diff --git a/.gitignore b/.gitignore index 82092b4..44949ff 100644 --- a/.gitignore +++ b/.gitignore @@ -9,3 +9,4 @@ sudo-1.7.2p2-sudoers /sudo-1.8.5.tar.gz /sudo-1.8.6.tar.gz /sudo-1.8.6p3.tar.gz +/sudo-1.8.6p7.tar.gz diff --git a/sources b/sources index 10ec75c..95bc198 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ 56f74aed3a7b32f2b01a34d65ac86f85 sudo-1.7.4p4-sudoers -a7b5c39a904721956eccddd30689250f sudo-1.8.6p3.tar.gz +126abfa2e841139e774d4c67d80f0e5b sudo-1.8.6p7.tar.gz diff --git a/sudo.spec b/sudo.spec index 6c6cd1d..35f41ff 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,7 +1,7 @@ Summary: Allows restricted root access for specified users Name: sudo -Version: 1.8.6p3 -Release: 2%{?dist} +Version: 1.8.6p7 +Release: 1%{?dist} License: ISC Group: Applications/System URL: http://www.courtesan.com/sudo/ @@ -20,15 +20,12 @@ BuildRequires: audit-libs-devel libcap-devel BuildRequires: libselinux-devel BuildRequires: sendmail BuildRequires: gettext +BuildRequires: zlib-devel # don't strip Patch1: sudo-1.6.7p5-strip.patch # configure.in fix Patch2: sudo-1.7.2p1-envdebug.patch -# Do not inform the user that the command was not permitted by the policy -# if they do not successfully authenticate. This is a regression introduced -# in sudo 1.8.6. -Patch3: sudo-1.8.6p3-noauthwarn-regression.patch %description Sudo (superuser do) allows a system administrator to give certain @@ -55,7 +52,6 @@ plugins that use %{name}. %patch1 -p1 -b .strip %patch2 -p1 -b .envdebug -%patch3 -p1 -b .noauthwarn-regression %build autoreconf -I m4 -fv --install 
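Review bot: Dropping `Patch3: sudo-1.8.6p3-noauthwarn-regression.patch` in the sudo.spec hunk at -20,15 (and its `%patch3` line in the hunk at -55,7) is not explained anywhere in the commit. The new %changelog entry lists the update, the CVE fixes and the packaging fixes, but not the patch removal. According to the removed comment, the patch stopped sudo from telling a user who failed to authenticate that the command was not permitted by the policy. Presumably 1.8.6p7 carries that fix upstream, but nothing visible here establishes it. Once that is checked against the 1.8.6p7 source, I would add a changelog line such as `- dropped noauthwarn-regression patch (included upstream)`.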
@@ -72,22 +68,22 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" --prefix=%{_prefix} \ --sbindir=%{_sbindir} \ --libdir=%{_libdir} \ - --docdir=%{_datadir}/doc/%{name}-%{version} \ + --docdir=%{_datadir}/doc/%{name}-%{version} \ --with-logging=syslog \ --with-logfac=authpriv \ --with-pam \ - --with-pam-login \ + --with-pam-login \ --with-editor=/bin/vi \ --with-env-editor \ --with-ignore-dot \ --with-tty-tickets \ --with-ldap \ - --with-selinux \ - --with-passprompt="[sudo] password for %p: " \ - --with-linux-audit \ - --with-sssd -# --without-kerb5 \ -# --without-kerb4 + --with-selinux \ + --with-passprompt="[sudo] password for %p: " \ + --with-linux-audit \ + --with-sssd +# --without-kerb5 \ +# --without-kerb4 make %install @@ -99,6 +95,8 @@ install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo install -p -d -m 750 $RPM_BUILD_ROOT/etc/sudoers.d install -p -c -m 0440 %{SOURCE1} $RPM_BUILD_ROOT/etc/sudoers +chmod +x $RPM_BUILD_ROOT%{_libexecdir}/*.so # for stripping, reset in %%files + # Remove execute permission on this script so we don't pull in perl deps chmod -x $RPM_BUILD_ROOT%{_docdir}/sudo-*/sudoers2ldif @@ -110,7 +108,7 @@ rm sudo.lang sudoers.lang mkdir -p $RPM_BUILD_ROOT/etc/pam.d cat > $RPM_BUILD_ROOT/etc/pam.d/sudo << EOF -#%PAM-1.0 +#%%PAM-1.0 auth include system-auth account include system-auth password include system-auth @@ -119,7 +117,7 @@ session required pam_limits.so EOF cat > $RPM_BUILD_ROOT/etc/pam.d/sudo-i << EOF -#%PAM-1.0 +#%%PAM-1.0 auth include sudo account include sudo password include sudo @@ -128,7 +126,7 @@ session required pam_limits.so EOF -%clean +%clean rm -rf $RPM_BUILD_ROOT %files -f sudo_all.lang 
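Review bot: The added `chmod +x $RPM_BUILD_ROOT%{_libexecdir}/*.so` in the %install hunk at -99,6 marks every shared object in libexecdir executable, but the reset its comment refers to exists only for the two files given `%attr(0644,root,root)` in the %files hunk at -143,14. Any other .so that lands in that directory in a later release and is listed without an explicit %attr would be packaged with the execute bit set, and nothing ties the two places together. I would name the files instead of globbing, `chmod +x $RPM_BUILD_ROOT%{_libexecdir}/sudo_noexec.so $RPM_BUILD_ROOT%{_libexecdir}/sudoers.so`. Alternatively, extend the comment to `# for stripping; every .so matched here needs %%attr(0644,root,root) in %%files`.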
@@ -143,14 +141,15 @@ rm -rf $RPM_BUILD_ROOT %attr(0111,root,root) %{_bindir}/sudoreplay %attr(0755,root,root) %{_sbindir}/visudo %attr(0755,root,root) %{_libexecdir}/sesh -%{_libexecdir}/sudo_noexec.* -%{_libexecdir}/sudoers.* +%attr(0644,root,root) %{_libexecdir}/sudo_noexec.so +%attr(0644,root,root) %{_libexecdir}/sudoers.so %{_mandir}/man5/sudoers.5* %{_mandir}/man5/sudoers.ldap.5* %{_mandir}/man8/sudo.8* %{_mandir}/man8/sudoedit.8* %{_mandir}/man8/sudoreplay.8* %{_mandir}/man8/visudo.8* +%dir %{_docdir}/sudo-%{version} %{_docdir}/sudo-%{version}/* @@ -165,6 +164,16 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/sudo_plugin.8* %changelog +* Thu Feb 28 2013 Daniel Kopecek - 1.8.6p7-1 +- update to 1.8.6p7 +- fixes CVE-2013-1775 and CVE-2013-1776 +- fixed several packaging issues (thanks to ville.skytta@iki.fi) + - build with system zlib. + - let rpmbuild strip libexecdir/*.so. + - own the %%{_docdir}/sudo-* dir. + - fix some rpmlint warnings (spaces vs tabs, unescaped macros). + - fix bogus %%changelog dates. + * Mon Nov 12 2012 Daniel Kopecek - 1.8.6p3-2 - added upstream patch for a regression - don't include arch specific files in the -devel subpackage @@ -208,7 +217,7 @@ rm -rf $RPM_BUILD_ROOT * Sat Jan 14 2012 Fedora Release Engineering - 1.8.3p1-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild -* Tue Nov 10 2011 Daniel Kopecek - 1.8.3p1-1 +* Thu Nov 10 2011 Daniel Kopecek - 1.8.3p1-1 - update to 1.8.3p1 - disable output word wrapping if the output is piped @@ -341,7 +350,7 @@ rm -rf $RPM_BUILD_ROOT - upgrade to the latest upstream release - add selinux support -* Mon Feb 02 2008 Dennis Gilmore 1.6.9p4-6 +* Mon Feb 04 2008 Dennis Gilmore 1.6.9p4-6 - sparc64 needs to be in the -fPIE list with s390 * Mon Jan 07 2008 Peter Vrabec 1.6.9p4-5 
@@ -467,7 +476,7 @@ rm -rf $RPM_BUILD_ROOT * Thu Apr 1 2004 Thomas Woerner 1.6.7p5-25 - fixed spec file: sesh in file section with selinux flag (#119682) -* Thu Mar 30 2004 Colin Walters 1.6.7p5-24 +* Tue Mar 30 2004 Colin Walters 1.6.7p5-24 - Enhance sesh.c to fork/exec children itself, to avoid having sudo reap all domains. - Only reinstall default signal handlers immediately before @@ -629,7 +638,7 @@ rm -rf $RPM_BUILD_ROOT * Tue Oct 27 1998 Preston Brown - fixed so it doesn't find /usr/bin/vi first, but instead /bin/vi (always installed) -* Fri Oct 08 1998 Michael Maher +* Thu Oct 08 1998 Michael Maher - built package for 5.2 * Mon May 18 1998 Michael Maher