From 545c191f72083b8ef9b7ce26706e8a17ca537d20 Mon Sep 17 00:00:00 2001
From: Adam Williamson
Date: Thu, 2 May 2024 23:09:47 -0700
Subject: [PATCH 01/12] Backport upstream fix for tests with Python 3.13+
---
 ...traces-use-in-addition-to-when-under.patch | 41 +++++++++++++++++++
 sudo.spec | 6 +++
 2 files changed, 47 insertions(+)
 create mode 100644 0001-Python-3.12-backtraces-use-in-addition-to-when-under.patch
diff --git a/0001-Python-3.12-backtraces-use-in-addition-to-when-under.patch b/0001-Python-3.12-backtraces-use-in-addition-to-when-under.patch
new file mode 100644
index 0000000..2c9ce75
--- /dev/null
+++ b/0001-Python-3.12-backtraces-use-in-addition-to-when-under.patch
@@ -0,0 +1,41 @@
+From 89918caf5a349cac4e2a56ba503d7476c6f16067 Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller"
+Date: Thu, 2 May 2024 20:02:43 -0600
+Subject: [PATCH] Python 3.12 backtraces use '~' in addition to '^' when
+ underlining. GitHub issue #374
+
+---
+ plugins/python/regress/testhelpers.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/plugins/python/regress/testhelpers.c b/plugins/python/regress/testhelpers.c
+index ee55fb901..0f28d01e9 100644
+--- a/plugins/python/regress/testhelpers.c
++++ b/plugins/python/regress/testhelpers.c
+@@ -27,19 +27,19 @@ struct TestData data;
+
+ /*
+ * Starting with Python 3.11, backtraces may contain a line with
+- * '^' characters to bring attention to the important part of the
+- * line.
++ * '~' and '^' characters to bring attention to the important part
++ * of the line.
+ */
+ static void
+ remove_underline(char *output)
+ {
+ char *cp, *ep;
+
+- // Remove lines that only consist of '^' and white space.
++ // Remove lines that only consist of '~', '^' and white space.
+ cp = output;
+ ep = output + strlen(output);
+ for (;;) {
+- size_t len = strspn(cp, "^ \t");
++ size_t len = strspn(cp, "~^ \t");
+ if (len > 0 && cp[len] == '\n') {
+ /* Prune out lines that are "underlining". */
+ memmove(cp, cp + len + 1, (size_t)(ep - cp));
+--
+2.44.0
+
diff --git a/sudo.spec b/sudo.spec
index e2c4ba9..6f483cb 100644
--- a/sudo.spec
+++ b/sudo.spec
@@ -17,6 +17,12 @@ Requires: pam
 Recommends: system-default-editor
 Recommends: %{name}-python-plugin%{?_isa} = %{version}-%{release}
+# https://github.com/sudo-project/sudo/commit/89918caf5a349cac4e2a56ba503d7476c6f16067
+# https://github.com/sudo-project/sudo/issues/374
+# https://bugzilla.redhat.com/show_bug.cgi?id=2245820
+# Fix tests with Python 3.13+
+Patch: 0001-Python-3.12-backtraces-use-in-addition-to-when-under.patch
+
 BuildRequires: make
 BuildRequires: pam-devel
 BuildRequires: groff
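Review bot: The `memmove(cp, cp + len + 1, (size_t)(ep - cp));` carried as context in `remove_underline` (inside the added 0001 patch) copies `ep - cp` bytes from a source that starts `len + 1` bytes past `cp`, so the read runs `len` bytes beyond the terminating NUL that `ep` points at. Widening the `strspn` set to `"~^ \t"` makes this pruning branch run on more lines. Whether those extra bytes still fall inside the output buffer depends on its allocation, which this hunk does not show; sizing the move to the remaining tail removes the dependency: `memmove(cp, cp + len + 1, (size_t)(ep - (cp + len + 1)) + 1);` followed by `ep -= len + 1;`. The loop body continues past the end of the hunk, so confirm that `ep` is not already adjusted there before adding the second line.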
From 47db28a6937258900d879ee298e681ff7708d750 Mon Sep 17 00:00:00 2001
From: Python Maint
Date: Fri, 7 Jun 2024 09:11:33 +0200
Subject: [PATCH 02/12] Rebuilt for Python 3.13
From f5682491133aea55fb176ca8c381afd8bb1dc411 Mon Sep 17 00:00:00 2001
From: Fedora Release Engineering
Date: Sat, 20 Jul 2024 06:36:47 +0000
Subject: [PATCH 03/12] Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
From ac16a17374c5799d7f570330d5e9c72291bb8466 Mon Sep 17 00:00:00 2001
From: Fedora Release Engineering
Date: Sun, 19 Jan 2025 11:50:30 +0000
Subject: [PATCH 04/12] Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
From e2e397029e0d35046a4cf891e075d24c7540da4f Mon Sep 17 00:00:00 2001
From: Yaakov Selkowitz
Date: Wed, 26 Feb 2025 12:59:14 -0500
Subject: [PATCH 05/12] Fix build with GCC 15 GCC 15 defaults to C23, which changes the interpretation of function declarations without parameters to be `void` rather than of an unknown number and type (as in K&R). The sudoers plugin relies on the older behaviour for its hook functions.
---
 sudo.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sudo.spec b/sudo.spec
index 6f483cb..4175d8c 100644
--- a/sudo.spec
+++ b/sudo.spec
@@ -88,7 +88,7 @@ F_PIE=-fPIE
 F_PIE=-fpie
 %endif
-export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"
+export CFLAGS="$RPM_OPT_FLAGS $F_PIE -std=gnu17" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"
 %configure \
 --prefix=%{_prefix} \
From 770b8e2647c61512b8508c61bb3a55318f31d9b1 Mon Sep 17 00:00:00 2001
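Review bot: The `-std=gnu17` appended to `CFLAGS` on the `export` line carries no comment in the spec, so the reason for pinning the language standard exists only in the commit message. Going by that message, the flag keeps the compiler accepting hook declarations with empty parameter lists, which presumably leaves argument mismatches at those call sites unchecked; that is worth recording next to the flag in a package that mediates root access. I would add above the export: `# GCC 15 defaults to C23; sudoers hook declarations still rely on pre-C23 empty parameter lists. Drop -std=gnu17 once upstream builds as C23.` The scriptlet starts above the hunk and the `%configure` invocation continues below it.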
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 24 Sep 2024 16:46:11 +0200 Subject: [PATCH 06/12] Move yum/dnf protection removal config file under /usr https://github.com/uapi-group/specifications/issues/76 Actually, add a new file under /usr, but keep the old file in /etc because it's still needed for dnf. The new file in the new location is useful because it means that we get the correct behaviour even when /etc is emptied (on systems with new dnf version). dnf5 reads the new location: https://github.com/rpm-software-management/dnf5/issues/1107 https://github.com/rpm-software-management/dnf5/pull/1110 --- sudo.spec | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/sudo.spec b/sudo.spec index 6f483cb..63fb36f 100644 --- a/sudo.spec +++ b/sudo.spec @@ -131,12 +131,15 @@ install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo/lectured install -p -d -m 750 $RPM_BUILD_ROOT/etc/sudoers.d install -p -c -m 0440 %{SOURCE1} $RPM_BUILD_ROOT/etc/sudoers -#add sudo to protected packages -install -p -d -m 755 $RPM_BUILD_ROOT/etc/dnf/protected.d/ -touch sudo.conf -echo sudo > sudo.conf -install -p -c -m 0644 sudo.conf $RPM_BUILD_ROOT/etc/dnf/protected.d/ -rm -f sudo.conf +# Add sudo to protected packages. Old location for yum/dnf. +mkdir -p $RPM_BUILD_ROOT/etc/dnf/protected.d/ +echo "sudo" >$RPM_BUILD_ROOT/etc/dnf/protected.d/sudo.conf +# Add sudo to protected packages. New location for dnf5. +mkdir -p $RPM_BUILD_ROOT/usr/share/dnf5/libdnf.conf.d/ +cat >$RPM_BUILD_ROOT/usr/share/dnf5/libdnf.conf.d/protect-sudo.conf < Date: Mon, 2 Jun 2025 20:53:02 +0200 Subject: [PATCH 07/12] Rebuilt for Python 3.14 From 9641cbaa6b0934d03f4e0398261eef8509f282dc Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Bj=C3=B6rn=20Esser?=
Date: Sat, 5 Jul 2025 11:46:27 +0200
Subject: [PATCH 08/12] Rebase to sudo 1.9.17p1
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- sudo-1_9_16p2 is available Resolves: rhbz#2309626 - sudo: LPE via host option Resolves: CVE-2025-32462 - Properly apply system buildflags - Use new build macros, drop unneeded %%defattr
Signed-off-by: Björn Esser
---
 .gitignore | 1 +
 ...traces-use-in-addition-to-when-under.patch | 41 -------------------
 sources | 2 +-
 sudo.spec | 26 +++---------
 4 files changed, 7 insertions(+), 63 deletions(-)
 delete mode 100644 0001-Python-3.12-backtraces-use-in-addition-to-when-under.patch
diff --git a/.gitignore b/.gitignore
index 842ab45..e4940ce 100644
--- a/.gitignore
+++ b/.gitignore
@@ -34,3 +34,4 @@
 /sudo-1.9.14p3.tar.gz
 /sudo-1.9.15p4.tar.gz
 /sudo-1.9.15p5.tar.gz
+/sudo-1.9.17p1.tar.gz
diff --git a/0001-Python-3.12-backtraces-use-in-addition-to-when-under.patch b/0001-Python-3.12-backtraces-use-in-addition-to-when-under.patch
deleted file mode 100644
index 2c9ce75..0000000
--- a/0001-Python-3.12-backtraces-use-in-addition-to-when-under.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 89918caf5a349cac4e2a56ba503d7476c6f16067 Mon Sep 17 00:00:00 2001
-From: "Todd C. Miller"
-Date: Thu, 2 May 2024 20:02:43 -0600
-Subject: [PATCH] Python 3.12 backtraces use '~' in addition to '^' when
- underlining. GitHub issue #374
-
----
- plugins/python/regress/testhelpers.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/plugins/python/regress/testhelpers.c b/plugins/python/regress/testhelpers.c
-index ee55fb901..0f28d01e9 100644
---- a/plugins/python/regress/testhelpers.c
-+++ b/plugins/python/regress/testhelpers.c
-@@ -27,19 +27,19 @@ struct TestData data;
-
- /*
- * Starting with Python 3.11, backtraces may contain a line with
-- * '^' characters to bring attention to the important part of the
-- * line.
-+ * '~' and '^' characters to bring attention to the important part
-+ * of the line.
- */
- static void
- remove_underline(char *output)
- {
- char *cp, *ep;
-
-- // Remove lines that only consist of '^' and white space.
-+ // Remove lines that only consist of '~', '^' and white space.
- cp = output;
- ep = output + strlen(output);
- for (;;) {
-- size_t len = strspn(cp, "^ \t");
-+ size_t len = strspn(cp, "~^ \t");
- if (len > 0 && cp[len] == '\n') {
- /* Prune out lines that are "underlining". */
- memmove(cp, cp + len + 1, (size_t)(ep - cp));
---
-2.44.0
-
diff --git a/sources b/sources
index a9b6cfd..86f8d45 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (sudo-1.9.15p5.tar.gz) = ebac69719de2fe7bd587924701bdd24149bf376a68b17ec02f69b2b96d4bb6fa5eb8260a073ec5ea046d3ac69bb5b1c0b9d61709fe6a56f1f66e40817a70b15a
+SHA512 (sudo-1.9.17p1.tar.gz) = 1a9fb27a117b54adf5c99443b3375f7e0eaaf3a2d5a3d409f7c7b10c43432eb301d721df93fb1a8a2e45bf4a4957288d4f153359fc018af00973be57f62a1ebc
diff --git a/sudo.spec b/sudo.spec
index 4175d8c..73b3930 100644
--- a/sudo.spec
+++ b/sudo.spec
@@ -1,9 +1,9 @@
 # comment out if no extra version
-%global extraver p5
+%global extraver p1
 Summary: Allows restricted root access for specified users
 Name: sudo
-Version: 1.9.15
+Version: 1.9.17
 # remove -b 3 after rebase !!!
 # use "-p -e % {?extraver}" when beta
 # use "-e % {?extraver}"" when patch version
@@ -17,12 +17,6 @@ Requires: pam
 Recommends: system-default-editor
 Recommends: %{name}-python-plugin%{?_isa} = %{version}-%{release}
-# https://github.com/sudo-project/sudo/commit/89918caf5a349cac4e2a56ba503d7476c6f16067
-# https://github.com/sudo-project/sudo/issues/374
-# https://bugzilla.redhat.com/show_bug.cgi?id=2245820
-# Fix tests with Python 3.13+
-Patch: 0001-Python-3.12-backtraces-use-in-addition-to-when-under.patch
-
 BuildRequires: make
 BuildRequires: pam-devel
 BuildRequires: groff
@@ -82,14 +76,6 @@ BuildRequires: python3-devel
 # Remove bundled copy of zlib
 rm -rf zlib/
-%ifarch s390 s390x sparc64
-F_PIE=-fPIE
-%else
-F_PIE=-fpie
-%endif
-
-export CFLAGS="$RPM_OPT_FLAGS $F_PIE -std=gnu17" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"
-
 %configure \
 --prefix=%{_prefix} \
 --sbindir=%{_sbindir} \
@@ -117,14 +103,13 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE -std=gnu17" LDFLAGS="-pie -Wl,-z,relro -Wl,
 --with-sssd
 # --without-kerb5 \
 # --without-kerb4
-make
+%make_build
 %check
-make check
+%make_build check
 %install
-rm -rf $RPM_BUILD_ROOT
-make install DESTDIR="$RPM_BUILD_ROOT" install_uid=`id -u` install_gid=`id -g` sudoers_uid=`id -u` sudoers_gid=`id -g`
+%make_install install_uid=`id -u` install_gid=`id -g` sudoers_uid=`id -u` sudoers_gid=`id -g`
 chmod 755 $RPM_BUILD_ROOT%{_bindir}/* $RPM_BUILD_ROOT%{_sbindir}/*
 install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo
@@ -180,7 +165,6 @@ EOF
 %files -f sudo_all.lang
-%defattr(-,root,root)
 %attr(0440,root,root) %config(noreplace) /etc/sudoers
 %attr(0750,root,root) %dir /etc/sudoers.d/
 %config(noreplace) /etc/pam.d/sudo
From 04179b541723d5914c5ce01021dd7a2a7a68eaf6 Mon Sep 17 00:00:00 2001
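Review bot: The `%check` section in the `@@ -117,14 +103,13 @@` hunk still runs only the upstream test suite (`%make_build check`), while the preceding hunk of this commit deletes the explicit `-pie -Wl,-z,relro -Wl,-z,now` link flags and the `-fPIE`/`-fpie` selection. After this change the hardening of the sudo binary depends entirely on what `%configure` takes from the distribution's default build flags, and those macros are not visible on this page. I would add a short step at the end of `%check` that inspects the built sudo binary with `readelf -d` and fails the build if `BIND_NOW` or the PIE flag is missing. A one-line comment such as `# PIE/RELRO/BIND_NOW now come from the system build flags` next to `%configure` would record the dependency.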
From: =?UTF-8?q?Bj=C3=B6rn=20Esser?=
Date: Sat, 5 Jul 2025 12:22:08 +0200
Subject: [PATCH 09/12] Re-apply changes from commit e2e397029e0d35046a4cf891e075d24c7540da4f
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Björn Esser
---
 sudo.spec | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/sudo.spec b/sudo.spec
index 73b3930..9e72bb5 100644
--- a/sudo.spec
+++ b/sudo.spec
@@ -76,6 +76,8 @@ BuildRequires: python3-devel
 # Remove bundled copy of zlib
 rm -rf zlib/
+export CFLAGS="$RPM_OPT_FLAGS -std=gnu17"
+
 %configure \
 --prefix=%{_prefix} \
 --sbindir=%{_sbindir} \
From 1899e2aa8d10783369a1d840c2fc30cf86a6e782 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20Esser?=
Date: Mon, 7 Jul 2025 13:10:49 +0200
Subject: [PATCH 10/12] Drop '-std=gnu17' from CFLAGS, as C23 builds fine now
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This was introduced in commit e2e397029e0d35046a4cf891e075d24c7540da4f for an older version of sudo that was FTBFS for GCC 15 defaulting to C23.
Signed-off-by: Björn Esser
---
 sudo.spec | 2 --
 1 file changed, 2 deletions(-)
diff --git a/sudo.spec b/sudo.spec
index 9e72bb5..73b3930 100644
--- a/sudo.spec
+++ b/sudo.spec
@@ -76,8 +76,6 @@ BuildRequires: python3-devel
 # Remove bundled copy of zlib
 rm -rf zlib/
-export CFLAGS="$RPM_OPT_FLAGS -std=gnu17"
-
 %configure \
 --prefix=%{_prefix} \
 --sbindir=%{_sbindir} \
From 81e84c1f0692ac90603c7cbeaeeb2b891a852e45 Mon Sep 17 00:00:00 2001
From: Fedora Release Engineering
Date: Fri, 25 Jul 2025 18:50:05 +0000
Subject: [PATCH 11/12] Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
From 2ead99a2b1915e06b2918b5547d0587fbe678e0e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alejandro=20L=C3=B3pez?=
Date: Tue, 21 Oct 2025 10:16:55 +0200
Subject: [PATCH 12/12] Rebase to 1.9.17p2 - sudo-1.9.17p2 is available Resolves: rhbz#2383665
---
 .gitignore | 1 +
 sources | 2 +-
 sudo.spec | 2 +-
 3 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/.gitignore b/.gitignore
index e4940ce..b0986fa 100644
--- a/.gitignore
+++ b/.gitignore
@@ -35,3 +35,4 @@
 /sudo-1.9.15p4.tar.gz
 /sudo-1.9.15p5.tar.gz
 /sudo-1.9.17p1.tar.gz
+/sudo-1.9.17p2.tar.gz
diff --git a/sources b/sources
index 86f8d45..54e59ea 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (sudo-1.9.17p1.tar.gz) = 1a9fb27a117b54adf5c99443b3375f7e0eaaf3a2d5a3d409f7c7b10c43432eb301d721df93fb1a8a2e45bf4a4957288d4f153359fc018af00973be57f62a1ebc
+SHA512 (sudo-1.9.17p2.tar.gz) = c8abd6ca56e54a081c9ef1e9f6579d1db5b93ff857e60d1f58d1f425d7dc23c31c58d40b7819780688f66dfdf87a1f3bbe0a78387b007e2beb1b0e546203ea93
diff --git a/sudo.spec b/sudo.spec
index e321ec4..be44d00 100644
--- a/sudo.spec
+++ b/sudo.spec
@@ -1,5 +1,5 @@
 # comment out if no extra version
-%global extraver p1
+%global extraver p2
 Summary: Allows restricted root access for specified users
 Name: sudo