sudo package pdate

Signed-off-by: basebuilder_pel7ppc64lebuilder0 <basebuilder@powerel.org>

SOURCES/sudo-1.8.23-pam-expired-passwords.patch

@@ -0,0 +1,103 @@
+
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller@sudo.ws>
+# Date 1544201494 25200
+# Node ID 656aa910fbaf0be517e012c9271c51eb85c1cca5
+# Parent  ef83f35c9cb090a8b4fd36942f1e47e65c285dce
+The fix for bug #843 was incomplete and caused pam_end() to be called early.
+sudo_pam_approval() must not set the global pam status to an error
+value if it returns AUTH_SUCCESS.  Otherwise, sudo_pam_cleanup()
+will call pam_end() before sudo_pam_begin_session().  This resulted
+in a NULL PAM handle being used in sudo_pam_begin_session().
+
+diff -r ef83f35c9cb0 -r 656aa910fbaf plugins/sudoers/auth/pam.c
+--- a/plugins/sudoers/auth/pam.c	Wed Dec 05 10:43:14 2018 -0700
++++ b/plugins/sudoers/auth/pam.c	Fri Dec 07 09:51:34 2018 -0700
+@@ -210,59 +210,68 @@
+ sudo_pam_approval(struct passwd *pw, sudo_auth *auth, bool exempt)
+ {
+     const char *s;
++    int rc, status = AUTH_SUCCESS;
+     int *pam_status = (int *) auth->data;
+     debug_decl(sudo_pam_approval, SUDOERS_DEBUG_AUTH)
+ 
+-    *pam_status = pam_acct_mgmt(pamh, PAM_SILENT);
+-    switch (*pam_status) {
++    rc = pam_acct_mgmt(pamh, PAM_SILENT);
++    switch (rc) {
+ 	case PAM_SUCCESS:
+-	    debug_return_int(AUTH_SUCCESS);
++	    break;
+ 	case PAM_AUTH_ERR:
+ 	    log_warningx(0, N_("account validation failure, "
+ 		"is your account locked?"));
+-	    debug_return_int(AUTH_FATAL);
++	    status = AUTH_FATAL;
++	    break;
+ 	case PAM_NEW_AUTHTOK_REQD:
+ 	    /* Ignore if user is exempt from password restrictions. */
+ 	    if (exempt)
+-		debug_return_int(AUTH_SUCCESS);
++		break;
+ 	    /* New password required, try to change it. */
+ 	    log_warningx(0, N_("Account or password is "
+ 		"expired, reset your password and try again"));
+-	    *pam_status = pam_chauthtok(pamh,
+-		PAM_CHANGE_EXPIRED_AUTHTOK);
+-	    if (*pam_status == PAM_SUCCESS)
+-		debug_return_int(AUTH_SUCCESS);
+-	    if ((s = pam_strerror(pamh, *pam_status)) == NULL)
++	    rc = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
++	    if (rc == PAM_SUCCESS)
++		break;
++	    if ((s = pam_strerror(pamh, rc)) == NULL)
+ 		s = "unknown error";
+ 	    log_warningx(0,
+ 		N_("unable to change expired password: %s"), s);
+-	    debug_return_int(AUTH_FAILURE);
++	    status = AUTH_FAILURE;
++	    break;
+ 	case PAM_AUTHTOK_EXPIRED:
+ 	    /* Ignore if user is exempt from password restrictions. */
+ 	    if (exempt)
+-		debug_return_int(AUTH_SUCCESS);
++		break;
+ 	    /* Password expired, cannot be updated by user. */
+ 	    log_warningx(0,
+ 		N_("Password expired, contact your system administrator"));
+-	    debug_return_int(AUTH_FATAL);
++	    status = AUTH_FATAL;
++	    break;
+ 	case PAM_ACCT_EXPIRED:
+ 	    log_warningx(0,
+ 		N_("Account expired or PAM config lacks an \"account\" "
+ 		"section for sudo, contact your system administrator"));
+-	    debug_return_int(AUTH_FATAL);
++	    status = AUTH_FATAL;
++	    break;
+ 	case PAM_AUTHINFO_UNAVAIL:
+ 	case PAM_MAXTRIES:
+ 	case PAM_PERM_DENIED:
+-	    s = pam_strerror(pamh, *pam_status);
++	    s = pam_strerror(pamh, rc);
+ 	    log_warningx(0, N_("PAM account management error: %s"),
+ 		s ? s : "unknown error");
+-	    debug_return_int(AUTH_FAILURE);
++	    status = AUTH_FAILURE;
++	    break;
+ 	default:
+-	    s = pam_strerror(pamh, *pam_status);
++	    s = pam_strerror(pamh, rc);
+ 	    log_warningx(0, N_("PAM account management error: %s"),
+ 		s ? s : "unknown error");
+-	    debug_return_int(AUTH_FATAL);
++	    status = AUTH_FATAL;
++	    break;
+     }
++    /* Ignore errors if user is exempt from password restrictions. */
++    *pam_status = exempt ? PAM_SUCCESS : rc;
++    debug_return_int(status);
+ }
+ 
+ int
+

SOURCES/sudo-1.8.23-who-am-i.patch

@@ -0,0 +1,56 @@
+commit b2f7983c84fd01e0b29895d7df776b4b162fd8a5
+Author: Todd C. Miller <Todd.Miller@sudo.ws>
+Date:   Wed Jan 2 07:39:33 2019 -0700
+
+    Fix setting of utmp entry when running command in a pty.
+    Regression introduced in sudo 1.8.22.
+
+diff --git a/src/exec_pty.c b/src/exec_pty.c
+index cbcccca3..68312a98 100644
+--- a/src/exec_pty.c
++++ b/src/exec_pty.c
+@@ -140,7 +140,7 @@ pty_cleanup(void)
+  * and slavename globals.
+  */
+ static bool
+-pty_setup(uid_t uid, const char *tty)
++pty_setup(struct command_details *details, const char *tty)
+ {
+     debug_decl(pty_setup, SUDO_DEBUG_EXEC);
+ 
+@@ -152,12 +152,15 @@ pty_setup(uid_t uid, const char *tty)
+     }
+ 
+     if (!get_pty(&io_fds[SFD_MASTER], &io_fds[SFD_SLAVE],
+-	slavename, sizeof(slavename), uid))
++	slavename, sizeof(slavename), details->euid))
+ 	sudo_fatal(U_("unable to allocate pty"));
+ 
+     /* Add entry to utmp/utmpx? */
+-    if (utmp_user != NULL)
++    if (ISSET(details->flags, CD_SET_UTMP)) {
++	utmp_user =
++	    details->utmp_user ? details->utmp_user : user_details.username;
+ 	utmp_login(tty, slavename, io_fds[SFD_SLAVE], utmp_user);
++    }
+ 
+     sudo_debug_printf(SUDO_DEBUG_INFO,
+ 	"%s: %s fd %d, pty master fd %d, pty slave fd %d",
+@@ -1302,12 +1305,11 @@ exec_pty(struct command_details *details, struct command_status *cstat)
+     /*
+      * Allocate a pty.
+      */
+-    if (pty_setup(details->euid, user_details.tty)) {
+-	if (ISSET(details->flags, CD_SET_UTMP))
+-	    utmp_user = details->utmp_user ? details->utmp_user : user_details.username;
+-    } else if (TAILQ_EMPTY(&io_plugins)) {
+-	/* Not logging I/O and didn't allocate a pty. */
+-	debug_return_bool(false);
++    if (!pty_setup(details, user_details.tty)) {
++	if (TAILQ_EMPTY(&io_plugins)) {
++	    /* Not logging I/O and didn't allocate a pty. */
++	    debug_return_bool(false);
++	}
+     }
+ 
+     /*

SOURCES/sudo-1.8.28-CVE-strtouid-test.patch

@@ -0,0 +1,96 @@
+diff -up ./lib/util/regress/atofoo/atofoo_test.c.CVE-strtouid-test ./lib/util/regress/atofoo/atofoo_test.c
+--- ./lib/util/regress/atofoo/atofoo_test.c.CVE-strtouid-test	2018-04-29 21:59:23.000000000 +0200
++++ ./lib/util/regress/atofoo/atofoo_test.c	2019-10-16 09:38:31.851404545 +0200
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2014 Todd C. Miller <Todd.Miller@sudo.ws>
++ * Copyright (c) 2014-2019 Todd C. Miller <Todd.Miller@sudo.ws>
+  *
+  * Permission to use, copy, modify, and distribute this software for any
+  * purpose with or without fee is hereby granted, provided that the above
+@@ -24,6 +24,7 @@
+ #else
+ # include "compat/stdbool.h"
+ #endif
++#include <errno.h>
+ 
+ #include "sudo_compat.h"
+ #include "sudo_util.h"
+@@ -78,15 +79,20 @@ static struct strtoid_data {
+     id_t id;
+     const char *sep;
+     const char *ep;
++    int errnum;
+ } strtoid_data[] = {
+-    { "0,1", 0, ",", "," },
+-    { "10", 10, NULL, NULL },
+-    { "-2", -2, NULL, NULL },
++    { "0,1", 0, ",", ",", 0 },
++    { "10", 10, NULL, NULL, 0 },
++    { "-1", 0, NULL, NULL, EINVAL },
++    { "4294967295", 0, NULL, NULL, EINVAL },
++    { "4294967296", 0, NULL, NULL, ERANGE },
++    { "-2147483649", 0, NULL, NULL, ERANGE },
++    { "-2", -2, NULL, NULL, 0 },
+ #if SIZEOF_ID_T != SIZEOF_LONG_LONG
+-    { "-2", 4294967294U, NULL, NULL },
++    { "-2", 4294967294U, NULL, NULL, 0 },
+ #endif
+-    { "4294967294", 4294967294U, NULL, NULL },
+-    { NULL, 0, NULL, NULL }
++    { "4294967294", 4294967294U, NULL, NULL, 0 },
++    { NULL, 0, NULL, NULL, 0 }
+ };
+ 
+ static int
+@@ -102,11 +108,23 @@ test_strtoid(int *ntests)
+ 	(*ntests)++;
+ 	errstr = "some error";
+ 	value = sudo_strtoid(d->idstr, d->sep, &ep, &errstr);
+-	if (errstr != NULL) {
+-	    if (d->id != (id_t)-1) {
+-		sudo_warnx_nodebug("FAIL: %s: %s", d->idstr, errstr);
++	if (d->errnum != 0) {
++	    if (errstr == NULL) {
++		sudo_warnx_nodebug("FAIL: %s: missing errstr for errno %d",
++		    d->idstr, d->errnum);
++		errors++;
++	    } else if (value != 0) {
++		sudo_warnx_nodebug("FAIL: %s should return 0 on error",
++		    d->idstr);
++		errors++;
++	    } else if (errno != d->errnum) {
++		sudo_warnx_nodebug("FAIL: %s: errno mismatch, %d != %d",
++		    d->idstr, errno, d->errnum);
+ 		errors++;
+ 	    }
++	} else if (errstr != NULL) {
++	    sudo_warnx_nodebug("FAIL: %s: %s", d->idstr, errstr);
++	    errors++;
+ 	} else if (value != d->id) {
+ 	    sudo_warnx_nodebug("FAIL: %s != %u", d->idstr, (unsigned int)d->id);
+ 	    errors++;
+diff -up ./plugins/sudoers/regress/testsudoers/test5.out.ok.CVE-strtouid-test ./plugins/sudoers/regress/testsudoers/test5.out.ok
+--- ./plugins/sudoers/regress/testsudoers/test5.out.ok.CVE-strtouid-test	2018-04-29 21:59:23.000000000 +0200
++++ ./plugins/sudoers/regress/testsudoers/test5.out.ok	2019-10-16 09:29:50.246761680 +0200
+@@ -4,7 +4,7 @@ Parse error in sudoers near line 1.
+ Entries for user root:
+ 
+ Command unmatched
+-testsudoers: test5.inc should be owned by gid 4294967295
++testsudoers: test5.inc should be owned by gid 4294967294
+ Parse error in sudoers near line 1.
+ 
+ Entries for user root:
+diff -up ./plugins/sudoers/regress/testsudoers/test5.sh.CVE-strtouid-test ./plugins/sudoers/regress/testsudoers/test5.sh
+--- ./plugins/sudoers/regress/testsudoers/test5.sh.CVE-strtouid-test	2018-04-29 21:59:23.000000000 +0200
++++ ./plugins/sudoers/regress/testsudoers/test5.sh	2019-10-16 09:29:50.246761680 +0200
+@@ -24,7 +24,7 @@ EOF
+ 
+ # Test group writable
+ chmod 664 $TESTFILE
+-./testsudoers -U $MYUID -G -1 root id <<EOF
++./testsudoers -U $MYUID -G -2 root id <<EOF
+ #include $TESTFILE
+ EOF
+ 

SOURCES/sudo-1.8.28-CVE-strtouid.patch

@@ -0,0 +1,172 @@
+Treat an ID of -1 as invalid since that means "no change".
+Fixes CVE-2019-14287.
+Found by Joe Vennix from Apple Information Security.
+
+diff -r fcd7a6d8330e lib/util/strtoid.c
+--- a/lib/util/strtoid.c	Fri Jan 11 13:31:15 2019 -0700
++++ b/lib/util/strtoid.c	Thu Oct 10 09:52:12 2019 -0600
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2013-2016 Todd C. Miller <Todd.Miller@sudo.ws>
++ * Copyright (c) 2013-2019 Todd C. Miller <Todd.Miller@sudo.ws>
+  *
+  * Permission to use, copy, modify, and distribute this software for any
+  * purpose with or without fee is hereby granted, provided that the above
+@@ -47,6 +47,27 @@
+ #include "sudo_util.h"
+ 
+ /*
++ * Make sure that the ID ends with a valid separator char.
++ */
++static bool
++valid_separator(const char *p, const char *ep, const char *sep)
++{
++    bool valid = false;
++    debug_decl(valid_separator, SUDO_DEBUG_UTIL)
++
++    if (ep != p) {
++	/* check for valid separator (including '\0') */
++	if (sep == NULL)
++	    sep = "";
++	do {
++	    if (*ep == *sep)
++		valid = true;
++	} while (*sep++ != '\0');
++    }
++    debug_return_bool(valid);
++}
++
++/*
+  * Parse a uid/gid in string form.
+  * If sep is non-NULL, it contains valid separator characters (e.g. comma, space)
+  * If endp is non-NULL it is set to the next char after the ID.
+@@ -60,38 +81,35 @@ sudo_strtoid_v1(const char *p, const cha
+     char *ep;
+     id_t ret = 0;
+     long long llval;
+-    bool valid = false;
+     debug_decl(sudo_strtoid, SUDO_DEBUG_UTIL)
+ 
+     /* skip leading space so we can pick up the sign, if any */
+     while (isspace((unsigned char)*p))
+ 	p++;
+-    if (sep == NULL)
+-	sep = "";
++
++    /* While id_t may be 64-bit signed, uid_t and gid_t are 32-bit unsigned. */
+     errno = 0;
+     llval = strtoll(p, &ep, 10);
+-    if (ep != p) {
+-	/* check for valid separator (including '\0') */
+-	do {
+-	    if (*ep == *sep)
+-		valid = true;
+-	} while (*sep++ != '\0');
++    if ((errno == ERANGE && llval == LLONG_MAX) || llval > (id_t)UINT_MAX) {
++	errno = ERANGE;
++	if (errstr != NULL)
++	    *errstr = N_("value too large");
++	goto done;
+     }
+-    if (!valid) {
++    if ((errno == ERANGE && llval == LLONG_MIN) || llval < INT_MIN) {
++	errno = ERANGE;
++	if (errstr != NULL)
++	    *errstr = N_("value too small");
++	goto done;
++    }
++
++    /* Disallow id -1, which means "no change". */
++    if (!valid_separator(p, ep, sep) || llval == -1 || llval == (id_t)UINT_MAX) {
+ 	if (errstr != NULL)
+ 	    *errstr = N_("invalid value");
+ 	errno = EINVAL;
+ 	goto done;
+     }
+-    if (errno == ERANGE) {
+-	if (errstr != NULL) {
+-	    if (llval == LLONG_MAX)
+-		*errstr = N_("value too large");
+-	    else
+-		*errstr = N_("value too small");
+-	}
+-	goto done;
+-    }
+     ret = (id_t)llval;
+     if (errstr != NULL)
+ 	*errstr = NULL;
+@@ -106,30 +124,15 @@ sudo_strtoid_v1(const char *p, const cha
+ {
+     char *ep;
+     id_t ret = 0;
+-    bool valid = false;
+     debug_decl(sudo_strtoid, SUDO_DEBUG_UTIL)
+ 
+     /* skip leading space so we can pick up the sign, if any */
+     while (isspace((unsigned char)*p))
+ 	p++;
+-    if (sep == NULL)
+-	sep = "";
++
+     errno = 0;
+     if (*p == '-') {
+ 	long lval = strtol(p, &ep, 10);
+-	if (ep != p) {
+-	    /* check for valid separator (including '\0') */
+-	    do {
+-		if (*ep == *sep)
+-		    valid = true;
+-	    } while (*sep++ != '\0');
+-	}
+-	if (!valid) {
+-	    if (errstr != NULL)
+-		*errstr = N_("invalid value");
+-	    errno = EINVAL;
+-	    goto done;
+-	}
+ 	if ((errno == ERANGE && lval == LONG_MAX) || lval > INT_MAX) {
+ 	    errno = ERANGE;
+ 	    if (errstr != NULL)
+@@ -142,28 +145,31 @@ sudo_strtoid_v1(const char *p, const cha
+ 		*errstr = N_("value too small");
+ 	    goto done;
+ 	}
+-	ret = (id_t)lval;
+-    } else {
+-	unsigned long ulval = strtoul(p, &ep, 10);
+-	if (ep != p) {
+-	    /* check for valid separator (including '\0') */
+-	    do {
+-		if (*ep == *sep)
+-		    valid = true;
+-	    } while (*sep++ != '\0');
+-	}
+-	if (!valid) {
++
++	/* Disallow id -1, which means "no change". */
++	if (!valid_separator(p, ep, sep) || lval == -1) {
+ 	    if (errstr != NULL)
+ 		*errstr = N_("invalid value");
+ 	    errno = EINVAL;
+ 	    goto done;
+ 	}
++	ret = (id_t)lval;
++    } else {
++	unsigned long ulval = strtoul(p, &ep, 10);
+ 	if ((errno == ERANGE && ulval == ULONG_MAX) || ulval > UINT_MAX) {
+ 	    errno = ERANGE;
+ 	    if (errstr != NULL)
+ 		*errstr = N_("value too large");
+ 	    goto done;
+ 	}
++
++	/* Disallow id -1, which means "no change". */
++	if (!valid_separator(p, ep, sep) || ulval == UINT_MAX) {
++	    if (errstr != NULL)
++		*errstr = N_("invalid value");
++	    errno = EINVAL;
++	    goto done;
++	}
+ 	ret = (id_t)ulval;
+     }
+     if (errstr != NULL)

SPECS/sudo.spec

@@ -1,7 +1,7 @@
 Summary: Allows restricted root access for specified users
 Name: sudo
 Version: 1.8.23
-Release: 3%{?dist}
+Release: 4%{?dist}.1
 License: ISC
 Group: Applications/System
 URL: http://www.courtesan.com/sudo/
@@ -50,7 +50,16 @@ Patch7: sudo-1.8.23-nowaitopt.patch
 #  bz in RHEL. The feature itself was delivered via the rebase to 1.8.23.
 Patch8: sudo-1.8.23-Ignore-PAM_NEW_AUTHTOK_REQD-and-PAM_AUTHTOK_EXPIRED.patch
 # 1547974 - (sudo-rhel-7.6-rebase) Rebase sudo to latest stable upstream version
-Patch9: sudo-1.8.23-fix-double-quote-parsing-for-Defaults-values.patch 
+Patch9: sudo-1.8.23-fix-double-quote-parsing-for-Defaults-values.patch
+
+# 1672876 - Backporting sudo bug with expired passwords
+Patch10: sudo-1.8.23-pam-expired-passwords.patch
+# 1665285 - Problem with sudo-1.8.23 and 'who am i'
+Patch11: sudo-1.8.23-who-am-i.patch
+
+# 1760694 - CVE-2019-14287 sudo: Privilege escalation via 'Runas' specification with 'ALL' keyword [rhel-7.7.z]
+Patch12: sudo-1.8.28-CVE-strtouid.patch
+Patch13: sudo-1.8.28-CVE-strtouid-test.patch
 
 %description
 Sudo (superuser do) allows a system administrator to give certain
@@ -85,6 +94,12 @@ plugins that use %{name}.
 %patch8 -p1 -b .pam-mgmt-ignore-errors
 %patch9 -p1 -b .defaults-double-quote-fix
 
+%patch10 -p1 -b .pam-expired
+%patch11 -p1 -b .who-am-i
+
+%patch12 -p1 -b .CVE-strtouid
+%patch13 -p1 -b .CVE-strtouid-test
+
 %build
 autoreconf -I m4 -fv --install
 
@@ -222,6 +237,16 @@ rm -rf %{buildroot}
 %{_mandir}/man8/sudo_plugin.8*
 
 %changelog
+* Wed Oct 16 2019 Radovan Sroka <rsroka@redhat.com> 1.8.23-4.1
+- RHEL-7.7.z
+- fixed CVE-2019-14287
+  Resolves: rhbz#1760694
+
+* Wed Feb 20 2019 Radovan Sroka <rsroka@redhat.com> 1.8.23-4
+- RHEL-7.7 erratum
+  Resolves: rhbz#1672876 - Backporting sudo bug with expired passwords
+  Resolves: rhbz#1665285 - Problem with sudo-1.8.23 and 'who am i'
+
 * Mon Sep 24 2018 Daniel Kopecek <dkopecek@redhat.com> 1.8.23-3
 - RHEL-7.6 erratum
   Resolves: rhbz#1547974 - Rebase sudo to latest stable upstream version
@@ -318,11 +343,11 @@ rm -rf %{buildroot}
 
 * Wed Mar 08 2017 Tomas Sykora <tosykora@redhat.com> - 1.8.19p2-2
 - RHEL 7.4 erratum
-- Fixes coverity scan issues created by our patches: 
+- Fixes coverity scan issues created by our patches:
   - fixed resource leaks and a compiler warning in digest backport patch
   - removed needless code from cmnd_no_wait patch causing clang warning
   - format of the last changelog message causes problems to rhpkg push,
-    so don't use that as a commit message 
+    so don't use that as a commit message
   Resolves: rhbz#1360687
 
 * Wed Mar 01 2017 Tomas Sykora <tosykora@redhat.com> - 1.8.19p2-1
@@ -331,7 +356,7 @@ rm -rf %{buildroot}
   - Resolves: rhbz#1123526 - performance improvement
   - Resolves: rhbz#1308789 - add MAIL and NOMAIL tags
   - Resolves: rhbz#1348504 - sudo now parses sudoers with sudoers locale
-  - Resolves: rhbz#1374417 - "sudo -l command" indicated that the command 
+  - Resolves: rhbz#1374417 - "sudo -l command" indicated that the command
     was runnable even if denied by sudoers when using LDAP or SSSD backend.
   - Resolves: rhbz#1387303 - add ignore_iolog_errors option
   - Resolves: rhbz#1389360 - wrong log file group ownership
@@ -538,7 +563,7 @@ rm -rf %{buildroot}
 * Thu May 17 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.5-1
 - update to 1.8.5
 - fixed CVE-2012-2337
-- temporarily disabled SSSD support 
+- temporarily disabled SSSD support
 
 * Wed Feb 29 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.3p1-6
 - fixed problems with undefined symbols (rhbz#798517)
@@ -557,7 +582,7 @@ rm -rf %{buildroot}
 
 * Thu Nov 10 2011 Daniel Kopecek <dkopecek@redhat.com> - 1.8.3p1-1
 - update to 1.8.3p1
-- disable output word wrapping if the output is piped 
+- disable output word wrapping if the output is piped
 
 * Wed Sep  7 2011 Peter Robinson <pbrobinson@fedoraproject.org> - 1.8.1p2-2
 - Remove execute bit from sample script in docs so we don't pull in perl
@@ -692,7 +717,7 @@ rm -rf %{buildroot}
 - sparc64 needs to be in the -fPIE list with s390
 
 * Mon Jan 07 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p4-5
-- fix complains about audit_log_user_command(): Connection 
+- fix complains about audit_log_user_command(): Connection
   refused (#401201)
 
 * Wed Dec 05 2007 Release Engineering <rel-eng at fedoraproject dot org> - 1.6.9p4-4
@@ -794,7 +819,7 @@ rm -rf %{buildroot}
 - rebuild
 
 * Mon Oct  4 2004 Thomas Woerner <twoerner@redhat.com> 1.6.7p5-30.1
-- added missing BuildRequires for libselinux-devel (#132883) 
+- added missing BuildRequires for libselinux-devel (#132883)
 
 * Wed Sep 29 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-30
 - Fix missing param error in sesh
@@ -821,7 +846,7 @@ rm -rf %{buildroot}
   exec of child with SELinux patch
 
 * Thu Mar 18 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-23
-- change to default to sysadm_r 
+- change to default to sysadm_r
 - Fix tty handling
 
 * Thu Mar 18 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-22
@@ -829,7 +854,7 @@ rm -rf %{buildroot}
 - replace /bin/bash -c with /bin/sesh
 
 * Tue Mar 16 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-21
-- Hard code to use "/bin/bash -c" for selinux 
+- Hard code to use "/bin/bash -c" for selinux
 
 * Tue Mar 16 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-20
 - Eliminate closing and reopening of terminals, to match su.
@@ -854,7 +879,7 @@ rm -rf %{buildroot}
 - Fix is_selinux_enabled call
 
 * Tue Jan 13 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-13
-- Clean up patch on failure 
+- Clean up patch on failure
 
 * Tue Jan 6 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-12
 - Remove sudo.te for now.
@@ -977,7 +1002,7 @@ rm -rf %{buildroot}
 - fixed so it doesn't find /usr/bin/vi first, but instead /bin/vi (always installed)
 
 * Thu Oct 08 1998 Michael Maher <mike@redhat.com>
-- built package for 5.2 
+- built package for 5.2
 
 * Mon May 18 1998 Michael Maher <mike@redhat.com>
 - updated SPEC file
@@ -989,10 +1014,9 @@ rm -rf %{buildroot}
 - built for glibc, no problems
 
 * Fri Apr 25 1997 Michael Fulbright <msf@redhat.com>
-- Fixed for 4.2 PowerTools 
+- Fixed for 4.2 PowerTools
 - Still need to be pamified
 - Still need to move stmp file to /var/log
 
 * Mon Feb 17 1997 Michael Fulbright <msf@redhat.com>
 - First version for PowerCD.
-