Bug#731583: sudo FQDN issue: upstream fixed it
On 2014-12-21 20:49, Michael Gilbert wrote:
> On Sun, Dec 14, 2014 at 11:02 AM, Christian Kastner wrote:
>> I just noticed that I never uploaded the debdiffs to the BTS, so here
>> they are for 1.8.11p2 in unstable and 1.8.10p3 in testing.
>
> I reviewed and sponsored your upload to unstable. Let me know how the
> unblock negotiation goes with the release team now that they have a
> package in unstable to review.
>
> If they reject that, please let me know, and I will look at sponsoring the
> tpu.

I actually already had asked the RT, although when following up on this,
I forgot to CC this bug. You can find my RT plea here:

https://bugs.debian.org/773319

I'll report back once I have received an answer.

Thanks!
Christian
Bug#731583: sudo FQDN issue: upstream fixed it
On Sun, Dec 14, 2014 at 11:02 AM, Christian Kastner wrote:
> On 2014-11-16 15:07, Christian Kastner wrote:
>> I only now realized that the version of sudo in testing is still at
>> 1.8.10p3-1. The diff to 1.8.11p2-1 is not trivial. However, given that
>> 1.8.11p1-1 was uploaded on Oct 20th, and the 1.8.11p2-1 upload on Oct
>> 30th (which reset the 10-day clock) only contained a single bug fix, the
>> RT might be lenient regarding an unblock.
>
> I just noticed that I never uploaded the debdiffs to the BTS, so here
> they are for 1.8.11p2 in unstable and 1.8.10p3 in testing.

Hi,

I reviewed and sponsored your upload to unstable. Let me know how the
unblock negotiation goes with the release team now that they have a
package in unstable to review.

If they reject that, please let me know, and I will look at sponsoring the
tpu.

Best wishes,
Mike
Bug#731583: sudo FQDN issue: upstream fixed it
On 2014-11-16 15:07, Christian Kastner wrote: > I only now realized that the version of sudo in testing is still at > 1.8.10p3-1. The diff to 1.8.11p2-1 is not trivial. However, given that > 1.8.11p1-1 was uploaded on Oct 20th, and the 1.8.11p2-1 upload on Oct > 30th (which reset the 10-day clock) only contained a single bug fix, the > RT might be lenient regarding an unblock. I just noticed that I never uploaded the debdiffs to the BTS, so here they are for 1.8.11p2 in unstable and 1.8.10p3 in testing. Bdale, I plan to contact the RT soon regarding the possibility of allowing 1.8.11p2 to migrate. If you have any objections to my proposal from Dec 05, please let me know. Regards, Christian diff -Nru sudo-1.8.10p3/debian/changelog sudo-1.8.10p3/debian/changelog --- sudo-1.8.10p3/debian/changelog 2014-09-14 18:26:06.0 +0200 +++ sudo-1.8.10p3/debian/changelog 2014-12-05 15:12:47.0 +0100 @@ -1,3 +1,11 @@ +sudo (1.8.10p3-1.1) unstable; urgency=medium + + * Non-maintainer upload. + * Backports upstream's fix for host specifications using a FQDN. These were +no longer working since 1.8.8. Closes: #731583 + + -- Christian Kastner Fri, 05 Dec 2014 15:10:30 +0100 + sudo (1.8.10p3-1) unstable; urgency=low * new upstream release diff -Nru sudo-1.8.10p3/debian/patches/Fix-for-broken-FQDN-host-specifications.diff sudo-1.8.10p3/debian/patches/Fix-for-broken-FQDN-host-specifications.diff --- sudo-1.8.10p3/debian/patches/Fix-for-broken-FQDN-host-specifications.diff 1970-01-01 01:00:00.0 +0100 +++ sudo-1.8.10p3/debian/patches/Fix-for-broken-FQDN-host-specifications.diff 2014-12-05 15:20:43.0 +0100 
@@ -0,0 +1,92 @@ +From: Christian Kastner +Date: Fri, 05 Dec 2014 14:58:50 +0100 +Subject: Fix for broken FQDN host specifications + +A bug was introduced in sudo 1.8.8 which broke host specifications using a +FQDN, eg Host_Alias = host.example.com. Upstream has fixed this in 1.8.12. + +This patch contains the fix backported to 1.8.10p3. + +Origin: http://www.sudo.ws/repos/sudo/rev/4f75b01d4884 +Bug: http://www.sudo.ws/bugs/show_bug.cgi?id=678 +Bug-Debian: https://bugs.debian.org/731583 +Last-Update: 2014-05-12 + +Index: sudo-1.8.10p3/plugins/sudoers/sudoers.c +=== +--- sudo-1.8.10p3.orig/plugins/sudoers/sudoers.c sudo-1.8.10p3/plugins/sudoers/sudoers.c +@@ -799,32 +799,69 @@ set_loginclass(struct passwd *pw) + #endif + + /* +- * Look up the fully qualified domain name and set user_host and user_shost. ++ * Look up the fully qualified domain name of user_host and user_runhost. ++ * Sets user_host, user_shost, user_runhost and user_srunhost. + * Use AI_FQDN if available since "canonical" is not always the same as fqdn. + */ + static void + set_fqdn(void) + { + struct addrinfo *res0, hint; ++bool remote; + char *p; + debug_decl(set_fqdn, SUDO_DEBUG_PLUGIN) + ++/* If the -h flag was given we need to resolve both host and runhost. */ ++remote = strcmp(user_runhost, user_host) != 0; ++ + memset(&hint, 0, sizeof(hint)); + hint.ai_family = PF_UNSPEC; + hint.ai_flags = AI_FQDN; ++ ++/* First resolve user_host, sets user_host and user_shost. 
*/ + if (getaddrinfo(user_host, NULL, &hint, &res0) != 0) { + log_warning(MSG_ONLY, N_("unable to resolve host %s"), user_host); + } else { + if (user_shost != user_host) + efree(user_shost); + efree(user_host); +- user_host = estrdup(res0->ai_canonname); ++ user_host = user_shost = estrdup(res0->ai_canonname); + freeaddrinfo(res0); + if ((p = strchr(user_host, '.')) != NULL) + user_shost = estrndup(user_host, (size_t)(p - user_host)); +- else +- user_shost = user_host; + } ++ ++/* Next resolve user_runhost, sets user_runhost and user_srunhost. */ ++if (remote) { ++ if (getaddrinfo(user_runhost, NULL, &hint, &res0) != 0) { ++ log_warning(MSG_ONLY, ++ N_("unable to resolve host %s"), user_runhost); ++ } else { ++ if (user_srunhost != user_runhost) ++ efree(user_srunhost); ++ efree(user_runhost); ++ user_runhost = user_srunhost = estrdup(res0->ai_canonname); ++ freeaddrinfo(res0); ++ if ((p = strchr(user_runhost, '.'))) { ++ user_srunhost = ++ estrndup(user_runhost, (size_t)(p - user_runhost)); ++ } ++ } ++} else { ++ /* Not remote, just use user_host. */ ++ if (user_srunhost != user_runhost) ++ efree(user_srunhost); ++ efree(user_runhost); ++ user_runhost = user_srunhost = estrdup(user_host); ++ if ((p = strchr(user_runhost, '.'))) { ++ user_srunhost = ++ estrndup(user_runhost, (size_t)(p - user_runhost)); ++ } ++} ++ ++sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO, ++ "host %s, shost %s, runhost %s, srunhost %s", ++
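Review bot: In the DEP-3 header of Fix-for-broken-FQDN-host-specifications.diff, `Last-Update: 2014-05-12` does not agree with the `Date: Fri, 05 Dec 2014` line above it or with the changelog timestamp; day and month look transposed, so it should read `2014-12-05`. Separately, the changelog entry `sudo (1.8.10p3-1.1) unstable; urgency=medium` targets unstable although the covering mail describes this debdiff as the one for 1.8.10p3 in testing; if it is meant to go in through t-p-u, the distribution field needs to say so. The example in the patch description, `Host_Alias = host.example.com`, also omits the alias name that a Host_Alias definition carries.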
Bug#731583: sudo FQDN issue: upstream fixed it
On 2014-11-16 14:33, martin f krafft wrote: > also sprach intrigeri [2014-11-16 13:58 +0200]: >> If Bdale can't take care of it shortly, does anyone affected (who can >> actually test that the resulting package fixes the problem for them) >> want to NMU? I think DELAYED/2 or /5 would be appropriate. > > I am travelling this week without either a usable laptop, internet > connection, or time slots. If Christian has time before the weekend… I'm not a DD yet so I can't upload, but I forgot to mention that I successfully tested the resulting package prior to submitting the patch. I only now realized that the version of sudo in testing is still at 1.8.10p3-1. The diff to 1.8.11p2-1 is not trivial. However, given that 1.8.11p1-1 was uploaded on Oct 20th, and the 1.8.11p2-1 upload on Oct 30th (which reset the 10-day clock) only contained a single bug fix, the RT might be lenient regarding an unblock. If the RT should insist on a fix targeting 1.8.10p2-1, please find attached the patch, backported to that version. The resulting package tested successfully on my jessie system. Regards, Christian Index: sudo-1.8.10p3/plugins/sudoers/sudoers.c === --- sudo-1.8.10p3.orig/plugins/sudoers/sudoers.c +++ sudo-1.8.10p3/plugins/sudoers/sudoers.c 
@@ -799,32 +799,69 @@ set_loginclass(struct passwd *pw) #endif /* - * Look up the fully qualified domain name and set user_host and user_shost. + * Look up the fully qualified domain name of user_host and user_runhost. + * Sets user_host, user_shost, user_runhost and user_srunhost. * Use AI_FQDN if available since "canonical" is not always the same as fqdn. */ static void set_fqdn(void) { struct addrinfo *res0, hint; +bool remote; char *p; debug_decl(set_fqdn, SUDO_DEBUG_PLUGIN) +/* If the -h flag was given we need to resolve both host and runhost. */ +remote = strcmp(user_runhost, user_host) != 0; + memset(&hint, 0, sizeof(hint)); hint.ai_family = PF_UNSPEC; hint.ai_flags = AI_FQDN; + +/* First resolve user_host, sets user_host and user_shost. */ if (getaddrinfo(user_host, NULL, &hint, &res0) != 0) { log_warning(MSG_ONLY, N_("unable to resolve host %s"), user_host); } else { if (user_shost != user_host) efree(user_shost); efree(user_host); - user_host = estrdup(res0->ai_canonname); + user_host = user_shost = estrdup(res0->ai_canonname); freeaddrinfo(res0); if ((p = strchr(user_host, '.')) != NULL) user_shost = estrndup(user_host, (size_t)(p - user_host)); - else - user_shost = user_host; } + +/* Next resolve user_runhost, sets user_runhost and user_srunhost. */ +if (remote) { + if (getaddrinfo(user_runhost, NULL, &hint, &res0) != 0) { + log_warning(MSG_ONLY, + N_("unable to resolve host %s"), user_runhost); + } else { + if (user_srunhost != user_runhost) + efree(user_srunhost); + efree(user_runhost); + user_runhost = user_srunhost = estrdup(res0->ai_canonname); + freeaddrinfo(res0); + if ((p = strchr(user_runhost, '.'))) { + user_srunhost = + estrndup(user_runhost, (size_t)(p - user_runhost)); + } + } +} else { + /* Not remote, just use user_host. 
*/ + if (user_srunhost != user_runhost) + efree(user_srunhost); + efree(user_runhost); + user_runhost = user_srunhost = estrdup(user_host); + if ((p = strchr(user_runhost, '.'))) { + user_srunhost = + estrndup(user_runhost, (size_t)(p - user_runhost)); + } +} + +sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO, + "host %s, shost %s, runhost %s, srunhost %s", + user_host, user_shost, user_runhost, user_srunhost); debug_return; }
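Review bot: The free-if-not-aliased sequence followed by the short-name derivation (`strchr` for the first '.', then `estrndup`) now appears three times in set_fqdn(): once for user_host and once in each arm of the `if (remote)` block. A small static helper that takes the name and hands back the long and short forms would keep the aliasing rule in one place (the short pointer equals the long pointer when the name has no dot, which is why each `efree` of the short form is guarded by a `!=` test). The two new copies also write `if ((p = strchr(user_runhost, '.')))` while the existing user_host code compares against `NULL` explicitly; pick one form for the whole function.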
Bug#731583: sudo FQDN issue: upstream fixed it
also sprach intrigeri [2014-11-16 13:58 +0200]:
> If Bdale can't take care of it shortly, does anyone affected (who can
> actually test that the resulting package fixes the problem for them)
> want to NMU? I think DELAYED/2 or /5 would be appropriate.

I am travelling this week without either a usable laptop, internet
connection, or time slots. If Christian has time before the weekend…

--
 .''`.   martin f. krafft @martinkrafft
: :'  :  proud Debian developer
`. `'`   http://people.debian.org/~madduck
  `-  Debian - when you have better things to do than fixing systems

"prisons are built with stones of law,
 brothels with bricks of religion."
                                        -- william blake
Bug#731583: sudo FQDN issue: upstream fixed it
Hi,

martin f krafft wrote (13 Nov 2014 13:04:01 GMT) :
> also sprach Christian Kastner [2014-11-13 03:09 +0100]:
>> Now *that's* a cool upstream -- fixed the bug not even 3 hours after I
>> reported it.
>>
>> Please find attached upstream's patch from upstream's Bugzilla,
>> refreshed to apply against 1.8.11p2-1.
>
> Fantastic. This should be easy to backport/integrate.

I confirm that the attached patch applies cleanly on top of 1.8.11p2-1,
and the result builds just fine.

If Bdale can't take care of it shortly, does anyone affected (who can
actually test that the resulting package fixes the problem for them)
want to NMU? I think DELAYED/2 or /5 would be appropriate.

Cheers,
--
intrigeri
Bug#731583: sudo FQDN issue: upstream fixed it
also sprach Christian Kastner [2014-11-13 03:09 +0100]:
> Now *that's* a cool upstream -- fixed the bug not even 3 hours after I
> reported it.
>
> Please find attached upstream's patch from upstream's Bugzilla,
> refreshed to apply against 1.8.11p2-1.

Fantastic. This should be easy to backport/integrate.

--
 .''`.   martin f. krafft @martinkrafft
: :'  :  proud Debian developer
`. `'`   http://people.debian.org/~madduck
  `-  Debian - when you have better things to do than fixing systems
Bug#731583: sudo FQDN issue: upstream fixed it
Control: tag -1 confirmed fixed-upstream patch Now *that's* a cool upstream -- fixed the bug not even 3 hours after I reported it. Please find attached upstream's patch from upstream's Bugzilla, refreshed to apply against 1.8.11p2-1. Christian Index: sudo-1.8.11p2/plugins/sudoers/sudoers.c === --- sudo-1.8.11p2.orig/plugins/sudoers/sudoers.c +++ sudo-1.8.11p2/plugins/sudoers/sudoers.c @@ -864,19 +864,26 @@ set_loginclass(struct passwd *pw) #endif /* - * Look up the fully qualified domain name and set user_host and user_shost. + * Look up the fully qualified domain name of user_host and user_runhost. + * Sets user_host, user_shost, user_runhost and user_srunhost. * Use AI_FQDN if available since "canonical" is not always the same as fqdn. */ static void set_fqdn(void) { struct addrinfo *res0, hint; +bool remote; char *p; debug_decl(set_fqdn, SUDO_DEBUG_PLUGIN) +/* If the -h flag was given we need to resolve both host and runhost. */ +remote = strcmp(user_runhost, user_host) != 0; + memset(&hint, 0, sizeof(hint)); hint.ai_family = PF_UNSPEC; hint.ai_flags = AI_FQDN; + +/* First resolve user_host, sets user_host and user_shost. */ if (getaddrinfo(user_host, NULL, &hint, &res0) != 0) { log_warningx(SLOG_SEND_MAIL|SLOG_RAW_MSG, N_("unable to resolve host %s"), user_host); 
@@ -884,13 +891,43 @@ set_fqdn(void) if (user_shost != user_host) sudo_efree(user_shost); sudo_efree(user_host); - user_host = sudo_estrdup(res0->ai_canonname); + user_host = user_shost = sudo_estrdup(res0->ai_canonname); freeaddrinfo(res0); if ((p = strchr(user_host, '.')) != NULL) user_shost = sudo_estrndup(user_host, (size_t)(p - user_host)); - else - user_shost = user_host; } + +/* Next resolve user_runhost, sets user_runhost and user_srunhost. */ +if (remote) { + if (getaddrinfo(user_runhost, NULL, &hint, &res0) != 0) { + log_warningx(SLOG_SEND_MAIL|SLOG_RAW_MSG, + N_("unable to resolve host %s"), user_runhost); + } else { + if (user_srunhost != user_runhost) + sudo_efree(user_srunhost); + sudo_efree(user_runhost); + user_runhost = user_srunhost = sudo_estrdup(res0->ai_canonname); + freeaddrinfo(res0); + if ((p = strchr(user_runhost, '.'))) { + user_srunhost = + sudo_estrndup(user_runhost, (size_t)(p - user_runhost)); + } + } +} else { + /* Not remote, just use user_host. */ + if (user_srunhost != user_runhost) + sudo_efree(user_srunhost); + sudo_efree(user_runhost); + user_runhost = user_srunhost = sudo_estrdup(user_host); + if ((p = strchr(user_runhost, '.'))) { + user_srunhost = + sudo_estrndup(user_runhost, (size_t)(p - user_runhost)); + } +} + +sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO, + "host %s, shost %s, runhost %s, srunhost %s", + user_host, user_shost, user_runhost, user_srunhost); debug_return; }
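Review bot: `remote = strcmp(user_runhost, user_host) != 0;` compares the two host names case-sensitively, so a `-h` value that differs from the local name only in case is treated as remote and costs a second `getaddrinfo()` call; `strcasecmp` would fit host names better. In the `if (remote)` arm, a failed lookup only calls `log_warningx(...)` and leaves user_runhost and user_srunhost as they were passed in, so an FQDN host specification still will not match for that run host; a short comment saying this fallback is intended would make the behaviour clear to the next reader.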