Hello community,

here is the log from the commit of package sudo for openSUSE:Factory checked in 
at 2013-03-01 20:45:08
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/sudo (Old)
 and      /work/SRC/openSUSE:Factory/.sudo.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "sudo", Maintainer is "vci...@suse.com"

Changes:
--------
--- /work/SRC/openSUSE:Factory/sudo/sudo.changes        2012-12-05 
14:09:25.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.sudo.new/sudo.changes   2013-03-01 
20:45:09.000000000 +0100
@@ -1,0 +2,9 @@
+Fri Mar  1 11:12:28 UTC 2013 - vci...@suse.com
+
+- added two security fixes:
+  * CVE-2013-1775 (bnc#806919)
+    + sudo-1.8.6p3-CVE-2013-1775.patch
+  * CVE-2013-1776 (bnc#806921)
+    + sudo-1.8.6p3-CVE-2013-1776.patch
+
+-------------------------------------------------------------------

New:
----
  sudo-1.8.6p3-CVE-2013-1775.patch
  sudo-1.8.6p3-CVE-2013-1776.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ sudo.spec ++++++
--- /var/tmp/diff_new_pack.7XucCn/_old  2013-03-01 20:45:26.000000000 +0100
+++ /var/tmp/diff_new_pack.7XucCn/_new  2013-03-01 20:45:26.000000000 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package sudo
 #
-# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -28,6 +28,8 @@
 Source2:        README.SUSE
 Patch0:         sudoers2ldif-env.patch
 Patch1:         sudo-sudoers.patch
+Patch2:         sudo-1.8.6p3-CVE-2013-1775.patch
+Patch3:         sudo-1.8.6p3-CVE-2013-1776.patch
 BuildRequires:  audit-devel
 BuildRequires:  groff
 BuildRequires:  libselinux-devel
@@ -57,6 +59,8 @@
 %setup -q
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
+%patch3 -p1
 
 %build
 %ifarch s390 s390x %sparc

++++++ sudo-1.8.6p3-CVE-2013-1775.patch ++++++
63210a2b8f2f199b521f6c8213bb29775c09375c
 plugins/sudoers/check.c |   53 +++++++++++++++++++++++++----------------------
 1 file changed, 28 insertions(+), 25 deletions(-)

Index: sudo-1.8.6p3/plugins/sudoers/check.c
===================================================================
--- sudo-1.8.6p3.orig/plugins/sudoers/check.c   2012-09-18 15:56:29.000000000 
+0200
+++ sudo-1.8.6p3/plugins/sudoers/check.c        2013-03-01 12:10:34.285863069 
+0100
@@ -627,31 +627,34 @@ timestamp_status(char *timestampdir, cha
      */
     if (status == TS_OLD && !ISSET(flags, TS_REMOVE)) {
        mtim_get(&sb, &mtime);
-       /* Negative timeouts only expire manually (sudo -k). */
-       if (def_timestamp_timeout < 0 && mtime.tv_sec != 0)
-           status = TS_CURRENT;
-       else {
-           now = time(NULL);
-           if (def_timestamp_timeout &&
-               now - mtime.tv_sec < 60 * def_timestamp_timeout) {
-               /*
-                * Check for bogus time on the stampfile.  The clock may
-                * have been set back or someone could be trying to spoof us.
-                */
-               if (mtime.tv_sec > now + 60 * def_timestamp_timeout * 2) {
-                   time_t tv_sec = (time_t)mtime.tv_sec;
-                   log_error(0,
-                       _("timestamp too far in the future: %20.20s"),
-                       4 + ctime(&tv_sec));
-                   if (timestampfile)
-                       (void) unlink(timestampfile);
-                   else
-                       (void) rmdir(timestampdir);
-                   status = TS_MISSING;
-               } else if (get_boottime(&boottime) && timevalcmp(&mtime, 
&boottime, <)) {
-                   status = TS_OLD;
-               } else {
-                   status = TS_CURRENT;
+       if (timevalisset(&mtime)) {
+           /* Negative timeouts only expire manually (sudo -k). */
+           if (def_timestamp_timeout < 0) {
+               status = TS_CURRENT;
+           } else {
+               now = time(NULL);
+               if (def_timestamp_timeout &&
+                   now - mtime.tv_sec < 60 * def_timestamp_timeout) {
+                   /*
+                    * Check for bogus time on the stampfile.  The clock may
+                    * have been set back or user could be trying to spoof us.
+                    */
+                   if (mtime.tv_sec > now + 60 * def_timestamp_timeout * 2) {
+                       time_t tv_sec = (time_t)mtime.tv_sec;
+                       log_error(0,
+                           _("timestamp too far in the future: %20.20s"),
+                           4 + ctime(&tv_sec));
+                       if (timestampfile)
+                           (void) unlink(timestampfile);
+                       else
+                           (void) rmdir(timestampdir);
+                       status = TS_MISSING;
+                   } else if (get_boottime(&boottime) &&
+                       timevalcmp(&mtime, &boottime, <)) {
+                       status = TS_OLD;
+                   } else {
+                       status = TS_CURRENT;
+                   }
                }
            }
        }
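Review bot: The new `timevalisset(&mtime)` guard that now encloses the whole block has no comment saying why an unset mtime must not be trusted, and that guard is the substance of the fix; I would add above it `/* An unset (epoch) mtime is never current, even when the system clock itself reads the epoch. */`, since the reason — presumably that manual expiry leaves a zeroed stamp which a clock reset to 1970 would otherwise make look fresh — appears nowhere in the hunk. Note that `timevalisset` presumably tests tv_sec and tv_usec together, so a stamp with tv_sec == 0 but a nonzero sub-second field still reaches the `now - mtime.tv_sec` comparison that the old `mtime.tv_sec != 0` test would have rejected; worth confirming that is intended. The products `60 * def_timestamp_timeout` and `60 * def_timestamp_timeout * 2` are plain signed arithmetic and would overflow for an extreme configured timeout, though the type is not visible here. timestamp_status begins before this hunk and continues after it.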
++++++ sudo-1.8.6p3-CVE-2013-1776.patch ++++++
2b18d55589975e70dd98f24bca5b0aaabc56a9b5
 plugins/sudoers/check.c   |    4 +++-
 plugins/sudoers/sudoers.c |    4 ++++
 plugins/sudoers/sudoers.h |    3 ++-
 3 files changed, 9 insertions(+), 2 deletions(-)

Index: sudo-1.8.6p3/plugins/sudoers/check.c
===================================================================
--- sudo-1.8.6p3.orig/plugins/sudoers/check.c   2013-03-01 12:10:18.668403327 
+0100
+++ sudo-1.8.6p3/plugins/sudoers/check.c        2013-03-01 12:10:18.684403798 
+0100
@@ -82,6 +82,7 @@ static struct tty_info {
     dev_t rdev;                        /* tty device ID */
     ino_t ino;                 /* tty inode number */
     struct timeval ctime;      /* tty inode change time */
+    pid_t sid;                 /* ID of session with controlling tty */
 } tty_info;
 
 static int   build_timestamp(char **, char **);
@@ -138,13 +139,14 @@ check_user(int validated, int mode)
     if (ISSET(mode, MODE_IGNORE_TICKET))
        SET(validated, FLAG_CHECK_USER);
 
-    /* Stash the tty's ctime for tty ticket comparison. */
+    /* Stash the tty's device, session ID and ctime for ticket comparison. */
     if (def_tty_tickets && user_ttypath && stat(user_ttypath, &sb) == 0) {
        tty_info.dev = sb.st_dev;
        tty_info.ino = sb.st_ino;
        tty_info.rdev = sb.st_rdev;
        if (tty_is_devpts(user_ttypath))
            ctim_get(&sb, &tty_info.ctime);
+       tty_info.sid = user_sid;
     }
 
     if (build_timestamp(&timestampdir, &timestampfile) == -1) {
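Review bot: `tty_info.sid = user_sid;` records the session ID but nothing in this hunk, or in the struct hunk above, compares it against anything; presumably the whole of tty_info is written to and later compared with the tty ticket elsewhere in check.c, which would fold the new field into that comparison automatically, but that is outside the hunk and should be confirmed. Because the field also grows tty_info, tickets written by the previous build would presumably no longer match after an upgrade, which is benign (one extra prompt) but deserves a line in the changelog entry. The assignment sits inside the `if (def_tty_tickets && user_ttypath && ...)` block, so the sid is only captured when tty tickets are in use, consistent with the rewritten comment. check_user begins before this hunk and continues after it.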
Index: sudo-1.8.6p3/plugins/sudoers/sudoers.c
===================================================================
--- sudo-1.8.6p3.orig/plugins/sudoers/sudoers.c 2012-09-18 15:56:30.000000000 
+0200
+++ sudo-1.8.6p3/plugins/sudoers/sudoers.c      2013-03-01 12:10:18.685403827 
+0100
@@ -1410,6 +1410,10 @@ deserialize_info(char * const args[], ch
            sudo_user.cols = atoi(*cur + sizeof("cols=") - 1);
            continue;
        }
+       if (MATCHES(*cur, "sid=")) {
+           sudo_user.sid = atoi(*cur + sizeof("sid=") - 1);
+           continue;
+       }
     }
     if (user_cwd == NULL)
        user_cwd = "unknown";
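Review bot: The added `sid=` branch parses with `atoi`, which gives no error indication, so a missing or malformed value silently becomes a session ID of 0 that is then stored via `tty_info.sid = user_sid` in the check.c hunk. This follows the `cols=` line directly above and the rest of deserialize_info, so it is consistent with the file, but a `strtol` with an end-pointer check, or at least a comment such as `/* Front end passes getsid(); 0 here means the value was absent. */` if that is the intended semantics, would make the fallback explicit. deserialize_info begins before this hunk and continues after it.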
Index: sudo-1.8.6p3/plugins/sudoers/sudoers.h
===================================================================
--- sudo-1.8.6p3.orig/plugins/sudoers/sudoers.h 2012-09-18 15:57:43.000000000 
+0200
+++ sudo-1.8.6p3/plugins/sudoers/sudoers.h      2013-03-01 12:10:18.685403827 
+0100
@@ -95,6 +95,7 @@ struct sudo_user {
     int   flags;
     uid_t uid;
     uid_t gid;
+    pid_t sid;
 };
 
 /*
@@ -171,8 +172,8 @@ struct sudo_user {
 #define user_name              (sudo_user.name)
 #define user_uid               (sudo_user.uid)
 #define user_gid               (sudo_user.gid)
+#define user_sid               (sudo_user.sid)
 #define user_passwd            (sudo_user.pw->pw_passwd)
-#define user_uuid              (sudo_user.uuid)
 #define user_dir               (sudo_user.pw->pw_dir)
 #define user_gids              (sudo_user.gids)
 #define user_ngids             (sudo_user.ngids)
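Review bot: The removal of `#define user_uuid (sudo_user.uuid)` is unrelated to the session-ID change and is not mentioned in the changelog entry, which only names the two CVE patches. If the macro is dead (no `uuid` member or no users), a note to that effect in the patch header would explain why it rides along; if anything still references it, the removal belongs in a separate change so that a build break is not attributed to the security fix.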