sudo package update

Signed-off-by: basebuilder_pel7x64builder0 <basebuilder@powerel.org>
4 years ago · f3e71ab92b
5 changed files with 657 additions and 14 deletions
--- a/SOURCES/sudo-1.8.23-fix_empty_username_in_do_syslog.patch
+++ b/SOURCES/sudo-1.8.23-fix_empty_username_in_do_syslog.patch
@ -0,0 +1,35 @@
				@@ -0,0 +1,35 @@
+diff --git a/plugins/sudoers/logging.c b/plugins/sudoers/logging.c
+index 2c685cd..7751a67 100644
+--- a/plugins/sudoers/logging.c
+++ b/plugins/sudoers/logging.c
+@@ -106,7 +106,15 @@ do_syslog(int pri, char *msg)
+      * Log the full line, breaking into multiple syslog(3) calls if necessary
+      */
+     fmt = _("%8s : %s");
+-    maxlen = def_syslog_maxlen - (strlen(fmt) - 5 + strlen(sudo_user_name));
+
+
+    if (!sudo_user_name) {
+        maxlen = def_syslog_maxlen - (strlen(fmt) - 5);
+    }
+    else {
+        maxlen = def_syslog_maxlen - (strlen(fmt) - 5 + strlen(sudo_user_name));
+    }
+
+     for (p = msg; *p != '\0'; ) {
+ 	len = strlen(p);
+ 	if (len > maxlen) {
+@@ -122,7 +130,12 @@ do_syslog(int pri, char *msg)
+ 	    save = *tmp;
+ 	    *tmp = '\0';
+ 
+-	    mysyslog(pri, fmt, sudo_user_name, p);
+        if(!sudo_user_name) {
+            mysyslog(pri, fmt, "NaN", p);
+        }
+	    else{
+            mysyslog(pri, fmt, sudo_user_name, p);
+        }
+ 
+ 	    *tmp = save;			/* restore saved character */
+ 
--- a/SOURCES/sudo-1.8.23-pam_access-and-terminals.patch
+++ b/SOURCES/sudo-1.8.23-pam_access-and-terminals.patch
@ -0,0 +1,344 @@
				@@ -0,0 +1,344 @@
+unchanged:
+--- b/plugins/sudoers/auth/pam.c
+++ b/plugins/sudoers/auth/pam.c
+@@ -210,59 +210,71 @@
+ sudo_pam_approval(struct passwd *pw, sudo_auth *auth, bool exempt)
+ {
+     const char *s;
+    int rc, status = AUTH_SUCCESS;
+     int *pam_status = (int *) auth->data;
+     debug_decl(sudo_pam_approval, SUDOERS_DEBUG_AUTH)
+ 
+-    *pam_status = pam_acct_mgmt(pamh, PAM_SILENT);
+-    switch (*pam_status) {
+    rc = pam_acct_mgmt(pamh, PAM_SILENT);
+    switch (rc) {
+ 	case PAM_SUCCESS:
+-	    debug_return_int(AUTH_SUCCESS);
+	    break;
+ 	case PAM_AUTH_ERR:
+ 	    log_warningx(0, N_("account validation failure, "
+ 		"is your account locked?"));
+-	    debug_return_int(AUTH_FATAL);
+	    status = AUTH_FATAL;
+	    break;
+ 	case PAM_NEW_AUTHTOK_REQD:
+ 	    /* Ignore if user is exempt from password restrictions. */
+-	    if (exempt)
+-		debug_return_int(AUTH_SUCCESS);
+	    if (exempt) {
+		rc = *pam_status;
+		break;
+	    }
+ 	    /* New password required, try to change it. */
+ 	    log_warningx(0, N_("Account or password is "
+ 		"expired, reset your password and try again"));
+-	    *pam_status = pam_chauthtok(pamh,
+-		PAM_CHANGE_EXPIRED_AUTHTOK);
+-	    if (*pam_status == PAM_SUCCESS)
+-		debug_return_int(AUTH_SUCCESS);
+-	    if ((s = pam_strerror(pamh, *pam_status)) == NULL)
+	    rc = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
+	    if (rc == PAM_SUCCESS)
+		break;
+	    if ((s = pam_strerror(pamh, rc)) == NULL)
+ 		s = "unknown error";
+ 	    log_warningx(0,
+ 		N_("unable to change expired password: %s"), s);
+-	    debug_return_int(AUTH_FAILURE);
+	    status = AUTH_FAILURE;
+	    break;
+ 	case PAM_AUTHTOK_EXPIRED:
+ 	    /* Ignore if user is exempt from password restrictions. */
+-	    if (exempt)
+-		debug_return_int(AUTH_SUCCESS);
+	    if (exempt) {
+		rc = *pam_status;
+		break;
+	    }
+ 	    /* Password expired, cannot be updated by user. */
+ 	    log_warningx(0,
+ 		N_("Password expired, contact your system administrator"));
+-	    debug_return_int(AUTH_FATAL);
+	    status = AUTH_FATAL;
+	    break;
+ 	case PAM_ACCT_EXPIRED:
+ 	    log_warningx(0,
+ 		N_("Account expired or PAM config lacks an \"account\" "
+ 		"section for sudo, contact your system administrator"));
+-	    debug_return_int(AUTH_FATAL);
+	    status = AUTH_FATAL;
+	    break;
+ 	case PAM_AUTHINFO_UNAVAIL:
+ 	case PAM_MAXTRIES:
+ 	case PAM_PERM_DENIED:
+-	    s = pam_strerror(pamh, *pam_status);
+	    s = pam_strerror(pamh, rc);
+ 	    log_warningx(0, N_("PAM account management error: %s"),
+ 		s ? s : "unknown error");
+-	    debug_return_int(AUTH_FAILURE);
+	    status = AUTH_FAILURE;
+	    break;
+ 	default:
+-	    s = pam_strerror(pamh, *pam_status);
+	    s = pam_strerror(pamh, rc);
+ 	    log_warningx(0, N_("PAM account management error: %s"),
+ 		s ? s : "unknown error");
+-	    debug_return_int(AUTH_FATAL);
+	    status = AUTH_FATAL;
+	    break;
+     }
+    *pam_status = rc;
+    debug_return_int(status);
+ }
+ 
+ int
+unchanged:
+--- a/doc/sudoers.cat
+++ b/doc/sudoers.cat
+@@ -1286,6 +1286,17 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
+                        well as the _P_r_e_v_e_n_t_i_n_g _s_h_e_l_l _e_s_c_a_p_e_s section at the end
+                        of this manual.  This flag is _o_f_f by default.
+ 
+     pam_acct_mgmt     On systems that use PAM for authentication, ssuuddoo will
+                       perform PAM account validation for the invoking user by
+                       default.  The actual checks performed depend on which
+                       PAM modules are configured.  If enabled, account
+                       validation will be performed regardless of whether or
+                       not a password is required.  This flag is _o_n by
+                       default.
+
+                       This setting is only supported by version 1.8.28 or
+                       higher.
+
+      pam_session       On systems that use PAM for authentication, ssuuddoo will
+                        create a new PAM session for the command to be run in.
+                        Disabling _p_a_m___s_e_s_s_i_o_n may be needed on older PAM
+unchanged:
+--- a/doc/sudoers.man.in
+++ b/doc/sudoers.man.in
+@@ -2722,6 +2722,19 @@ This flag is
+ \fIoff\fR
+ by default.
+ .TP 18n
+pam_acct_mgmt
+On systems that use PAM for authentication,
+\fBsudo\fR
+will perform PAM account validation for the invoking user by default.
+The actual checks performed depend on which PAM modules are configured.
+If enabled, account validation will be performed regardless of whether
+or not a password is required.
+This flag is
+\fIon\fR
+by default.
+.sp
+This setting is only supported by version 1.8.28 or higher.
+.TP 18n
+ pam_session
+ On systems that use PAM for authentication,
+ \fBsudo\fR
+unchanged:
+--- a/doc/sudoers.mdoc.in
+++ b/doc/sudoers.mdoc.in
+@@ -2560,6 +2560,18 @@ section at the end of this manual.
+ This flag is
+ .Em off
+ by default.
+.It pam_acct_mgmt
+On systems that use PAM for authentication,
+.Nm sudo
+will perform PAM account validation for the invoking user by default.
+The actual checks performed depend on which PAM modules are configured.
+If enabled, account validation will be performed regardless of whether
+or not a password is required.
+This flag is
+.Em on
+by default.
+.Pp
+This setting is only supported by version 1.8.28 or higher.
+ .It pam_session
+ On systems that use PAM for authentication,
+ .Nm sudo
+only in patch2:
+unchanged:
+--- ./plugins/sudoers/auth/pam.c.pamm	2019-01-11 21:30:17.000000000 +0100
+++ ./plugins/sudoers/auth/pam.c	2019-08-02 15:14:38.980077956 +0200
+@@ -214,66 +214,68 @@ sudo_pam_approval(struct passwd *pw, sud
+     int *pam_status = (int *) auth->data;
+     debug_decl(sudo_pam_approval, SUDOERS_DEBUG_AUTH)
+ 
+-    rc = pam_acct_mgmt(pamh, PAM_SILENT);
+-    switch (rc) {
+-	case PAM_SUCCESS:
+-	    break;
+-	case PAM_AUTH_ERR:
+-	    log_warningx(0, N_("account validation failure, "
+-		"is your account locked?"));
+-	    status = AUTH_FATAL;
+-	    break;
+-	case PAM_NEW_AUTHTOK_REQD:
+-	    /* Ignore if user is exempt from password restrictions. */
+-	    if (exempt) {
+-		rc = *pam_status;
+-		break;
+-	    }
+-	    /* New password required, try to change it. */
+-	    log_warningx(0, N_("Account or password is "
+-		"expired, reset your password and try again"));
+-	    rc = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
+-	    if (rc == PAM_SUCCESS)
+-		break;
+-	    if ((s = pam_strerror(pamh, rc)) == NULL)
+-		s = "unknown error";
+-	    log_warningx(0,
+-		N_("unable to change expired password: %s"), s);
+-	    status = AUTH_FAILURE;
+-	    break;
+-	case PAM_AUTHTOK_EXPIRED:
+-	    /* Ignore if user is exempt from password restrictions. */
+-	    if (exempt) {
+-		rc = *pam_status;
+-		break;
+-	    }
+-	    /* Password expired, cannot be updated by user. */
+-	    log_warningx(0,
+-		N_("Password expired, contact your system administrator"));
+-	    status = AUTH_FATAL;
+-	    break;
+-	case PAM_ACCT_EXPIRED:
+-	    log_warningx(0,
+-		N_("Account expired or PAM config lacks an \"account\" "
+-		"section for sudo, contact your system administrator"));
+-	    status = AUTH_FATAL;
+-	    break;
+-	case PAM_AUTHINFO_UNAVAIL:
+-	case PAM_MAXTRIES:
+-	case PAM_PERM_DENIED:
+-	    s = pam_strerror(pamh, rc);
+-	    log_warningx(0, N_("PAM account management error: %s"),
+-		s ? s : "unknown error");
+-	    status = AUTH_FAILURE;
+-	    break;
+-	default:
+-	    s = pam_strerror(pamh, rc);
+-	    log_warningx(0, N_("PAM account management error: %s"),
+-		s ? s : "unknown error");
+-	    status = AUTH_FATAL;
+-	    break;
+    if (def_pam_acct_mgmt) {
+	rc = pam_acct_mgmt(pamh, PAM_SILENT);
+	switch (rc) {
+	    case PAM_SUCCESS:
+		break;
+	    case PAM_AUTH_ERR:
+		log_warningx(0, N_("account validation failure, "
+		    "is your account locked?"));
+		status = AUTH_FATAL;
+		break;
+	    case PAM_NEW_AUTHTOK_REQD:
+		/* Ignore if user is exempt from password restrictions. */
+		if (exempt) {
+		    rc = *pam_status;
+		    break;
+		}
+		/* New password required, try to change it. */
+		log_warningx(0, N_("Account or password is "
+		    "expired, reset your password and try again"));
+		rc = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
+		if (rc == PAM_SUCCESS)
+		    break;
+		if ((s = pam_strerror(pamh, rc)) == NULL)
+		    s = "unknown error";
+		log_warningx(0,
+		    N_("unable to change expired password: %s"), s);
+		status = AUTH_FAILURE;
+		break;
+	    case PAM_AUTHTOK_EXPIRED:
+		/* Ignore if user is exempt from password restrictions. */
+		if (exempt) {
+		    rc = *pam_status;
+		    break;
+		}
+		/* Password expired, cannot be updated by user. */
+		log_warningx(0,
+		    N_("Password expired, contact your system administrator"));
+		status = AUTH_FATAL;
+		break;
+	    case PAM_ACCT_EXPIRED:
+		log_warningx(0,
+		    N_("Account expired or PAM config lacks an \"account\" "
+		    "section for sudo, contact your system administrator"));
+		status = AUTH_FATAL;
+		break;
+	    case PAM_AUTHINFO_UNAVAIL:
+	    case PAM_MAXTRIES:
+	    case PAM_PERM_DENIED:
+		s = pam_strerror(pamh, rc);
+		log_warningx(0, N_("PAM account management error: %s"),
+		    s ? s : "unknown error");
+		status = AUTH_FAILURE;
+		break;
+	    default:
+		s = pam_strerror(pamh, rc);
+		log_warningx(0, N_("PAM account management error: %s"),
+		    s ? s : "unknown error");
+		status = AUTH_FATAL;
+		break;
+	}
+	*pam_status = rc;
+     }
+-    *pam_status = rc;
+     debug_return_int(status);
+ }
+ 
+only in patch2:
+unchanged:
+--- ./plugins/sudoers/defaults.c.pamm	2019-08-02 15:14:38.973077882 +0200
+++ ./plugins/sudoers/defaults.c	2019-08-02 15:14:38.987078030 +0200
+@@ -642,6 +642,7 @@ init_defaults(void)
+     if ((def_editor = strdup(EDITOR)) == NULL)
+ 	goto oom;
+     def_set_utmp = true;
+    def_pam_acct_mgmt = true;
+     def_pam_setcred = true;
+     def_syslog_maxlen = MAXSYSLOGLEN;
+     def_case_insensitive_user = true;
+only in patch2:
+unchanged:
+--- ./plugins/sudoers/def_data.c.pamm	2019-08-02 15:14:38.976077914 +0200
+++ ./plugins/sudoers/def_data.c	2019-08-02 15:20:37.592876029 +0200
+@@ -502,6 +502,10 @@ struct sudo_defs_types sudo_defs_table[]
+ 	N_("Don't fork and wait for the command to finish, just exec it"),
+ 	NULL,
+     }, {
+  "pam_acct_mgmt", T_FLAG,
+  N_("Perform PAM account validation management"),
+  NULL,
+    }, {
+ 	NULL, 0, NULL
+     }
+ };
+only in patch2:
+unchanged:
+--- ./plugins/sudoers/def_data.h.pamm	2019-08-02 15:14:38.976077914 +0200
+++ ./plugins/sudoers/def_data.h	2019-08-02 15:14:38.987078030 +0200
+@@ -230,6 +230,8 @@
+ #define def_legacy_group_processing (sudo_defs_table[I_LEGACY_GROUP_PROCESSING].sd_un.flag)
+ #define I_CMND_NO_WAIT          115
+ #define def_cmnd_no_wait        (sudo_defs_table[I_CMND_NO_WAIT].sd_un.flag)
+#define I_PAM_ACCT_MGMT         116
+#define def_pam_acct_mgmt       (sudo_defs_table[I_PAM_ACCT_MGMT].sd_un.flag)
+ 
+ enum def_tuple {
+ 	never,
+only in patch2:
+unchanged:
+--- ./plugins/sudoers/def_data.in.pamm	2019-08-02 15:14:38.976077914 +0200
+++ ./plugins/sudoers/def_data.in	2019-08-02 15:14:38.987078030 +0200
+@@ -363,3 +363,6 @@ legacy_group_processing
+ cmnd_no_wait
+ 	T_FLAG
+ 	"Don't fork and wait for the command to finish, just exec it"
+pam_acct_mgmt
+	T_FLAG
+	"Perform PAM account validation management"
--- a/SOURCES/sudo-1.8.29-CVE-2019-18634-part1.patch
+++ b/SOURCES/sudo-1.8.29-CVE-2019-18634-part1.patch
@ -0,0 +1,158 @@
				@@ -0,0 +1,158 @@
+diff -up ./src/tgetpass.c.bla ./src/tgetpass.c
+--- ./src/tgetpass.c.bla	2018-08-18 16:10:15.000000000 +0200
+++ ./src/tgetpass.c	2020-02-05 17:15:16.216904891 +0100
+@@ -44,11 +44,18 @@
+ #include "sudo.h"
+ #include "sudo_plugin.h"
+ 
+enum tgetpass_errval {
+    TGP_ERRVAL_NOERROR,
+    TGP_ERRVAL_TIMEOUT,
+    TGP_ERRVAL_NOPASSWORD,
+    TGP_ERRVAL_READERROR
+};
+
+ static volatile sig_atomic_t signo[NSIG];
+ 
+ static bool tty_present(void);
+ static void tgetpass_handler(int);
+-static char *getln(int, char *, size_t, int);
+static char *getln(int, char *, size_t, int, enum tgetpass_errval *);
+ static char *sudo_askpass(const char *, const char *);
+ 
+ static int
+@@ -77,6 +84,27 @@ suspend(int signo, struct sudo_conv_call
+     debug_return_int(ret);
+ }
+ 
+static void
+tgetpass_display_error(enum tgetpass_errval errval)
+{
+    debug_decl(tgetpass_display_error, SUDO_DEBUG_CONV)
+
+    switch (errval) {
+    case TGP_ERRVAL_NOERROR:
+	break;
+    case TGP_ERRVAL_TIMEOUT:
+	sudo_warnx(U_("timed out reading password"));
+	break;
+    case TGP_ERRVAL_NOPASSWORD:
+	sudo_warnx(U_("no password was provided"));
+	break;
+    case TGP_ERRVAL_READERROR:
+	sudo_warn(U_("unable to read password"));
+	break;
+    }
+    debug_return;
+}
+
+ /*
+  * Like getpass(3) but with timeout and echo flags.
+  */
+@@ -90,6 +118,7 @@ tgetpass(const char *prompt, int timeout
+     static const char *askpass;
+     static char buf[SUDO_CONV_REPL_MAX + 1];
+     int i, input, output, save_errno, neednl = 0, need_restart;
+    enum tgetpass_errval errval;
+     debug_decl(tgetpass, SUDO_DEBUG_CONV)
+ 
+     (void) fflush(stdout);
+@@ -175,7 +204,7 @@ restart:
+ 
+     if (timeout > 0)
+ 	alarm(timeout);
+-    pass = getln(input, buf, sizeof(buf), ISSET(flags, TGP_MASK));
+    pass = getln(input, buf, sizeof(buf), ISSET(flags, TGP_MASK), &errval);
+     alarm(0);
+     save_errno = errno;
+ 
+@@ -183,6 +212,7 @@ restart:
+ 	if (write(output, "\n", 1) == -1)
+ 	    goto restore;
+     }
+    tgetpass_display_error(errval);
+ 
+ restore:
+     /* Restore old signal handlers. */
+@@ -210,6 +240,8 @@ restore:
+     for (i = 0; i < NSIG; i++) {
+ 	if (signo[i]) {
+ 	    switch (i) {
+		case SIGALRM:
+		    break;
+ 		case SIGTSTP:
+ 		case SIGTTIN:
+ 		case SIGTTOU:
+@@ -239,6 +271,7 @@ sudo_askpass(const char *askpass, const
+ {
+     static char buf[SUDO_CONV_REPL_MAX + 1], *pass;
+     struct sigaction sa, savechld;
+    enum tgetpass_errval errval;
+     int pfd[2], status;
+     pid_t child;
+     debug_decl(sudo_askpass, SUDO_DEBUG_CONV)
+@@ -281,9 +314,11 @@ sudo_askpass(const char *askpass, const
+ 
+     /* Get response from child (askpass). */
+     (void) close(pfd[1]);
+-    pass = getln(pfd[0], buf, sizeof(buf), 0);
+    pass = getln(pfd[0], buf, sizeof(buf), 0, &errval);
+     (void) close(pfd[0]);
+ 
+    tgetpass_display_error(errval);
+
+     /* Wait for child to exit. */
+     for (;;) {
+ 	pid_t rv = waitpid(child, &status, 0);
+@@ -305,7 +340,8 @@ sudo_askpass(const char *askpass, const
+ extern int sudo_term_erase, sudo_term_kill;
+ 
+ static char *
+-getln(int fd, char *buf, size_t bufsiz, int feedback)
+getln(int fd, char *buf, size_t bufsiz, int feedback,
+      enum tgetpass_errval *errval)
+ {
+     size_t left = bufsiz;
+     ssize_t nr = -1;
+@@ -313,7 +349,10 @@ getln(int fd, char *buf, size_t bufsiz,
+     char c = '\0';
+     debug_decl(getln, SUDO_DEBUG_CONV)
+ 
+    *errval = TGP_ERRVAL_NOERROR;
+
+     if (left == 0) {
+	*errval = TGP_ERRVAL_READERROR;
+ 	errno = EINVAL;
+ 	debug_return_str(NULL);		/* sanity */
+     }
+@@ -354,14 +393,27 @@ getln(int fd, char *buf, size_t bufsiz,
+ 	}
+     }
+ 
+-    debug_return_str_masked(nr == 1 ? buf : NULL);
+    if (nr != 1) {
+	if (nr == 0) {
+	    *errval = TGP_ERRVAL_NOPASSWORD;
+	} else if (nr == -1) {
+	    if (errno == EINTR) {
+		if (signo[SIGALRM] == 1)
+		    *errval = TGP_ERRVAL_TIMEOUT;
+	    } else {
+		*errval = TGP_ERRVAL_READERROR;
+	    }
+	}
+	debug_return_str(NULL);
+    }
+
+    debug_return_str_masked(buf);
+ }
+ 
+ static void
+ tgetpass_handler(int s)
+ {
+-    if (s != SIGALRM)
+-	signo[s] = 1;
+    signo[s] = 1;
+ }
+ 
+ static bool
--- a/SOURCES/sudo-1.8.29-CVE-2019-18634-part2.patch
+++ b/SOURCES/sudo-1.8.29-CVE-2019-18634-part2.patch
@ -0,0 +1,77 @@
				@@ -0,0 +1,77 @@
+diff -up ./src/tgetpass.c.CVE-2019-18634 ./src/tgetpass.c
+--- ./src/tgetpass.c.CVE-2019-18634	2020-02-05 17:16:07.601420697 +0100
+++ ./src/tgetpass.c	2020-02-05 17:22:34.206301510 +0100
+@@ -55,7 +55,7 @@ static volatile sig_atomic_t signo[NSIG]
+ 
+ static bool tty_present(void);
+ static void tgetpass_handler(int);
+-static char *getln(int, char *, size_t, int, enum tgetpass_errval *);
+static char *getln(int, char *, size_t, bool, enum tgetpass_errval *);
+ static char *sudo_askpass(const char *, const char *);
+ 
+ static int
+@@ -118,6 +118,7 @@ tgetpass(const char *prompt, int timeout
+     static const char *askpass;
+     static char buf[SUDO_CONV_REPL_MAX + 1];
+     int i, input, output, save_errno, neednl = 0, need_restart;
+    bool feedback = ISSET(flags, TGP_MASK);
+     enum tgetpass_errval errval;
+     debug_decl(tgetpass, SUDO_DEBUG_CONV)
+ 
+@@ -165,7 +166,7 @@ restart:
+      */
+     if (!ISSET(flags, TGP_ECHO)) {
+ 	for (;;) {
+-	    if (ISSET(flags, TGP_MASK))
+	    if (feedback)
+ 		neednl = sudo_term_cbreak(input);
+ 	    else
+ 		neednl = sudo_term_noecho(input);
+@@ -179,6 +180,9 @@ restart:
+ 	    }
+ 	}
+     }
+    /* Only use feedback mode when we can disable echo. */
+    if (!neednl)
+	feedback = false;
+ 
+     /*
+      * Catch signals that would otherwise cause the user to end
+@@ -204,7 +208,7 @@ restart:
+ 
+     if (timeout > 0)
+ 	alarm(timeout);
+-    pass = getln(input, buf, sizeof(buf), ISSET(flags, TGP_MASK), &errval);
+    pass = getln(input, buf, sizeof(buf), feedback, &errval);
+     alarm(0);
+     save_errno = errno;
+ 
+@@ -340,7 +344,7 @@ sudo_askpass(const char *askpass, const
+ extern int sudo_term_erase, sudo_term_kill;
+ 
+ static char *
+-getln(int fd, char *buf, size_t bufsiz, int feedback,
+getln(int fd, char *buf, size_t bufsiz, bool feedback,
+       enum tgetpass_errval *errval)
+ {
+     size_t left = bufsiz;
+@@ -366,15 +370,15 @@ getln(int fd, char *buf, size_t bufsiz,
+ 		while (cp > buf) {
+ 		    if (write(fd, "\b \b", 3) == -1)
+ 			break;
+-		    --cp;
+		    cp--;
+ 		}
+		cp = buf;
+ 		left = bufsiz;
+ 		continue;
+ 	    } else if (c == sudo_term_erase) {
+ 		if (cp > buf) {
+-		    if (write(fd, "\b \b", 3) == -1)
+-			break;
+-		    --cp;
+		    ignore_result(write(fd, "\b \b", 3));
+		    cp--;
+ 		    left++;
+ 		}
+ 		continue;
--- a/SPECS/sudo.spec
+++ b/SPECS/sudo.spec
@ -1,7 +1,7 @@
				@@ -1,7 +1,7 @@
 Summary: Allows restricted root access for specified users
 Name: sudo
 Version: 1.8.23
-Release: 4%{?dist}.1
+Release: 9%{?dist}
 License: ISC
 Group: Applications/System
 URL: http://www.courtesan.com/sudo/
@ -52,14 +52,23 @@ Patch8: sudo-1.8.23-Ignore-PAM_NEW_AUTHTOK_REQD-and-PAM_AUTHTOK_EXPIRED.patch
				@@ -52,14 +52,23 @@ Patch8: sudo-1.8.23-Ignore-PAM_NEW_AUTHTOK_REQD-and-PAM_AUTHTOK_EXPIRED.patch
 # 1547974 - (sudo-rhel-7.6-rebase) Rebase sudo to latest stable upstream version
 Patch9: sudo-1.8.23-fix-double-quote-parsing-for-Defaults-values.patch

-# 1672876 - Backporting sudo bug with expired passwords
-Patch10: sudo-1.8.23-pam-expired-passwords.patch
+# 1647678 - sudo access denied with pam_access and pts terminal configurations
+# 1672876 - Backporting sudo bug with expired passwords - this is included in in this patch
+Patch10: sudo-1.8.23-pam_access-and-terminals.patch
+
 # 1665285 - Problem with sudo-1.8.23 and 'who am i'
 Patch11: sudo-1.8.23-who-am-i.patch

-# 1760694 - CVE-2019-14287 sudo: Privilege escalation via 'Runas' specification with 'ALL' keyword [rhel-7.7.z]
-Patch12: sudo-1.8.28-CVE-strtouid.patch
-Patch13: sudo-1.8.28-CVE-strtouid-test.patch
+# 1738841 - Crash in do_syslog() while doing sudoedit
+Patch12: sudo-1.8.23-fix_empty_username_in_do_syslog.patch
+
+# 1760694 - CVE-2019-14287 sudo: Privilege escalation via 'Runas' specification with 'ALL' keyword [rhel-7.8]
+Patch13: sudo-1.8.28-CVE-strtouid.patch
+Patch14: sudo-1.8.28-CVE-strtouid-test.patch
+
+# 1798095 - CVE-2019-18634 sudo: Stack based buffer overflow in when pwfeedback is enabled [rhel-7.8]
+Patch15: sudo-1.8.29-CVE-2019-18634-part1.patch
+Patch16: sudo-1.8.29-CVE-2019-18634-part2.patch

 %description
 Sudo (superuser do) allows a system administrator to give certain
@ -94,11 +103,16 @@ plugins that use %{name}.
				@@ -94,11 +103,16 @@ plugins that use %{name}.
 %patch8 -p1 -b .pam-mgmt-ignore-errors
 %patch9 -p1 -b .defaults-double-quote-fix

-%patch10 -p1 -b .pam-expired
+%patch10 -p1 -b .pam_access-and-terminals
+
 %patch11 -p1 -b .who-am-i
+%patch12 -p1 -b .do_syslog-username
+
+%patch13 -p1 -b .CVE-strtouid
+%patch14 -p1 -b .CVE-strtouid-test

-%patch12 -p1 -b .CVE-strtouid
-%patch13 -p1 -b .CVE-strtouid-test
+%patch15 -p1 -b .CVE-2019-18634-part1
+%patch16 -p1 -b .CVE-2019-18634-part2

 %build
 autoreconf -I m4 -fv --install
@ -172,7 +186,6 @@ auth       include      system-auth
				@@ -172,7 +186,6 @@ auth       include      system-auth
 account    include      system-auth
 password   include      system-auth
 session    optional     pam_keyinit.so revoke
-session    required     pam_limits.so
 session    include      system-auth
 EOF

@ -182,7 +195,6 @@ auth       include      sudo
				@@ -182,7 +195,6 @@ auth       include      sudo
 account    include      sudo
 password   include      sudo
 session    optional     pam_keyinit.so force revoke
-session    required     pam_limits.so
 session    include      sudo
 EOF

@ -237,10 +249,27 @@ rm -rf %{buildroot}
				@@ -237,10 +249,27 @@ rm -rf %{buildroot}
 %{_mandir}/man8/sudo_plugin.8*

 %changelog
-* Wed Oct 16 2019 Radovan Sroka <rsroka@redhat.com> 1.8.23-4.1
- RHEL-7.7.z
+* Wed Feb 05 2020 Radovan Sroka <rsroka@redhat.com> - 1.8.23-9
+- RHEL-7.8
+- CVE-2019-18634
+  Resolves: rhbz#1798095
+
+* Thu Oct 17 2019 Marek Tamaskovic <mtamasko@redhat.com> 1.8.23-8
+- RHEL-7.8
 - fixed CVE-2019-14287
-  Resolves: rhbz#1760694
+  Resolves: rhbz#1760695
+
+* Thu Aug 22 2019 Marek Tamaskovic <mtamasko@redhat.com> 1.8.23-7
+- RHEL-7.8 erratum
+  Resolves: rhbz#1738841 Crash in do_syslog() while doing sudoedit
+
+* Mon Aug 19 2019 Marek Tamaskovic <mtamasko@redhat.com> 1.8.23-6
+- RHEL-7.8 erratum
+  Resolves: rhbz#1647678 sudo access denied with pam_access and pts terminal configurations
+
+* Mon Aug 12 2019 Marek Tamaskovic <mtamasko@redhat.com> 1.8.23-5
+- RHEL-7.8 erratum
+  Resolves: rhbz#1711997 sudo is super slow when /etc/security/limits.conf contains many entries

 * Wed Feb 20 2019 Radovan Sroka <rsroka@redhat.com> 1.8.23-4
 - RHEL-7.7 erratum