diff --git a/.gitignore b/.gitignore
index 44949ff..420d45e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -10,3 +10,4 @@ sudo-1.7.2p2-sudoers
 /sudo-1.8.6.tar.gz
 /sudo-1.8.6p3.tar.gz
 /sudo-1.8.6p7.tar.gz
+/sudo-1.8.8.tar.gz
diff --git a/sources b/sources
index 95bc198..97b27b4 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
 56f74aed3a7b32f2b01a34d65ac86f85  sudo-1.7.4p4-sudoers
-126abfa2e841139e774d4c67d80f0e5b  sudo-1.8.6p7.tar.gz
+fc4f074090afd56d9ff4ff4e97321971  sudo-1.8.8.tar.gz
diff --git a/sudo-1.8.8-clangbugs.patch b/sudo-1.8.8-clangbugs.patch
new file mode 100644
index 0000000..9d4f1cb
--- /dev/null
+++ b/sudo-1.8.8-clangbugs.patch
@@ -0,0 +1,60 @@
+diff -up sudo-1.8.8/plugins/sudoers/auth/pam.c.clangbugs sudo-1.8.8/plugins/sudoers/auth/pam.c
+--- sudo-1.8.8/plugins/sudoers/auth/pam.c.clangbugs	2013-09-30 23:41:07.899529555 +0200
++++ sudo-1.8.8/plugins/sudoers/auth/pam.c	2013-09-30 23:41:58.988707761 +0200
+@@ -246,6 +246,7 @@ sudo_pam_begin_session(struct passwd *pw
+ 	    (void) pam_end(pamh, *pam_status | PAM_DATA_SILENT);
+ 	    pamh = NULL;
+ 	    status = AUTH_FAILURE;
++	    goto done;
+ 	}
+     }
+ 
+diff -up sudo-1.8.8/plugins/sudoers/sssd.c.clangbugs sudo-1.8.8/plugins/sudoers/sssd.c
+--- sudo-1.8.8/plugins/sudoers/sssd.c.clangbugs	2013-09-30 23:44:20.404200629 +0200
++++ sudo-1.8.8/plugins/sudoers/sssd.c	2013-09-30 23:49:05.998194738 +0200
+@@ -310,11 +310,10 @@ static int sudo_sss_close(struct sudo_ns
+     debug_decl(sudo_sss_close, SUDO_DEBUG_SSSD);
+ 
+     if (nss && nss->handle) {
+-	handle = nss->handle;
+-	dlclose(handle->ssslib);
++	    handle = nss->handle;
++	    dlclose(handle->ssslib);
++	    efree(nss->handle);
+     }
+-
+-    efree(nss->handle);
+     debug_return_int(0);
+ }
+ 
+@@ -705,17 +704,21 @@ sudo_sss_result_get(struct sudo_nss *nss
+ 	sudo_sss_result_filterp, _SUDO_SSS_FILTER_INCLUDE, NULL);
+ 
+     if (f_sss_result != NULL) {
+-	if (f_sss_result->num_rules > 0) {
+-	    if (state != NULL) {
+-		sudo_debug_printf(SUDO_DEBUG_DEBUG, "state |= HOSTMATCH");
+-		*state |= _SUDO_SSS_STATE_HOSTMATCH;
++	    if (f_sss_result->num_rules > 0) {
++		    if (state != NULL) {
++			    sudo_debug_printf(SUDO_DEBUG_DEBUG, "state |= HOSTMATCH");
++			    *state |= _SUDO_SSS_STATE_HOSTMATCH;
++		    }
+ 	    }
+-	}
+-    }
+ 
+-    sudo_debug_printf(SUDO_DEBUG_DEBUG,
+-	"u_sss_result=(%p, %u) => f_sss_result=(%p, %u)", u_sss_result,
+-	u_sss_result->num_rules, f_sss_result, f_sss_result->num_rules);
++	    sudo_debug_printf(SUDO_DEBUG_DEBUG,
++	                      "u_sss_result=(%p, %u) => f_sss_result=(%p, %u)", u_sss_result,
++	                      u_sss_result->num_rules, f_sss_result, f_sss_result->num_rules);
++    } else {
++	    sudo_debug_printf(SUDO_DEBUG_DEBUG,
++	                      "u_sss_result=(%p, %u) => f_sss_result=NULL",
++	                      u_sss_result, u_sss_result->num_rules);
++    }
+ 
+     handle->fn_free_result(u_sss_result);
+ 
diff --git a/sudo-1.8.8-sssdfixes.patch b/sudo-1.8.8-sssdfixes.patch
new file mode 100644
index 0000000..31edde6
--- /dev/null
+++ b/sudo-1.8.8-sssdfixes.patch
@@ -0,0 +1,119 @@
+diff -up sudo-1.8.8/plugins/sudoers/sssd.c.sssdfixes sudo-1.8.8/plugins/sudoers/sssd.c
+--- sudo-1.8.8/plugins/sudoers/sssd.c.sssdfixes	2013-09-30 23:18:49.641913457 +0200
++++ sudo-1.8.8/plugins/sudoers/sssd.c	2013-09-30 23:25:54.819376696 +0200
+@@ -534,30 +534,31 @@ sudo_sss_check_runas_group(struct sudo_s
+  * Walk through search results and return true if we have a runas match,
+  * else false.  RunAs info is optional.
+  */
+-static int
++static bool
+ sudo_sss_check_runas(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
+ {
+-    int ret;
++    bool ret;
+     debug_decl(sudo_sss_check_runas, SUDO_DEBUG_SSSD);
+ 
+     if (rule == NULL)
+-	 debug_return_int(false);
++	 debug_return_bool(false);
+ 
+     ret = sudo_sss_check_runas_user(handle, rule) != false &&
+ 	 sudo_sss_check_runas_group(handle, rule) != false;
+ 
+-    debug_return_int(ret);
++    debug_return_bool(ret);
+ }
+ 
+-static int
++static bool
+ sudo_sss_check_host(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
+ {
+     char **val_array, *val;
+-    int ret = false, i;
++    bool ret = false;
++    int i;
+     debug_decl(sudo_sss_check_host, SUDO_DEBUG_SSSD);
+ 
+     if (rule == NULL)
+-	debug_return_int(ret);
++	debug_return_bool(ret);
+ 
+     /* get the values from the rule */
+     switch (handle->fn_get_values(rule, "sudoHost", &val_array))
+@@ -566,10 +567,10 @@ sudo_sss_check_host(struct sudo_sss_hand
+ 	break;
+     case ENOENT:
+ 	sudo_debug_printf(SUDO_DEBUG_INFO, "No result.");
+-	debug_return_int(false);
++	debug_return_bool(false);
+     default:
+ 	sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values(sudoHost): != 0");
+-	debug_return_int(ret);
++	debug_return_bool(ret);
+     }
+ 
+     /* walk through values */
+@@ -589,7 +590,52 @@ sudo_sss_check_host(struct sudo_sss_hand
+ 
+     handle->fn_free_values(val_array);
+ 
+-    debug_return_int(ret);
++    debug_return_bool(ret);
++}
++
++/*
++ * Look for netgroup specifcations in the sudoUser attribute and
++ * if found, filter according to netgroup membership.
++ *  returns:
++ *   true -> netgroup spec found && negroup member
++ *  false -> netgroup spec found && not a meber of netgroup
++ *   true -> netgroup spec not found (filtered by SSSD already, netgroups are an exception)
++ */
++bool sudo_sss_filter_user_netgroup(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
++{
++	bool ret = false, netgroup_spec_found = false;
++	char **val_array, *val;
++	int i;
++	debug_decl(sudo_sss_check_user_netgroup, SUDO_DEBUG_SSSD);
++
++	if (!handle || !rule)
++		debug_return_bool(ret);
++
++	switch (handle->fn_get_values(rule, "sudoUser", &val_array)) {
++		case 0:
++			break;
++		case ENOENT:
++			sudo_debug_printf(SUDO_DEBUG_INFO, "No result.");
++			debug_return_bool(ret);
++		default:
++			sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values(sudoUser): != 0");
++			debug_return_bool(ret);
++	}
++
++	for (i = 0; val_array[i] != NULL && !ret; ++i) {
++		val = val_array[i];
++		if (*val == '+') {
++			netgroup_spec_found = true;
++		}
++		sudo_debug_printf(SUDO_DEBUG_DEBUG, "val[%d]=%s", i, val);
++		if (strcmp(val, "ALL") == 0 || netgr_matches(val, NULL, NULL, user_name)) {
++			ret = true;
++			sudo_debug_printf(SUDO_DEBUG_DIAG,
++			                  "sssd/ldap sudoUser '%s' ... MATCH! (%s)", val, user_name);
++		}
++	}
++	handle->fn_free_values(val_array);
++	debug_return_bool(netgroup_spec_found ? ret : true);
+ }
+ 
+ static int
+@@ -599,7 +645,8 @@ sudo_sss_result_filterp(struct sudo_sss_
+     (void)unused;
+     debug_decl(sudo_sss_result_filterp, SUDO_DEBUG_SSSD);
+ 
+-    if (sudo_sss_check_host(handle, rule))
++    if (sudo_sss_check_host(handle, rule) &&
++        sudo_sss_filter_user_netgroup(handle, rule))
+ 	debug_return_int(1);
+     else
+ 	debug_return_int(0);
diff --git a/sudo-1.8.8-strictuidgid.patch b/sudo-1.8.8-strictuidgid.patch
new file mode 100644
index 0000000..ebb14ff
--- /dev/null
+++ b/sudo-1.8.8-strictuidgid.patch
@@ -0,0 +1,53 @@
+diff -up sudo-1.8.8/plugins/sudoers/match.c.strictuidgid sudo-1.8.8/plugins/sudoers/match.c
+--- sudo-1.8.8/plugins/sudoers/match.c.strictuidgid	2013-09-30 23:30:12.359263967 +0200
++++ sudo-1.8.8/plugins/sudoers/match.c	2013-09-30 23:31:04.335443002 +0200
+@@ -777,14 +777,16 @@ hostname_matches(char *shost, char *lhos
+ bool
+ userpw_matches(char *sudoers_user, char *user, struct passwd *pw)
+ {
+-    debug_decl(userpw_matches, SUDO_DEBUG_MATCH)
+-
+-    if (pw != NULL && *sudoers_user == '#') {
+-	uid_t uid = (uid_t) atoi(sudoers_user + 1);
+-	if (uid == pw->pw_uid)
+-	    debug_return_bool(true);
+-    }
+-    debug_return_bool(strcmp(sudoers_user, user) == 0);
++	debug_decl(userpw_matches, SUDO_DEBUG_MATCH)
++	if (pw != NULL && *sudoers_user == '#') {
++		char *end = NULL;
++		uid_t uid = (uid_t) strtol(sudoers_user + 1, &end, 10);
++		if (end != NULL && (sudoers_user[1] != '\0' && *end == '\0')) {
++			if (uid == pw->pw_uid)
++				debug_return_bool(true);
++		}
++	}
++	debug_return_bool(strcmp(sudoers_user, user) == 0);
+ }
+ 
+ /*
+@@ -794,14 +796,16 @@ userpw_matches(char *sudoers_user, char
+ bool
+ group_matches(char *sudoers_group, struct group *gr)
+ {
+-    debug_decl(group_matches, SUDO_DEBUG_MATCH)
+-
+-    if (*sudoers_group == '#') {
+-	gid_t gid = (gid_t) atoi(sudoers_group + 1);
+-	if (gid == gr->gr_gid)
+-	    debug_return_bool(true);
+-    }
+-    debug_return_bool(strcmp(gr->gr_name, sudoers_group) == 0);
++	debug_decl(group_matches, SUDO_DEBUG_MATCH)
++	if (*sudoers_group == '#') {
++		char *end = NULL;
++		gid_t gid = (gid_t) strtol(sudoers_group + 1, &end, 10);
++		if (end != NULL && (sudoers_group[1] != '\0' && *end == '\0')) {
++			if (gid == gr->gr_gid)
++				debug_return_bool(true);
++		}
++	}
++	debug_return_bool(strcmp(gr->gr_name, sudoers_group) == 0);
+ }
+ 
+ /*
diff --git a/sudo.spec b/sudo.spec
index f12c88a..aefcc1e 100644
--- a/sudo.spec
+++ b/sudo.spec
@@ -1,7 +1,7 @@
 Summary: Allows restricted root access for specified users
 Name: sudo
-Version: 1.8.6p7
-Release: 2%{?dist}
+Version: 1.8.8
+Release: 1%{?dist}
 License: ISC
 Group: Applications/System
 URL: http://www.courtesan.com/sudo/
@@ -9,6 +9,7 @@ Source0: http://www.courtesan.com/sudo/dist/sudo-%{version}.tar.gz
 Source1: sudo-1.7.4p4-sudoers
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Requires: /etc/pam.d/system-auth, vim-minimal
+Requires(post): /bin/chmod
 
 BuildRequires: pam-devel
 BuildRequires: groff
@@ -26,6 +27,12 @@ BuildRequires: zlib-devel
 Patch1: sudo-1.6.7p5-strip.patch
 # configure.in fix
 Patch2: sudo-1.7.2p1-envdebug.patch
+# Fix several issues in the sssd code
+Patch3: sudo-1.8.8-sssdfixes.patch
+# Don't accept invalid number in uid/gid specifications
+Patch4: sudo-1.8.8-strictuidgid.patch
+# Fix several issues found by the clang static analyzer
+Patch5: sudo-1.8.8-clangbugs.patch
 
 %description
 Sudo (superuser do) allows a system administrator to give certain
@@ -52,6 +59,9 @@ plugins that use %{name}.
 
 %patch1 -p1 -b .strip
 %patch2 -p1 -b .envdebug
+%patch3 -p1 -b .sssdfixes
+%patch4 -p1 -b .strictuidgid
+%patch5 -p1 -b .clangbugs
 
 %build
 autoreconf -I m4 -fv --install
@@ -68,7 +78,7 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"
         --prefix=%{_prefix} \
         --sbindir=%{_sbindir} \
         --libdir=%{_libdir} \
-        --docdir=%{_datadir}/doc/%{name}-%{version} \
+        --docdir=%{_pkgdocdir} \
         --with-logging=syslog \
         --with-logfac=authpriv \
         --with-pam \
@@ -95,10 +105,10 @@ install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo
 install -p -d -m 750 $RPM_BUILD_ROOT/etc/sudoers.d
 install -p -c -m 0440 %{SOURCE1} $RPM_BUILD_ROOT/etc/sudoers
 
-chmod +x $RPM_BUILD_ROOT%{_libexecdir}/*.so # for stripping, reset in %%files
+chmod +x $RPM_BUILD_ROOT%{_libexecdir}/sudo/*.so # for stripping, reset in %%files
 
 # Remove execute permission on this script so we don't pull in perl deps
-chmod -x $RPM_BUILD_ROOT%{_docdir}/sudo-*/sudoers2ldif
+chmod -x $RPM_BUILD_ROOT%{_pkgdocdir}/sudoers2ldif
 
 %find_lang sudo
 %find_lang sudoers
@@ -140,17 +150,20 @@ rm -rf $RPM_BUILD_ROOT
 %attr(4111,root,root) %{_bindir}/sudoedit
 %attr(0111,root,root) %{_bindir}/sudoreplay
 %attr(0755,root,root) %{_sbindir}/visudo
-%attr(0755,root,root) %{_libexecdir}/sesh
-%attr(0644,root,root) %{_libexecdir}/sudo_noexec.so
-%attr(0644,root,root) %{_libexecdir}/sudoers.so
+%attr(0755,root,root) %{_libexecdir}/sudo/sesh
+%attr(0644,root,root) %{_libexecdir}/sudo/sudo_noexec.so
+%attr(0644,root,root) %{_libexecdir}/sudo/sudoers.so
+%attr(0644,root,root) %{_libexecdir}/sudo/group_file.so
+%attr(0644,root,root) %{_libexecdir}/sudo/system_group.so
 %{_mandir}/man5/sudoers.5*
 %{_mandir}/man5/sudoers.ldap.5*
+%{_mandir}/man5/sudo.conf.5*
 %{_mandir}/man8/sudo.8*
 %{_mandir}/man8/sudoedit.8*
 %{_mandir}/man8/sudoreplay.8*
 %{_mandir}/man8/visudo.8*
-%dir %{_docdir}/sudo-%{version}
-%{_docdir}/sudo-%{version}/*
+%dir %{_pkgdocdir}/
+%{_pkgdocdir}/*
 
 
 # Make sure permissions are ok even if we're updating
@@ -164,6 +177,31 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man8/sudo_plugin.8*
 
 %changelog
+* Mon Sep 30 2013 Daniel Kopecek <dkopecek@redhat.com> - 1.8.8-1
+- update to 1.8.8
+- major changes & fixes:
+  - LDAP SASL support now works properly with Kerberos
+  - root may no longer change its SELinux role without entering a password
+  - user messages are now always displayed in the user's locale, even when
+    the same message is being logged or mailed in a different locale.
+  - log files created by sudo now explicitly have the group set to group
+    ID 0 rather than relying on BSD group semantics
+  - sudo now stores its libexec files in a sudo subdirectory instead of in
+    libexec itself
+  - system_group and group_file sudoers group provider plugins are now
+    installed by default
+  - the paths to ldap.conf and ldap.secret may now be specified as arguments
+    to the sudoers plugin in the sudo.conf file
+  - ...and many new features and settings. See the upstream ChangeLog for the
+    full list.
+- several sssd support fixes
+- added patch to make uid/gid specification parsing more strict (don't accept
+  an invalid number as uid/gid)
+- use the _pkgdocdir macro
+  (see https://fedoraproject.org/wiki/Changes/UnversionedDocdirs)
+- fixed several bugs found by the clang static analyzer
+- added %%post dependency on chmod
+
 * Sun Aug 04 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.8.6p7-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild