Compare commits

23 commits

Author SHA1 Message Date
Alejandro López
2ead99a2b1 Rebase to 1.9.17p2
- sudo-1.9.17p2 is available
  Resolves: rhbz#2383665
2025-10-21 10:16:55 +02:00
Fedora Release Engineering
81e84c1f06 Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild 2025-07-25 18:50:05 +00:00
Radovan Sroka
f78ef048db Merge #29 Move yum/dnf protection removal config file under /usr 2025-07-17 18:36:52 +00:00
Björn Esser
1899e2aa8d
Drop '-std=gnu17' from CFLAGS, as C23 builds fine now
This was introduced in commit e2e397029e
for an older version of sudo that was FTBFS for GCC 15 defaulting to C23.

Signed-off-by: Björn Esser <besser82@fedoraproject.org>
2025-07-07 13:15:19 +02:00
Björn Esser
04179b5417
Re-apply changes from commit e2e397029e
Signed-off-by: Björn Esser <besser82@fedoraproject.org>
2025-07-05 12:22:08 +02:00
Björn Esser
9641cbaa6b
Rebase to sudo 1.9.17p1
- sudo-1_9_16p2 is available
    Resolves: rhbz#2309626
    - sudo: LPE via host option
    Resolves: CVE-2025-32462
    - Properly apply system buildflags
    - Use new build macros, drop unneeded %%defattr

Signed-off-by: Björn Esser <besser82@fedoraproject.org>
2025-07-05 12:13:06 +02:00
Python Maint
aa37372f8a Rebuilt for Python 3.14 2025-06-02 20:53:02 +02:00
Zbigniew Jędrzejewski-Szmek
770b8e2647 Move yum/dnf protection removal config file under /usr
https://github.com/uapi-group/specifications/issues/76

Actually, add a new file under /usr, but keep the old file in /etc
because it's still needed for dnf. The new file in the new location
is useful because it means that we get the correct behaviour even when
/etc is emptied (on systems with new dnf version).

dnf5 reads the new location:
https://github.com/rpm-software-management/dnf5/issues/1107
https://github.com/rpm-software-management/dnf5/pull/1110
2025-03-12 07:34:49 +00:00
Yaakov Selkowitz
e2e397029e Fix build with GCC 15
GCC 15 defaults to C23, which changes the interpretation of function
declarations without parameters to be `void` rather than of an unknown
number and type (as in K&R).  The sudoers plugin relies on the older
behaviour for its hook functions.
2025-02-26 12:59:14 -05:00
Fedora Release Engineering
ac16a17374 Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild 2025-01-19 11:50:30 +00:00
Fedora Release Engineering
f568249113 Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild 2024-07-20 06:36:47 +00:00
Python Maint
47db28a693 Rebuilt for Python 3.13 2024-06-07 09:11:33 +02:00
Adam Williamson
545c191f72 Backport upstream fix for tests with Python 3.13+ 2024-05-02 23:09:47 -07:00
Yaakov Selkowitz
df275faead Avoid sendmail build dependency
sudo should be compatible with any MTA, any of which in Fedora provide
/usr/sbin/sendmail, and is used at build time only to determine its
location.  Instead of generalizing the build requirement (e.g. for RHEL
10 which includes only postfix), we can just tell sudo its location
during configure, in which case it is not needed at all to build.

However, doing so uncovered that systemd's presence was being relied
upon without being specified.  This too can be avoided by using the
macros to define the proper tmpfiles location during configure.
2024-02-08 16:46:56 -05:00
Radovan Sroka
462f43c97a Rebase to 1.9.15p5
- sudo-1_9_15p5 is available
Resolves: rhbz#2248505
- TRIAGE CVE-2023-42465 sudo: Targeted Corruption of Register and Stack
Variables
Resolves: rhbz#2255569

Signed-off-by: Radovan Sroka <rsroka@redhat.com>
2024-01-24 11:05:13 +01:00
Yaakov Selkowitz
da01b87507 Rebase to 1.9.14p3
- sudo-1_9_14p2 is available
Resolves: rhbz#2175672
- sudo fails to build with Python 3.12: FAILED: testcase check_example_group_plugin_is_able_to_debug()
Resolves: rhbz#2186412

Signed-off-by: Yaakov Selkowitz <yselkowi@redhat.com>
2023-07-24 22:08:49 -04:00
Fedora Release Engineering
347c83287d Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2023-07-22 02:42:07 +00:00
Leigh Scott
328503ded5 Rebuilt for Python 3.12 2023-07-06 14:20:50 +01:00
Radovan Sroka
06544f1ab2
- migrated to SPDX license
Signed-off-by: Radovan Sroka <rsroka@redhat.com>
2023-06-20 15:00:57 +02:00
Python Maint
85dfa5defb Rebuilt for Python 3.12 2023-06-13 20:59:29 +02:00
Florian Weimer
025901c345 Port configure script to C99
Related to:

  <https://fedoraproject.org/wiki/Changes/PortingToModernC>
  <https://fedoraproject.org/wiki/Toolchain/PortingToModernC>
2023-04-26 12:08:16 +02:00
Radovan Sroka
8d3c03b4da
Rebase to sudo 1.9.13p2
- sudo-1.9.13p2 is available
Resolves: rhbz#2169840
- sudo: double free with per-command chroot sudoers rules
Resolves: CVE-2023-27320

Signed-off-by: Radovan Sroka <rsroka@redhat.com>
2023-03-01 17:45:33 +01:00
Radovan Sroka
61dacac7f9 Rebase to sudo 1.9.12p2
- sudo-1.9.12p2 is available
Resolves: rhbz#2137775
- sudo: arbitrary file write with privileges of the RunAs user
Resolves: CVE-2023-22809

Signed-off-by: Radovan Sroka <rsroka@redhat.com>
2023-01-19 14:19:32 +01:00
4 changed files with 26 additions and 34 deletions

5
.gitignore vendored
@ -31,3 +31,8 @@
/sudo-1.9.11p3.tar.gz
/sudo-1.9.12p2.tar.gz
/sudo-1.9.13p2.tar.gz
/sudo-1.9.14p3.tar.gz
/sudo-1.9.15p4.tar.gz
/sudo-1.9.15p5.tar.gz
/sudo-1.9.17p1.tar.gz
/sudo-1.9.17p2.tar.gz

@ -1 +1 @@
SHA512 (sudo-1.9.13p2.tar.gz) = b3015a114fd518afd644c9934f2461046f1116506723217603af1a952bdb436689761b4d009dfe32b725bad2e0ebcaf19db72febfaa63895ba004256fea12bef
SHA512 (sudo-1.9.17p2.tar.gz) = c8abd6ca56e54a081c9ef1e9f6579d1db5b93ff857e60d1f58d1f425d7dc23c31c58d40b7819780688f66dfdf87a1f3bbe0a78387b007e2beb1b0e546203ea93
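Review bot: the replacement SHA512 line for sudo-1.9.17p2.tar.gz is the only integrity check on the new tarball visible in this change, so it should be confirmed against the checksum or signature that upstream publishes for that release rather than computed from whatever was downloaded. Recording in the commit message how the hash was verified would make the rebase auditable.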

@ -1,11 +0,0 @@
--- sudo-1.6.7p5/scripts/install-sh.strip 2005-07-21 14:28:25.000000000 +0200
+++ sudo-1.6.7p5/scripts/install-sh 2005-07-21 14:29:18.000000000 +0200
@@ -138,7 +138,7 @@
fi
;;
X-s)
- STRIPIT=true
+ #STRIPIT=true
;;
X--)
shift
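Review bot: deleting this patch restores `STRIPIT=true` for the `X-s)` case in scripts/install-sh, so any install step that passes `-s` will strip binaries before RPM's debuginfo extraction runs. Confirm that the 1.9.17 install path no longer invokes install-sh with `-s`, or that stripping is disabled some other way, and that the resulting debuginfo package still carries symbols. The commit message should say why the patch is safe to drop.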

@ -3,7 +3,7 @@
Summary: Allows restricted root access for specified users
Name: sudo
Version: 1.9.13
Version: 1.9.17
# remove -b 3 after rebase !!!
# use "-p -e % {?extraver}" when beta
# use "-e % {?extraver}"" when patch version
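Review bot: `Version:` moves to 1.9.17 here while the tarball recorded in the sources file is sudo-1.9.17p2.tar.gz, so the patch level has to come from `extraver`, which this hunk does not show. Check that `extraver` is set to p2 so that `%{version}%{?extraver}` resolves to the unpacked directory name, and act on the context comment `# remove -b 3 after rebase !!!` if a `-b` bump is still present.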
@ -26,7 +26,7 @@ BuildRequires: bison
BuildRequires: libtool
BuildRequires: audit-libs-devel libcap-devel
BuildRequires: libselinux-devel
BuildRequires: sendmail
BuildRequires: systemd-rpm-macros
BuildRequires: gettext
BuildRequires: zlib-devel
@ -70,25 +70,18 @@ BuildRequires: python3-devel
%{name}-python-plugin allows using sudo plugins written in Python.
%prep
%setup -q -n %{name}-%{version}%{?extraver}
%autosetup -p1 -n %{name}-%{version}%{?extraver}
%build
# Remove bundled copy of zlib
rm -rf zlib/
%ifarch s390 s390x sparc64
F_PIE=-fPIE
%else
F_PIE=-fpie
%endif
export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"
%configure \
--prefix=%{_prefix} \
--sbindir=%{_sbindir} \
--libdir=%{_libdir} \
--docdir=%{_pkgdocdir} \
--enable-tmpfiles.d=%{_tmpfilesdir} \
--enable-openssl \
--disable-root-mailer \
--disable-intercept \
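Review bot: hardening of the setuid sudo binary appears to rest entirely on the flags `%configure` injects after this hunk, because the per-arch `F_PIE` block and the `export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"` line sit in the region that shrinks from 25 to 18 lines, and the commit message says system build flags are now applied instead. Add a `%check` step, or at least record a one-off verification, that the built sudo is still PIE with full RELRO and immediate binding, so a later change to the distribution defaults cannot weaken it unnoticed.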
@ -102,6 +95,7 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"
--with-tty-tickets \
--with-ldap \
--with-selinux \
--with-sendmail=/usr/sbin/sendmail \
--with-passprompt="[sudo] password for %p: " \
--enable-python \
--enable-zlib=system \
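Review bot: `--with-sendmail=/usr/sbin/sendmail` fixes the mailer path at configure time and the `BuildRequires: sendmail` line is gone, so nothing visible in this diff guarantees that the path exists on an installed system. Since sudo's mail notifications are used as an alerting channel, add a spec comment stating that they depend on an MTA providing /usr/sbin/sendmail, or add a weak dependency if notifications are expected to work out of the box.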
@ -109,26 +103,28 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"
--with-sssd
# --without-kerb5 \
# --without-kerb4
make
%make_build
%check
make check
%make_build check
%install
rm -rf $RPM_BUILD_ROOT
make install DESTDIR="$RPM_BUILD_ROOT" install_uid=`id -u` install_gid=`id -g` sudoers_uid=`id -u` sudoers_gid=`id -g`
%make_install install_uid=`id -u` install_gid=`id -g` sudoers_uid=`id -u` sudoers_gid=`id -g`
chmod 755 $RPM_BUILD_ROOT%{_bindir}/* $RPM_BUILD_ROOT%{_sbindir}/*
install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo
install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo/lectured
install -p -d -m 750 $RPM_BUILD_ROOT/etc/sudoers.d
install -p -c -m 0440 %{SOURCE1} $RPM_BUILD_ROOT/etc/sudoers
#add sudo to protected packages
install -p -d -m 755 $RPM_BUILD_ROOT/etc/dnf/protected.d/
touch sudo.conf
echo sudo > sudo.conf
install -p -c -m 0644 sudo.conf $RPM_BUILD_ROOT/etc/dnf/protected.d/
rm -f sudo.conf
# Add sudo to protected packages. Old location for yum/dnf.
mkdir -p $RPM_BUILD_ROOT/etc/dnf/protected.d/
echo "sudo" >$RPM_BUILD_ROOT/etc/dnf/protected.d/sudo.conf
# Add sudo to protected packages. New location for dnf5.
mkdir -p $RPM_BUILD_ROOT/usr/share/dnf5/libdnf.conf.d/
cat >$RPM_BUILD_ROOT/usr/share/dnf5/libdnf.conf.d/protect-sudo.conf <<EOF
[main]
protected_packages = sudo
EOF
chmod +x $RPM_BUILD_ROOT%{_libexecdir}/sudo/*.so # for stripping, reset in %%files
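Review bot: both protected-package files are now created by shell redirection (`echo "sudo" >...` and the `cat >... <<EOF` heredoc), so their modes come from the build environment's umask, where the neighbouring lines used `install -p -c -m 0644`. The /etc copy is still pinned by `%attr(0644,root,root)` in `%files`, but protect-sudo.conf is listed there without an `%attr`; create it with `install -m 0644` or pin the mode in `%files`.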
@ -172,7 +168,6 @@ EOF
%files -f sudo_all.lang
%defattr(-,root,root)
%attr(0440,root,root) %config(noreplace) /etc/sudoers
%attr(0750,root,root) %dir /etc/sudoers.d/
%config(noreplace) /etc/pam.d/sudo
@ -180,6 +175,9 @@ EOF
%attr(0644,root,root) %{_tmpfilesdir}/sudo.conf
%attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/sudo.conf
%attr(0640,root,root) %config(noreplace) /etc/sudo.conf
%dir /usr/share/dnf5
%dir /usr/share/dnf5/libdnf.conf.d
/usr/share/dnf5/libdnf.conf.d/protect-sudo.conf
%dir /var/db/sudo
%dir /var/db/sudo/lectured
%attr(4111,root,root) %{_bindir}/sudo
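Review bot: the three added entries hard-code /usr/share/dnf5 while the rest of `%files` uses macros such as `%{_tmpfilesdir}` and `%{_bindir}`; use `%{_datadir}/dnf5/...` here and in `%install` for consistency. Owning `%dir /usr/share/dnf5` and `%dir /usr/share/dnf5/libdnf.conf.d` from the sudo package also deserves a one-line comment saying the co-ownership with dnf5 is deliberate, so it is not later mistaken for a packaging error.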