pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/security/sudo sudo: updated to 1.9.6p1



details:   https://anonhg.NetBSD.org/pkgsrc/rev/3ce7fd79bc41
branches:  trunk
changeset: 448925:3ce7fd79bc41
user:      adam <adam%pkgsrc.org@localhost>
date:      Thu Mar 18 08:57:48 2021 +0000

description:
sudo: updated to 1.9.6p1

Major changes between version 1.9.6p1 and 1.9.6:

Fixed a regression introduced in sudo 1.9.6 that resulted in an error message instead of a usage message when sudo is run with no arguments.


Major changes between version 1.9.6 and 1.9.5p2:

Fixed a sudo_sendlog compilation problem with the AIX xlC compiler.
Fixed a regression introduced in sudo 1.9.4 where the --disable-root-mailer configure option had no effect.
Added a --disable-leaks configure option that avoids some memory leaks on exit that would otherwise occur. This is intended to be used with development tools that measure memory leaks. It is not safe to use in production at this time.
Plugged some memory leaks identified by oss-fuzz and ASAN.
Fixed the handling of sudoOptions for an LDAP sudoRole that contains multiple sudoCommands. Previously, some of the options would only be applied to the first sudoCommand.
Fixed a potential out of bounds read in the parsing of NOTBEFORE and NOTAFTER sudoers command options (and their LDAP equivalents).
The parser used for reading I/O log JSON files is now more resilient when processing invalid JSON.
Fixed typos that prevented make uninstall from working.
Fixed a regression introduced in sudo 1.9.4 where the last line in a sudoers file might not have a terminating NUL character added if no newline was present.
Integrated oss-fuzz and LLVM's libFuzzer with sudo. The new --enable-fuzzer configure option can be combined with the --enable-sanitizer option to build sudo with fuzzing support. Multiple fuzz targets are available for fuzzing different parts of sudo. Fuzzers are built and tested via make fuzz or as part of make check (even when sudo is not built with fuzzing support). Fuzzing support currently requires the LLVM clang compiler (not gcc).
Fixed the --enable-static-sudoers configure option.
Fixed a potential out of bounds read when sudo is run by a user with more groups than the value of max_groups in sudo.conf.
Added an admin_flag sudoers option to make the use of the ~/.sudo_as_admin_successful file configurable on systems where sudo is built with the --enable-admin-flag configure option. This mostly affects Ubuntu and its derivatives.
The max_groups setting in sudo.conf is now limited to 1024. This setting is obsolete and should no longer be needed.
Fixed a bug in the tilde expansion of CHROOT=dir and CWD=dir sudoers command options. A path ~/foo was expanded to /home/userfoo instead of /home/user/foo. This also affects the runchroot and runcwd Defaults settings.
Fixed a bug on systems without a native getdelim(3) function where very long lines could cause parsing of the sudoers file to end prematurely.
Fixed a potential integer overflow when converting the timestamp_timeout and passwd_timeout sudoers settings to a timespec struct.
The default for the group_source setting in sudo.conf is now dynamic on macOS. Recent versions of macOS do not reliably return all of a user's non-local groups via getgroups(2), even when _DARWIN_UNLIMITED_GETGROUPS is defined.
Fixed a potential use-after-free in the PAM conversation function.
Fixed potential redefinition of sys/stat.h macros in sudo_compat.h.

diffstat:

 security/sudo/Makefile                                  |   5 +-
 security/sudo/distinfo                                  |  16 +-
 security/sudo/patches/patch-configure                   |  82 +++-------------
 security/sudo/patches/patch-logsrvd_Makefile.in         |   8 +-
 security/sudo/patches/patch-plugins_sudoers_Makefile.in |  14 +-
 5 files changed, 39 insertions(+), 86 deletions(-)

diffs (236 lines):

diff -r e68ef07b61de -r 3ce7fd79bc41 security/sudo/Makefile
--- a/security/sudo/Makefile    Thu Mar 18 08:30:55 2021 +0000
+++ b/security/sudo/Makefile    Thu Mar 18 08:57:48 2021 +0000
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.183 2021/01/30 11:06:45 spz Exp $
+# $NetBSD: Makefile,v 1.184 2021/03/18 08:57:48 adam Exp $
 
-DISTNAME=      sudo-1.9.5p2
-PKGREVISION=   1
+DISTNAME=      sudo-1.9.6p1
 CATEGORIES=    security
 MASTER_SITES=  https://www.sudo.ws/dist/
 MASTER_SITES+= ftp://ftp.sudo.ws/pub/sudo/
diff -r e68ef07b61de -r 3ce7fd79bc41 security/sudo/distinfo
--- a/security/sudo/distinfo    Thu Mar 18 08:30:55 2021 +0000
+++ b/security/sudo/distinfo    Thu Mar 18 08:57:48 2021 +0000
@@ -1,12 +1,12 @@
-$NetBSD: distinfo,v 1.114 2021/01/30 11:06:45 spz Exp $
+$NetBSD: distinfo,v 1.115 2021/03/18 08:57:48 adam Exp $
 
-SHA1 (sudo-1.9.5p2.tar.gz) = 08bde247a1e08bc881eec43e09733f7ca06408f5
-RMD160 (sudo-1.9.5p2.tar.gz) = 5952aafd4e777196eb8af81c4cdc420e3d688684
-SHA512 (sudo-1.9.5p2.tar.gz) = f0fe914963c31a6f8ab6c86847ff6cdd125bd5a839b27f46dcae03963f4fc413b3d4cca54c1979feb825c8479b44c7df0642c07345c941eecf6f9f1e03ea0e27
-Size (sudo-1.9.5p2.tar.gz) = 4012277 bytes
+SHA1 (sudo-1.9.6p1.tar.gz) = c83e90c50f79004922a6fc5229601fe121d52f50
+RMD160 (sudo-1.9.6p1.tar.gz) = 638da407f15c36debf6bce797f7a6f10caf6c0df
+SHA512 (sudo-1.9.6p1.tar.gz) = 632dfe72f04ce9a7a5a7236fcd5c09ce4535e695ced49d24dd848e3a7b1bea7380df44188b9e475af4271069539b5a5816948a98fbb0649ebebaba8b4c4b7745
+Size (sudo-1.9.6p1.tar.gz) = 4119888 bytes
 SHA1 (patch-Makefile.in) = e8813e1aa208d9ef6304038328504a5402341560
-SHA1 (patch-configure) = 0dd4c9bc64fb0ecaf496874eb8d0b649330db1f2
+SHA1 (patch-configure) = 162f6f3ac244f2ea0c3cc06884079fbceff276ca
 SHA1 (patch-examples_Makefile.in) = a20967ecd88eb5e4a8b47e6a3b80bc18be713409
-SHA1 (patch-logsrvd_Makefile.in) = c460b868e09560a80f632d1332fc7d7c3d1822cf
-SHA1 (patch-plugins_sudoers_Makefile.in) = efc0fb726c23dcb2d6a006524fd561800d6d7924
+SHA1 (patch-logsrvd_Makefile.in) = b3672406368384dfbfe7ef3e6fcd141d43cbc026
+SHA1 (patch-plugins_sudoers_Makefile.in) = d2981bb9841f6bb4b1c80f5c2f2727fbf9579501
 SHA1 (patch-src_Makefile.in) = 8959049bc428f592f84de1cad1a898c07c6e6b39
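
Review bot: the regenerated sums on the sudo-1.9.6p1.tar.gz lines cannot be checked from this diff, and the commit message does not say the tarball was verified against upstream before distinfo was rebuilt. Of the three digests carried for the distfile, only the SHA512 line is a meaningful integrity check; SHA1 and RMD160 add nothing to it, and the patch entries are SHA1 only. Please record in the commit message that the distfile was compared with the upstream release checksum or signature, which matters more while MASTER_SITES in the Makefile still lists a plain ftp:// mirror.
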
diff -r e68ef07b61de -r 3ce7fd79bc41 security/sudo/patches/patch-configure
--- a/security/sudo/patches/patch-configure     Thu Mar 18 08:30:55 2021 +0000
+++ b/security/sudo/patches/patch-configure     Thu Mar 18 08:57:48 2021 +0000
@@ -1,4 +1,4 @@
-$NetBSD: patch-configure,v 1.5 2021/01/30 11:06:45 spz Exp $
+$NetBSD: patch-configure,v 1.6 2021/03/18 08:57:48 adam Exp $
 
 * Add "--with-nbsdops" option, NetBSD standard options.
 * Link with util(3) in the case of DragonFly, too.
@@ -7,9 +7,9 @@
   functions (HAVE_KRB5_*).
 * Remove setting sysconfdir to "/etc".
 
---- configure.orig     2021-01-23 16:45:11.000000000 +0100
-+++ configure  2021-01-30 12:31:20.802349535 +0100
-@@ -892,6 +892,7 @@ with_libpath
+--- configure.orig     2021-03-15 16:50:00.000000000 +0000
++++ configure
+@@ -920,6 +920,7 @@ with_libpath
  with_libraries
  with_efence
  with_csops
@@ -17,7 +17,7 @@
  with_passwd
  with_skey
  with_opie
-@@ -1621,7 +1622,7 @@ Fine tuning of the installation director
+@@ -1652,7 +1653,7 @@ Fine tuning of the installation director
    --bindir=DIR            user executables [EPREFIX/bin]
    --sbindir=DIR           system admin executables [EPREFIX/sbin]
    --libexecdir=DIR        program executables [EPREFIX/libexec]
@@ -26,7 +26,7 @@
    --sharedstatedir=DIR    modifiable architecture-independent data [PREFIX/com]
    --localstatedir=DIR     modifiable single-machine data [PREFIX/var]
    --runstatedir=DIR       modifiable per-process data [LOCALSTATEDIR/run]
-@@ -1737,6 +1738,7 @@ Optional Packages:
+@@ -1776,6 +1777,7 @@ Optional Packages:
    --with-libraries        additional libraries to link with
    --with-efence           link with -lefence for malloc() debugging
    --with-csops            add CSOps standard options
@@ -34,7 +34,7 @@
    --without-passwd        don't use passwd/shadow file for authentication
    --with-skey[=DIR]       enable S/Key support
    --with-opie[=DIR]       enable OPIE support
-@@ -4863,6 +4865,23 @@ fi
+@@ -5203,6 +5205,23 @@ fi
  
  
  
@@ -56,9 +56,9 @@
 +
 +
  # Check whether --with-passwd was given.
- if test "${with_passwd+set}" = set; then :
-   withval=$with_passwd; case $with_passwd in
-@@ -15765,7 +15784,7 @@ fi
+ if test ${with_passwd+y}
+ then :
+@@ -16699,7 +16718,7 @@ fi
                : ${mansectsu='1m'}
                : ${mansectform='4'}
                ;;
@@ -67,71 +67,25 @@
                shadow_funcs="getspnam"
                test -z "$with_pam" && AUTH_EXCL_DEF="PAM"
                # Check for SECCOMP_SET_MODE_FILTER in linux/seccomp.h
-@@ -18026,7 +18045,7 @@ if test "x$ac_cv_header_login_cap_h" = x
- _ACEOF
+@@ -18732,7 +18751,7 @@ then :
+   printf "%s\n" "#define HAVE_LOGIN_CAP_H 1" >>confdefs.h
   LOGINCAP_USAGE='[-c class] '; LCMAN=1
        case "$OS" in
--          freebsd|netbsd)
-+          dragonfly*|freebsd|netbsd*)
+-          freebsd*|netbsd*)
++          dragonfly*|freebsd*|netbsd*)
                SUDO_LIBS="${SUDO_LIBS} -lutil"
                SUDOERS_LIBS="${SUDOERS_LIBS} -lutil"
                ;;
-@@ -23965,10 +23984,9 @@ if test ${with_pam-"no"} != "no"; then
-     # Check for pam_start() in libpam first, then for pam_appl.h.
-     #
-     found_pam_lib=no
--    as_ac_Lib=`$as_echo "ac_cv_lib_pam_pam_start$lt_cv_dlopen_libs" | $as_tr_sh`
--{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for pam_start in -lpam" >&5
-+    { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pam_start in -lpam" >&5
- $as_echo_n "checking for pam_start in -lpam... " >&6; }
--if eval \${$as_ac_Lib+:} false; then :
-+if ${ac_cv_lib_pam_pam_start+:} false; then :
-   $as_echo_n "(cached) " >&6
- else
-   ac_check_lib_save_LIBS=$LIBS
-@@ -23992,18 +24010,17 @@ return pam_start ();
- }
- _ACEOF
- if ac_fn_c_try_link "$LINENO"; then :
--  eval "$as_ac_Lib=yes"
-+  ac_cv_lib_pam_pam_start=yes
- else
--  eval "$as_ac_Lib=no"
-+  ac_cv_lib_pam_pam_start=no
- fi
- rm -f core conftest.err conftest.$ac_objext \
-     conftest$ac_exeext conftest.$ac_ext
- LIBS=$ac_check_lib_save_LIBS
- fi
--eval ac_res=\$$as_ac_Lib
--             { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
--$as_echo "$ac_res" >&6; }
--if eval test \"x\$"$as_ac_Lib"\" = x"yes"; then :
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pam_pam_start" >&5
-+$as_echo "$ac_cv_lib_pam_pam_start" >&6; }
-+if test "x$ac_cv_lib_pam_pam_start" = xyes; then :
-   found_pam_lib=yes
- fi
- 
-@@ -24738,6 +24755,8 @@ fi
- rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+@@ -25528,6 +25547,8 @@ fi
+ rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext
        AUTH_OBJS="$AUTH_OBJS kerb5.lo"
      fi
 +fi
 +if test ${with_kerb5-'no'} != "no"; then
      _LIBS="$LIBS"
      LIBS="${LIBS} ${SUDOERS_LIBS}"
-     for ac_func in krb5_verify_user krb5_init_secure_context
-@@ -27120,7 +27139,7 @@ fi
- fi
- 
- case "$OS" in
--    netbsd)
-+    netbsd*)
-       ;;
-     *)
-       { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -Wl,--enable-new-dtags" >&5
-@@ -28297,7 +28316,6 @@ test "$docdir" = '${datarootdir}/doc/${P
+     ac_fn_c_check_func "$LINENO" "krb5_verify_user" "ac_cv_func_krb5_verify_user"
+@@ -29695,7 +29716,6 @@ test "$docdir" = '${datarootdir}/doc/${P
  test "$localedir" = '${datarootdir}/locale' && localedir='$(datarootdir)/locale'
  test "$localstatedir" = '${prefix}/var' && localstatedir='$(prefix)/var'
  test "$runstatedir" = '${localstatedir}/run' && runstatedir='$(localstatedir)/run'
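
Review bot: the inner hunks for the pam_start check in -lpam and for the "netbsd)" to "netbsd*)" case ahead of the -Wl,--enable-new-dtags test are dropped in this hunk without explanation, and the commit message only quotes the upstream changelog. The new inner context already reads "freebsd*|netbsd*", which suggests upstream adopted the glob form, but that should be stated rather than inferred. Please say in the commit message or the patch header why each removed hunk is no longer needed, and check that the bullet list at the top of patch-configure describes only the hunks that remain.
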
diff -r e68ef07b61de -r 3ce7fd79bc41 security/sudo/patches/patch-logsrvd_Makefile.in
--- a/security/sudo/patches/patch-logsrvd_Makefile.in   Thu Mar 18 08:30:55 2021 +0000
+++ b/security/sudo/patches/patch-logsrvd_Makefile.in   Thu Mar 18 08:57:48 2021 +0000
@@ -1,12 +1,12 @@
-$NetBSD: patch-logsrvd_Makefile.in,v 1.1 2021/01/18 14:32:24 taca Exp $
+$NetBSD: patch-logsrvd_Makefile.in,v 1.2 2021/03/18 08:57:48 adam Exp $
 
 Fix build error.
 
---- logsrvd/Makefile.in.orig   2021-01-09 20:12:16.000000000 +0000
+--- logsrvd/Makefile.in.orig   2021-03-13 15:47:23.000000000 +0000
 +++ logsrvd/Makefile.in
-@@ -46,7 +46,7 @@ INSTALL_BACKUP = @INSTALL_BACKUP@
+@@ -45,7 +45,7 @@ INSTALL_BACKUP = @INSTALL_BACKUP@
+ # Libraries
  LT_LIBS = $(top_builddir)/lib/iolog/libsudo_iolog.la \
-         $(top_builddir)/lib/eventlog/libsudo_eventlog.la \
          $(top_builddir)/lib/logsrv/liblogsrv.la
 -LIBS = $(LT_LIBS) @LIBTLS@
 +LIBS = $(LT_LIBS) @LIBTLS@ @LIBS@
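
Review bot: the description line "Fix build error." in patch-logsrvd_Makefile.in still does not say which error the added @LIBS@ on the LIBS line fixes, and this revision was a chance to fill that in. patch-plugins_sudoers_Makefile.in makes the same kind of change and documents it as linking with @LIBS@ for the nls PKG_OPTIONS case; if that is the reason here too, use the same wording so the next update can tell whether the patch is still required.
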
diff -r e68ef07b61de -r 3ce7fd79bc41 security/sudo/patches/patch-plugins_sudoers_Makefile.in
--- a/security/sudo/patches/patch-plugins_sudoers_Makefile.in   Thu Mar 18 08:30:55 2021 +0000
+++ b/security/sudo/patches/patch-plugins_sudoers_Makefile.in   Thu Mar 18 08:57:48 2021 +0000
@@ -1,26 +1,26 @@
-$NetBSD: patch-plugins_sudoers_Makefile.in,v 1.4 2021/01/18 14:32:24 taca Exp $
+$NetBSD: patch-plugins_sudoers_Makefile.in,v 1.5 2021/03/18 08:57:48 adam Exp $
 
 * Do not install the sudoers file.
 * link with @LIBS@ for PKG_OPTIONS nls enabled case.
 
---- plugins/sudoers/Makefile.in.orig   2021-01-09 20:12:16.000000000 +0000
+--- plugins/sudoers/Makefile.in.orig   2021-03-13 15:47:23.000000000 +0000
 +++ plugins/sudoers/Makefile.in
-@@ -62,10 +62,10 @@ LIBUTIL = $(top_builddir)/lib/util/libsu
+@@ -63,10 +63,10 @@ LIBUTIL = $(top_builddir)/lib/util/libsu
  LIBS = $(LIBUTIL)
  NET_LIBS = @NET_LIBS@
- SUDOERS_LIBS = @SUDOERS_LIBS@ @AFS_LIBS@ @GETGROUPS_LIB@ @LIBTLS@ $(NET_LIBS) $(LIBIOLOG) $(LIBEVENTLOG) $(LIBLOGSRV)
--REPLAY_LIBS = @REPLAY_LIBS@ $(LIBEVENTLOG) $(LIBIOLOG)
+ SUDOERS_LIBS = @SUDOERS_LIBS@ @AFS_LIBS@ @GETGROUPS_LIB@ @LIBTLS@ $(NET_LIBS) $(LIBIOLOG) $(LIBLOGSRV)
+-REPLAY_LIBS = @REPLAY_LIBS@ $(LIBIOLOG)
 -VISUDO_LIBS = $(NET_LIBS)
 -CVTSUDOERS_LIBS = $(NET_LIBS)
 -TESTSUDOERS_LIBS = $(NET_LIBS)
-+REPLAY_LIBS = @REPLAY_LIBS@ $(LIBEVENTLOG) $(LIBIOLOG) @LIBS@
++REPLAY_LIBS = @REPLAY_LIBS@ $(LIBIOLOG) @LIBS@
 +VISUDO_LIBS = $(NET_LIBS) @LIBS@
 +CVTSUDOERS_LIBS = $(NET_LIBS) @LIBS@
 +TESTSUDOERS_LIBS = $(NET_LIBS) @LIBS@
  
  # C preprocessor defines
  CPPDEFS = -DLIBDIR=\"$(libdir)\" -DLOCALEDIR=\"$(localedir)\" \
-@@ -390,7 +390,7 @@ pre-install:
+@@ -483,7 +483,7 @@ pre-install:
            fi; \
        fi
  
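
Review bot: the inner hunk header for pre-install moves from line 390 to 483, a large shift in plugins/sudoers/Makefile.in, and the body of that hunk is cut off in this mail so it cannot be reviewed here. It is presumably the hunk behind "Do not install the sudoers file.", so please confirm it still applies to the sudoers install rule itself rather than to nearby lines that happen to match; checking that the staged package contains no sudoers file would catch a misapplied hunk.
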


