From f3e71ab92b9c02bb3bf65ffa76c3a5fc7873bf33 Mon Sep 17 00:00:00 2001
From: basebuilder_pel7x64builder0
Date: Sun, 2 Aug 2020 11:16:35 +0200
Subject: [PATCH] sudo package update
Signed-off-by: basebuilder_pel7x64builder0
---
...8.23-fix_empty_username_in_do_syslog.patch | 35 ++
...sudo-1.8.23-pam_access-and-terminals.patch | 344 ++++++++++++++++++
.../sudo-1.8.29-CVE-2019-18634-part1.patch | 158 ++++++++
.../sudo-1.8.29-CVE-2019-18634-part2.patch | 77 ++++
SPECS/sudo.spec | 57 ++-
5 files changed, 657 insertions(+), 14 deletions(-)
create mode 100644 SOURCES/sudo-1.8.23-fix_empty_username_in_do_syslog.patch
create mode 100644 SOURCES/sudo-1.8.23-pam_access-and-terminals.patch
create mode 100644 SOURCES/sudo-1.8.29-CVE-2019-18634-part1.patch
create mode 100644 SOURCES/sudo-1.8.29-CVE-2019-18634-part2.patch
diff --git a/SOURCES/sudo-1.8.23-fix_empty_username_in_do_syslog.patch b/SOURCES/sudo-1.8.23-fix_empty_username_in_do_syslog.patch
new file mode 100644
index 00000000..8ad39558
--- /dev/null
+++ b/SOURCES/sudo-1.8.23-fix_empty_username_in_do_syslog.patch
@@ -0,0 +1,35 @@
+diff --git a/plugins/sudoers/logging.c b/plugins/sudoers/logging.c
+index 2c685cd..7751a67 100644
+--- a/plugins/sudoers/logging.c
++++ b/plugins/sudoers/logging.c
+@@ -106,7 +106,15 @@ do_syslog(int pri, char *msg)
+ * Log the full line, breaking into multiple syslog(3) calls if necessary
+ */
+ fmt = _("%8s : %s");
+- maxlen = def_syslog_maxlen - (strlen(fmt) - 5 + strlen(sudo_user_name));
++
++
++ if (!sudo_user_name) {
++ maxlen = def_syslog_maxlen - (strlen(fmt) - 5);
++ }
++ else {
++ maxlen = def_syslog_maxlen - (strlen(fmt) - 5 + strlen(sudo_user_name));
++ }
++
+ for (p = msg; *p != '\0'; ) {
+ len = strlen(p);
+ if (len > maxlen) {
+@@ -122,7 +130,12 @@ do_syslog(int pri, char *msg)
+ save = *tmp;
+ *tmp = '\0';
+
+- mysyslog(pri, fmt, sudo_user_name, p);
++ if(!sudo_user_name) {
++ mysyslog(pri, fmt, "NaN", p);
++ }
++ else{
++ mysyslog(pri, fmt, sudo_user_name, p);
++ }
+
+ *tmp = save; /* restore saved character */
+
diff --git a/SOURCES/sudo-1.8.23-pam_access-and-terminals.patch b/SOURCES/sudo-1.8.23-pam_access-and-terminals.patch
new file mode 100644
index 00000000..94c46c8d
--- /dev/null
+++ b/SOURCES/sudo-1.8.23-pam_access-and-terminals.patch
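Review bot: In the NULL-username branch the new `maxlen` computation does not account for the `"NaN"` placeholder that the second inner hunk later substitutes into `%8s`, so each syslog chunk may run 3 bytes past the bound `def_syslog_maxlen` was meant to impose, and the two if/else pairs duplicate the same decision. Choosing the name once, `const char *user = sudo_user_name ? sudo_user_name : "NaN";`, then `maxlen = def_syslog_maxlen - (strlen(fmt) - 5 + strlen(user));` and `mysyslog(pri, fmt, user, p);`, keeps both sites in step and removes both if/else blocks. "NaN" is also an odd token for a username field that log consumers may parse, though replacing it would change the logged text. do_syslog() continues outside the hunk, and nothing here records why sudo_user_name can be NULL during sudoedit (rhbz#1738841 per the spec), which deserves a comment at the site.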
@@ -0,0 +1,344 @@ +unchanged: +--- b/plugins/sudoers/auth/pam.c ++++ b/plugins/sudoers/auth/pam.c +@@ -210,59 +210,71 @@ + sudo_pam_approval(struct passwd *pw, sudo_auth *auth, bool exempt) + { + const char *s; ++ int rc, status = AUTH_SUCCESS; + int *pam_status = (int *) auth->data; + debug_decl(sudo_pam_approval, SUDOERS_DEBUG_AUTH) + +- *pam_status = pam_acct_mgmt(pamh, PAM_SILENT); +- switch (*pam_status) { ++ rc = pam_acct_mgmt(pamh, PAM_SILENT); ++ switch (rc) { + case PAM_SUCCESS: +- debug_return_int(AUTH_SUCCESS); ++ break; + case PAM_AUTH_ERR: + log_warningx(0, N_("account validation failure, " + "is your account locked?")); +- debug_return_int(AUTH_FATAL); ++ status = AUTH_FATAL; ++ break; + case PAM_NEW_AUTHTOK_REQD: + /* Ignore if user is exempt from password restrictions. */ +- if (exempt) +- debug_return_int(AUTH_SUCCESS); ++ if (exempt) { ++ rc = *pam_status; ++ break; ++ } + /* New password required, try to change it. */ + log_warningx(0, N_("Account or password is " + "expired, reset your password and try again")); +- *pam_status = pam_chauthtok(pamh, +- PAM_CHANGE_EXPIRED_AUTHTOK); +- if (*pam_status == PAM_SUCCESS) +- debug_return_int(AUTH_SUCCESS); +- if ((s = pam_strerror(pamh, *pam_status)) == NULL) ++ rc = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK); ++ if (rc == PAM_SUCCESS) ++ break; ++ if ((s = pam_strerror(pamh, rc)) == NULL) + s = "unknown error"; + log_warningx(0, + N_("unable to change expired password: %s"), s); +- debug_return_int(AUTH_FAILURE); ++ status = AUTH_FAILURE; ++ break; + case PAM_AUTHTOK_EXPIRED: + /* Ignore if user is exempt from password restrictions. */ +- if (exempt) +- debug_return_int(AUTH_SUCCESS); ++ if (exempt) { ++ rc = *pam_status; ++ break; ++ } + /* Password expired, cannot be updated by user. 
*/ + log_warningx(0, + N_("Password expired, contact your system administrator")); +- debug_return_int(AUTH_FATAL); ++ status = AUTH_FATAL; ++ break; + case PAM_ACCT_EXPIRED: + log_warningx(0, + N_("Account expired or PAM config lacks an \"account\" " + "section for sudo, contact your system administrator")); +- debug_return_int(AUTH_FATAL); ++ status = AUTH_FATAL; ++ break; + case PAM_AUTHINFO_UNAVAIL: + case PAM_MAXTRIES: + case PAM_PERM_DENIED: +- s = pam_strerror(pamh, *pam_status); ++ s = pam_strerror(pamh, rc); + log_warningx(0, N_("PAM account management error: %s"), + s ? s : "unknown error"); +- debug_return_int(AUTH_FAILURE); ++ status = AUTH_FAILURE; ++ break; + default: +- s = pam_strerror(pamh, *pam_status); ++ s = pam_strerror(pamh, rc); + log_warningx(0, N_("PAM account management error: %s"), + s ? s : "unknown error"); +- debug_return_int(AUTH_FATAL); ++ status = AUTH_FATAL; ++ break; + } ++ *pam_status = rc; ++ debug_return_int(status); + } + + int +unchanged: +--- a/doc/sudoers.cat ++++ b/doc/sudoers.cat +@@ -1286,6 +1286,17 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS + well as the _P_r_e_v_e_n_t_i_n_g _s_h_e_l_l _e_s_c_a_p_e_s section at the end + of this manual. This flag is _o_f_f by default. + ++ pam_acct_mgmt On systems that use PAM for authentication, ssuuddoo will ++ perform PAM account validation for the invoking user by ++ default. The actual checks performed depend on which ++ PAM modules are configured. If enabled, account ++ validation will be performed regardless of whether or ++ not a password is required. This flag is _o_n by ++ default. ++ ++ This setting is only supported by version 1.8.28 or ++ higher. ++ + pam_session On systems that use PAM for authentication, ssuuddoo will + create a new PAM session for the command to be run in. + Disabling _p_a_m___s_e_s_s_i_o_n may be needed on older PAM +unchanged: +--- a/doc/sudoers.man.in ++++ b/doc/sudoers.man.in +@@ -2722,6 +2722,19 @@ This flag is + \fIoff\fR + by default. 
+ .TP 18n ++pam_acct_mgmt ++On systems that use PAM for authentication, ++\fBsudo\fR ++will perform PAM account validation for the invoking user by default. ++The actual checks performed depend on which PAM modules are configured. ++If enabled, account validation will be performed regardless of whether ++or not a password is required. ++This flag is ++\fIon\fR ++by default. ++.sp ++This setting is only supported by version 1.8.28 or higher. ++.TP 18n + pam_session + On systems that use PAM for authentication, + \fBsudo\fR +unchanged: +--- a/doc/sudoers.mdoc.in ++++ b/doc/sudoers.mdoc.in +@@ -2560,6 +2560,18 @@ section at the end of this manual. + This flag is + .Em off + by default. ++.It pam_acct_mgmt ++On systems that use PAM for authentication, ++.Nm sudo ++will perform PAM account validation for the invoking user by default. ++The actual checks performed depend on which PAM modules are configured. ++If enabled, account validation will be performed regardless of whether ++or not a password is required. ++This flag is ++.Em on ++by default. ++.Pp ++This setting is only supported by version 1.8.28 or higher. + .It pam_session + On systems that use PAM for authentication, + .Nm sudo +only in patch2: +unchanged: +--- ./plugins/sudoers/auth/pam.c.pamm 2019-01-11 21:30:17.000000000 +0100 ++++ ./plugins/sudoers/auth/pam.c 2019-08-02 15:14:38.980077956 +0200 +@@ -214,66 +214,68 @@ sudo_pam_approval(struct passwd *pw, sud + int *pam_status = (int *) auth->data; + debug_decl(sudo_pam_approval, SUDOERS_DEBUG_AUTH) + +- rc = pam_acct_mgmt(pamh, PAM_SILENT); +- switch (rc) { +- case PAM_SUCCESS: +- break; +- case PAM_AUTH_ERR: +- log_warningx(0, N_("account validation failure, " +- "is your account locked?")); +- status = AUTH_FATAL; +- break; +- case PAM_NEW_AUTHTOK_REQD: +- /* Ignore if user is exempt from password restrictions. */ +- if (exempt) { +- rc = *pam_status; +- break; +- } +- /* New password required, try to change it. 
*/ +- log_warningx(0, N_("Account or password is " +- "expired, reset your password and try again")); +- rc = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK); +- if (rc == PAM_SUCCESS) +- break; +- if ((s = pam_strerror(pamh, rc)) == NULL) +- s = "unknown error"; +- log_warningx(0, +- N_("unable to change expired password: %s"), s); +- status = AUTH_FAILURE; +- break; +- case PAM_AUTHTOK_EXPIRED: +- /* Ignore if user is exempt from password restrictions. */ +- if (exempt) { +- rc = *pam_status; +- break; +- } +- /* Password expired, cannot be updated by user. */ +- log_warningx(0, +- N_("Password expired, contact your system administrator")); +- status = AUTH_FATAL; +- break; +- case PAM_ACCT_EXPIRED: +- log_warningx(0, +- N_("Account expired or PAM config lacks an \"account\" " +- "section for sudo, contact your system administrator")); +- status = AUTH_FATAL; +- break; +- case PAM_AUTHINFO_UNAVAIL: +- case PAM_MAXTRIES: +- case PAM_PERM_DENIED: +- s = pam_strerror(pamh, rc); +- log_warningx(0, N_("PAM account management error: %s"), +- s ? s : "unknown error"); +- status = AUTH_FAILURE; +- break; +- default: +- s = pam_strerror(pamh, rc); +- log_warningx(0, N_("PAM account management error: %s"), +- s ? s : "unknown error"); +- status = AUTH_FATAL; +- break; ++ if (def_pam_acct_mgmt) { ++ rc = pam_acct_mgmt(pamh, PAM_SILENT); ++ switch (rc) { ++ case PAM_SUCCESS: ++ break; ++ case PAM_AUTH_ERR: ++ log_warningx(0, N_("account validation failure, " ++ "is your account locked?")); ++ status = AUTH_FATAL; ++ break; ++ case PAM_NEW_AUTHTOK_REQD: ++ /* Ignore if user is exempt from password restrictions. */ ++ if (exempt) { ++ rc = *pam_status; ++ break; ++ } ++ /* New password required, try to change it. 
*/ ++ log_warningx(0, N_("Account or password is " ++ "expired, reset your password and try again")); ++ rc = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK); ++ if (rc == PAM_SUCCESS) ++ break; ++ if ((s = pam_strerror(pamh, rc)) == NULL) ++ s = "unknown error"; ++ log_warningx(0, ++ N_("unable to change expired password: %s"), s); ++ status = AUTH_FAILURE; ++ break; ++ case PAM_AUTHTOK_EXPIRED: ++ /* Ignore if user is exempt from password restrictions. */ ++ if (exempt) { ++ rc = *pam_status; ++ break; ++ } ++ /* Password expired, cannot be updated by user. */ ++ log_warningx(0, ++ N_("Password expired, contact your system administrator")); ++ status = AUTH_FATAL; ++ break; ++ case PAM_ACCT_EXPIRED: ++ log_warningx(0, ++ N_("Account expired or PAM config lacks an \"account\" " ++ "section for sudo, contact your system administrator")); ++ status = AUTH_FATAL; ++ break; ++ case PAM_AUTHINFO_UNAVAIL: ++ case PAM_MAXTRIES: ++ case PAM_PERM_DENIED: ++ s = pam_strerror(pamh, rc); ++ log_warningx(0, N_("PAM account management error: %s"), ++ s ? s : "unknown error"); ++ status = AUTH_FAILURE; ++ break; ++ default: ++ s = pam_strerror(pamh, rc); ++ log_warningx(0, N_("PAM account management error: %s"), ++ s ? 
s : "unknown error"); ++ status = AUTH_FATAL; ++ break; ++ } ++ *pam_status = rc; + } +- *pam_status = rc; + debug_return_int(status); + } + +only in patch2: +unchanged: +--- ./plugins/sudoers/defaults.c.pamm 2019-08-02 15:14:38.973077882 +0200 ++++ ./plugins/sudoers/defaults.c 2019-08-02 15:14:38.987078030 +0200 +@@ -642,6 +642,7 @@ init_defaults(void) + if ((def_editor = strdup(EDITOR)) == NULL) + goto oom; + def_set_utmp = true; ++ def_pam_acct_mgmt = true; + def_pam_setcred = true; + def_syslog_maxlen = MAXSYSLOGLEN; + def_case_insensitive_user = true; +only in patch2: +unchanged: +--- ./plugins/sudoers/def_data.c.pamm 2019-08-02 15:14:38.976077914 +0200 ++++ ./plugins/sudoers/def_data.c 2019-08-02 15:20:37.592876029 +0200 +@@ -502,6 +502,10 @@ struct sudo_defs_types sudo_defs_table[] + N_("Don't fork and wait for the command to finish, just exec it"), + NULL, + }, { ++ "pam_acct_mgmt", T_FLAG, ++ N_("Perform PAM account validation management"), ++ NULL, ++ }, { + NULL, 0, NULL + } + }; +only in patch2: +unchanged: +--- ./plugins/sudoers/def_data.h.pamm 2019-08-02 15:14:38.976077914 +0200 ++++ ./plugins/sudoers/def_data.h 2019-08-02 15:14:38.987078030 +0200 +@@ -230,6 +230,8 @@ + #define def_legacy_group_processing (sudo_defs_table[I_LEGACY_GROUP_PROCESSING].sd_un.flag) + #define I_CMND_NO_WAIT 115 + #define def_cmnd_no_wait (sudo_defs_table[I_CMND_NO_WAIT].sd_un.flag) ++#define I_PAM_ACCT_MGMT 116 ++#define def_pam_acct_mgmt (sudo_defs_table[I_PAM_ACCT_MGMT].sd_un.flag) + + enum def_tuple { + never, +only in patch2: +unchanged: +--- ./plugins/sudoers/def_data.in.pamm 2019-08-02 15:14:38.976077914 +0200 ++++ ./plugins/sudoers/def_data.in 2019-08-02 15:14:38.987078030 +0200 +@@ -363,3 +363,6 @@ legacy_group_processing + cmnd_no_wait + T_FLAG + "Don't fork and wait for the command to finish, just exec it" ++pam_acct_mgmt ++ T_FLAG ++ "Perform PAM account validation management" 
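Review bot: The sudoers(5) text added for pam_acct_mgmt in the doc/sudoers.cat, doc/sudoers.man.in and doc/sudoers.mdoc.in hunks says the setting "is only supported by version 1.8.28 or higher", which is copied from upstream and is misleading in a 1.8.23 package that now ships the option; an administrator reading the installed manual would conclude it cannot be used here. The documentation also omits the consequence visible in the second pam.c hunk: with `def_pam_acct_mgmt` off, sudo_pam_approval() skips `pam_acct_mgmt()` entirely and leaves `*pam_status` untouched, so account-stage restrictions (locked or expired accounts, and the pam_access rules this backport is about) are no longer checked by sudo — a sentence such as `Disabling this means restrictions enforced by PAM account modules, such as locked or expired accounts, are not checked by sudo.` belongs in all three manual sources. The value returned in that case appears to be the initial AUTH_SUCCESS from the first hunk's declaration, but that declaration is outside the second pam.c hunk so I cannot confirm it there. The file is also an interdiff (`unchanged:` / `only in patch2:` markers, mixed `a/` and `./` path prefixes); patch(1) tolerates the markers, but a plain unified diff would be easier to rebase.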
diff --git a/SOURCES/sudo-1.8.29-CVE-2019-18634-part1.patch b/SOURCES/sudo-1.8.29-CVE-2019-18634-part1.patch
new file mode 100644
index 00000000..5b719190
--- /dev/null
+++ b/SOURCES/sudo-1.8.29-CVE-2019-18634-part1.patch
@@ -0,0 +1,158 @@
+diff -up ./src/tgetpass.c.bla ./src/tgetpass.c
+--- ./src/tgetpass.c.bla 2018-08-18 16:10:15.000000000 +0200
++++ ./src/tgetpass.c 2020-02-05 17:15:16.216904891 +0100
+@@ -44,11 +44,18 @@
+ #include "sudo.h"
+ #include "sudo_plugin.h"
+
++enum tgetpass_errval {
++ TGP_ERRVAL_NOERROR,
++ TGP_ERRVAL_TIMEOUT,
++ TGP_ERRVAL_NOPASSWORD,
++ TGP_ERRVAL_READERROR
++};
++
+ static volatile sig_atomic_t signo[NSIG];
+
+ static bool tty_present(void);
+ static void tgetpass_handler(int);
+-static char *getln(int, char *, size_t, int);
++static char *getln(int, char *, size_t, int, enum tgetpass_errval *);
+ static char *sudo_askpass(const char *, const char *);
+
+ static int
+@@ -77,6 +84,27 @@ suspend(int signo, struct sudo_conv_call
+ debug_return_int(ret);
+ }
+
++static void
++tgetpass_display_error(enum tgetpass_errval errval)
++{
++ debug_decl(tgetpass_display_error, SUDO_DEBUG_CONV)
++
++ switch (errval) {
++ case TGP_ERRVAL_NOERROR:
++ break;
++ case TGP_ERRVAL_TIMEOUT:
++ sudo_warnx(U_("timed out reading password"));
++ break;
++ case TGP_ERRVAL_NOPASSWORD:
++ sudo_warnx(U_("no password was provided"));
++ break;
++ case TGP_ERRVAL_READERROR:
++ sudo_warn(U_("unable to read password"));
++ break;
++ }
++ debug_return;
++}
++
+ /*
+ * Like getpass(3) but with timeout and echo flags.
+ */
+@@ -90,6 +118,7 @@ tgetpass(const char *prompt, int timeout
+ static const char *askpass;
+ static char buf[SUDO_CONV_REPL_MAX + 1];
+ int i, input, output, save_errno, neednl = 0, need_restart;
++ enum tgetpass_errval errval;
+ debug_decl(tgetpass, SUDO_DEBUG_CONV)
+
+ (void) fflush(stdout);
+@@ -175,7 +204,7 @@ restart:
+
+ if (timeout > 0)
+ alarm(timeout);
+- pass = getln(input, buf, sizeof(buf), ISSET(flags, TGP_MASK));
++ pass = getln(input, buf, sizeof(buf), ISSET(flags, TGP_MASK), &errval);
+ alarm(0);
+ save_errno = errno;
+
+@@ -183,6 +212,7 @@ restart:
+ if (write(output, "\n", 1) == -1)
+ goto restore;
+ }
++ tgetpass_display_error(errval);
+
+ restore:
+ /* Restore old signal handlers. */
+@@ -210,6 +240,8 @@ restore:
+ for (i = 0; i < NSIG; i++) {
+ if (signo[i]) {
+ switch (i) {
++ case SIGALRM:
++ break;
+ case SIGTSTP:
+ case SIGTTIN:
+ case SIGTTOU:
+@@ -239,6 +271,7 @@ sudo_askpass(const char *askpass, const
+ {
+ static char buf[SUDO_CONV_REPL_MAX + 1], *pass;
+ struct sigaction sa, savechld;
++ enum tgetpass_errval errval;
+ int pfd[2], status;
+ pid_t child;
+ debug_decl(sudo_askpass, SUDO_DEBUG_CONV)
+@@ -281,9 +314,11 @@ sudo_askpass(const char *askpass, const
+
+ /* Get response from child (askpass). */
+ (void) close(pfd[1]);
+- pass = getln(pfd[0], buf, sizeof(buf), 0);
++ pass = getln(pfd[0], buf, sizeof(buf), 0, &errval);
+ (void) close(pfd[0]);
+
++ tgetpass_display_error(errval);
++
+ /* Wait for child to exit. */
+ for (;;) {
+ pid_t rv = waitpid(child, &status, 0);
+@@ -305,7 +340,8 @@ sudo_askpass(const char *askpass, const
+ extern int sudo_term_erase, sudo_term_kill;
+
+ static char *
+-getln(int fd, char *buf, size_t bufsiz, int feedback)
++getln(int fd, char *buf, size_t bufsiz, int feedback,
++ enum tgetpass_errval *errval)
+ {
+ size_t left = bufsiz;
+ ssize_t nr = -1;
+@@ -313,7 +349,10 @@ getln(int fd, char *buf, size_t bufsiz,
+ char c = '\0';
+ debug_decl(getln, SUDO_DEBUG_CONV)
+
++ *errval = TGP_ERRVAL_NOERROR;
++
+ if (left == 0) {
++ *errval = TGP_ERRVAL_READERROR;
+ errno = EINVAL;
+ debug_return_str(NULL); /* sanity */
+ }
+@@ -354,14 +393,27 @@ getln(int fd, char *buf, size_t bufsiz,
+ }
+ }
+
+- debug_return_str_masked(nr == 1 ? buf : NULL);
++ if (nr != 1) {
++ if (nr == 0) {
++ *errval = TGP_ERRVAL_NOPASSWORD;
++ } else if (nr == -1) {
++ if (errno == EINTR) {
++ if (signo[SIGALRM] == 1)
++ *errval = TGP_ERRVAL_TIMEOUT;
++ } else {
++ *errval = TGP_ERRVAL_READERROR;
++ }
++ }
++ debug_return_str(NULL);
++ }
++
++ debug_return_str_masked(buf);
+ }
+
+ static void
+ tgetpass_handler(int s)
+ {
+- if (s != SIGALRM)
+- signo[s] = 1;
++ signo[s] = 1;
+ }
+
+ static bool
diff --git a/SOURCES/sudo-1.8.29-CVE-2019-18634-part2.patch b/SOURCES/sudo-1.8.29-CVE-2019-18634-part2.patch
new file mode 100644
index 00000000..86743bab
--- /dev/null
+++ b/SOURCES/sudo-1.8.29-CVE-2019-18634-part2.patch
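Review bot: In tgetpass() the new `tgetpass_display_error(errval)` call is placed after the `if (write(output, "\n", 1) == -1) goto restore;` block, so when the trailing newline cannot be written the read error is never reported, and for TGP_ERRVAL_READERROR `sudo_warn()` reports whatever `errno` holds at that point rather than the value captured in `save_errno` immediately after getln(). Moving the call to directly after `save_errno = errno;`, before the newline write, reports the error on every path and with the read's own errno. The timeout detection relies on the handler change at the end of the hunk (`signo[s] = 1;` now also records SIGALRM), which is why the restore loop gains `case SIGALRM: break;`; a comment there, `/* SIGALRM is consumed by the timeout check in getln(); do not re-raise it. */`, would spare the next reader the cross-reference. Both tgetpass() and getln() extend outside this hunk, and the outer header announces 158 lines while only 151 are visible, so the tail of the patch may be missing from this view.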
@@ -0,0 +1,77 @@
+diff -up ./src/tgetpass.c.CVE-2019-18634 ./src/tgetpass.c
+--- ./src/tgetpass.c.CVE-2019-18634 2020-02-05 17:16:07.601420697 +0100
++++ ./src/tgetpass.c 2020-02-05 17:22:34.206301510 +0100
+@@ -55,7 +55,7 @@ static volatile sig_atomic_t signo[NSIG]
+
+ static bool tty_present(void);
+ static void tgetpass_handler(int);
+-static char *getln(int, char *, size_t, int, enum tgetpass_errval *);
++static char *getln(int, char *, size_t, bool, enum tgetpass_errval *);
+ static char *sudo_askpass(const char *, const char *);
+
+ static int
+@@ -118,6 +118,7 @@ tgetpass(const char *prompt, int timeout
+ static const char *askpass;
+ static char buf[SUDO_CONV_REPL_MAX + 1];
+ int i, input, output, save_errno, neednl = 0, need_restart;
++ bool feedback = ISSET(flags, TGP_MASK);
+ enum tgetpass_errval errval;
+ debug_decl(tgetpass, SUDO_DEBUG_CONV)
+
+@@ -165,7 +166,7 @@ restart:
+ */
+ if (!ISSET(flags, TGP_ECHO)) {
+ for (;;) {
+- if (ISSET(flags, TGP_MASK))
++ if (feedback)
+ neednl = sudo_term_cbreak(input);
+ else
+ neednl = sudo_term_noecho(input);
+@@ -179,6 +180,9 @@ restart:
+ }
+ }
+ }
++ /* Only use feedback mode when we can disable echo. */
++ if (!neednl)
++ feedback = false;
+
+ /*
+ * Catch signals that would otherwise cause the user to end
+@@ -204,7 +208,7 @@ restart:
+
+ if (timeout > 0)
+ alarm(timeout);
+- pass = getln(input, buf, sizeof(buf), ISSET(flags, TGP_MASK), &errval);
++ pass = getln(input, buf, sizeof(buf), feedback, &errval);
+ alarm(0);
+ save_errno = errno;
+
+@@ -340,7 +344,7 @@ sudo_askpass(const char *askpass, const
+ extern int sudo_term_erase, sudo_term_kill;
+
+ static char *
+-getln(int fd, char *buf, size_t bufsiz, int feedback,
++getln(int fd, char *buf, size_t bufsiz, bool feedback,
+ enum tgetpass_errval *errval)
+ {
+ size_t left = bufsiz;
+@@ -366,15 +370,15 @@ getln(int fd, char *buf, size_t bufsiz,
+ while (cp > buf) {
+ if (write(fd, "\b \b", 3) == -1)
+ break;
+- --cp;
++ cp--;
+ }
++ cp = buf;
+ left = bufsiz;
+ continue;
+ } else if (c == sudo_term_erase) {
+ if (cp > buf) {
+- if (write(fd, "\b \b", 3) == -1)
+- break;
+- --cp;
++ ignore_result(write(fd, "\b \b", 3));
++ cp--;
+ left++;
+ }
+ continue;
diff --git a/SPECS/sudo.spec b/SPECS/sudo.spec
index b4703670..ce0645b4 100644
--- a/SPECS/sudo.spec
+++ b/SPECS/sudo.spec
@@ -1,7 +1,7 @@
Summary: Allows restricted root access for specified users
Name: sudo
Version: 1.8.23
-Release: 4%{?dist}.1
+Release: 9%{?dist}
License: ISC
Group: Applications/System
URL: http://www.courtesan.com/sudo/
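Review bot: The overflow fix in the last getln() hunk is right — `cp = buf;` after the kill-character loop and the unconditional `cp--; left++;` in the erase branch keep `cp` and `left` consistent even when the `\b \b` write fails, which is the CVE-2019-18634 condition — but nothing records why the write result is now deliberately ignored, and `ignore_result()` invites a later "fix" back to the checked form. A comment at the kill branch, `/* Reset cp even if the erase writes failed; left is reset below and must match. */`, and at the erase branch, `/* Feedback output is cosmetic; cp and left must stay in sync regardless. */`, would pin the invariant. The `feedback = false` fallback when `neednl` is zero is what stops feedback mode from running on a terminal whose echo could not be disabled; stating that in the comment, rather than only "when we can disable echo", would make the dependency on sudo_term_cbreak()'s return value explicit. sudo_askpass() still passes the literal `0` to the now-`bool` feedback parameter (visible in the part1 patch); `false` would match the new signature. getln() and tgetpass() both continue outside the hunk.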
@@ -52,14 +52,23 @@ Patch8: sudo-1.8.23-Ignore-PAM_NEW_AUTHTOK_REQD-and-PAM_AUTHTOK_EXPIRED.patch
# 1547974 - (sudo-rhel-7.6-rebase) Rebase sudo to latest stable upstream version
Patch9: sudo-1.8.23-fix-double-quote-parsing-for-Defaults-values.patch
-# 1672876 - Backporting sudo bug with expired passwords
-Patch10: sudo-1.8.23-pam-expired-passwords.patch
+# 1647678 - sudo access denied with pam_access and pts terminal configurations
+# 1672876 - Backporting sudo bug with expired passwords - this is included in in this patch
+Patch10: sudo-1.8.23-pam_access-and-terminals.patch
+
# 1665285 - Problem with sudo-1.8.23 and 'who am i'
Patch11: sudo-1.8.23-who-am-i.patch
-# 1760694 - CVE-2019-14287 sudo: Privilege escalation via 'Runas' specification with 'ALL' keyword [rhel-7.7.z]
-Patch12: sudo-1.8.28-CVE-strtouid.patch
-Patch13: sudo-1.8.28-CVE-strtouid-test.patch
+# 1738841 - Crash in do_syslog() while doing sudoedit
+Patch12: sudo-1.8.23-fix_empty_username_in_do_syslog.patch
+
+# 1760694 - CVE-2019-14287 sudo: Privilege escalation via 'Runas' specification with 'ALL' keyword [rhel-7.8]
+Patch13: sudo-1.8.28-CVE-strtouid.patch
+Patch14: sudo-1.8.28-CVE-strtouid-test.patch
+
+# 1798095 - CVE-2019-18634 sudo: Stack based buffer overflow in when pwfeedback is enabled [rhel-7.8]
+Patch15: sudo-1.8.29-CVE-2019-18634-part1.patch
+Patch16: sudo-1.8.29-CVE-2019-18634-part2.patch
%description
Sudo (superuser do) allows a system administrator to give certain
@@ -94,11 +103,16 @@ plugins that use %{name}.
%patch8 -p1 -b .pam-mgmt-ignore-errors
%patch9 -p1 -b .defaults-double-quote-fix
-%patch10 -p1 -b .pam-expired
+%patch10 -p1 -b .pam_access-and-terminals
+
%patch11 -p1 -b .who-am-i
+%patch12 -p1 -b .do_syslog-username
+
+%patch13 -p1 -b .CVE-strtouid
+%patch14 -p1 -b .CVE-strtouid-test
-%patch12 -p1 -b .CVE-strtouid
-%patch13 -p1 -b .CVE-strtouid-test
+%patch15 -p1 -b .CVE-2019-18634-part1
+%patch16 -p1 -b .CVE-2019-18634-part2
%build
autoreconf -I m4 -fv --install
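Review bot: The Patch15 comment reads "Stack based buffer overflow in when pwfeedback is enabled" and the Patch10 comment "included in in this patch"; both carry a doubled word — `# 1798095 - CVE-2019-18634 sudo: Stack based buffer overflow when pwfeedback is enabled [rhel-7.8]` and `# 1672876 - Backporting sudo bug with expired passwords - this is included in this patch`. The Patch13 comment keeps bug 1760694 for CVE-2019-14287 while the %changelog entry further down in this file now reads `Resolves: rhbz#1760695`; one of the two ids is presumably wrong, and the spec comment and changelog should agree so the CVE can be traced to a single bug. Part2 of the CVE-2019-18634 fix assumes part1 is already applied (its hunk offsets are against the part1 output); the %prep hunk does apply them in that order, but a note on Patch16 such as `# depends on Patch15 (part1); keep the order` would protect the sequence from a future reshuffle.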
@@ -172,7 +186,6 @@ auth include system-auth
account include system-auth
password include system-auth
session optional pam_keyinit.so revoke
-session required pam_limits.so
session include system-auth
EOF
@@ -182,7 +195,6 @@ auth include sudo
account include sudo
password include sudo
session optional pam_keyinit.so force revoke
-session required pam_limits.so
session include sudo
EOF
@@ -237,10 +249,27 @@ rm -rf %{buildroot}
%{_mandir}/man8/sudo_plugin.8*
%changelog
-* Wed Oct 16 2019 Radovan Sroka 1.8.23-4.1
-- RHEL-7.7.z
+* Wed Feb 05 2020 Radovan Sroka - 1.8.23-9
+- RHEL-7.8
+- CVE-2019-18634
+ Resolves: rhbz#1798095
+
+* Thu Oct 17 2019 Marek Tamaskovic 1.8.23-8
+- RHEL-7.8
- fixed CVE-2019-14287
- Resolves: rhbz#1760694
+ Resolves: rhbz#1760695
+
+* Thu Aug 22 2019 Marek Tamaskovic 1.8.23-7
+- RHEL-7.8 erratum
+ Resolves: rhbz#1738841 Crash in do_syslog() while doing sudoedit
+
+* Mon Aug 19 2019 Marek Tamaskovic 1.8.23-6
+- RHEL-7.8 erratum
+ Resolves: rhbz#1647678 sudo access denied with pam_access and pts terminal configurations
+
+* Mon Aug 12 2019 Marek Tamaskovic 1.8.23-5
+- RHEL-7.8 erratum
+ Resolves: rhbz#1711997 sudo is super slow when /etc/security/limits.conf contains many entries
* Wed Feb 20 2019 Radovan Sroka 1.8.23-4
- RHEL-7.7 erratum
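Review bot: Dropping `session required pam_limits.so` from the PAM stack written by the first heredoc (and from the sudo-i stack in the next hunk, which has the same change) alters which resource limits apply to commands run through sudo, yet the only rationale anywhere is the changelog line about limits.conf being slow (rhbz#1711997). If the included `system-auth` session stack already runs pam_limits on this platform the line was a duplicate and nothing is lost; if it does not, limits.conf entries stop being applied to sudo sessions, which is a silent hardening regression that a reader of the spec cannot distinguish from the first case. A comment beside the heredoc stating the actual reason, for example `# pam_limits is already applied via system-auth; listing it twice doubles the limits.conf parse (rhbz#1711997)` if that is what was established, would make the change reviewable and keep it from being reintroduced as a "fix".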