Hello community,

here is the log from the commit of package sudo.1396 for openSUSE:12.1:Update 
checked in at 2013-03-20 10:45:38
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.1:Update/sudo.1396 (Old)
 and      /work/SRC/openSUSE:12.1:Update/.sudo.1396.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "sudo.1396", Maintainer is ""

Changes:
--------
New Changes file:

--- /dev/null   2013-02-26 18:15:11.936010755 +0100
+++ /work/SRC/openSUSE:12.1:Update/.sudo.1396.new/sudo.changes  2013-03-20 
10:45:40.000000000 +0100
@@ -0,0 +1,894 @@
+-------------------------------------------------------------------
+Fri Mar  1 11:12:28 UTC 2013 - vci...@suse.com
+
+- added two security fixes:
+  * CVE-2013-1775 (bnc#806919)
+    + sudo-1.8.6p3-CVE-2013-1775.patch
+  * CVE-2013-1776 (bnc#806921)
+    + sudo-1.8.6p3-CVE-2013-1776.patch
+
+-------------------------------------------------------------------
+Fri Jun  1 14:37:24 UTC 2012 - vci...@suse.com
+
+- set global ldap option before ldap init (bnc#760697)
+
+-------------------------------------------------------------------
+Fri May 18 15:05:38 UTC 2012 - vci...@suse.com
+
+- open and close PAM session in the same process (bnc#751453)
+
+-------------------------------------------------------------------
+Wed May 16 09:27:44 UTC 2012 - vci...@suse.com
+
+- fix for CVE-2012-2337 (bnc#762327)
+
+-------------------------------------------------------------------
+Mon Jan 30 11:43:47 UTC 2012 - vci...@suse.com
+
+- fix for CVE-2012-0809 (bnc#743300)
+
+-------------------------------------------------------------------
+Mon Jan  2 16:23:49 UTC 2012 - vci...@suse.cz
+
+- escape values passed to ldap_search (bnc#724490)
+
+-------------------------------------------------------------------
+Thu Oct 13 00:59:49 UTC 2011 - prus...@opensuse.org
+
+- updated to sudo-1.8.2
+  * Sudo, visudo, sudoreplay and the sudoers plug-in now have natural
+    language support (NLS). This can be disabled by passing configure
+    the --disable-nls option.  Sudo will use gettext(), if available,
+    to display translated messages.  All translations are coordinated
+    via The Translation Project, http://translationproject.org/.
+  * Plug-ins are now loaded with the RTLD_GLOBAL flag instead of
+    RTLD_LOCAL.  This fixes missing symbol problems in PAM modules
+    on certain platforms, such as FreeBSD and SuSE Linux Enterprise.
+  * I/O logging is now supported for commands run in background mode
+    (using sudo's -b flag).
+  * Group ownership of the sudoers file is now only enforced when
+    the file mode on sudoers allows group readability or writability.
+  * Visudo now checks the contents of an alias and warns about cycles
+    when the alias is expanded.
+  * If the user specifes a group via sudo's -g option that matches
+    the target user's group in the password database, it is now
+    allowed even if no groups are present in the Runas_Spec.
+  * The sudo Makefiles now have more complete dependencies which are
+    automatically generated instead of being maintained manually.
+  * The "use_pty" sudoers option is now correctly passed back to the
+    sudo front end.  This was missing in previous versions of sudo
+    1.8 which prevented "use_pty" from being honored.
+  * "sudo -i command" now works correctly with the bash version
+    2.0 and higher.  Previously, the .bash_profile would not be
+    sourced prior to running the command unless bash was built with
+    NON_INTERACTIVE_LOGIN_SHELLS defined.
+  * When matching groups in the sudoers file, sudo will now match
+    based on the name of the group instead of the group ID. This can
+    substantially reduce the number of group lookups for sudoers
+    files that contain a large number of groups.
+  * Multi-factor authentication is now supported on AIX.
+  * Added support for non-RFC 4517 compliant LDAP servers that require
+    that seconds be present in a timestamp, such as Tivoli Directory Server.
+  * If the group vector is to be preserved, the PATH search for the
+    command is now done with the user's original group vector.
+  * For LDAP-based sudoers, the "runas_default" sudoOption now works
+    properly in a sudoRole that contains a sudoCommand.
+  * Spaces in command line arguments for "sudo -s" and "sudo -i" are
+    now escaped with a backslash when checking the security policy.
+- added missing include (grp-include.patch)
+
+-------------------------------------------------------------------
+Fri May 20 12:10:45 UTC 2011 - pu...@novell.com
+
+- update to sudo-1.8.1p2 
+  - Two-character CIDR-style IPv4 netmasks are now matched
+    correctly in the sudoers file.
+  - A non-existent includedir is now treated the same as an empty
+    directory and not reported as an error.
+  - Removed extraneous parens in LDAP filter when
+    sudoers_search_filter is enabled that can cause an LDAP search
+    error.
+  - A new LDAP setting, sudoers_search_filter, has been added to
+    ldap.conf.  This setting can be used to restrict the set of
+    records returned by the LDAP query.  Based on changes from
+    Matthew Thomas.
+  - White space is now permitted within a User_List when used in
+    conjunction with a per-user Defaults definition.
+  - A group ID (%#gid) may now be specified in a User_List or
+    Runas_List.  Likewise, for non-Unix groups the syntax is
+    %:#gid.
+  - Support for double-quoted words in the sudoers file has been
+    fixed.  The change in 1.7.5 for escaping the double quote
+    character caused the double quoting to only be available at the
+    beginning of an entry.
+  - The fix for resuming a suspended shell in 1.7.5 caused problems
+    with resuming non-shells on Linux.  Sudo will now save the
+    process group ID of the program it is running on suspend and
+    restore it when resuming, which fixes both problems.
+  - A bug that could result in corrupted output in "sudo -l" has
+    been fixed.
+  - Sudo will now create an entry in the utmp (or utmpx) file when
+    allocating a pseudo-tty (e.g. when logging I/O).  The
+    "set_utmp" and "utmp_runas" sudoers file options can be used to
+    control this.  Other policy plugins may use the "set_utmp" and
+    "utmp_user" entries in the command_info list.
+  - The sudoreplay utility now supports arbitrary session IDs.
+    Previously, it would only work with the base-36 session IDs
+    that the sudoers plugin uses by default.
+  - Sudo now passes "run_shell=true" to the policy plugin in the
+    settings list when sudo's -s command line option is specified.
+    The sudoers policy plugin uses this to implement the "set_home"
+    sudoers option which was missing from sudo 1.8.0.
+  - The "noexec" functionality has been moved out of the sudoers
+    policy plugin and into the sudo front-end, which matches the
+    behavior documented in the plugin writer's guide.  As a result,
+    the path to the noexec file is now specified in the sudo.conf
+    file instead of the sudoers file.
+  - The exit values for "sudo -l", "sudo -v" and "sudo -l command"
+    have been fixed in the sudoers policy plugin.
+  - Sudo now parses command line arguments before loading any
+    plugins.  This allows "sudo -V" or "sudo -h" to work even if
+    there is a problem with sudo.conf
+- drop sudo-dont-ignore-LDFLAGS.patch (merged upstream)
+
+-------------------------------------------------------------------
+Thu Mar 17 10:24:49 UTC 2011 - pu...@novell.com
+
+- update to sudo-1.8.0
+  * Sudo has been refactored to use a modular framework that can
+    support third-party policy and I/O logging plugins.
+  * Defaults settings that are tied to a user, host or command may
+    now include the negation operator. For example:
+         Defaults:!millert lecture
+    will match any user but millert.
+  * The default PATH environment variable, used when no PATH
+    variable exists, now includes /usr/sbin and /sbin.
+  * Support for logging I/O for the command being run.
+  * Sudo will now use the Linux audit system.
+  + See /usr/share/doc/packages/sudo/NEWS for full list
+- new configure script flags: enable-warnings, with-linux-audit, 
+  docdir, with-sendmail
+- BuildRequires += audit-devel
+- BuildRequires -= postfix
+- PreReq += permissions
+- add sudo-dont-ignore-LDFLAGS.patch
+- drop sudo-1.7.1-defaults.diff (insults disabled in sudoers)
+- drop sudo-1.7.1-__P.diff (no more __P in sudo sources)
+- drop sudo-1.7.1-strip.diff (sudo no longer strips binaries)
+- drop sudo-CVE-2011-0010.patch (in upstream)
+- drop sudo-1.7.1-secure_path.diff (sudo now adds /sbin and
+  /usr/sbin to $PATH if it is empty)
+- drop sudo-1.7.1-pam_rhost.diff (fixed in upstream)
+- sudo-1.7.1-sudoers.diff renamed to sudo-sudoers.patch
+- sudo-1.7.1-env.diff renamed to sudoers2ldif-env.patch
+- do not package *.pod files
+- use %verifyscript
+- timestamp directory moved from /var/run/sudo to /var/lib/sudo
+- better commented default /etc/sudoers
+- packaged /etc/sudoers.d directory
+- new sudo-devel subpackage
+- cleaned specfile
+
+-------------------------------------------------------------------
+Thu Jan 27 09:18:05 UTC 2011 - cpra...@novell.com
+
+- added openldap schema file (bnc#667558) 
+
+-------------------------------------------------------------------
+Thu Jan 13 10:11:35 UTC 2011 - pu...@novell.com
+
+- add sudo-CVE-2011-0010.patch (bnc#663881) 
+
+-------------------------------------------------------------------
+Mon Jun 28 06:38:35 UTC 2010 - jeng...@medozas.de
+
+- use %_smp_mflags
+
+-------------------------------------------------------------------
+Tue Jun 15 21:23:02 UTC 2010 - pascal.ble...@opensuse.org
+
+- update to 1.7.2p7:
+  * portability fixes
+
+- changes from 1.7.2p6:
+  * Handle duplicate variables in the environment
+  * visudo: fix a crash when checking a sudoers file that has aliases
+    that reference themselves
+  * aliases: fix use after free in error message when a duplicate
++++ 697 more lines (skipped)
++++ between /dev/null
++++ and /work/SRC/openSUSE:12.1:Update/.sudo.1396.new/sudo.changes
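Review bot: the two new security patches are named `sudo-1.8.6p3-CVE-2013-1775.patch` and `sudo-1.8.6p3-CVE-2013-1776.patch` while this package builds sudo 1.8.2 (`Version: 1.8.2` in the spec below); naming backports after the upstream release they were taken from is fine, but the changelog entry should say so, and the corresponding `Patch8`/`Patch9` lines in the spec lack the `# PATCH-FIX-UPSTREAM ... (bnc#...)` comment that `Patch5` to `Patch7` carry, so the bnc references listed here are not visible next to the patch declarations.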

New:
----
  README.SUSE
  sudo-1.8.2-CVE-2012-0809.patch
  sudo-1.8.2-CVE-2012-2337.patch
  sudo-1.8.2-ldap_search_escape.patch
  sudo-1.8.2-pam_session.patch
  sudo-1.8.2-set_ldap_options.patch
  sudo-1.8.2.tar.gz
  sudo-1.8.6p3-CVE-2013-1775.patch
  sudo-1.8.6p3-CVE-2013-1776.patch
  sudo-grp-include.patch
  sudo-sudoers.patch
  sudo.changes
  sudo.pamd
  sudo.spec
  sudoers2ldif-env.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ sudo.spec ++++++
#
# spec file for package sudo
#
# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#


Name:           sudo
Version:        1.8.2
Release:        0
Summary:        Execute some commands as root
License:        BSD-3-Clause
Group:          System/Base
Url:            http://www.sudo.ws/
Source0:        http://sudo.ws/sudo/dist/%{name}-%{version}.tar.gz
Source1:        sudo.pamd
Source2:        README.SUSE
Patch0:         sudoers2ldif-env.patch
Patch1:         sudo-sudoers.patch
Patch2:         sudo-grp-include.patch
Patch3:         sudo-1.8.2-ldap_search_escape.patch
Patch4:         sudo-1.8.2-CVE-2012-0809.patch
# PATCH-FIX-UPSTREAM CVE-2012-2337 (bnc#762327)
Patch5:         sudo-1.8.2-CVE-2012-2337.patch
# PATCH-FIX-UPSTREAM run pam_session_* in the same thread (bnc#751453)
Patch6:         sudo-1.8.2-pam_session.patch
# PATCH-FIX-UPSTREAM set global ldap option before ldap init (bnc#760697)
Patch7:         sudo-1.8.2-set_ldap_options.patch
Patch8:         sudo-1.8.6p3-CVE-2013-1775.patch
Patch9:         sudo-1.8.6p3-CVE-2013-1776.patch
BuildRequires:  audit-devel
BuildRequires:  libselinux-devel
BuildRequires:  openldap2-devel
BuildRequires:  pam-devel
PreReq:         coreutils
PreReq:         permissions
BuildRoot:      %{_tmppath}/%{name}-%{version}-build

%description
Sudo is a command that allows users to execute some commands as root.
The /etc/sudoers file (edited with 'visudo') specifies which users have
access to sudo and which commands they can run. Sudo logs all its
activities to syslogd, so the system administrator can keep an eye on
things. Sudo asks for the password once to start a check period of N
minutes (N is set at installation time and defaults to 5 minutes).

%package devel
Summary:        Header files needed for sudo plugin development
Group:          Development/Libraries/C and C++

%description devel
These header files are needed for building sudo plugins.

%prep
%setup -q
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p0
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1

%build
%ifarch s390 s390x %sparc
F_PIE=-fPIE
%else
F_PIE=-fpie
%endif
export CFLAGS="%{optflags} -Wall $F_PIE -DLDAP_DEPRECATED"
export LDFLAGS="-pie"
%configure \
    --libexecdir=%{_libexecdir}/sudo \
    --docdir=%{_docdir}/%{name} \
    --with-noexec=%{_libexecdir}/sudo/sudo_noexec.so \
    --with-pam \
    --with-ldap \
    --with-selinux \
    --with-linux-audit \
    --with-logfac=auth \
    --with-insults \
    --with-all-insults \
    --with-ignore-dot \
    --with-tty-tickets \
    --enable-shell-sets-home \
    --enable-warnings \
    --with-sendmail=%{_sbindir}/sendmail \
    --with-sudoers-mode=0440 \
    --with-env-editor \
    --without-secure-path \
    --with-passprompt='%%p\x27s password:'
make %{?_smp_mflags}

%install
%make_install
install -d -m 755 %{buildroot}%{_sysconfdir}/pam.d
install -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/pam.d/sudo
mv %{buildroot}%{_docdir}/%{name}/sudoers2ldif %{buildroot}%{_sbindir}
rm -f %{buildroot}%{_bindir}/sudoedit
ln -sf %{_bindir}/sudo %{buildroot}%{_bindir}/sudoedit
install -d -m 755 %{buildroot}%{_sysconfdir}/openldap/schema
install -m 644 doc/schema.OpenLDAP %{buildroot}%{_sysconfdir}/openldap/schema/sudo.schema
install -m 644 %{SOURCE2} %{buildroot}%{_docdir}/%{name}/
rm -f %{buildroot}%{_docdir}/%{name}/sample.pam
rm -f %{buildroot}%{_docdir}/%{name}/sample.syslog.conf
rm -f %{buildroot}%{_docdir}/%{name}/schema.OpenLDAP
rm -f %{buildroot}%{_libexecdir}/%{name}/sudoers.la
%find_lang %{name}
%find_lang sudoers
cat sudoers.lang >> %{name}.lang

%post
chmod 0440 %{_sysconfdir}/sudoers
%if 0%{?suse_version} <= 1130
%run_permissions
%else
%set_permissions /usr/bin/sudo
%endif

%verifyscript
%verify_permissions -e /usr/bin/sudo

%clean
rm -rf %{buildroot}

%files -f %{name}.lang
%defattr(-,root,root)
%doc %{_docdir}/%{name}
%doc %{_mandir}/man?/*
%config(noreplace) %attr(0440,root,root) %{_sysconfdir}/sudoers
%dir %{_sysconfdir}/sudoers.d
%config %{_sysconfdir}/pam.d/sudo
%attr(4755,root,root) %{_bindir}/sudo
%dir %{_sysconfdir}/openldap
%dir %{_sysconfdir}/openldap/schema
%attr(0444,root,root) %config %{_sysconfdir}/openldap/schema/sudo.schema
%{_bindir}/sudoedit
%{_bindir}/sudoreplay
%{_sbindir}/visudo
%attr(0755,root,root) %{_sbindir}/sudoers2ldif
%{_libexecdir}/sudo
%attr(0700,root,root) %dir %ghost %{_localstatedir}/lib/sudo

%files devel
%defattr(-,root,root)
%{_includedir}/sudo_plugin.h

%changelog
++++++ README.SUSE ++++++
In the default (i.e. unconfigured) configuration sudo asks for the root password.
This allows an ordinary user account to be used for administration of a freshly
installed system. When configuring sudo, please make sure to delete the
following two lines:

Defaults targetpw    # ask for the password of the target user i.e. root
%users ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!
++++++ sudo-1.8.2-CVE-2012-0809.patch ++++++
Index: sudo-1.8.2/src/sudo.c
===================================================================
--- sudo-1.8.2.orig/src/sudo.c  2011-07-29 16:50:45.000000000 +0200
+++ sudo-1.8.2/src/sudo.c       2012-01-25 12:07:07.609611322 +0100
@@ -1206,15 +1206,15 @@
 sudo_debug(int level, const char *fmt, ...)
 {
     va_list ap;
-    char *fmt2;
+    char *buf;
 
     if (level > debug_level)
        return;
 
-    /* Backet fmt with program name and a newline to make it a single write */
-    easprintf(&fmt2, "%s: %s\n", getprogname(), fmt);
+    /* Bracket fmt with program name and a newline to make it a single write */
     va_start(ap, fmt);
-    vfprintf(stderr, fmt2, ap);
+    evasprintf(&buf, fmt, ap);
     va_end(ap);
-    efree(fmt2);
+    fprintf(stderr, "%s: %s\n", getprogname(), buf);
+    efree(buf);
 }
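Review bot: the rewritten comment `/* Bracket fmt with program name and a newline to make it a single write */` no longer describes the code under it. The old code spliced the result of `getprogname()` into the format string handed to `vfprintf()` (the CVE-2012-0809 problem); the new code expands the caller's `fmt` against its own arguments with `evasprintf(&buf, fmt, ap)` and then passes `buf` as data, which is the right fix, but the program name and newline are now emitted by a separate `fprintf(stderr, "%s: %s\n", ...)`, and on an unbuffered stderr that is not guaranteed to be a single write. Either reword the comment or keep the single-write intent by assembling the whole line with `easprintf()` and emitting it with one `fputs()`.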
++++++ sudo-1.8.2-CVE-2012-2337.patch ++++++
Index: plugins/sudoers/match.c
===================================================================
--- plugins/sudoers/match.c.orig        2011-05-23 20:06:14.000000000 +0200
+++ plugins/sudoers/match.c     2012-05-16 11:40:46.995676836 +0200
@@ -620,7 +620,7 @@ addr_matches_if(char *n)
     for (ifp = interfaces; ifp != NULL; ifp = ifp->next) {
        if (ifp->family != family)
            continue;
-       switch(family) {
+       switch (family) {
            case AF_INET:
                if (ifp->addr.ip4.s_addr == addr.ip4.s_addr ||
                    (ifp->addr.ip4.s_addr & ifp->netmask.ip4.s_addr)
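Review bot: this hunk only changes `switch(family)` to `switch (family)`; a whitespace-only edit inside a security backport adds noise for anyone auditing the distribution patch, so consider dropping it and keeping the patch limited to the `break` insertions in the hunks that follow.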
@@ -638,6 +638,7 @@ addr_matches_if(char *n)
                }
                if (j == sizeof(addr.ip6.s6_addr))
                    return TRUE;
+                break;
 #endif
        }
     }
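Review bot: the `break;` added after `return TRUE;` in the AF_INET6 arm sits correctly inside `#ifdef HAVE_IN6_ADDR`, so it is compiled only together with the case label it terminates; since the `}` two lines below closes the switch, this particular `break` is defensive rather than a behaviour change, which is worth stating in the changelog so it is not confused with the functional fix in `addr_matches_if_netmask()`.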
@@ -700,6 +701,7 @@ addr_matches_if_netmask(char *n, char *m
            case AF_INET:
                if ((ifp->addr.ip4.s_addr & mask.ip4.s_addr) == addr.ip4.s_addr)
                    return TRUE;
+                break;
 #ifdef HAVE_IN6_ADDR
            case AF_INET6:
                for (j = 0; j < sizeof(addr.ip6.s6_addr); j++) {
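Review bot: this is the substantive fix. Without the `break;` after `return TRUE;` in the AF_INET arm, an IPv4 interface whose masked address did not match fell straight through into `case AF_INET6:` and ran the byte-wise loop over `addr.ip6.s6_addr` on the same union, so the `if (j == sizeof(addr.ip6.s6_addr)) return TRUE;` check in the next hunk could report a match from bytes that were never an IPv6 address. A `default: break;` arm would additionally keep any unexpected family value from reaching the IPv6 loop.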
@@ -708,6 +710,7 @@ addr_matches_if_netmask(char *n, char *m
                }
                if (j == sizeof(addr.ip6.s6_addr))
                    return TRUE;
+                break;
 #endif /* HAVE_IN6_ADDR */
        }
     }
++++++ sudo-1.8.2-ldap_search_escape.patch ++++++
--- sudo-1.8.3p1/plugins/sudoers/ldap.c.orig    Fri Oct 21 09:01:25 2011
+++ sudo-1.8.3p1/plugins/sudoers/ldap.c Wed Dec  7 15:07:56 2011
@@ -972,6 +972,99 @@
 }
 
 /*
+ * Determine length of query value after escaping characters
+ * as per RFC 4515.
+ */
+static size_t
+sudo_ldap_value_len(const char *value)
+{
+    const char *s;
+    size_t len = 0;
+
+    for (s = value; *s != '\0'; s++) {
+       switch (*s) {
+       case '\\':
+       case '(':
+       case ')':
+       case '*':
+           len += 2;
+           break;
+       }
+    }
+    len += (size_t)(s - value);
+    return len;
+}
+
+/*
+ * Like strlcat() but escapes characters as per RFC 4515.
+ */
+static size_t
+sudo_ldap_value_cat(char *dst, const char *src, size_t size)
+{
+    char *d = dst;
+    const char *s = src;
+    size_t n = size;
+    size_t dlen;
+
+    /* Find the end of dst and adjust bytes left but don't go past end */
+    while (n-- != 0 && *d != '\0')
+       d++;
+    dlen = d - dst;
+    n = size - dlen;
+
+    if (n == 0)
+       return dlen + strlen(s);
+    while (*s != '\0') {
+       switch (*s) {
+       case '\\':
+           if (n < 3)
+               goto done;
+           *d++ = '\\';
+           *d++ = '5';
+           *d++ = 'c';
+           n -= 3;
+           break;
+       case '(':
+           if (n < 3)
+               goto done;
+           *d++ = '\\';
+           *d++ = '2';
+           *d++ = '8';
+           n -= 3;
+           break;
+       case ')':
+           if (n < 3)
+               goto done;
+           *d++ = '\\';
+           *d++ = '2';
+           *d++ = '9';
+           n -= 3;
+           break;
+       case '*':
+           if (n < 3)
+               goto done;
+           *d++ = '\\';
+           *d++ = '2';
+           *d++ = 'a';
+           n -= 3;
+           break;
+       default:
+           if (n < 1)
+               goto done;
+           *d++ = *s;
+           n--;
+           break;
+       }
+       s++;
+    }
+done:
+    *d = '\0';
+    while (*s != '\0')
+       s++;
+    return dlen + (s - src);   /* count does not include NUL */
+}
+
+/*
  * Builds up a filter to check against LDAP.
  */
 static char *
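Review bot: `sudo_ldap_value_cat()` does not honour the strlcat contract its comment advertises. After `n = size - dlen;`, `n` counts the bytes left including the one reserved for the terminator, but the guards are `if (n < 3)` for an escape sequence and `if (n < 1)` for a plain byte, so the loop can consume every remaining byte and the `*d = '\0';` at `done:` then lands on `dst[size]`; strlcat stops at `n != 1` for exactly this reason. The guards should be `n < 4` and `n < 2`. It is not reachable from the callers in this patch, because `sz` is computed from `sudo_ldap_value_len()` with room for the NUL, but a helper named and documented like strlcat will be reused elsewhere. The escaping itself (`\` `(` `)` `*` to `\5c` `\28` `\29` `\2a`) matches RFC 4515 for NUL-terminated input, and `sudo_ldap_value_len()` adds 2 per escaped character, consistent with the 3 bytes written here.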
@@ -988,17 +1081,17 @@
        sz += strlen(ldap_conf.search_filter) + 3;
 
     /* Then add (|(sudoUser=USERNAME)(sudoUser=ALL)) + NUL */
-    sz += 29 + strlen(pw->pw_name);
+    sz += 29 + sudo_ldap_value_len(pw->pw_name);
 
     /* Add space for primary and supplementary groups */
     if ((grp = sudo_getgrgid(pw->pw_gid)) != NULL) {
-       sz += 12 + strlen(grp->gr_name);
+       sz += 12 + sudo_ldap_value_len(grp->gr_name);
     }
     if ((grlist = get_group_list(pw)) != NULL) {
        for (i = 0; i < grlist->ngroups; i++) {
            if (grp != NULL && strcasecmp(grlist->groups[i], grp->gr_name) == 0)
                continue;
-           sz += 12 + strlen(grlist->groups[i]);
+           sz += 12 + sudo_ldap_value_len(grlist->groups[i]);
        }
     }
 
@@ -1020,13 +1113,13 @@
 
     /* Global OR + sudoUser=user_name filter */
     (void) strlcat(buf, "(|(sudoUser=", sz);
-    (void) strlcat(buf, pw->pw_name, sz);
+    (void) sudo_ldap_value_cat(buf, pw->pw_name, sz);
     (void) strlcat(buf, ")", sz);
 
     /* Append primary group */
     if (grp != NULL) {
        (void) strlcat(buf, "(sudoUser=%", sz);
-       (void) strlcat(buf, grp->gr_name, sz);
+       (void) sudo_ldap_value_cat(buf, grp->gr_name, sz);
        (void) strlcat(buf, ")", sz);
     }
 
@@ -1036,7 +1129,7 @@
            if (grp != NULL && strcasecmp(grlist->groups[i], grp->gr_name) == 0)
                continue;
            (void) strlcat(buf, "(sudoUser=%", sz);
-           (void) strlcat(buf, grlist->groups[i], sz);
+           (void) sudo_ldap_value_cat(buf, grlist->groups[i], sz);
            (void) strlcat(buf, ")", sz);
        }
     }
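Review bot: the return value of `sudo_ldap_value_cat()` is discarded with `(void)` just as `strlcat()`'s was; because the sizing hunk above derives `sz` from `sudo_ldap_value_len()` this cannot truncate today, but the two helpers only agree by hand (one adds 2 per escaped character, the other writes 3 bytes). Checking the returned length against `sz` after the last append, even just as a debug assertion, would turn any future drift between them into a visible error rather than a silently truncated filter.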

++++++ sudo-1.8.2-pam_session.patch ++++++
Index: sudo-1.8.2/doc/sudo_plugin.cat
===================================================================
--- sudo-1.8.2.orig/doc/sudo_plugin.cat 2011-08-17 15:54:18.000000000 +0200
+++ sudo-1.8.2/doc/sudo_plugin.cat      2012-06-01 16:01:07.704685471 +0200
@@ -585,11 +585,12 @@ DDEESSCCRRIIPPTTIIOONN
        init_session
             int (*init_session)(struct passwd *pwd);
 
-           The init_session function is called when ssuuddoo sets up the 
execution
-           environment for the command, immediately before the contents of the
-           _c_o_m_m_a_n_d___i_n_f_o list are applied (before the 
uid changes).  This can
-           be used to do session setup that is not supported by 
_c_o_m_m_a_n_d___i_n_f_o,
-           such as opening the PAM session.
+           The init_session function is called before ssuuddoo sets up the
+           execution environment for the command.  It is run in the parent
+           ssuuddoo process and before any uid or gid changes.  This can 
be used
+           to perform session setup that is not supported by 
_c_o_m_m_a_n_d___i_n_f_o,
+           such as opening the PAM session.  The close function can be used to
+           tear down the session that was opened by init_session.
 
            The _p_w_d argument points to a passwd struct for the user the 
command
            will be run as if the uid the command will run as was found in the
Index: sudo-1.8.2/doc/sudo_plugin.man.in
===================================================================
--- sudo-1.8.2.orig/doc/sudo_plugin.man.in      2011-08-17 15:54:18.000000000 
+0200
+++ sudo-1.8.2/doc/sudo_plugin.man.in   2012-06-01 16:01:07.705685470 +0200
@@ -756,11 +756,12 @@ support credential caching.
 \& int (*init_session)(struct passwd *pwd);
 .Ve
 .Sp
-The \f(CW\*(C`init_session\*(C'\fR function is called when \fBsudo\fR sets up 
the
-execution environment for the command, immediately before the
-contents of the \fIcommand_info\fR list are applied (before the uid
-changes).  This can be used to do session setup that is not supported
-by \fIcommand_info\fR, such as opening the \s-1PAM\s0 session.
+The \f(CW\*(C`init_session\*(C'\fR function is called before \fBsudo\fR sets 
up the
+execution environment for the command.  It is run in the parent
+\&\fBsudo\fR process and before any uid or gid changes.  This can be used
+to perform session setup that is not supported by \fIcommand_info\fR,
+such as opening the \s-1PAM\s0 session.  The \f(CW\*(C`close\*(C'\fR function 
can be
+used to tear down the session that was opened by 
\f(CW\*(C`init_session\*(C'\fR.
 .Sp
 The \fIpwd\fR argument points to a passwd struct for the user the
 command will be run as if the uid the command will run as was found
Index: sudo-1.8.2/doc/sudo_plugin.pod
===================================================================
--- sudo-1.8.2.orig/doc/sudo_plugin.pod 2011-03-18 15:25:11.000000000 +0100
+++ sudo-1.8.2/doc/sudo_plugin.pod      2012-06-01 16:01:07.705685470 +0200
@@ -698,11 +698,12 @@ support credential caching.
 
  int (*init_session)(struct passwd *pwd);
 
-The C<init_session> function is called when B<sudo> sets up the
-execution environment for the command, immediately before the
-contents of the I<command_info> list are applied (before the uid
-changes).  This can be used to do session setup that is not supported
-by I<command_info>, such as opening the PAM session.
+The C<init_session> function is called before B<sudo> sets up the
+execution environment for the command.  It is run in the parent
+B<sudo> process and before any uid or gid changes.  This can be used
+to perform session setup that is not supported by I<command_info>,
+such as opening the PAM session.  The C<close> function can be
+used to tear down the session that was opened by C<init_session>.
 
 The I<pwd> argument points to a passwd struct for the user the
 command will be run as if the uid the command will run as was found
Index: sudo-1.8.2/src/exec.c
===================================================================
--- sudo-1.8.2.orig/src/exec.c  2011-06-04 16:01:30.000000000 +0200
+++ sudo-1.8.2/src/exec.c       2012-06-01 16:01:07.706685469 +0200
@@ -57,6 +57,7 @@
 #include <fcntl.h>
 #include <signal.h>
 #include <termios.h>
+#include <pwd.h>
 
 #include "sudo.h"
 #include "sudo_exec.h"
@@ -119,6 +120,15 @@ static int fork_cmnd(struct command_deta
     sa.sa_handler = handler;
     sigaction(SIGCONT, &sa, NULL);
 
+    /*
+     * The policy plugin's session init must be run before we fork
+     * or certain pam modules won't be able to track their state.
+     */
+    struct passwd *pw;
+    pw = getpwuid(details->euid);
+    if (policy_init_session(details, pw) != TRUE)
+       errorx(1, _("policy plugin failed session initialization"));
+
     child = fork();
     switch (child) {
     case -1:
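Review bot: `pw = getpwuid(details->euid);` can return NULL and the result goes straight into `policy_init_session(details, pw)` with no check; the documentation hunks in this same patch only promise a passwd struct "if the uid the command will run as was found in the password database", so either a NULL `pw` must be an accepted input for every plugin's `init_session`, or the lookup failure should be reported here. Also, `struct passwd *pw;` is declared after executable statements (`sigaction(...)` just above), which older compilers reject, and since `policy_init_session()` now receives `details`, the `getpwuid()` lookup could live inside it instead of being duplicated here and in `exec_pty.c`.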
Index: sudo-1.8.2/src/exec_pty.c
===================================================================
--- sudo-1.8.2.orig/src/exec_pty.c      2011-06-04 16:01:30.000000000 +0200
+++ sudo-1.8.2/src/exec_pty.c   2012-06-01 16:01:07.706685469 +0200
@@ -56,6 +56,7 @@
 #include <fcntl.h>
 #include <signal.h>
 #include <termios.h>
+#include <pwd.h>
 
 #include "sudo.h"
 #include "sudo_exec.h"
@@ -567,6 +568,15 @@ fork_pty(struct command_details *details
        }
     }
 
+    /*
+     * The policy plugin's session init must be run before we fork
+     * or certain pam modules won't be able to track their state.
+     */
+    struct passwd *pw;
+    pw = getpwuid(details->euid);
+    if (policy_init_session(details, pw) != TRUE)
+       errorx(1, _("policy plugin failed session initialization"));
+
     child = fork();
     switch (child) {
     case -1:
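Review bot: this block is a verbatim copy of the one added to `fork_cmnd()` in exec.c, including the unchecked `getpwuid()` result and the late `struct passwd *pw;` declaration; with `policy_init_session()` now taking `details`, moving the passwd lookup into that function would reduce both call sites to a single `if (policy_init_session(details, ...) != TRUE) errorx(...)` and keep the two paths in sync.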
Index: sudo-1.8.2/src/sudo.c
===================================================================
--- sudo-1.8.2.orig/src/sudo.c  2012-06-01 16:01:07.672685473 +0200
+++ sudo-1.8.2/src/sudo.c       2012-06-01 16:08:41.193655065 +0200
@@ -135,8 +135,6 @@ static int policy_list(struct plugin_con
     char * const argv[], int verbose, const char *list_user);
 static int policy_validate(struct plugin_container *plugin);
 static void policy_invalidate(struct plugin_container *plugin, int remove);
-static int policy_init_session(struct plugin_container *plugin,
-    struct passwd *pwd);
 
 /* I/O log plugin convenience functions. */
 static int iolog_open(struct plugin_container *plugin, char * const settings[],
@@ -903,13 +901,6 @@ exec_setup(struct command_details *detai
     aix_restoreauthdb();
 #endif
 
-    /*
-     * Call policy plugin's session init before other setup occurs.
-     * The session init code is expected to print an error as needed.
-     */
-    if (policy_init_session(&policy_plugin, pw) != TRUE)
-       goto done;
-
 #ifdef HAVE_SELINUX
     if (ISSET(details->flags, CD_RBAC_ENABLED)) {
        if (selinux_setup(details->selinux_role, details->selinux_type,
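Review bot: after this removal, check that `pw`, which was passed to the deleted `policy_init_session(&policy_plugin, pw)` call, is still used later in `exec_setup()`; if it is not, it is now an unused local and the `--enable-warnings` configure flag in the spec will flag it. The behavioural change is also worth a changelog line: a failing `init_session` used to `goto done` and return from `exec_setup()`, whereas the new call sites in exec.c and exec_pty.c exit via `errorx(1, ...)`.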
@@ -1155,11 +1146,12 @@ policy_invalidate(struct plugin_containe
     plugin->u.policy->invalidate(remove);
 }
 
-static int
-policy_init_session(struct plugin_container *plugin, struct passwd *pwd)
+int
+policy_init_session(struct command_details *details, struct passwd *pwd)
 {
-    if (plugin->u.policy->init_session)
-       return plugin->u.policy->init_session(pwd);
+    if (policy_plugin.u.policy->init_session)
+       return policy_plugin.u.policy->init_session(pwd);
+
     return TRUE;
 }
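Review bot: the new `struct command_details *details` parameter is never used in the body, which reads `policy_plugin` directly and only forwards `pwd`. Either drop the parameter, or use it to perform the `getpwuid(details->euid)` lookup here so that the callers in exec.c and exec_pty.c do not each repeat it. Making the function non-`static` is required by those external callers; the `static` prototype removed in the earlier hunk is replaced by the declaration added to sudo.h in this patch.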
 
Index: sudo-1.8.2/src/sudo.h
===================================================================
--- sudo-1.8.2.orig/src/sudo.h  2011-07-21 15:55:54.000000000 +0200
+++ sudo-1.8.2/src/sudo.h       2012-06-01 16:07:41.289659082 +0200
@@ -201,6 +201,7 @@ void get_ttysize(int *rowp, int *colp);
 
 /* sudo.c */
 int exec_setup(struct command_details *details, const char *ptyname, int 
ptyfd);
+int policy_init_session(struct command_details *details, struct passwd *pwd);
 int run_command(struct command_details *details);
 void sudo_debug(int level, const char *format, ...) __printflike(2, 3);
 extern int debug_level;
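Review bot: the new prototype names `struct passwd *pwd`, but nothing in this hunk shows sudo.h including `<pwd.h>` or carrying a forward declaration of `struct passwd`; the patch instead adds `#include <pwd.h>` to exec.c and exec_pty.c, which only works as long as every includer of sudo.h happens to pull in `<pwd.h>` first. A `struct passwd;` forward declaration near the top of sudo.h (or including `<pwd.h>` there) would make the header self-sufficient.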
++++++ sudo-1.8.2-set_ldap_options.patch ++++++
Index: sudo-1.8.2/plugins/sudoers/ldap.c
===================================================================
--- sudo-1.8.2.orig/plugins/sudoers/ldap.c      2012-06-01 17:09:03.560412194 
+0200
+++ sudo-1.8.2/plugins/sudoers/ldap.c   2012-06-01 17:11:53.041400831 +0200
@@ -1800,7 +1800,7 @@ sudo_ldap_sasl_interact(LDAP *ld, unsign
  * Set LDAP options based on the config table.
  */
 static int
-sudo_ldap_set_options(LDAP *ld)
+sudo_ldap_set_options(LDAP *ld, short global)
 {
     struct ldap_config_table *cur;
     int rc;
@@ -1820,6 +1820,13 @@ sudo_ldap_set_options(LDAP *ld)
        if (cur->opt_val == -1)
            continue;
 
+       /* skip connection-specific when setting global options */
+       if (global == TRUE && cur->connected)
+           continue;
+       /* skip global when setting connection-specific options */
+       if (global == FALSE && !cur->connected)
+           continue;
+
        conn = cur->connected ? ld : NULL;
        switch (cur->type) {
        case CONF_BOOL:
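Review bot: the two skip tests compare the `short global` flag literally against `TRUE` and `FALSE`; if a caller ever passes any other non-zero value, neither test fires and every option is applied, silently reverting to the pre-patch behaviour. A single test such as `if (global ? cur->connected : !cur->connected) continue;` expresses the intent in one place and cannot fall between the two cases.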
@@ -1849,6 +1856,33 @@ sudo_ldap_set_options(LDAP *ld)
            break;
        }
     }
+    return(0);
+}
+
+/*
+ * Set global LDAP options
+ */
+static int
+sudo_ldap_set_options_global(void)
+{
+    int rc;
+    rc = sudo_ldap_set_options(NULL, TRUE);
+    if (rc == -1)
+       return(-1);
+    return(0);
+}
+
+/*
+ * Set global LDAP options
+ */
+static int
+sudo_ldap_set_options_connection_specific(ld)
+    LDAP *ld;
+{
+    int rc;
+    rc = sudo_ldap_set_options(ld, FALSE);
+    if (rc == -1)
+       return(-1);
 
 #ifdef LDAP_OPT_TIMEOUT
     /* Convert timeout to a timeval */
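Review bot: the comment above `sudo_ldap_set_options_connection_specific()` is a copy-paste of the one above `sudo_ldap_set_options_global()` and should read "Set connection-specific LDAP options"; as written it misdocuments the only function in the file that touches the live handle. Two style points in the same region: the new function uses a K&R-style definition (`(ld)` followed by `LDAP *ld;`) while the other new function and the modified `sudo_ldap_set_options(LDAP *ld, short global)` use ANSI prototypes, so the file now mixes both; and the `rc` temporaries in both wrappers add nothing, `return sudo_ldap_set_options(NULL, TRUE);` expresses the global wrapper in one line. The split itself is sound: the tail of the old function body (the `LDAP_OPT_TIMEOUT` conversion and whatever follows it) needs a real handle and now lives only in the connection-specific wrapper, while the global wrapper returns before reaching it.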
@@ -2065,6 +2099,10 @@ sudo_ldap_open(struct sudo_nss *nss)
        setenv("LDAPNOINIT", "1", TRUE);
     }
 
+    /* Set global LDAP options */
+    if (sudo_ldap_set_options_global() < 0)
+       return -1;
+
     /* Connect to LDAP server */
 #ifdef HAVE_LDAP_INITIALIZE
     if (ldap_conf.uri != NULL) {
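Review bot: the new early `return -1` sits between `setenv("LDAPNOINIT", "1", TRUE)` in the lines just above and the matching `unsetenv("LDAPNOINIT")` that appears later in the function, so a failure in `sudo_ldap_set_options_global()` leaves `LDAPNOINIT=1` in the process environment. Mirror the later cleanup on this error path (`if (ldapnoinit) unsetenv("LDAPNOINIT");` before returning) so the failure path restores the environment the same way the success path does. Placing the global options before the handle is created is the point of the change (bnc#760697): options set with a NULL handle must be applied before `ldap_initialize()`/`ldap_init()` for the new handle to inherit them.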
@@ -2083,8 +2121,8 @@ sudo_ldap_open(struct sudo_nss *nss)
     if (ldapnoinit)
        unsetenv("LDAPNOINIT");
 
-    /* Set LDAP options */
-    if (sudo_ldap_set_options(ld) < 0)
+    /* Set connection-specific LDAP options */
+    if (sudo_ldap_set_options_connection_specific(ld) < 0)
        return -1;
 
     if (ldap_conf.ssl_mode == SUDO_LDAP_STARTTLS) {
++++++ sudo-1.8.6p3-CVE-2013-1775.patch ++++++
63210a2b8f2f199b521f6c8213bb29775c09375c
 plugins/sudoers/check.c |   53 +++++++++++++++++++++++++----------------------
 1 file changed, 28 insertions(+), 25 deletions(-)

Index: sudo-1.8.2/plugins/sudoers/check.c
===================================================================
--- sudo-1.8.2.orig/plugins/sudoers/check.c     2011-07-28 16:59:58.000000000 
+0200
+++ sudo-1.8.2/plugins/sudoers/check.c  2013-03-01 13:26:07.392242292 +0100
@@ -589,31 +589,34 @@ timestamp_status(char *timestampdir, cha
      */
     if (status == TS_OLD && !ISSET(flags, TS_REMOVE)) {
        mtim_get(&sb, &mtime);
-       /* Negative timeouts only expire manually (sudo -k). */
-       if (def_timestamp_timeout < 0 && mtime.tv_sec != 0)
-           status = TS_CURRENT;
-       else {
-           now = time(NULL);
-           if (def_timestamp_timeout &&
-               now - mtime.tv_sec < 60 * def_timestamp_timeout) {
-               /*
-                * Check for bogus time on the stampfile.  The clock may
-                * have been set back or someone could be trying to spoof us.
-                */
-               if (mtime.tv_sec > now + 60 * def_timestamp_timeout * 2) {
-                   time_t tv_sec = (time_t)mtime.tv_sec;
-                   log_error(NO_EXIT,
-                       _("timestamp too far in the future: %20.20s"),
-                       4 + ctime(&tv_sec));
-                   if (timestampfile)
-                       (void) unlink(timestampfile);
-                   else
-                       (void) rmdir(timestampdir);
-                   status = TS_MISSING;
-               } else if (get_boottime(&boottime) && timevalcmp(&mtime, 
&boottime, <)) {
-                   status = TS_OLD;
-               } else {
-                   status = TS_CURRENT;
+       if (timevalisset(&mtime)) {
+           /* Negative timeouts only expire manually (sudo -k). */
+           if (def_timestamp_timeout < 0) {
+               status = TS_CURRENT;
+           } else {
+               now = time(NULL);
+               if (def_timestamp_timeout &&
+                   now - mtime.tv_sec < 60 * def_timestamp_timeout) {
+                   /*
+                    * Check for bogus time on the stampfile.  The clock may
+                    * have been set back or user could be trying to spoof us.
+                    */
+                   if (mtime.tv_sec > now + 60 * def_timestamp_timeout * 2) {
+                       time_t tv_sec = (time_t)mtime.tv_sec;
+                       log_error(0,
+                           _("timestamp too far in the future: %20.20s"),
+                           4 + ctime(&tv_sec));
+                       if (timestampfile)
+                           (void) unlink(timestampfile);
+                       else
+                           (void) rmdir(timestampdir);
+                       status = TS_MISSING;
+                   } else if (get_boottime(&boottime) &&
+                       timevalcmp(&mtime, &boottime, <)) {
+                       status = TS_OLD;
+                   } else {
+                       status = TS_CURRENT;
+                   }
                }
            }
        }
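Review bot: the `log_error(NO_EXIT, ...)` to `log_error(0, ...)` change needs checking against the 1.8.2 tree this patch is applied to. The new value follows the sudo 1.8.6 convention, where `log_error()` returns to the caller, but in the 1.8.2 sources `NO_EXIT` is the flag that tells `log_error()` not to exit; if that is still the case here, dropping it makes the "timestamp too far in the future" path fatal, and the `unlink()`/`rmdir()` of the stamp and the `status = TS_MISSING` assignment that follow it would never run. Keep `NO_EXIT` in the backport unless 1.8.2's `log_error()` has been confirmed to return with flags `0`. The substantive fix is correct as shown: the whole age check is now wrapped in `timevalisset(&mtime)`, so a stamp with an all-zero mtime (the value `sudo -k` leaves behind) is never treated as current, regardless of where the system clock is set, whereas before only the negative-timeout branch tested `mtime.tv_sec != 0`.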
++++++ sudo-1.8.6p3-CVE-2013-1776.patch ++++++
2b18d55589975e70dd98f24bca5b0aaabc56a9b5
 plugins/sudoers/check.c   |    4 +++-
 plugins/sudoers/sudoers.c |    4 ++++
 plugins/sudoers/sudoers.h |    3 ++-
 3 files changed, 9 insertions(+), 2 deletions(-)

Index: sudo-1.8.2/plugins/sudoers/check.c
===================================================================
--- sudo-1.8.2.orig/plugins/sudoers/check.c     2013-03-01 13:26:15.560485878 
+0100
+++ sudo-1.8.2/plugins/sudoers/check.c  2013-03-01 13:26:15.576486355 +0100
@@ -82,6 +82,7 @@ static struct tty_info {
     dev_t rdev;                        /* tty device ID */
     ino_t ino;                 /* tty inode number */
     struct timeval ctime;      /* tty inode change time */
+    pid_t sid;                 /* ID of session with controlling tty */
 } tty_info;
 
 static int   build_timestamp(char **, char **);
@@ -104,13 +105,14 @@ check_user(int validated, int mode)
     struct stat sb;
     int status, rval = TRUE;
 
-    /* Stash the tty's ctime for tty ticket comparison. */
+    /* Stash the tty's device, session ID and ctime for ticket comparison. */
     if (def_tty_tickets && user_ttypath && stat(user_ttypath, &sb) == 0) {
        tty_info.dev = sb.st_dev;
        tty_info.ino = sb.st_ino;
        tty_info.rdev = sb.st_rdev;
        if (tty_is_devpts(user_ttypath))
            ctim_get(&sb, &tty_info.ctime);
+       tty_info.sid = user_sid;
     }
 
     /* Always prompt for a password when -k was specified with the command. */
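Review bot: `tty_info.sid` is assigned here but nothing in this patch compares it, so the fix only works if `tty_info` as a whole is the record written to the tty ticket and compared (for example with `memcmp()`) when the ticket is checked; please confirm that is how `timestamp_status()` in 1.8.2 uses the struct, otherwise the new field is stored and ignored. Two smaller observations: the field is only set inside the `def_tty_tickets && user_ttypath && stat()` branch, so with tty tickets disabled it keeps its zero initial value, which is fine since the ticket is then not tty-specific; and the new field widens the struct, so existing tickets written by the old binary will fail the comparison once and be re-created, which is the desired effect of a ticket-format change but worth a line in the package changelog.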
Index: sudo-1.8.2/plugins/sudoers/sudoers.c
===================================================================
--- sudo-1.8.2.orig/plugins/sudoers/sudoers.c   2011-08-14 00:37:06.000000000 
+0200
+++ sudo-1.8.2/plugins/sudoers/sudoers.c        2013-03-01 13:26:15.577486385 
+0100
@@ -1343,6 +1343,10 @@ deserialize_info(char * const settings[]
            sudo_user.cols = atoi(*cur + sizeof("cols=") - 1);
            continue;
        }
+       if (MATCHES(*cur, "sid=")) {
+           sudo_user.sid = atoi(*cur + sizeof("sid=") - 1);
+           continue;
+       }
     }
     if (user_cwd == NULL)
        user_cwd = "unknown";
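Review bot: this hunk teaches the plugin to read `sid=` from the front end's `user_info`, but the diffstat at the top of the patch lists only `plugins/sudoers/*`; no hunk makes `src/sudo.c` emit `sid=`. Unless the 1.8.2 front end already sends it, `sudo_user.sid` stays 0 for every invocation and the session-ID check in the tty ticket never distinguishes anything, so either add the front-end side of the upstream change or document why 1.8.2 does not need it. Using `atoi()` without range checking is consistent with the adjacent `cols=` parsing, though a `pid_t` parsed this way silently accepts garbage as 0.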
Index: sudo-1.8.2/plugins/sudoers/sudoers.h
===================================================================
--- sudo-1.8.2.orig/plugins/sudoers/sudoers.h   2011-07-25 15:43:36.000000000 
+0200
+++ sudo-1.8.2/plugins/sudoers/sudoers.h        2013-03-01 13:26:15.577486385 
+0100
@@ -82,6 +82,7 @@ struct sudo_user {
     int   cols;
     uid_t uid;
     uid_t gid;
+    pid_t sid;
 };
 
 /*
@@ -157,8 +158,8 @@ struct sudo_user {
 #define user_name              (sudo_user.name)
 #define user_uid               (sudo_user.uid)
 #define user_gid               (sudo_user.gid)
+#define user_sid               (sudo_user.sid)
 #define user_passwd            (sudo_user.pw->pw_passwd)
-#define user_uuid              (sudo_user.uuid)
 #define user_dir               (sudo_user.pw->pw_dir)
 #define user_group_list                (sudo_user.group_list)
 #define user_tty               (sudo_user.tty)
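Review bot: the removal of `#define user_uuid (sudo_user.uuid)` is unrelated to the CVE fix and is not mentioned in the patch description; the `struct sudo_user` hunk above shows no `uuid` member, so the macro was already dead, but a security backport should either leave such cleanup out or state it explicitly so reviewers can tell intended behaviour changes from incidental ones. The `user_sid` define itself is placed consistently with `user_uid`/`user_gid`.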
++++++ sudo-grp-include.patch ++++++
Index: sudo-1.8.2/common/setgroups.c
===================================================================
--- sudo-1.8.2.orig/common/setgroups.c
+++ sudo-1.8.2/common/setgroups.c
@@ -33,6 +33,7 @@
 #endif /* HAVE_UNISTD_H */
 #include <errno.h>
 #include <limits.h>
+#include <grp.h>
 
 #include "missing.h"
 
++++++ sudo-sudoers.patch ++++++
Index: sudo-1.8.0/plugins/sudoers/sudoers.in
===================================================================
--- sudo-1.8.0.orig/plugins/sudoers/sudoers.in
+++ sudo-1.8.0/plugins/sudoers/sudoers.in
@@ -31,37 +31,36 @@
 ##
 ## Defaults specification
 ##
-## You may wish to keep some of the following environment variables
-## when running commands via sudo.
-##
-## Locale settings
-# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET"
-##
-## Run X applications through sudo; HOME is used to find the
-## .Xauthority file.  Note that other programs use HOME to find   
-## configuration files and this may lead to privilege escalation!
-# Defaults env_keep += "HOME"
-##
-## X11 resource path settings
-# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH"
-##
-## Desktop path settings
-# Defaults env_keep += "QTDIR KDEDIR"
-##
-## Allow sudo-run commands to inherit the callers' ConsoleKit session
-# Defaults env_keep += "XDG_SESSION_COOKIE"
-##
-## Uncomment to enable special input methods.  Care should be taken as
-## this may allow users to subvert the command being run via sudo.
-# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
+## Prevent environment variables from influencing programs in an
+## unexpected or harmful way (CVE-2005-2959, CVE-2005-4158, CVE-2006-0151)
+Defaults always_set_home
+Defaults env_reset
+## Change env_reset to !env_reset in previous line to keep all environment 
variables
+## Following list will no longer be necessary after this change
+
+Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION 
LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE 
LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
+## Comment out the preceding line and uncomment the following one if you need
+## to use special input methods. This may allow users to compromise  the root
+## account if they are allowed to run commands without authentication.
+#Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION 
LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE 
LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE XMODIFIERS GTK_IM_MODULE 
QT_IM_MODULE QT_IM_SWITCHER"
+
+## Do not insult users when they enter an incorrect password.
+Defaults !insults
+
 ##
 ## Uncomment to enable logging of a command's output, except for
 ## sudoreplay and reboot.  Use sudoreplay to play back logged sessions.
 # Defaults log_output
 # Defaults!/usr/bin/sudoreplay !log_output
-# Defaults!/usr/local/bin/sudoreplay !log_output
 # Defaults!/sbin/reboot !log_output
 
+## In the default (unconfigured) configuration, sudo asks for the root 
password.
+## This allows use of an ordinary user account for administration of a freshly
+## installed system. When configuring sudo, delete the two
+## following lines:
+Defaults targetpw   # ask for the password of the target user i.e. root
+ALL    ALL=(ALL) ALL   # WARNING! Only use this together with 'Defaults 
targetpw'!
+
 ##
 ## Runas alias specification
 ##
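Review bot: the comment "When configuring sudo, delete the two following lines" should say that the two lines must be removed together. `ALL ALL=(ALL) ALL` on its own grants every local account the right to run any command as root after entering its own password; it is only acceptable in combination with `Defaults targetpw`, which demands the target user's (root's) password instead. An administrator who drops only the `targetpw` line, or who adds a group rule above these lines without removing them, ends up with a far weaker policy than intended. The trailing `# WARNING!` comment on the `ALL` line points in that direction, but the explanatory block above it is where people read, so spell out the dependency there. The switch from the upstream opt-in `env_keep +=` examples to `Defaults env_reset` with an explicit `env_keep =` list is the right default for a distribution; keeping `XDG_SESSION_COOKIE` in that list is a deliberate choice to preserve the caller's ConsoleKit session and should be called out in the changelog, since it is the one variable in the list that is not a locale setting.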
@@ -77,14 +76,6 @@ root ALL=(ALL) ALL
 ## Same thing without a password
 # %wheel ALL=(ALL) NOPASSWD: ALL
 
-## Uncomment to allow members of group sudo to execute any command
-# %sudo        ALL=(ALL) ALL
-
-## Uncomment to allow any user to run sudo if they know the password
-## of the user they are running the command as (root by default).
-# Defaults targetpw  # Ask for the password of the target user
-# ALL ALL=(ALL) ALL  # WARNING: only use this together with 'Defaults targetpw'
-
 ## Read drop-in files from @sysconfdir@/sudoers.d
 ## (the '#' here does not indicate a comment)
 #includedir @sysconfdir@/sudoers.d
++++++ sudo.pamd ++++++
#%PAM-1.0
auth     include        common-auth
account  include        common-account
password include        common-password
session  include        common-session
# session  optional       pam_xauth.so
++++++ sudoers2ldif-env.patch ++++++
Index: sudo-1.8.0/plugins/sudoers/sudoers2ldif
===================================================================
--- sudo-1.8.0.orig/plugins/sudoers/sudoers2ldif
+++ sudo-1.8.0/plugins/sudoers/sudoers2ldif
@@ -1,4 +1,4 @@
-#!/usr/bin/env perl
+#!/usr/bin/perl
 use strict;
 
 #
-- 
To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org
For additional commands, e-mail: opensuse-commit+h...@opensuse.org
