author | adam <adam@pkgsrc.org> | 2021-03-18 08:57:48 +0000 |
---|---|---|
committer | adam <adam@pkgsrc.org> | 2021-03-18 08:57:48 +0000 |
commit | 24e71e154f6cad88a4400cb59717e4cff01fce71 (patch) | |
tree | 1acb46af877667fb513812317067c4262ceceb43 /security/sudo/patches | |
parent | 3bcb80ea4e8a0cd914860b3fab234a708ae28898 (diff) | |
download | pkgsrc-24e71e154f6cad88a4400cb59717e4cff01fce71.tar.gz |
sudo: updated to 1.9.6p1
Major changes between version 1.9.6p1 and 1.9.6:
Fixed a regression introduced in sudo 1.9.6 that resulted in an error message instead of a usage message when sudo is run with no arguments.
Major changes between version 1.9.6 and 1.9.5p2:
Fixed a sudo_sendlog compilation problem with the AIX xlC compiler.
Fixed a regression introduced in sudo 1.9.4 where the --disable-root-mailer configure option had no effect.
Added a --disable-leaks configure option that avoids some memory leaks on exit that would otherwise occur. This is intended to be used with development tools that measure memory leaks. It is not safe to use in production at this time.
Plugged some memory leaks identified by oss-fuzz and ASAN.
Fixed the handling of sudoOptions for an LDAP sudoRole that contains multiple sudoCommands. Previously, some of the options would only be applied to the first sudoCommand.
Fixed a potential out of bounds read in the parsing of NOTBEFORE and NOTAFTER sudoers command options (and their LDAP equivalents).
The parser used for reading I/O log JSON files is now more resilient when processing invalid JSON.
Fixed typos that prevented make uninstall from working.
Fixed a regression introduced in sudo 1.9.4 where the last line in a sudoers file might not have a terminating NUL character added if no newline was present.
Integrated oss-fuzz and LLVM's libFuzzer with sudo. The new --enable-fuzzer configure option can be combined with the --enable-sanitizer option to build sudo with fuzzing support. Multiple fuzz targets are available for fuzzing different parts of sudo. Fuzzers are built and tested via make fuzz or as part of make check (even when sudo is not built with fuzzing support). Fuzzing support currently requires the LLVM clang compiler (not gcc).
Fixed the --enable-static-sudoers configure option.
Fixed a potential out of bounds read when sudo is run by a user with more groups than the value of max_groups in sudo.conf.
Added an admin_flag sudoers option to make the use of the ~/.sudo_as_admin_successful file configurable on systems where sudo is built with the --enable-admin-flag configure option. This mostly affects Ubuntu and its derivatives.
The max_groups setting in sudo.conf is now limited to 1024. This setting is obsolete and should no longer be needed.
Fixed a bug in the tilde expansion of CHROOT=dir and CWD=dir sudoers command options. A path ~/foo was expanded to /home/userfoo instead of /home/user/foo. This also affects the runchroot and runcwd Defaults settings.
Fixed a bug on systems without a native getdelim(3) function where very long lines could cause parsing of the sudoers file to end prematurely.
Fixed a potential integer overflow when converting the timestamp_timeout and passwd_timeout sudoers settings to a timespec struct.
The default for the group_source setting in sudo.conf is now dynamic on macOS. Recent versions of macOS do not reliably return all of a user's non-local groups via getgroups(2), even when _DARWIN_UNLIMITED_GETGROUPS is defined.
Fixed a potential use-after-free in the PAM conversation function.
Fixed potential redefinition of sys/stat.h macros in sudo_compat.h.
Diffstat (limited to 'security/sudo/patches')
-rw-r--r-- | security/sudo/patches/patch-configure | 82 | ||||
-rw-r--r-- | security/sudo/patches/patch-logsrvd_Makefile.in | 8 | ||||
-rw-r--r-- | security/sudo/patches/patch-plugins_sudoers_Makefile.in | 14 |
3 files changed, 29 insertions, 75 deletions
diff --git a/security/sudo/patches/patch-configure b/security/sudo/patches/patch-configure index c5d2a5145a2..3a4c4cd93ff 100644 --- a/security/sudo/patches/patch-configure +++ b/security/sudo/patches/patch-configure @@ -1,4 +1,4 @@ -$NetBSD: patch-configure,v 1.5 2021/01/30 11:06:45 spz Exp $ +$NetBSD: patch-configure,v 1.6 2021/03/18 08:57:48 adam Exp $ * Add "--with-nbsdops" option, NetBSD standard options. * Link with util(3) in the case of DragonFly, too. @@ -7,9 +7,9 @@ $NetBSD: patch-configure,v 1.5 2021/01/30 11:06:45 spz Exp $ functions (HAVE_KRB5_*). * Remove setting sysconfdir to "/etc". ---- configure.orig 2021-01-23 16:45:11.000000000 +0100 -+++ configure 2021-01-30 12:31:20.802349535 +0100 -@@ -892,6 +892,7 @@ with_libpath +--- configure.orig 2021-03-15 16:50:00.000000000 +0000 ++++ configure +@@ -920,6 +920,7 @@ with_libpath with_libraries with_efence with_csops @@ -17,7 +17,7 @@ $NetBSD: patch-configure,v 1.5 2021/01/30 11:06:45 spz Exp $ with_passwd with_skey with_opie -@@ -1621,7 +1622,7 @@ Fine tuning of the installation director +@@ -1652,7 +1653,7 @@ Fine tuning of the installation director --bindir=DIR user executables [EPREFIX/bin] --sbindir=DIR system admin executables [EPREFIX/sbin] --libexecdir=DIR program executables [EPREFIX/libexec] @@ -26,7 +26,7 @@ $NetBSD: patch-configure,v 1.5 2021/01/30 11:06:45 spz Exp $ --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] --localstatedir=DIR modifiable single-machine data [PREFIX/var] --runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run] -@@ -1737,6 +1738,7 @@ Optional Packages: +@@ -1776,6 +1777,7 @@ Optional Packages: --with-libraries additional libraries to link with --with-efence link with -lefence for malloc() debugging --with-csops add CSOps standard options 
@@ -34,7 +34,7 @@ $NetBSD: patch-configure,v 1.5 2021/01/30 11:06:45 spz Exp $ --without-passwd don't use passwd/shadow file for authentication --with-skey[=DIR] enable S/Key support --with-opie[=DIR] enable OPIE support -@@ -4863,6 +4865,23 @@ fi +@@ -5203,6 +5205,23 @@ fi @@ -56,9 +56,9 @@ $NetBSD: patch-configure,v 1.5 2021/01/30 11:06:45 spz Exp $ + + # Check whether --with-passwd was given. - if test "${with_passwd+set}" = set; then : - withval=$with_passwd; case $with_passwd in -@@ -15765,7 +15784,7 @@ fi + if test ${with_passwd+y} + then : +@@ -16699,7 +16718,7 @@ fi : ${mansectsu='1m'} : ${mansectform='4'} ;; 
@@ -67,71 +67,25 @@ $NetBSD: patch-configure,v 1.5 2021/01/30 11:06:45 spz Exp $ shadow_funcs="getspnam" test -z "$with_pam" && AUTH_EXCL_DEF="PAM" # Check for SECCOMP_SET_MODE_FILTER in linux/seccomp.h -@@ -18026,7 +18045,7 @@ if test "x$ac_cv_header_login_cap_h" = x - _ACEOF +@@ -18732,7 +18751,7 @@ then : + printf "%s\n" "#define HAVE_LOGIN_CAP_H 1" >>confdefs.h LOGINCAP_USAGE='[-c class] '; LCMAN=1 case "$OS" in -- freebsd|netbsd) -+ dragonfly*|freebsd|netbsd*) +- freebsd*|netbsd*) ++ dragonfly*|freebsd*|netbsd*) SUDO_LIBS="${SUDO_LIBS} -lutil" SUDOERS_LIBS="${SUDOERS_LIBS} -lutil" ;; -@@ -23965,10 +23984,9 @@ if test ${with_pam-"no"} != "no"; then - # Check for pam_start() in libpam first, then for pam_appl.h. - # - found_pam_lib=no -- as_ac_Lib=`$as_echo "ac_cv_lib_pam_pam_start$lt_cv_dlopen_libs" | $as_tr_sh` --{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for pam_start in -lpam" >&5 -+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pam_start in -lpam" >&5 - $as_echo_n "checking for pam_start in -lpam... 
" >&6; } --if eval \${$as_ac_Lib+:} false; then : -+if ${ac_cv_lib_pam_pam_start+:} false; then : - $as_echo_n "(cached) " >&6 - else - ac_check_lib_save_LIBS=$LIBS -@@ -23992,18 +24010,17 @@ return pam_start (); - } - _ACEOF - if ac_fn_c_try_link "$LINENO"; then : -- eval "$as_ac_Lib=yes" -+ ac_cv_lib_pam_pam_start=yes - else -- eval "$as_ac_Lib=no" -+ ac_cv_lib_pam_pam_start=no - fi - rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext - LIBS=$ac_check_lib_save_LIBS - fi --eval ac_res=\$$as_ac_Lib -- { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 --$as_echo "$ac_res" >&6; } --if eval test \"x\$"$as_ac_Lib"\" = x"yes"; then : -+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pam_pam_start" >&5 -+$as_echo "$ac_cv_lib_pam_pam_start" >&6; } -+if test "x$ac_cv_lib_pam_pam_start" = xyes; then : - found_pam_lib=yes - fi - -@@ -24738,6 +24755,8 @@ fi - rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +@@ -25528,6 +25547,8 @@ fi + rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext AUTH_OBJS="$AUTH_OBJS kerb5.lo" fi +fi +if test ${with_kerb5-'no'} != "no"; then _LIBS="$LIBS" LIBS="${LIBS} ${SUDOERS_LIBS}" - for ac_func in krb5_verify_user krb5_init_secure_context -@@ -27120,7 +27139,7 @@ fi - fi - - case "$OS" in -- netbsd) -+ netbsd*) - ;; - *) - { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -Wl,--enable-new-dtags" >&5 -@@ -28297,7 +28316,6 @@ test "$docdir" = '${datarootdir}/doc/${P + ac_fn_c_check_func "$LINENO" "krb5_verify_user" "ac_cv_func_krb5_verify_user" +@@ -29695,7 +29716,6 @@ test "$docdir" = '${datarootdir}/doc/${P test "$localedir" = '${datarootdir}/locale' && localedir='$(datarootdir)/locale' test "$localstatedir" = '${prefix}/var' && localstatedir='$(prefix)/var' test "$runstatedir" = '${localstatedir}/run' && runstatedir='$(localstatedir)/run' 
diff --git a/security/sudo/patches/patch-logsrvd_Makefile.in b/security/sudo/patches/patch-logsrvd_Makefile.in index aef850ead01..354c3bfbb96 100644 --- a/security/sudo/patches/patch-logsrvd_Makefile.in +++ b/security/sudo/patches/patch-logsrvd_Makefile.in @@ -1,12 +1,12 @@ -$NetBSD: patch-logsrvd_Makefile.in,v 1.1 2021/01/18 14:32:24 taca Exp $ +$NetBSD: patch-logsrvd_Makefile.in,v 1.2 2021/03/18 08:57:48 adam Exp $ Fix build error. ---- logsrvd/Makefile.in.orig 2021-01-09 20:12:16.000000000 +0000 +--- logsrvd/Makefile.in.orig 2021-03-13 15:47:23.000000000 +0000 +++ logsrvd/Makefile.in -@@ -46,7 +46,7 @@ INSTALL_BACKUP = @INSTALL_BACKUP@ +@@ -45,7 +45,7 @@ INSTALL_BACKUP = @INSTALL_BACKUP@ + # Libraries LT_LIBS = $(top_builddir)/lib/iolog/libsudo_iolog.la \ - $(top_builddir)/lib/eventlog/libsudo_eventlog.la \ $(top_builddir)/lib/logsrv/liblogsrv.la -LIBS = $(LT_LIBS) @LIBTLS@ +LIBS = $(LT_LIBS) @LIBTLS@ @LIBS@ diff --git a/security/sudo/patches/patch-plugins_sudoers_Makefile.in b/security/sudo/patches/patch-plugins_sudoers_Makefile.in index dccef64fa4b..64af6f980e5 100644 --- a/security/sudo/patches/patch-plugins_sudoers_Makefile.in +++ b/security/sudo/patches/patch-plugins_sudoers_Makefile.in 
@@ -1,26 +1,26 @@ -$NetBSD: patch-plugins_sudoers_Makefile.in,v 1.4 2021/01/18 14:32:24 taca Exp $ +$NetBSD: patch-plugins_sudoers_Makefile.in,v 1.5 2021/03/18 08:57:48 adam Exp $ * Do not install the sudoers file. * link with @LIBS@ for PKG_OPTIONS nls enabled case. ---- plugins/sudoers/Makefile.in.orig 2021-01-09 20:12:16.000000000 +0000 +--- plugins/sudoers/Makefile.in.orig 2021-03-13 15:47:23.000000000 +0000 +++ plugins/sudoers/Makefile.in -@@ -62,10 +62,10 @@ LIBUTIL = $(top_builddir)/lib/util/libsu +@@ -63,10 +63,10 @@ LIBUTIL = $(top_builddir)/lib/util/libsu LIBS = $(LIBUTIL) NET_LIBS = @NET_LIBS@ - SUDOERS_LIBS = @SUDOERS_LIBS@ @AFS_LIBS@ @GETGROUPS_LIB@ @LIBTLS@ $(NET_LIBS) $(LIBIOLOG) $(LIBEVENTLOG) $(LIBLOGSRV) --REPLAY_LIBS = @REPLAY_LIBS@ $(LIBEVENTLOG) $(LIBIOLOG) + SUDOERS_LIBS = @SUDOERS_LIBS@ @AFS_LIBS@ @GETGROUPS_LIB@ @LIBTLS@ $(NET_LIBS) $(LIBIOLOG) $(LIBLOGSRV) +-REPLAY_LIBS = @REPLAY_LIBS@ $(LIBIOLOG) -VISUDO_LIBS = $(NET_LIBS) -CVTSUDOERS_LIBS = $(NET_LIBS) -TESTSUDOERS_LIBS = $(NET_LIBS) -+REPLAY_LIBS = @REPLAY_LIBS@ $(LIBEVENTLOG) $(LIBIOLOG) @LIBS@ ++REPLAY_LIBS = @REPLAY_LIBS@ $(LIBIOLOG) @LIBS@ +VISUDO_LIBS = $(NET_LIBS) @LIBS@ +CVTSUDOERS_LIBS = $(NET_LIBS) @LIBS@ +TESTSUDOERS_LIBS = $(NET_LIBS) @LIBS@ # C preprocessor defines CPPDEFS = -DLIBDIR=\"$(libdir)\" -DLOCALEDIR=\"$(localedir)\" \ -@@ -390,7 +390,7 @@ pre-install: +@@ -483,7 +483,7 @@ pre-install: fi; \ fi |
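Review bot: In patch-configure, two local hunks disappear without any explanation: the pam_start check that replaced the as_ac_Lib eval with ac_cv_lib_pam_pam_start (old @@ -23965 and @@ -23992) and the netbsd) to netbsd*) change in front of the -Wl,--enable-new-dtags linker check (old @@ -27120). The commit message lists only upstream release notes, so a reader cannot tell whether these were dropped because 1.9.6p1 already carries them or because they no longer applied. Please state the reason in the commit log, and confirm on a NetBSD build with PAM enabled that found_pam_lib still ends up as yes and that the new-dtags probe is still skipped.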
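Review bot: In patch-logsrvd_Makefile.in the description is still only "Fix build error.", which does not say which error the added @LIBS@ on the LIBS line fixes or under which options it occurs. The sibling patch-plugins_sudoers_Makefile.in documents the same kind of change as "link with @LIBS@ for PKG_OPTIONS nls enabled case"; if the cause is the same here, reuse that wording so the next update can judge whether the patch is still needed.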
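Review bot: In patch-plugins_sudoers_Makefile.in, the REPLAY_LIBS line had to be re-rolled only because upstream removed $(LIBEVENTLOG) from it; the local change is still just the trailing @LIBS@. Replacing whole upstream lines for REPLAY_LIBS, VISUDO_LIBS, CVTSUDOERS_LIBS and TESTSUDOERS_LIBS means every upstream edit to those lines breaks the patch, so consider sending the @LIBS@ addition upstream. Also, SUDOERS_LIBS (visible as context) does not receive @LIBS@; the header should say whether the plugin itself is unaffected in the nls case or picks the library up some other way.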