++++++++++ sudo.spec | 6 +++ 2 files changed, 47 insertions(+) create mode 100644 0001-Python-3.12-backtraces-use-in-addition-to-when-under.patch diff --git a/0001-Python-3.12-backtraces-use-in-addition-to-when-under.patch b/0001-Python-3.12-backtraces-use-in-addition-to-when-under.patch new file mode 100644 index 0000000..2c9ce75 --- /dev/null +++ b/0001-Python-3.12-backtraces-use-in-addition-to-when-under.patch 
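Review bot: The new `--with-sendmail=/usr/sbin/sendmail` hard-codes the path while the surrounding options are macro-based (`--sbindir=%{_sbindir}` in the previous hunk); `--with-sendmail=%{_sbindir}/sendmail \` keeps the configure block consistent and tracks any sbindir change. Because this commit also drops `BuildRequires: sendmail`, configure no longer probes for a real binary, and nothing in the spec states whether an MTA is expected at runtime for sudo's mail-on-failure reporting; either a weak dependency such as `Recommends: /usr/sbin/sendmail` or a one-line comment above the option saying the MTA choice is deliberately left to the site would make that explicit. The %configure invocation continues outside this hunk.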
@@ -0,0 +1,41 @@ +From 89918caf5a349cac4e2a56ba503d7476c6f16067 Mon Sep 17 00:00:00 2001 +From: "Todd C. Miller" +Date: Thu, 2 May 2024 20:02:43 -0600 +Subject: [PATCH] Python 3.12 backtraces use '~' in addition to '^' when + underlining. GitHub issue #374 + +--- + plugins/python/regress/testhelpers.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/plugins/python/regress/testhelpers.c b/plugins/python/regress/testhelpers.c +index ee55fb901..0f28d01e9 100644 +--- a/plugins/python/regress/testhelpers.c ++++ b/plugins/python/regress/testhelpers.c +@@ -27,19 +27,19 @@ struct TestData data; + + /* + * Starting with Python 3.11, backtraces may contain a line with +- * '^' characters to bring attention to the important part of the +- * line. ++ * '~' and '^' characters to bring attention to the important part ++ * of the line. + */ + static void + remove_underline(char *output) + { + char *cp, *ep; + +- // Remove lines that only consist of '^' and white space. ++ // Remove lines that only consist of '~', '^' and white space. + cp = output; + ep = output + strlen(output); + for (;;) { +- size_t len = strspn(cp, "^ \t"); ++ size_t len = strspn(cp, "~^ \t"); + if (len > 0 && cp[len] == '\n') { + /* Prune out lines that are "underlining". */ + memmove(cp, cp + len + 1, (size_t)(ep - cp)); +-- +2.44.0 + diff --git a/sudo.spec b/sudo.spec index e2c4ba9..6f483cb 100644 --- a/sudo.spec +++ b/sudo.spec @@ -17,6 +17,12 @@ Requires: pam Recommends: system-default-editor Recommends: %{name}-python-plugin%{?_isa} = %{version}-%{release} +# https://github.com/sudo-project/sudo/commit/89918caf5a349cac4e2a56ba503d7476c6f16067 +# https://github.com/sudo-project/sudo/issues/374 +# https://bugzilla.redhat.com/show_bug.cgi?id=2245820 +# Fix tests with Python 3.13+ +Patch: 0001-Python-3.12-backtraces-use-in-addition-to-when-under.patch + BuildRequires: make BuildRequires: pam-devel BuildRequires: groff 
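Review bot: The `Patch:` tag added to sudo.spec is only declared; whether it is applied depends on %prep using `%autosetup` or `%autopatch`, which is outside this diff, and with a plain `%setup` the backport would be a silent no-op and the Python 3.13 test failure it targets would persist. Worth confirming in %prep, and the comment block could say what happens to the patch on the next rebase, e.g. `# Only affects the regress tests; drop once the rebase includes upstream 89918caf`. The unnumbered `Patch:` form relies on rpm's automatic patch numbering, which is fine for current Fedora but worth noting if this spec is ever built with an older rpm.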
From 47db28a6937258900d879ee298e681ff7708d750 Mon Sep 17 00:00:00 2001 From: Python Maint Date: Fri, 7 Jun 2024 09:11:33 +0200 Subject: [PATCH 04/14] Rebuilt for Python 3.13 From f5682491133aea55fb176ca8c381afd8bb1dc411 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Sat, 20 Jul 2024 06:36:47 +0000 Subject: [PATCH 05/14] Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild From ac16a17374c5799d7f570330d5e9c72291bb8466 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Sun, 19 Jan 2025 11:50:30 +0000 Subject: [PATCH 06/14] Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild From e2e397029e0d35046a4cf891e075d24c7540da4f Mon Sep 17 00:00:00 2001 From: Yaakov Selkowitz Date: Wed, 26 Feb 2025 12:59:14 -0500 Subject: [PATCH 07/14] Fix build with GCC 15 GCC 15 defaults to C23, which changes the interpretation of function declarations without parameters to be `void` rather than of an unknown number and type (as in K&R). The sudoers plugin relies on the older behaviour for its hook functions. --- sudo.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sudo.spec b/sudo.spec index 6f483cb..4175d8c 100644 --- a/sudo.spec +++ b/sudo.spec @@ -88,7 +88,7 @@ F_PIE=-fPIE F_PIE=-fpie %endif -export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" +export CFLAGS="$RPM_OPT_FLAGS $F_PIE -std=gnu17" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" %configure \ --prefix=%{_prefix} \ From 770b8e2647c61512b8508c61bb3a55318f31d9b1 Mon Sep 17 00:00:00 2001 
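Review bot: The changed `export` line still replaces LDFLAGS with a hand-maintained `-pie -Wl,-z,relro -Wl,-z,now` instead of the distribution's `$RPM_LD_FLAGS`/`%{build_ldflags}`, so any hardening options redhat-rpm-config adds there (such as `--as-needed` or newer relocation packing) are not applied to the sudo binary; `export CFLAGS="$RPM_OPT_FLAGS $F_PIE -std=gnu17" LDFLAGS="$RPM_LD_FLAGS"` would keep the standard flags while still adding the language pin (confirm afterwards that the binary is still PIE, e.g. `readelf -h` reporting `DYN`). The `-std=gnu17` workaround also lands without a why-comment, so a later maintainer cannot tell when it may be dropped; a line such as `# GCC 15 defaults to C23; sudoers hook declarations rely on pre-C23 '()' semantics, drop once upstream builds as C23` above the export would capture the rationale given in the commit message. The same missing comment applies to the re-added `export CFLAGS="$RPM_OPT_FLAGS -std=gnu17"` in PATCH 11/14 later in this series.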
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 24 Sep 2024 16:46:11 +0200 Subject: [PATCH 08/14] Move yum/dnf protection removal config file under /usr https://github.com/uapi-group/specifications/issues/76 Actually, add a new file under /usr, but keep the old file in /etc because it's still needed for dnf. The new file in the new location is useful because it means that we get the correct behaviour even when /etc is emptied (on systems with new dnf version). dnf5 reads the new location: https://github.com/rpm-software-management/dnf5/issues/1107 https://github.com/rpm-software-management/dnf5/pull/1110 --- sudo.spec | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/sudo.spec b/sudo.spec index 6f483cb..63fb36f 100644 --- a/sudo.spec +++ b/sudo.spec @@ -131,12 +131,15 @@ install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo/lectured install -p -d -m 750 $RPM_BUILD_ROOT/etc/sudoers.d install -p -c -m 0440 %{SOURCE1} $RPM_BUILD_ROOT/etc/sudoers -#add sudo to protected packages -install -p -d -m 755 $RPM_BUILD_ROOT/etc/dnf/protected.d/ -touch sudo.conf -echo sudo > sudo.conf -install -p -c -m 0644 sudo.conf $RPM_BUILD_ROOT/etc/dnf/protected.d/ -rm -f sudo.conf +# Add sudo to protected packages. Old location for yum/dnf. +mkdir -p $RPM_BUILD_ROOT/etc/dnf/protected.d/ +echo "sudo" >$RPM_BUILD_ROOT/etc/dnf/protected.d/sudo.conf +# Add sudo to protected packages. New location for dnf5. +mkdir -p $RPM_BUILD_ROOT/usr/share/dnf5/libdnf.conf.d/ +cat >$RPM_BUILD_ROOT/usr/share/dnf5/libdnf.conf.d/protect-sudo.conf < Date: Mon, 2 Jun 2025 20:53:02 +0200 Subject: [PATCH 09/14] Rebuilt for Python 3.14 From 9641cbaa6b0934d03f4e0398261eef8509f282dc Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= Date: Sat, 5 Jul 2025 11:46:27 +0200 Subject: [PATCH 10/14] Rebase to sudo 1.9.17p1 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - sudo-1_9_16p2 is available Resolves: rhbz#2309626 - sudo: LPE via host option Resolves: CVE-2025-32462 - Properly apply system buildflags - Use new build macros, drop unneeded %%defattr Signed-off-by: Björn Esser --- .gitignore | 1 + ...traces-use-in-addition-to-when-under.patch | 41 ------------------- sources | 2 +- sudo.spec | 26 +++--------- 4 files changed, 7 insertions(+), 63 deletions(-) delete mode 100644 0001-Python-3.12-backtraces-use-in-addition-to-when-under.patch diff --git a/.gitignore b/.gitignore index 842ab45..e4940ce 100644 --- a/.gitignore +++ b/.gitignore @@ -34,3 +34,4 @@ /sudo-1.9.14p3.tar.gz /sudo-1.9.15p4.tar.gz /sudo-1.9.15p5.tar.gz +/sudo-1.9.17p1.tar.gz diff --git a/0001-Python-3.12-backtraces-use-in-addition-to-when-under.patch b/0001-Python-3.12-backtraces-use-in-addition-to-when-under.patch deleted file mode 100644 index 2c9ce75..0000000 --- a/0001-Python-3.12-backtraces-use-in-addition-to-when-under.patch +++ /dev/null 
@@ -1,41 +0,0 @@ -From 89918caf5a349cac4e2a56ba503d7476c6f16067 Mon Sep 17 00:00:00 2001 -From: "Todd C. Miller" -Date: Thu, 2 May 2024 20:02:43 -0600 -Subject: [PATCH] Python 3.12 backtraces use '~' in addition to '^' when - underlining. GitHub issue #374 - ---- - plugins/python/regress/testhelpers.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/plugins/python/regress/testhelpers.c b/plugins/python/regress/testhelpers.c -index ee55fb901..0f28d01e9 100644 ---- a/plugins/python/regress/testhelpers.c -+++ b/plugins/python/regress/testhelpers.c -@@ -27,19 +27,19 @@ struct TestData data; - - /* - * Starting with Python 3.11, backtraces may contain a line with -- * '^' characters to bring attention to the important part of the -- * line. -+ * '~' and '^' characters to bring attention to the important part -+ * of the line. - */ - static void - remove_underline(char *output) - { - char *cp, *ep; - -- // Remove lines that only consist of '^' and white space. -+ // Remove lines that only consist of '~', '^' and white space. - cp = output; - ep = output + strlen(output); - for (;;) { -- size_t len = strspn(cp, "^ \t"); -+ size_t len = strspn(cp, "~^ \t"); - if (len > 0 && cp[len] == '\n') { - /* Prune out lines that are "underlining". */ - memmove(cp, cp + len + 1, (size_t)(ep - cp)); --- -2.44.0 - diff --git a/sources b/sources index a9b6cfd..86f8d45 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (sudo-1.9.15p5.tar.gz) = ebac69719de2fe7bd587924701bdd24149bf376a68b17ec02f69b2b96d4bb6fa5eb8260a073ec5ea046d3ac69bb5b1c0b9d61709fe6a56f1f66e40817a70b15a +SHA512 (sudo-1.9.17p1.tar.gz) = 1a9fb27a117b54adf5c99443b3375f7e0eaaf3a2d5a3d409f7c7b10c43432eb301d721df93fb1a8a2e45bf4a4957288d4f153359fc018af00973be57f62a1ebc diff --git a/sudo.spec b/sudo.spec index 4175d8c..73b3930 100644 --- a/sudo.spec +++ b/sudo.spec 
@@ -1,9 +1,9 @@ # comment out if no extra version -%global extraver p5 +%global extraver p1 Summary: Allows restricted root access for specified users Name: sudo -Version: 1.9.15 +Version: 1.9.17 # remove -b 3 after rebase !!! # use "-p -e % {?extraver}" when beta # use "-e % {?extraver}"" when patch version @@ -17,12 +17,6 @@ Requires: pam Recommends: system-default-editor Recommends: %{name}-python-plugin%{?_isa} = %{version}-%{release} -# https://github.com/sudo-project/sudo/commit/89918caf5a349cac4e2a56ba503d7476c6f16067 -# https://github.com/sudo-project/sudo/issues/374 -# https://bugzilla.redhat.com/show_bug.cgi?id=2245820 -# Fix tests with Python 3.13+ -Patch: 0001-Python-3.12-backtraces-use-in-addition-to-when-under.patch - BuildRequires: make BuildRequires: pam-devel BuildRequires: groff @@ -82,14 +76,6 @@ BuildRequires: python3-devel # Remove bundled copy of zlib rm -rf zlib/ -%ifarch s390 s390x sparc64 -F_PIE=-fPIE -%else -F_PIE=-fpie -%endif - -export CFLAGS="$RPM_OPT_FLAGS $F_PIE -std=gnu17" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" - %configure \ --prefix=%{_prefix} \ --sbindir=%{_sbindir} \ @@ -117,14 +103,13 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE -std=gnu17" LDFLAGS="-pie -Wl,-z,relro -Wl, --with-sssd # --without-kerb5 \ # --without-kerb4 -make +%make_build %check -make check +%make_build check %install -rm -rf $RPM_BUILD_ROOT -make install DESTDIR="$RPM_BUILD_ROOT" install_uid=`id -u` install_gid=`id -g` sudoers_uid=`id -u` sudoers_gid=`id -g` +%make_install install_uid=`id -u` install_gid=`id -g` sudoers_uid=`id -u` sudoers_gid=`id -g` chmod 755 $RPM_BUILD_ROOT%{_bindir}/* $RPM_BUILD_ROOT%{_sbindir}/* install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo @@ -180,7 +165,6 @@ EOF %files -f sudo_all.lang -%defattr(-,root,root) %attr(0440,root,root) %config(noreplace) /etc/sudoers %attr(0750,root,root) %dir /etc/sudoers.d/ %config(noreplace) /etc/pam.d/sudo From 04179b541723d5914c5ce01021dd7a2a7a68eaf6 Mon Sep 17 00:00:00 2001 
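Review bot: After the switch to `%make_install` in the %install hunk, nothing verifies that the sudo binary still comes out PIE with RELRO and BIND_NOW, even though the explicit `-pie -Wl,-z,relro -Wl,-z,now` export is deleted earlier in this diff and those properties now rest on `%configure` picking up `%{build_ldflags}` with `%{_hardened_build}` enabled, which is not visible here. For a binary that the spec installs setuid (the %attr lines are outside this hunk), a cheap guard in %check would be `readelf -h $RPM_BUILD_ROOT%{_bindir}/sudo | grep -q 'Type:.*DYN'` followed by `readelf -dW $RPM_BUILD_ROOT%{_bindir}/sudo | grep -q BIND_NOW`, since rpm runs %check after %install. Minor style point on the same line: the backtick substitutions `install_uid=\`id -u\`` would read more clearly as `$(id -u)`.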
From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= Date: Sat, 5 Jul 2025 12:22:08 +0200 Subject: [PATCH 11/14] Re-apply changes from commit e2e397029e0d35046a4cf891e075d24c7540da4f MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Björn Esser --- sudo.spec | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sudo.spec b/sudo.spec index 73b3930..9e72bb5 100644 --- a/sudo.spec +++ b/sudo.spec @@ -76,6 +76,8 @@ BuildRequires: python3-devel # Remove bundled copy of zlib rm -rf zlib/ +export CFLAGS="$RPM_OPT_FLAGS -std=gnu17" + %configure \ --prefix=%{_prefix} \ --sbindir=%{_sbindir} \ From 1899e2aa8d10783369a1d840c2fc30cf86a6e782 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= Date: Mon, 7 Jul 2025 13:10:49 +0200 Subject: [PATCH 12/14] Drop '-std=gnu17' from CFLAGS, as C23 builds fine now MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This was introduced in commit e2e397029e0d35046a4cf891e075d24c7540da4f for an older version of sudo that was FTBFS for GCC 15 defaulting to C23. Signed-off-by: Björn Esser --- sudo.spec | 2 -- 1 file changed, 2 deletions(-) diff --git a/sudo.spec b/sudo.spec index 9e72bb5..73b3930 100644 --- a/sudo.spec +++ b/sudo.spec @@ -76,8 +76,6 @@ BuildRequires: python3-devel # Remove bundled copy of zlib rm -rf zlib/ -export CFLAGS="$RPM_OPT_FLAGS -std=gnu17" - %configure \ --prefix=%{_prefix} \ --sbindir=%{_sbindir} \ From 81e84c1f0692ac90603c7cbeaeeb2b891a852e45 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Fri, 25 Jul 2025 18:50:05 +0000 Subject: [PATCH 13/14] Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild From 2ead99a2b1915e06b2918b5547d0587fbe678e0e Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Alejandro=20L=C3=B3pez?= Date: Tue, 21 Oct 2025 10:16:55 +0200 Subject: [PATCH 14/14] Rebase to 1.9.17p2 - sudo-1.9.17p2 is available Resolves: rhbz#2383665 --- .gitignore | 1 + sources | 2 +- sudo.spec | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index e4940ce..b0986fa 100644 --- a/.gitignore +++ b/.gitignore @@ -35,3 +35,4 @@ /sudo-1.9.15p4.tar.gz /sudo-1.9.15p5.tar.gz /sudo-1.9.17p1.tar.gz +/sudo-1.9.17p2.tar.gz diff --git a/sources b/sources index 86f8d45..54e59ea 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (sudo-1.9.17p1.tar.gz) = 1a9fb27a117b54adf5c99443b3375f7e0eaaf3a2d5a3d409f7c7b10c43432eb301d721df93fb1a8a2e45bf4a4957288d4f153359fc018af00973be57f62a1ebc +SHA512 (sudo-1.9.17p2.tar.gz) = c8abd6ca56e54a081c9ef1e9f6579d1db5b93ff857e60d1f58d1f425d7dc23c31c58d40b7819780688f66dfdf87a1f3bbe0a78387b007e2beb1b0e546203ea93 diff --git a/sudo.spec b/sudo.spec index e321ec4..be44d00 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,5 +1,5 @@ # comment out if no extra version -%global extraver p1 +%global extraver p2 Summary: Allows restricted root access for specified users Name: sudo