Hello community,

here is the log from the commit of package sudo for openSUSE:Factory checked in at 2013-07-03 10:27:44
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/sudo (Old)
 and /work/SRC/openSUSE:Factory/.sudo.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "sudo" Changes: -------- --- /work/SRC/openSUSE:Factory/sudo/sudo.changes 2013-06-29 14:51:56.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.sudo.new/sudo.changes 2013-07-03 10:27:45.000000000 +0200 @@ -1,0 +2,5 @@ +Tue Jul 2 16:30:19 UTC 2013 - [email protected] + +- restore accidentally dropped suse-specific patches + +------------------------------------------------------------------- 
@@ -5 +10,21 @@ - * especially all local patches are obsoleted by upstream fixes + * remove CVE-2013-1775 + * remove CVE-2013-1776 + * The non-Unix group plugin is now supported when sudoers data is stored in LDAP. + * User messages are now always displayed in the user's locale, even when the + same message is being logged or mailed in a different locale. + * Log files created by sudo now explicitly have the group set to group ID 0 + rather than relying on BSD group semantics (which may not be the default). + * A new exec_background sudoers option can be used to initially run the + command without read access to the terminal when running a command in a + pseudo-tty. + * Sudo now produces better error messages when there is an error in the sudo.conf file. + * Two new settings have been added to sudo.conf to give the admin better control of + how group database queries are performed. + * There is now a standalone sudo.conf manual page. + * New support for specifying a SHA-2 digest along with the command in sudoers. + Supported hash types are sha224, sha256, sha384 and sha512. See the description + of Digest_Spec in the sudoers manual or the description of sudoCommand in the + sudoers.ldap manual for details. + * Fixed potential false positives in visudo's alias cycle detection. + * Sudo now only builds Position Independent Executables (PIE) by default on Linux + systems and verifies that a trivial test program builds and runs. New: ---- sudo-sudoers.patch sudoers2ldif-env.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ sudo.spec ++++++ --- /var/tmp/diff_new_pack.CgEB9C/_old 2013-07-03 10:27:46.000000000 +0200 +++ /var/tmp/diff_new_pack.CgEB9C/_new 2013-07-03 10:27:46.000000000 +0200 
@@ -26,6 +26,9 @@ Source0: http://sudo.ws/sudo/dist/%{name}-%{version}.tar.gz Source1: sudo.pamd Source2: README.SUSE +Patch0: sudoers2ldif-env.patch +# PATCH-OPENSUSE: the "SUSE" branding of the default sudo config +Patch1: sudo-sudoers.patch BuildRequires: audit-devel BuildRequires: groff BuildRequires: libselinux-devel @@ -53,6 +56,8 @@ %prep %setup -q +%patch0 -p1 +%patch1 -p1 %build %ifarch s390 s390x %sparc ++++++ sudo-sudoers.patch ++++++ Index: sudo-1.8.0/plugins/sudoers/sudoers.in =================================================================== --- sudo-1.8.0.orig/plugins/sudoers/sudoers.in +++ sudo-1.8.0/plugins/sudoers/sudoers.in 
@@ -31,37 +31,36 @@ ## ## Defaults specification ## -## You may wish to keep some of the following environment variables -## when running commands via sudo. -## -## Locale settings -# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET" -## -## Run X applications through sudo; HOME is used to find the -## .Xauthority file. Note that other programs use HOME to find -## configuration files and this may lead to privilege escalation! -# Defaults env_keep += "HOME" -## -## X11 resource path settings -# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH" -## -## Desktop path settings -# Defaults env_keep += "QTDIR KDEDIR" -## -## Allow sudo-run commands to inherit the callers' ConsoleKit session -# Defaults env_keep += "XDG_SESSION_COOKIE" -## -## Uncomment to enable special input methods. Care should be taken as -## this may allow users to subvert the command being run via sudo. -# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER" +## Prevent environment variables from influencing programs in an +## unexpected or harmful way (CVE-2005-2959, CVE-2005-4158, CVE-2006-0151) +Defaults always_set_home +Defaults env_reset +## Change env_reset to !env_reset in previous line to keep all environment variables +## Following list will no longer be necessary after this change + +Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE" +## Comment out the preceding line and uncomment the following one if you need +## to use special input methods. This may allow users to compromise the root +## account if they are allowed to run commands without authentication. 
+#Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER" + +## Do not insult users when they enter an incorrect password. +Defaults !insults + ## ## Uncomment to enable logging of a command's output, except for ## sudoreplay and reboot. Use sudoreplay to play back logged sessions. # Defaults log_output # Defaults!/usr/bin/sudoreplay !log_output -# Defaults!/usr/local/bin/sudoreplay !log_output # Defaults!/sbin/reboot !log_output +## In the default (unconfigured) configuration, sudo asks for the root password. +## This allows use of an ordinary user account for administration of a freshly +## installed system. When configuring sudo, delete the two +## following lines: +Defaults targetpw # ask for the password of the target user i.e. root +ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'! + ## ## Runas alias specification ## @@ -77,14 +76,6 @@ root ALL=(ALL) ALL ## Same thing without a password # %wheel ALL=(ALL) NOPASSWD: ALL -## Uncomment to allow members of group sudo to execute any command -# %sudo ALL=(ALL) ALL - -## Uncomment to allow any user to run sudo if they know the password -## of the user they are running the command as (root by default). -# Defaults targetpw # Ask for the password of the target user -# ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw' - ## Read drop-in files from @sysconfdir@/sudoers.d ## (the '#' here does not indicate a comment) #includedir @sysconfdir@/sudoers.d ++++++ sudoers2ldif-env.patch ++++++ Index: sudo-1.8.7/plugins/sudoers/sudoers2ldif =================================================================== --- sudo-1.8.7.orig/plugins/sudoers/sudoers2ldif +++ sudo-1.8.7/plugins/sudoers/sudoers2ldif 
@@ -1,4 +1,4 @@ -#!/usr/bin/env perl +#!/usr/bin/perl # # Copyright (c) 2007, 2010-2011, 2013 Todd C. Miller <[email protected]> #
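Review bot: In the sudo.changes hunk at @@ -5 +10,21 @@, the new entries "* remove CVE-2013-1775" and "* remove CVE-2013-1776" read as if the fixes themselves were being removed. The line they replace said the local patches were obsoleted by upstream fixes, so if that is what happened here, word it that way, for example "drop local patches for CVE-2013-1775 and CVE-2013-1776 (fixed upstream)", so that anyone auditing the changelog for CVE coverage does not have to guess.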
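Review bot: In the sudo.spec hunk at @@ -26,6 +26,9 @@, "Patch0: sudoers2ldif-env.patch" has no tag comment, while Patch1 directly below carries "# PATCH-OPENSUSE: ...". Add a one-line comment above Patch0 saying what it changes and why. Also note that sudo-sudoers.patch is still indexed against sudo-1.8.0 while sudoers2ldif-env.patch is indexed against sudo-1.8.7; both are applied with -p1, so refreshing the older one against the current tree would make it clear that it applies without fuzz.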
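Review bot: In the @@ -31,37 +31,36 @@ hunk of sudo-sudoers.patch, the added "Defaults env_keep = "LANG LC_ADDRESS ..."" lines use "=" where the upstream lines they replace used "+=", so this list replaces sudo's built-in env_keep list instead of extending it. If that is intended, say so in the comment above the line; otherwise use "+=". Separately, the added hint "Change env_reset to !env_reset in previous line to keep all environment variables" tells the admin how to switch off the protection that the comment just above it justifies with CVE-2005-2959, CVE-2005-4158 and CVE-2006-0151; drop the hint or state the risk next to it.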
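Review bot: In the @@ -77,14 +76,6 @@ hunk of sudo-sudoers.patch, the commented-out "Defaults targetpw" / "ALL ALL=(ALL) ALL" pair is removed from the user specification section, and the earlier hunk re-adds it uncommented inside the Defaults section. An admin reviewing the rules next to "root ALL=(ALL) ALL" will no longer see that an active "ALL ALL=(ALL) ALL" rule exists, and the two lines are independent: deleting only "Defaults targetpw" leaves every user able to run any command as root with their own password. Leave a pointer comment at this location, and consider making the instruction "delete the two following lines" say explicitly that removing only the first one is unsafe.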
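Review bot: In the sudoers2ldif-env.patch hunk at @@ -1,4 +1,4 @@, the shebang changes from "#!/usr/bin/env perl" to "#!/usr/bin/perl" with no description anywhere in the patch or the spec of why. Add a short header to the patch stating the reason, so the change is not dropped again on the next version update as the changelog entry "restore accidentally dropped suse-specific patches" shows already happened once.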
