author: taca <taca@pkgsrc.org> 2016-09-12 17:12:24 +0000
committer: taca <taca@pkgsrc.org> 2016-09-12 17:12:24 +0000
commit: 6fba91cc45b2cbbfa1a72499019b8e92992f4e92
tree: 86db5683ea4974ab42cffacb3ba84cbf3a909f18 /security
parent: 061f0d17d626db301a399437b0a431886ccad8a7
Update sudo to 1.8.17p1.

What's new in Sudo 1.8.17p1

* Fixed a bug introduced in 1.8.17 where the user's groups were not set on systems that don't use PAM. Bug #749.

What's new in Sudo 1.8.17

* On AIX, if /etc/security/login.cfg has auth_type set to PAM_AUTH but pam_start(3) fails, fall back to AIX authentication. Bug #740.
* Sudo now takes all sudoers sources into account when determining whether or not "sudo -l" or "sudo -b" should prompt for a password. In other words, if both file and ldap sudoers sources are specified in /etc/nsswitch.conf, "sudo -v" will now require that all entries in both sources have NOPASSWD (file) or !authenticate (ldap) in the entries.
* Sudo now ignores SIGPIPE until the command is executed. Previously, SIGPIPE was only ignored in a few select places. Bug #739.
* Fixed a bug introduced in sudo 1.8.14 where (non-syslog) log file entries were missing the newline when loglinelen is set to a non-positive number. Bug #742.
* Unix groups are now set before the plugin session initialization code is run. This makes it possible to use dynamic groups with the Linux-PAM pam_group module.
* Fixed a bug where a debugging statement could dereference a NULL pointer when looking up a group that doesn't exist. Bug #743.
* Sudo has been run through the Coverity code scanner. A number of minor bugs have been fixed as a result. None were security issues.
* SELinux support, which was broken in 1.8.16, has been repaired.
* Fixed a bug when logging I/O where all output buffers might not get flushed at exit.
* Forward slashes are no longer escaped in the JSON output of "visudo -x". This was never required by the standard and not escaping them improves readability of the output.
* Sudo no longer treats PAM_SESSION_ERR as a fatal error when opening the PAM session. Other errors from pam_open_session() are still treated as fatal. This avoids the "policy plugin failed session initialization" error message seen on some systems.
* Korean translation for sudo and sudoers from translationproject.org.
* Fixed a bug on AIX where the stack size hard resource limit was being set to 2GB instead of 4GB on 64-bit systems.
* The SSSD backend now properly supports "sudo -U otheruser -l".
* The SSSD backend now uses the value of "ipa_hostname" from sssd.conf, if specified, when matching the host name.
* Fixed a hang on some systems when the command is being run in a pty and it failed to execute.
* When performing a wildcard match in sudoers, check for an exact string match if the user command was fully-qualified (or resolved via the PATH). This fixes an issue executing scripts on Linux when there are multiple wildcard matches with the same base name. Bug #746.

What's new in Sudo 1.8.16

* Fixed a compilation error on Solaris 10 with Sun Studio 12. Bug #727.
* When preserving variables from the invoking user's environment, if there are duplicates sudo now only keeps the first instance.
* Fixed a bug that could cause warning mail to be sent in list mode (sudo -l) for users without sudo privileges when the LDAP and sssd backends are used.
* Fixed a bug that prevented the "mail_no_user" option from working properly with the LDAP backend.
* In the LDAP and sssd backends, white space is now ignored between an operator (!, +, +=, -=) when parsing a sudoOption.
* It is now possible to disable Path settings in sudo.conf by omitting the path name.
* The sudoedit_checkdir Defaults option is now enabled by default and has been extended. When editing files with sudoedit, each directory in the path to be edited is now checked. If a directory is writable by the invoking user, symbolic links will not be followed. If the parent directory of the file to be edited is writable, sudoedit will refuse to edit it. Bug #707.
* The netgroup_tuple Defaults option has been added to enable matching of the entire netgroup tuple, not just the host or user portion. Bug #717.
* When matching commands based on the SHA2 digest, sudo will now use fexecve(2) to execute the command if it is available. This fixes a time of check versus time of use race condition when the directory holding the command is writable by the invoking user.
* On AIX systems, sudo now caches the auth registry string along with password and group information. This fixes a potential problem when a user or group of the same name exists in multiple auth registries. For example, local and LDAP.
* Fixed a crash in the SSSD backend when the invoking user is not found. Bug #732.
* Added the --enable-asan configure flag to enable address sanitizer support. A few minor memory leaks have been plugged to quiet the ASAN leak detector.
* The value of _PATH_SUDO_CONF may once again be overridden via the Makefile. Bug #735.
* The sudoers2ldif script now handles multiple roles with the same name.
* Fixed a compilation error on systems that have the posix_spawn() and posix_spawnp() functions but an unusable spawn.h header. Bug #730.
* Fixed support for negating character classes in sudo's version of the fnmatch() function.
* Fixed a bug in the LDAP and SSSD backends that could allow an unauthorized user to list another user's privileges. Bug #738.
* The PAM conversation function now works around an ambiguity in the PAM spec with respect to multiple messages. Bug #726.

Diffstat (limited to 'security')
-rw-r--r--  security/sudo/Makefile          5
-rw-r--r--  security/sudo/distinfo         14
-rw-r--r--  security/sudo/patches/patch-af 18
-rw-r--r--  security/sudo/patches/patch-ag 26
4 files changed, 31 insertions, 32 deletions

diff --git a/security/sudo/Makefile b/security/sudo/Makefile
index c5723fb1ab6..835ea6969f9 100644
--- a/security/sudo/Makefile
+++ b/security/sudo/Makefile
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.151 2016/03/05 11:29:27 jperkin Exp $
+# $NetBSD: Makefile,v 1.152 2016/09/12 17:12:24 taca Exp $
-DISTNAME= sudo-1.8.15
-PKGREVISION= 1
+DISTNAME= sudo-1.8.17p1
CATEGORIES= security
MASTER_SITES= http://www.sudo.ws/dist/ \
ftp://ftp.sudo.ws/pub/sudo/ \
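Review bot: MASTER_SITES in the unchanged context of this hunk still lists only http://www.sudo.ws/dist/ and ftp://ftp.sudo.ws/pub/sudo/, so the new sudo-1.8.17p1 tarball is fetched over cleartext transports and the distinfo digests are the only integrity check on it. While the Makefile is being touched for the version bump, consider listing an HTTPS location first if upstream offers one. Dropping PKGREVISION together with the DISTNAME change is correct for a new upstream version.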
diff --git a/security/sudo/distinfo b/security/sudo/distinfo
index 3aae910d112..33125ef6439 100644
--- a/security/sudo/distinfo
+++ b/security/sudo/distinfo
@@ -1,12 +1,12 @@
-$NetBSD: distinfo,v 1.86 2016/01/09 11:22:12 adam Exp $
+$NetBSD: distinfo,v 1.87 2016/09/12 17:12:24 taca Exp $
-SHA1 (sudo-1.8.15.tar.gz) = acb5ff3f38fa9e0365f6a91a6620b9846e2ad843
-RMD160 (sudo-1.8.15.tar.gz) = 676ee3249c2ddacd64de54d6555b820912b56f6f
-SHA512 (sudo-1.8.15.tar.gz) = f2bff92104ddc4cbea8c788da446043cbfe02c977cedf18d46b1c82e98d7227432cb5a61233e7a06af84e3637f906edd5e02bb88c03a2ce4a16df410469a5dab
-Size (sudo-1.8.15.tar.gz) = 2660128 bytes
+SHA1 (sudo-1.8.17p1.tar.gz) = e9bb729513cd15e99def42019c35917bc9a73536
+RMD160 (sudo-1.8.17p1.tar.gz) = c3af867a6047c21614c4550534fa2566d6540913
+SHA512 (sudo-1.8.17p1.tar.gz) = e9facd2d5578d4effb516931322b5f4f9578baa779cba281d36a3d0995b1fd9d085d6b141544b3dc698569fa294163bbad9f779166a05a0f18f4ad81a630b954
+Size (sudo-1.8.17p1.tar.gz) = 2786618 bytes
SHA1 (patch-aa) = 63c89e6d4e530ab92b7452f4025fbbf2a45dad65
-SHA1 (patch-af) = 9ef912344d9cd4c3811a4d705d3424cd88621710
-SHA1 (patch-ag) = c62f063ffc9e8fb3fce7c94a8cba531ecb8b76ff
+SHA1 (patch-af) = 19c7cb41432404050c2452c3c53f2e4f588b3ab1
+SHA1 (patch-ag) = cb03a0a7daf4b5ef203f23726ad3a335b712a718
SHA1 (patch-plugins_sudoers_Makefile.in) = d8612ac7bf2f5a892d9720c4df91810ca807f4ed
SHA1 (patch-plugins_sudoers_logging.c) = a42e54af2b6057804aecb3b6a48c565e8ac4df82
SHA1 (patch-src_Makefile.in) = 43f7266d3d106fca69003ee040342c3b201fd262
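Review bot: the four replaced sudo-1.8.17p1.tar.gz lines (SHA1, RMD160, SHA512, Size) are taken on trust, because the commit message reproduces the upstream release notes but does not say the tarball was checked against an upstream-published checksum or signature before the digests were regenerated. For a setuid-root package, a one-line statement of how the distfile was verified would be worth adding to the commit message. The changed patch-af and patch-ag SHA1 entries correspond to the two patch files modified later in this commit, and the entries for the other patches are correctly left untouched.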
diff --git a/security/sudo/patches/patch-af b/security/sudo/patches/patch-af
index 84644ceb55f..b3652283925 100644
--- a/security/sudo/patches/patch-af
+++ b/security/sudo/patches/patch-af
@@ -1,4 +1,4 @@
-$NetBSD: patch-af,v 1.32 2016/01/01 17:00:49 spz Exp $
+$NetBSD: patch-af,v 1.33 2016/09/12 17:12:24 taca Exp $
* Add "--with-nbsdops" option, NetBSD standard options.
* Link with util(3) in the case of DragonFly, too.
@@ -7,9 +7,9 @@ $NetBSD: patch-af,v 1.32 2016/01/01 17:00:49 spz Exp $
functions (HAVE_KRB5_*).
* Remove setting sysconfdir to "/etc".
---- configure.ac.orig 2015-10-31 23:35:24.000000000 +0000
+--- configure.ac.orig 2016-06-22 16:36:23.000000000 +0000
+++ configure.ac
-@@ -434,6 +434,20 @@ AC_ARG_WITH(csops, [AS_HELP_STRING([--wi
+@@ -439,6 +439,20 @@ AC_ARG_WITH(csops, [AS_HELP_STRING([--wi
;;
esac])
@@ -30,7 +30,7 @@ $NetBSD: patch-af,v 1.32 2016/01/01 17:00:49 spz Exp $
AC_ARG_WITH(passwd, [AS_HELP_STRING([--without-passwd], [don't use passwd/shadow file for authentication])],
[case $with_passwd in
yes|no) AC_MSG_CHECKING(whether to use shadow/passwd file authentication)
-@@ -1938,7 +1952,7 @@ case "$host" in
+@@ -1951,7 +1965,7 @@ case "$host" in
: ${mansectsu='1m'}
: ${mansectform='4'}
;;
@@ -39,7 +39,7 @@ $NetBSD: patch-af,v 1.32 2016/01/01 17:00:49 spz Exp $
shadow_funcs="getspnam"
test -z "$with_pam" && AUTH_EXCL_DEF="PAM"
;;
-@@ -2286,7 +2300,7 @@ SUDO_MAILDIR
+@@ -2299,7 +2313,7 @@ SUDO_MAILDIR
if test ${with_logincap-'no'} != "no"; then
AC_CHECK_HEADERS([login_cap.h], [LOGINCAP_USAGE='[[-c class]] '; LCMAN=1
case "$OS" in
@@ -48,7 +48,7 @@ $NetBSD: patch-af,v 1.32 2016/01/01 17:00:49 spz Exp $
SUDO_LIBS="${SUDO_LIBS} -lutil"
SUDOERS_LIBS="${SUDOERS_LIBS} -lutil"
;;
-@@ -3374,6 +3388,8 @@ if test ${with_kerb5-'no'} != "no"; then
+@@ -3381,6 +3395,8 @@ if test ${with_kerb5-'no'} != "no"; then
])
AUTH_OBJS="$AUTH_OBJS kerb5.lo"
fi
@@ -57,12 +57,12 @@ $NetBSD: patch-af,v 1.32 2016/01/01 17:00:49 spz Exp $
_LIBS="$LIBS"
LIBS="${LIBS} ${SUDOERS_LIBS}"
AC_CHECK_FUNCS([krb5_verify_user krb5_init_secure_context])
-@@ -4167,7 +4183,7 @@ test "$datarootdir" = '${prefix}/share'
+@@ -4220,7 +4236,7 @@ test "$datarootdir" = '${prefix}/share'
test "$docdir" = '${datarootdir}/doc/${PACKAGE_TARNAME}' && docdir='$(datarootdir)/doc/$(PACKAGE_TARNAME)'
test "$localedir" = '${datarootdir}/locale' && localedir='$(datarootdir)/locale'
test "$localstatedir" = '${prefix}/var' && localstatedir='$(prefix)/var'
--test "$sysconfdir" = '${prefix}/etc' -a X"$with_stow" != X"yes" && sysconfdir='/etc'
-+dnl test "$sysconfdir" = '${prefix}/etc' -a X"$with_stow" != X"yes" && sysconfdir='/etc'
+-test "$sysconfdir" = '${prefix}/etc' && sysconfdir='/etc'
++dnl test "$sysconfdir" = '${prefix}/etc' && sysconfdir='/etc'
dnl
dnl Substitute into the Makefile and man pages
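Review bot: in the last configure.ac hunk the sysconfdir override is disabled by prefixing it with dnl, and the only explanation in the patch header is 'Remove setting sysconfdir to "/etc"'. With that line disabled, sysconfdir stays at ${prefix}/etc, which moves the default sudoers location under the package prefix, so the header should say why this is wanted and that the resulting directory has to be root-owned and not writable by other users. The remaining changes in this file are timestamp and offset refreshes plus tracking upstream's removal of the -a X"$with_stow" != X"yes" clause, and look mechanical.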
diff --git a/security/sudo/patches/patch-ag b/security/sudo/patches/patch-ag
index 6491ce7fb55..7cbdebdc964 100644
--- a/security/sudo/patches/patch-ag
+++ b/security/sudo/patches/patch-ag
@@ -1,4 +1,4 @@
-$NetBSD: patch-ag,v 1.23 2016/01/01 17:00:49 spz Exp $
+$NetBSD: patch-ag,v 1.24 2016/09/12 17:12:24 taca Exp $
* Add "--with-nbsdops" option, NetBSD standard options.
* Link with util(3) in the case of DragonFly, too.
@@ -7,9 +7,9 @@ $NetBSD: patch-ag,v 1.23 2016/01/01 17:00:49 spz Exp $
functions (HAVE_KRB5_*).
* Remove setting sysconfdir to "/etc".
---- configure.orig 2015-10-31 23:35:24.000000000 +0000
+--- configure.orig 2016-06-22 16:36:22.000000000 +0000
+++ configure
-@@ -1561,7 +1561,7 @@ Fine tuning of the installation director
+@@ -1562,7 +1562,7 @@ Fine tuning of the installation director
--bindir=DIR user executables [EPREFIX/bin]
--sbindir=DIR system admin executables [EPREFIX/sbin]
--libexecdir=DIR program executables [EPREFIX/libexec]
@@ -18,15 +18,15 @@ $NetBSD: patch-ag,v 1.23 2016/01/01 17:00:49 spz Exp $
--sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]
--localstatedir=DIR modifiable single-machine data [PREFIX/var]
--libdir=DIR object code libraries [EPREFIX/lib]
-@@ -1658,6 +1658,7 @@ Optional Packages:
+@@ -1661,6 +1661,7 @@ Optional Packages:
--with-libraries additional libraries to link with
--with-efence link with -lefence for malloc() debugging
--with-csops add CSOps standard options
+ --with-nbsdops add NetBSD standard options
--without-passwd don't use passwd/shadow file for authentication
- --with-skey=DIR enable S/Key support
- --with-opie=DIR enable OPIE support
-@@ -4482,6 +4483,22 @@ $as_echo "$as_me: WARNING: Ignoring unkn
+ --with-skey[=DIR] enable S/Key support
+ --with-opie[=DIR] enable OPIE support
+@@ -4499,6 +4500,22 @@ $as_echo "$as_me: WARNING: Ignoring unkn
esac
fi
@@ -49,7 +49,7 @@ $NetBSD: patch-ag,v 1.23 2016/01/01 17:00:49 spz Exp $
# Check whether --with-passwd was given.
-@@ -15163,7 +15180,7 @@ fi
+@@ -15209,7 +15226,7 @@ fi
: ${mansectsu='1m'}
: ${mansectform='4'}
;;
@@ -58,7 +58,7 @@ $NetBSD: patch-ag,v 1.23 2016/01/01 17:00:49 spz Exp $
shadow_funcs="getspnam"
test -z "$with_pam" && AUTH_EXCL_DEF="PAM"
;;
-@@ -17182,7 +17199,7 @@ if test "x$ac_cv_header_login_cap_h" = x
+@@ -17228,7 +17245,7 @@ if test "x$ac_cv_header_login_cap_h" = x
_ACEOF
LOGINCAP_USAGE='[-c class] '; LCMAN=1
case "$OS" in
@@ -67,7 +67,7 @@ $NetBSD: patch-ag,v 1.23 2016/01/01 17:00:49 spz Exp $
SUDO_LIBS="${SUDO_LIBS} -lutil"
SUDOERS_LIBS="${SUDOERS_LIBS} -lutil"
;;
-@@ -21870,6 +21887,8 @@ fi
+@@ -21839,6 +21856,8 @@ fi
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
AUTH_OBJS="$AUTH_OBJS kerb5.lo"
fi
@@ -76,12 +76,12 @@ $NetBSD: patch-ag,v 1.23 2016/01/01 17:00:49 spz Exp $
_LIBS="$LIBS"
LIBS="${LIBS} ${SUDOERS_LIBS}"
for ac_func in krb5_verify_user krb5_init_secure_context
-@@ -24184,7 +24203,7 @@ test "$datarootdir" = '${prefix}/share'
+@@ -24341,7 +24360,7 @@ test "$datarootdir" = '${prefix}/share'
test "$docdir" = '${datarootdir}/doc/${PACKAGE_TARNAME}' && docdir='$(datarootdir)/doc/$(PACKAGE_TARNAME)'
test "$localedir" = '${datarootdir}/locale' && localedir='$(datarootdir)/locale'
test "$localstatedir" = '${prefix}/var' && localstatedir='$(prefix)/var'
--test "$sysconfdir" = '${prefix}/etc' -a X"$with_stow" != X"yes" && sysconfdir='/etc'
-+# test "$sysconfdir" = '${prefix}/etc' -a X"$with_stow" != X"yes" && sysconfdir='/etc'
+-test "$sysconfdir" = '${prefix}/etc' && sysconfdir='/etc'
++# test "$sysconfdir" = '${prefix}/etc' && sysconfdir='/etc'
if test X"$INIT_SCRIPT" != X""; then
ac_config_files="$ac_config_files init.d/$INIT_SCRIPT"
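Review bot: patch-ag hand-edits the generated configure script to mirror what patch-af does to configure.ac, and this commit shows the maintenance cost: every hunk offset had to be refreshed separately in both files, and the same sysconfdir line is disabled with dnl in one and with # in the other. Consider regenerating configure from the patched configure.ac during the build, or state in the patch-ag header that it is derived from patch-af so the two are always reviewed and updated together. As it stands, a future update that refreshes one file and misses a hunk in the other would silently change where the built sudo looks for its configuration.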