authorbsiegert <bsiegert@pkgsrc.org>2020-02-09 19:21:38 +0000
committerbsiegert <bsiegert@pkgsrc.org>2020-02-09 19:21:38 +0000
commitfbb8e5d8d479df4a54150fcd3c675ccae5c74a3e (patch)
treed17170179bbbbd29342512777c460f4a9f5c4615
parent7760d9f5869aa7da2ee690dafd4256c92d7fe82f (diff)
downloadpkgsrc-fbb8e5d8d479df4a54150fcd3c675ccae5c74a3e.tar.gz
Pullup ticket #6133 - requested by taca
security/sudo: security fix Revisions pulled up: - security/sudo/Makefile 1.174-1.178 - security/sudo/distinfo 1.107-1.109 - security/sudo/patches/patch-Makefile.in 1.2 - security/sudo/patches/patch-configure 1.2 - security/sudo/patches/patch-include_sudo__compat.h deleted - security/sudo/patches/patch-include_sudo__event.h deleted - security/sudo/patches/patch-lib_util_sig2str.c deleted - security/sudo/patches/patch-lib_util_str2sig.c deleted - security/sudo/patches/patch-plugins_sudoers_Makefile.in 1.3 - security/sudo/patches/patch-plugins_sudoers_logging.c deleted - security/sudo/patches/patch-plugins_sudoers_starttime.c deleted - security/sudo/patches/patch-plugins_sudoers_sudoers.c deleted - security/sudo/patches/patch-src_Makefile.in 1.4 - security/sudo/patches/patch-src_limits.c deleted --- Module Name: pkgsrc Committed By: kim Date: Sat Dec 28 20:43:56 UTC 2019 Modified Files: pkgsrc/security/sudo: Makefile distinfo pkgsrc/security/sudo/patches: patch-Makefile.in patch-configure patch-plugins_sudoers_Makefile.in patch-src_Makefile.in Removed Files: pkgsrc/security/sudo/patches: patch-include_sudo__compat.h patch-include_sudo__event.h patch-lib_util_sig2str.c patch-lib_util_str2sig.c patch-plugins_sudoers_logging.c patch-plugins_sudoers_starttime.c patch-plugins_sudoers_sudoers.c patch-src_limits.c Log Message: Update to sudo 1.8.30beta3 * Portability fixes from pkgsrc have been merged upstream * Add runas_check_shell flag to require a runas user to have a valid shell. Not enabled by default. * Add a new flag "allow_unknown_runas_id" to control matching of unknown IDs. Previously, sudo would always allow unknown user or group IDs if the sudoers entry permitted it. This included the "ALL" alias. With this change, the admin must explicitly enable support for unknown IDs. * Transparently handle the "sudo sudoedit" problem. Some admins are confused about how to give users sudoedit permission and many users try to run sudoedit via sudo instead of directly. 
If the user runs "sudo sudoedit" sudo will now treat it as plain "sudoedit" after issuing a warning. If the admin has specified a fully-qualified path for sudoedit in sudoers, sudo will treat it as just "sudoedit" and match accordingly. In visudo (but not sudo), a fully-qualified path for sudoedit is now treated as an error. * When restoring old resource limits, try to recover if we receive EINVAL. On NetBSD, setrlimit(2) can return EINVAL if the new soft limit is lower than the current resource usage. This can be a problem when restoring the old stack limit if sudo has raised it. * Restore resource limits before executing the askpass program. Linux with docker seems to have issues executing a program when the stack size is unlimited. Bug #908 * macOS does not allow rlim_cur to be set to RLIM_INFINITY for RLIMIT_NOFILE. We need to use OPEN_MAX instead as per the macOS setrlimit manual. Bug #904 * Use 64-bit resource limits on AIX. --- Module Name: pkgsrc Committed By: kim Date: Wed Jan 1 01:47:29 UTC 2020 Modified Files: pkgsrc/security/sudo: Makefile distinfo Log Message: Update to sudo 1.8.30 Notable changes: * The version string no longer has the word "beta" in it. --- Module Name: pkgsrc Committed By: jperkin Date: Sat Jan 18 21:51:16 UTC 2020 Modified Files: pkgsrc/security/sudo: Makefile Log Message: *: Recursive revision bump for openssl 1.1.1. --- Module Name: pkgsrc Committed By: triaxx Date: Thu Jan 30 21:08:00 UTC 2020 Modified Files: pkgsrc/security/sudo: Makefile Log Message: sudo: update master site TW Aren FTP server seems down and the fetching step hangs for hours. --- Module Name: pkgsrc Committed By: kim Date: Mon Feb 3 07:47:56 UTC 2020 Modified Files: pkgsrc/security/sudo: Makefile distinfo Log Message: Update to sudo 1.8.31 What's new: * Fixed CVE-2019-18634, a buffer overflow when the "pwfeedback" sudoers option is enabled on systems with uni-directional pipes. 
* The "sudoedit_checkdir" option now treats a user-owned directory as writable, even if it does not have the write bit set at the time of check. Symbolic links will no longer be followed by sudoedit in any user-owned directory. Bug #912 * Fixed sudoedit on macOS 10.15 and above where the root file system is mounted read-only. Bug #913. * Fixed a crash introduced in sudo 1.8.30 when suspending sudo at the password prompt. Bug #914. * Fixed compilation on systems where the mmap MAP_ANON flag is not available. Bug #915.
-rw-r--r--security/sudo/Makefile7
-rw-r--r--security/sudo/distinfo26
-rw-r--r--security/sudo/patches/patch-Makefile.in10
-rw-r--r--security/sudo/patches/patch-configure26
-rw-r--r--security/sudo/patches/patch-include_sudo__compat.h20
-rw-r--r--security/sudo/patches/patch-include_sudo__event.h16
-rw-r--r--security/sudo/patches/patch-lib_util_sig2str.c23
-rw-r--r--security/sudo/patches/patch-lib_util_str2sig.c31
-rw-r--r--security/sudo/patches/patch-plugins_sudoers_Makefile.in10
-rw-r--r--security/sudo/patches/patch-plugins_sudoers_logging.c16
-rw-r--r--security/sudo/patches/patch-plugins_sudoers_starttime.c15
-rw-r--r--security/sudo/patches/patch-plugins_sudoers_sudoers.c37
-rw-r--r--security/sudo/patches/patch-src_Makefile.in8
-rw-r--r--security/sudo/patches/patch-src_limits.c126
14 files changed, 39 insertions, 332 deletions
diff --git a/security/sudo/Makefile b/security/sudo/Makefile
index b543366740e..d93a2d37137 100644
--- a/security/sudo/Makefile
+++ b/security/sudo/Makefile
@@ -1,12 +1,11 @@
-# $NetBSD: Makefile,v 1.173 2019/12/19 16:59:44 kim Exp $
+# $NetBSD: Makefile,v 1.173.4.1 2020/02/09 19:21:38 bsiegert Exp $
-DISTNAME= sudo-1.8.29
-PKGREVISION= 2
+DISTNAME= sudo-1.8.31
CATEGORIES= security
MASTER_SITES= https://www.sudo.ws/dist/
MASTER_SITES+= ftp://ftp.sudo.ws/pub/sudo/
MASTER_SITES+= ftp://ftp.uwsg.indiana.edu/pub/security/sudo/
-MASTER_SITES+= ftp://ftp.twaren.net/Unix/Security/Sudo/
+MASTER_SITES+= http://ftp.twaren.net/Unix/Security/Sudo/
MASTER_SITES+= http://ftp.tux.org/pub/security/sudo/
MAINTAINER= pkgsrc-users@NetBSD.org
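Review bot: The new `MASTER_SITES+= http://ftp.twaren.net/Unix/Security/Sudo/` entry swaps one cleartext transport for another without recording why, so a later cleanup could easily revert it. The log message gives the reason (the FTP service hangs the fetch step); a one-line comment above the entry would keep it, for example `# twaren: FTP service hangs the fetch; use the HTTP mirror`. Only the first site in this list is fetched over TLS, so the tarball's integrity rests on the SHA512 entry in distinfo. For a security pullup, that hash is best confirmed against the upstream release rather than against a mirror download.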
diff --git a/security/sudo/distinfo b/security/sudo/distinfo
index 21dee6da817..553b9296cdd 100644
--- a/security/sudo/distinfo
+++ b/security/sudo/distinfo
@@ -1,18 +1,10 @@
-$NetBSD: distinfo,v 1.106 2019/12/19 16:59:44 kim Exp $
+$NetBSD: distinfo,v 1.106.4.1 2020/02/09 19:21:38 bsiegert Exp $
-SHA1 (sudo-1.8.29.tar.gz) = fdce342856f1803478eb549479190370001dca95
-RMD160 (sudo-1.8.29.tar.gz) = 706c7c8ec2a90b2e464e138384335b7de91d1c25
-SHA512 (sudo-1.8.29.tar.gz) = ea780922b2afb47df4df4b533fb355fd916cb18a6bfd13c7ca36a25b03ef585d805648c6fa85692bea363b1f83664ac3bc622f99bcd149b3a86f70522eb4d340
-Size (sudo-1.8.29.tar.gz) = 3338260 bytes
-SHA1 (patch-Makefile.in) = 279c7ad0f7f85ea7bc2d4beb5aa21abdf6237a7c
-SHA1 (patch-configure) = 460b9575346c263b944535aa8e2408e959840c77
-SHA1 (patch-include_sudo__compat.h) = 4f9b021ebdd507949f13e289deabdb6090ab334c
-SHA1 (patch-include_sudo__event.h) = 4d0787a45c2c7d4a7d3ae3111ccb3a4a4b84d083
-SHA1 (patch-lib_util_sig2str.c) = e5636d9e414fc9354cd238751fa4a00026320dd3
-SHA1 (patch-lib_util_str2sig.c) = e04aa67cab901e1be10d59bd1b0ee740aa1295b8
-SHA1 (patch-plugins_sudoers_Makefile.in) = 46bbee9c51664357099dc6d6871341de3e3fcc6f
-SHA1 (patch-plugins_sudoers_logging.c) = 700ac9540a82bea4f3106cea941b785e5bd31203
-SHA1 (patch-plugins_sudoers_starttime.c) = acec2f8a96041381582acff4928233568411f2c6
-SHA1 (patch-plugins_sudoers_sudoers.c) = b5aa8a91da50d4b12ea47cd92e29d25ea325b52c
-SHA1 (patch-src_Makefile.in) = cc6398a810dc394d8e4b50f2b2412cda839c0ca9
-SHA1 (patch-src_limits.c) = 790c64fed4a4f406ce07b3d0e806866095c0a5ca
+SHA1 (sudo-1.8.31.tar.gz) = 24222b6fb644354c944bc024a0f77548b289410d
+RMD160 (sudo-1.8.31.tar.gz) = 8f67e551df2f528983f675cda6c9c908f9f1950b
+SHA512 (sudo-1.8.31.tar.gz) = b9e408a322938c7a712458e9012d8a5f648fba5b23a5057cf5d8372c7f931262595f1575c32c32b9cb1a04af670ff4611e7df48d197e5c4cc038d6b65439a28a
+Size (sudo-1.8.31.tar.gz) = 3350674 bytes
+SHA1 (patch-Makefile.in) = e8813e1aa208d9ef6304038328504a5402341560
+SHA1 (patch-configure) = 906a90a8e8f5397693d9f410b7715439cf029508
+SHA1 (patch-plugins_sudoers_Makefile.in) = 730193c6437197a7114dd31886050cecdcba6772
+SHA1 (patch-src_Makefile.in) = 8959049bc428f592f84de1cad1a898c07c6e6b39
diff --git a/security/sudo/patches/patch-Makefile.in b/security/sudo/patches/patch-Makefile.in
index 98b6c7eb03b..4d12fc38dcf 100644
--- a/security/sudo/patches/patch-Makefile.in
+++ b/security/sudo/patches/patch-Makefile.in
@@ -1,10 +1,10 @@
-$NetBSD: patch-Makefile.in,v 1.1 2018/08/14 13:18:38 adam Exp $
+$NetBSD: patch-Makefile.in,v 1.1.14.1 2020/02/09 19:21:38 bsiegert Exp $
Don't setuid here.
---- Makefile.in.orig 2015-10-31 23:35:07.000000000 +0000
-+++ Makefile.in
-@@ -63,7 +63,8 @@ SHELL = @SHELL@
+--- Makefile.in.orig 2019-10-28 15:51:30.000000000 +0200
++++ Makefile.in 2019-12-28 21:41:28.028886752 +0200
+@@ -64,7 +64,8 @@
SED = @SED@
INSTALL = $(SHELL) $(top_srcdir)/install-sh -c
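Review bot: The regenerated inner patch header `+++ Makefile.in 2019-12-28 21:41:28.028886752 +0200` now carries a local build timestamp, and the inner hunk headers have lost their section context (`@@ -64,7 +64,8 @@` where the previous revision had `@@ -63,7 +63,8 @@ SHELL = @SHELL@`). This looks like the patches were refreshed with plain `diff -u` rather than the pkgsrc patch tooling, and it probably means later refreshes will change the header, and with it the patch's SHA1 in distinfo, even when the patch content is unchanged. The same pattern is visible in patch-configure, patch-plugins_sudoers_Makefile.in and patch-src_Makefile.in in this commit. Regenerating them so the line reads `+++ Makefile.in`, as in the previous revisions, would keep later patch diffs limited to real changes.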
@@ -14,7 +14,7 @@ Don't setuid here.
ECHO_N = @ECHO_N@
ECHO_C = @ECHO_C@
-@@ -129,7 +130,7 @@ install-doc: config.status ChangeLog
+@@ -165,7 +166,7 @@
exit $$?; \
done
diff --git a/security/sudo/patches/patch-configure b/security/sudo/patches/patch-configure
index c5872016794..25cbe9eb1a5 100644
--- a/security/sudo/patches/patch-configure
+++ b/security/sudo/patches/patch-configure
@@ -1,4 +1,4 @@
-$NetBSD: patch-configure,v 1.1 2018/08/14 13:18:38 adam Exp $
+$NetBSD: patch-configure,v 1.1.14.1 2020/02/09 19:21:38 bsiegert Exp $
* Add "--with-nbsdops" option, NetBSD standard options.
* Link with util(3) in the case of DragonFly, too.
@@ -7,9 +7,9 @@ $NetBSD: patch-configure,v 1.1 2018/08/14 13:18:38 adam Exp $
functions (HAVE_KRB5_*).
* Remove setting sysconfdir to "/etc".
---- configure.orig 2017-05-29 20:33:06.000000000 +0000
-+++ configure
-@@ -865,6 +865,7 @@ with_libpath
+--- configure.orig 2019-12-26 06:24:43.000000000 +0200
++++ configure 2019-12-28 21:41:28.049372280 +0200
+@@ -869,6 +869,7 @@
with_libraries
with_efence
with_csops
@@ -17,7 +17,7 @@ $NetBSD: patch-configure,v 1.1 2018/08/14 13:18:38 adam Exp $
with_passwd
with_skey
with_opie
-@@ -1571,7 +1572,7 @@ Fine tuning of the installation director
+@@ -1581,7 +1582,7 @@
--bindir=DIR user executables [EPREFIX/bin]
--sbindir=DIR system admin executables [EPREFIX/sbin]
--libexecdir=DIR program executables [EPREFIX/libexec]
@@ -26,7 +26,7 @@ $NetBSD: patch-configure,v 1.1 2018/08/14 13:18:38 adam Exp $
--sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]
--localstatedir=DIR modifiable single-machine data [PREFIX/var]
--libdir=DIR object code libraries [EPREFIX/lib]
-@@ -1674,6 +1675,7 @@ Optional Packages:
+@@ -1694,6 +1695,7 @@
--with-libraries additional libraries to link with
--with-efence link with -lefence for malloc() debugging
--with-csops add CSOps standard options
@@ -34,7 +34,7 @@ $NetBSD: patch-configure,v 1.1 2018/08/14 13:18:38 adam Exp $
--without-passwd don't use passwd/shadow file for authentication
--with-skey[=DIR] enable S/Key support
--with-opie[=DIR] enable OPIE support
-@@ -4746,6 +4748,23 @@ fi
+@@ -4797,6 +4799,23 @@
@@ -58,7 +58,7 @@ $NetBSD: patch-configure,v 1.1 2018/08/14 13:18:38 adam Exp $
# Check whether --with-passwd was given.
if test "${with_passwd+set}" = set; then :
withval=$with_passwd; case $with_passwd in
-@@ -15770,7 +15789,7 @@ fi
+@@ -15925,7 +15944,7 @@
: ${mansectsu='1m'}
: ${mansectform='4'}
;;
@@ -67,7 +67,7 @@ $NetBSD: patch-configure,v 1.1 2018/08/14 13:18:38 adam Exp $
shadow_funcs="getspnam"
test -z "$with_pam" && AUTH_EXCL_DEF="PAM"
# Check for SECCOMP_SET_MODE_FILTER in linux/seccomp.h
-@@ -17995,7 +18014,7 @@ if test "x$ac_cv_header_login_cap_h" = x
+@@ -18163,7 +18182,7 @@
_ACEOF
LOGINCAP_USAGE='[-c class] '; LCMAN=1
case "$OS" in
@@ -76,7 +76,7 @@ $NetBSD: patch-configure,v 1.1 2018/08/14 13:18:38 adam Exp $
SUDO_LIBS="${SUDO_LIBS} -lutil"
SUDOERS_LIBS="${SUDOERS_LIBS} -lutil"
;;
-@@ -22483,10 +22502,9 @@ if test ${with_pam-"no"} != "no"; then
+@@ -22993,10 +23012,9 @@
# Check for pam_start() in libpam first, then for pam_appl.h.
#
found_pam_lib=no
@@ -89,7 +89,7 @@ $NetBSD: patch-configure,v 1.1 2018/08/14 13:18:38 adam Exp $
$as_echo_n "(cached) " >&6
else
ac_check_lib_save_LIBS=$LIBS
-@@ -22510,18 +22528,17 @@ return pam_start ();
+@@ -23020,18 +23038,17 @@
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
@@ -113,7 +113,7 @@ $NetBSD: patch-configure,v 1.1 2018/08/14 13:18:38 adam Exp $
found_pam_lib=yes
fi
-@@ -23256,6 +23273,8 @@ fi
+@@ -23766,6 +23783,8 @@
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
AUTH_OBJS="$AUTH_OBJS kerb5.lo"
fi
@@ -122,7 +122,7 @@ $NetBSD: patch-configure,v 1.1 2018/08/14 13:18:38 adam Exp $
_LIBS="$LIBS"
LIBS="${LIBS} ${SUDOERS_LIBS}"
for ac_func in krb5_verify_user krb5_init_secure_context
-@@ -26426,7 +26445,6 @@ test "$datarootdir" = '${prefix}/share'
+@@ -27026,7 +27045,6 @@
test "$docdir" = '${datarootdir}/doc/${PACKAGE_TARNAME}' && docdir='$(datarootdir)/doc/$(PACKAGE_TARNAME)'
test "$localedir" = '${datarootdir}/locale' && localedir='$(datarootdir)/locale'
test "$localstatedir" = '${prefix}/var' && localstatedir='$(prefix)/var'
diff --git a/security/sudo/patches/patch-include_sudo__compat.h b/security/sudo/patches/patch-include_sudo__compat.h
deleted file mode 100644
index 0b1597035a5..00000000000
--- a/security/sudo/patches/patch-include_sudo__compat.h
+++ /dev/null
@@ -1,20 +0,0 @@
-$NetBSD: patch-include_sudo__compat.h,v 1.1 2017/05/31 02:22:02 maya Exp $
-
-Work around missing WCONTINUED/WIFCONTINUED support in
-NetBSD<8
-
---- include/sudo_compat.h.orig 2017-05-10 15:38:43.000000000 +0000
-+++ include/sudo_compat.h
-@@ -304,6 +304,12 @@ extern int errno;
- # define SIG2STR_MAX 32
- #endif
-
-+/* Deficiencies in NetBSD<8 */
-+#ifndef WCONTINUED
-+# define WCONTINUED 0
-+# define WIFCONTINUED(a) 0
-+#endif
-+
- /* WCOREDUMP is not POSIX, this usually works (verified on AIX). */
- #ifndef WCOREDUMP
- # define WCOREDUMP(x) ((x) & 0x80)
diff --git a/security/sudo/patches/patch-include_sudo__event.h b/security/sudo/patches/patch-include_sudo__event.h
deleted file mode 100644
index 8d1708aa59e..00000000000
--- a/security/sudo/patches/patch-include_sudo__event.h
+++ /dev/null
@@ -1,16 +0,0 @@
-$NetBSD: patch-include_sudo__event.h,v 1.2 2017/09/12 06:34:22 adam Exp $
-
-Missing include, fixes build error:
-error: field 'timeout' has incomplete type
-struct timeval timeout; /* for SUDO_EV_TIMEOUT */
-
---- include/sudo_event.h.orig 2017-08-23 18:07:28.000000000 +0000
-+++ include/sudo_event.h
-@@ -19,6 +19,7 @@
-
- #include <signal.h> /* for sigatomic_t and NSIG */
- #include "sudo_queue.h"
-+#include <sys/time.h> /* timeval */
-
- /* Event types */
- #define SUDO_EV_TIMEOUT 0x01 /* fire after timeout */
diff --git a/security/sudo/patches/patch-lib_util_sig2str.c b/security/sudo/patches/patch-lib_util_sig2str.c
deleted file mode 100644
index 831d865c826..00000000000
--- a/security/sudo/patches/patch-lib_util_sig2str.c
+++ /dev/null
@@ -1,23 +0,0 @@
-$NetBSD: patch-lib_util_sig2str.c,v 1.1 2019/10/14 20:05:58 maya Exp $
-
-Handle sysconf(_SC_RTSIG_MAX) not existing (netbsd):
-just assume the static limits is good enough.
-
---- lib/util/sig2str.c.orig 2019-10-10 16:33:03.000000000 +0000
-+++ lib/util/sig2str.c
-@@ -65,6 +65,7 @@ sudo_sig2str(int signo, char *signame)
- #if defined(SIGRTMIN) && defined(SIGRTMAX)
- /* Realtime signal support. */
- if (signo >= SIGRTMIN && signo <= SIGRTMAX) {
-+#ifdef _SC_RTSIG_MAX
- const long rtmax = sysconf(_SC_RTSIG_MAX);
- if (rtmax > 0) {
- if (signo == SIGRTMIN) {
-@@ -79,6 +80,7 @@ sudo_sig2str(int signo, char *signame)
- (SIGRTMAX - signo));
- }
- }
-+#endif
- return 0;
- }
- #endif
diff --git a/security/sudo/patches/patch-lib_util_str2sig.c b/security/sudo/patches/patch-lib_util_str2sig.c
deleted file mode 100644
index 49a26d449ac..00000000000
--- a/security/sudo/patches/patch-lib_util_str2sig.c
+++ /dev/null
@@ -1,31 +0,0 @@
-$NetBSD: patch-lib_util_str2sig.c,v 1.2 2019/10/16 20:25:21 maya Exp $
-
-Handle sysconf(_SC_RTSIG_MAX) not existing (netbsd):
-just assume the static limits is good enough.
-
---- lib/util/str2sig.c.orig 2019-10-10 16:33:03.000000000 +0000
-+++ lib/util/str2sig.c
-@@ -112,7 +112,11 @@ sudo_str2sig(const char *signame, int *r
- }
- if (signame[5] == '+') {
- if (isdigit((unsigned char)signame[6])) {
-+#ifdef _SC_RTSIG_MAX
- const long rtmax = sysconf(_SC_RTSIG_MAX);
-+#else
-+ const long rtmax = SIGRTMAX - SIGRTMIN;
-+#endif
- const int off = signame[6] - '0';
-
- if (rtmax > 0 && off < rtmax / 2) {
-@@ -131,7 +135,11 @@ sudo_str2sig(const char *signame, int *r
- }
- if (signame[5] == '-') {
- if (isdigit((unsigned char)signame[6])) {
-+#ifdef _SC_RTSIG_MAX
- const long rtmax = sysconf(_SC_RTSIG_MAX);
-+#else
-+ const long rtmax = SIGRTMAX - SIGRTMIN;
-+#endif
- const int off = signame[6] - '0';
-
- if (rtmax > 0 && off < rtmax / 2) {
diff --git a/security/sudo/patches/patch-plugins_sudoers_Makefile.in b/security/sudo/patches/patch-plugins_sudoers_Makefile.in
index c3e735cf49b..88acff799ce 100644
--- a/security/sudo/patches/patch-plugins_sudoers_Makefile.in
+++ b/security/sudo/patches/patch-plugins_sudoers_Makefile.in
@@ -1,11 +1,11 @@
-$NetBSD: patch-plugins_sudoers_Makefile.in,v 1.2 2019/12/15 18:42:10 adam Exp $
+$NetBSD: patch-plugins_sudoers_Makefile.in,v 1.2.4.1 2020/02/09 19:21:38 bsiegert Exp $
Do not install the sudoers file to etc.
---- plugins/sudoers/Makefile.in.orig 2019-10-28 12:28:53.000000000 +0000
-+++ plugins/sudoers/Makefile.in
-@@ -394,7 +394,7 @@ pre-install:
- ./visudo -c -f $(sudoersdir)/sudoers; \
+--- plugins/sudoers/Makefile.in.orig 2019-12-25 21:21:05.000000000 +0200
++++ plugins/sudoers/Makefile.in 2019-12-28 22:01:00.540953438 +0200
+@@ -396,7 +396,7 @@
+ fi; \
fi
-install: install-plugin install-binaries install-sudoers install-doc
diff --git a/security/sudo/patches/patch-plugins_sudoers_logging.c b/security/sudo/patches/patch-plugins_sudoers_logging.c
deleted file mode 100644
index 6d2722874b8..00000000000
--- a/security/sudo/patches/patch-plugins_sudoers_logging.c
+++ /dev/null
@@ -1,16 +0,0 @@
-$NetBSD: patch-plugins_sudoers_logging.c,v 1.2 2018/03/07 09:17:06 adam Exp $
-
-Make sure CODESET is actually defined, for the sake of
-old NetBSD versions
-
---- plugins/sudoers/logging.c.orig 2015-10-31 23:35:25.000000000 +0000
-+++ plugins/sudoers/logging.c
-@@ -722,7 +722,7 @@ send_mail(const char *fmt, ...)
- (void) fputc(*p, mail);
- }
-
--#ifdef HAVE_NL_LANGINFO
-+#if defined(HAVE_NL_LANGINFO) && defined(CODESET)
- if (strcmp(def_sudoers_locale, "C") != 0)
- (void) fprintf(mail, "\nContent-Type: text/plain; charset=\"%s\"\nContent-Transfer-Encoding: 8bit", nl_langinfo(CODESET));
- #endif /* HAVE_NL_LANGINFO */
diff --git a/security/sudo/patches/patch-plugins_sudoers_starttime.c b/security/sudo/patches/patch-plugins_sudoers_starttime.c
deleted file mode 100644
index d6d81642fea..00000000000
--- a/security/sudo/patches/patch-plugins_sudoers_starttime.c
+++ /dev/null
@@ -1,15 +0,0 @@
-$NetBSD: patch-plugins_sudoers_starttime.c,v 1.2 2019/12/15 18:42:10 adam Exp $
-
-Fix a typo.
-
---- plugins/sudoers/starttime.c.orig 2019-10-28 12:28:52.000000000 +0000
-+++ plugins/sudoers/starttime.c
-@@ -31,7 +31,7 @@
-
- #include <sys/types.h>
- #include <sys/stat.h>
--#if defined(HAVE_KINFO_PROC_44BSD) || defined (HAVE_KINFO_PROC_OPENBSD) || defined(HAVE_KINFO_PROC2_NETBSD2)
-+#if defined(HAVE_KINFO_PROC_44BSD) || defined (HAVE_KINFO_PROC_OPENBSD) || defined(HAVE_KINFO_PROC2_NETBSD)
- # include <sys/sysctl.h>
- #elif defined(HAVE_KINFO_PROC_FREEBSD)
- # include <sys/param.h>
diff --git a/security/sudo/patches/patch-plugins_sudoers_sudoers.c b/security/sudo/patches/patch-plugins_sudoers_sudoers.c
deleted file mode 100644
index 8d122222734..00000000000
--- a/security/sudo/patches/patch-plugins_sudoers_sudoers.c
+++ /dev/null
@@ -1,37 +0,0 @@
-$NetBSD: patch-plugins_sudoers_sudoers.c,v 1.1 2019/12/18 15:56:11 kim Exp $
-
-Indicate the resource for which get/setrlimit fails.
-Make the code match what src/limits.c does.
-
---- plugins/sudoers/sudoers.c.orig 2019-10-28 14:28:53.000000000 +0200
-+++ plugins/sudoers/sudoers.c 2019-12-18 15:41:53.019149463 +0200
-@@ -123,16 +123,15 @@
- unlimit_nproc(void)
- {
- #ifdef __linux__
-- struct rlimit rl;
-+ struct rlimit rl = { RLIM_INFINITY, RLIM_INFINITY };
- debug_decl(unlimit_nproc, SUDOERS_DEBUG_UTIL)
-
- if (getrlimit(RLIMIT_NPROC, &nproclimit) != 0)
-- sudo_warn("getrlimit");
-- rl.rlim_cur = rl.rlim_max = RLIM_INFINITY;
-- if (setrlimit(RLIMIT_NPROC, &rl) != 0) {
-+ sudo_warn("getrlimit(RLIMIT_NPROC)");
-+ if (setrlimit(RLIMIT_NPROC, &rl) == -1) {
- rl.rlim_cur = rl.rlim_max = nproclimit.rlim_max;
- if (setrlimit(RLIMIT_NPROC, &rl) != 0)
-- sudo_warn("setrlimit");
-+ sudo_warn("setrlimit(RLIMIT_NPROC)");
- }
- debug_return;
- #endif /* __linux__ */
-@@ -148,7 +147,7 @@
- debug_decl(restore_nproc, SUDOERS_DEBUG_UTIL)
-
- if (setrlimit(RLIMIT_NPROC, &nproclimit) != 0)
-- sudo_warn("setrlimit");
-+ sudo_warn("setrlimit(RLIMIT_NPROC)");
-
- debug_return;
- #endif /* __linux__ */
diff --git a/security/sudo/patches/patch-src_Makefile.in b/security/sudo/patches/patch-src_Makefile.in
index 420b225b0c3..a790d0e57e2 100644
--- a/security/sudo/patches/patch-src_Makefile.in
+++ b/security/sudo/patches/patch-src_Makefile.in
@@ -1,10 +1,10 @@
-$NetBSD: patch-src_Makefile.in,v 1.3 2018/03/07 09:17:06 adam Exp $
+$NetBSD: patch-src_Makefile.in,v 1.3.18.1 2020/02/09 19:21:38 bsiegert Exp $
* install the suid sudo without write-bits
---- src/Makefile.in.orig 2015-10-31 23:35:25.000000000 +0000
-+++ src/Makefile.in
-@@ -198,7 +198,7 @@ install-rc: install-dirs
+--- src/Makefile.in.orig 2019-12-10 15:11:46.000000000 +0200
++++ src/Makefile.in 2019-12-28 21:51:27.794734242 +0200
+@@ -219,7 +219,7 @@
fi
install-binaries: install-dirs $(PROGS)
diff --git a/security/sudo/patches/patch-src_limits.c b/security/sudo/patches/patch-src_limits.c
deleted file mode 100644
index b7ea3d6f062..00000000000
--- a/security/sudo/patches/patch-src_limits.c
+++ /dev/null
@@ -1,126 +0,0 @@
-$NetBSD: patch-src_limits.c,v 1.2 2019/12/19 16:59:44 kim Exp $
-
-* Disable RLIMIT_STACK on NetBSD, see https://gnats.netbsd.org/51158
-* Indicate the name of the resource for which setrlimit fails.
-* Simplify resource limit fallback logic a bit.
-* Don't set the RLIMIT_STACK soft/hard limits to unlimited.
-* macOS does not allow rlim_cur to be set to RLIM_INFINITY for RLIMIT_NOFILE.
-
---- src/limits.c.orig 2019-10-28 14:28:52.000000000 +0200
-+++ src/limits.c 2019-12-19 18:52:11.232251175 +0200
-@@ -37,28 +37,48 @@
- #ifdef __linux__
- # include <sys/prctl.h>
- #endif
-+#include <limits.h>
-
- #include "sudo.h"
-
-+#if defined(OPEN_MAX) && OPEN_MAX > 256
-+# define SUDO_OPEN_MAX OPEN_MAX
-+#else
-+# define SUDO_OPEN_MAX 256
-+#endif
-+
-+/*
-+ * macOS doesn't allow nofile soft limit to be infinite or
-+ * the stack hard limit to be infinite.
-+ * Linux containers have a problem with an infinite stack soft limit.
-+ */
-+static struct rlimit nofile_fallback = { SUDO_OPEN_MAX, RLIM_INFINITY };
-+static struct rlimit stack_fallback = { 8192 * 1024, 65532 * 1024 };
-+
- static struct saved_limit {
-+ char *name;
- int resource;
- bool saved;
-- struct rlimit limit;
-+ struct rlimit *fallback;
-+ struct rlimit newlimit;
-+ struct rlimit oldlimit;
- } saved_limits[] = {
- #ifdef RLIMIT_AS
-- { RLIMIT_AS },
-+ { "RLIMIT_AS", RLIMIT_AS, false, NULL, { RLIM_INFINITY, RLIM_INFINITY } },
- #endif
-- { RLIMIT_CPU },
-- { RLIMIT_DATA },
-- { RLIMIT_FSIZE },
-- { RLIMIT_NOFILE },
-+ { "RLIMIT_CPU", RLIMIT_CPU, false, NULL, { RLIM_INFINITY, RLIM_INFINITY } },
-+ { "RLIMIT_DATA", RLIMIT_DATA, false, NULL, { RLIM_INFINITY, RLIM_INFINITY } },
-+ { "RLIMIT_FSIZE", RLIMIT_FSIZE, false, NULL, { RLIM_INFINITY, RLIM_INFINITY } },
-+ { "RLIMIT_NOFILE", RLIMIT_NOFILE, false, &nofile_fallback, { RLIM_INFINITY, RLIM_INFINITY } },
- #ifdef RLIMIT_NPROC
-- { RLIMIT_NPROC },
-+ { "RLIMIT_NPROC", RLIMIT_NPROC, false, NULL, { RLIM_INFINITY, RLIM_INFINITY } },
- #endif
- #ifdef RLIMIT_RSS
-- { RLIMIT_RSS },
-+ { "RLIMIT_RSS", RLIMIT_RSS, false, NULL, { RLIM_INFINITY, RLIM_INFINITY } },
-+#endif
-+#ifndef __NetBSD__
-+ { "RLIMIT_STACK", RLIMIT_STACK, false, &stack_fallback, { 8192 * 1024, RLIM_INFINITY } }
- #endif
-- { RLIMIT_STACK }
- };
-
- static struct rlimit corelimit;
-@@ -160,21 +180,39 @@
- void
- unlimit_sudo(void)
- {
-- struct rlimit inf = { RLIM_INFINITY, RLIM_INFINITY };
- unsigned int idx;
-+ int rc;
- debug_decl(unlimit_sudo, SUDO_DEBUG_UTIL)
-
- /* Set resource limits to unlimited and stash the old values. */
- for (idx = 0; idx < nitems(saved_limits); idx++) {
- struct saved_limit *lim = &saved_limits[idx];
-- if (getrlimit(lim->resource, &lim->limit) == -1)
-+ if (getrlimit(lim->resource, &lim->oldlimit) == -1)
- continue;
- lim->saved = true;
-- if (setrlimit(lim->resource, &inf) == -1) {
-- struct rlimit rl = lim->limit;
-- rl.rlim_cur = rl.rlim_max;
-- if (setrlimit(lim->resource, &rl) == -1)
-- sudo_warn("setrlimit(%d)", lim->resource);
-+ if (lim->newlimit.rlim_cur != RLIM_INFINITY) {
-+ /* Don't reduce the soft resource limit. */
-+ if (lim->oldlimit.rlim_cur == RLIM_INFINITY ||
-+ lim->oldlimit.rlim_cur > lim->newlimit.rlim_cur)
-+ lim->newlimit.rlim_cur = lim->oldlimit.rlim_cur;
-+ }
-+ if (lim->newlimit.rlim_max != RLIM_INFINITY) {
-+ /* Don't reduce the hard resource limit. */
-+ if (lim->oldlimit.rlim_max == RLIM_INFINITY ||
-+ lim->oldlimit.rlim_max > lim->newlimit.rlim_max)
-+ lim->newlimit.rlim_max = lim->oldlimit.rlim_max;
-+ }
-+ if ((rc = setrlimit(lim->resource, &lim->newlimit)) == -1) {
-+ if (lim->fallback != NULL)
-+ rc = setrlimit(lim->resource, lim->fallback);
-+ if (rc == -1) {
-+ /* Try setting new rlim_cur to old rlim_max. */
-+ lim->newlimit.rlim_cur = lim->oldlimit.rlim_max;
-+ lim->newlimit.rlim_max = lim->oldlimit.rlim_max;
-+ rc = setrlimit(lim->resource, &lim->newlimit);
-+ }
-+ if (rc == -1)
-+ sudo_warn("setrlimit(%s)", lim->name);
- }
- }
-
-@@ -194,8 +232,8 @@
- for (idx = 0; idx < nitems(saved_limits); idx++) {
- struct saved_limit *lim = &saved_limits[idx];
- if (lim->saved) {
-- if (setrlimit(lim->resource, &lim->limit) == -1)
-- sudo_warn("setrlimit(%d)", lim->resource);
-+ if (setrlimit(lim->resource, &lim->oldlimit) == -1)
-+ sudo_warn("setrlimit(%s)", lim->name);
- }
- }
- restore_coredump();