From a5f9360d9a834c8995e7ec07feac039ad79e56b7 Mon Sep 17 00:00:00 2001
From: Daniel Kopecek
Date: Sep 30 2014 13:45:25 +0000
Subject: update to 1.8.11 - major changes & fixes: - when running a command in the background, sudo will now forward SIGINFO to the command - the passwords in ldap.conf and ldap.secret may now be encoded in base64. - SELinux role changes are now audited. For sudoedit, we now audit the actual editor being run, instead of just the sudoedit command. - it is now possible to match an environment variable's value as well as its name using env_keep and env_check - new files created via sudoedit as a non-root user now have the proper group id - sudoedit now works correctly in conjunction with sudo's SELinux RBAC support - it is now possible to disable network interface probing in sudo.conf by changing the value of the probe_interfaces setting - when listing a user's privileges (sudo -l), the sudoers plugin will now prompt for the user's password even if the targetpw, rootpw or runaspw options are set. - the new use_netgroups sudoers option can be used to explicitly enable or disable netgroups support - visudo can now export a sudoers file in JSON format using the new -x flag - added patch to read ldap.conf more closely to nss_ldap - require /usr/bin/vi instead of vim-minimal - include pam.d/system-auth in PAM session phase from pam.d/sudo - include pam.d/sudo in PAM session phase from pam.d/sudo-i
---
diff --git a/sudo-1.8.11b4-ldapconfpatch.patch b/sudo-1.8.11b4-ldapconfpatch.patch
new file mode 100644
index 0000000..c7e9937
--- /dev/null
+++ b/sudo-1.8.11b4-ldapconfpatch.patch
@@ -0,0 +1,54 @@
+diff -up sudo-1.8.11b4/plugins/sudoers/ldap.c.ldapconfpatch sudo-1.8.11b4/plugins/sudoers/ldap.c
+--- sudo-1.8.11b4/plugins/sudoers/ldap.c.ldapconfpatch 2014-07-22 22:52:34.000000000 +0200
++++ sudo-1.8.11b4/plugins/sudoers/ldap.c 2014-09-15 11:22:11.122094452 +0200
+@@ -1550,6 +1550,33 @@ sudo_check_krb5_ccname(const char *ccnam
+ }
+ #endif /* HAVE_LDAP_SASL_INTERACTIVE_BIND_S */
+ 
++/*
++ * Read a line of input, remove whole line comments and strip off leading
++ * and trailing spaces. Returns static storage that is reused.
++ */
++static char *
++sudo_ldap_parseln(fp)
++ FILE *fp;
++{
++ size_t len;
++ char *cp = NULL;
++ static char buf[LINE_MAX];
++
++ if (fgets(buf, sizeof(buf), fp) != NULL) {
++ /* Remove comments */
++ if (*buf == '#')
++ *buf = '\0';
++
++ /* Trim leading and trailing whitespace/newline */
++ len = strlen(buf);
++ while (len > 0 && isspace((unsigned char)buf[len - 1]))
++ buf[--len] = '\0';
++ for (cp = buf; isblank(*cp); cp++)
++ continue;
++ }
++ return(cp);
++}
++
+ static bool
+ sudo_ldap_read_config(void)
+ {
+@@ -1575,7 +1602,7 @@ sudo_ldap_read_config(void)
+ if ((fp = fopen(path_ldap_conf, "r")) == NULL)
+ debug_return_bool(false);
+ 
+- while (sudo_parseln(&line, &linesize, NULL, fp) != -1) {
++ while ((line = sudo_ldap_parseln(fp)) != NULL) {
+ if (*line == '\0')
+ continue; /* skip empty line */
+ 
+@@ -1595,7 +1622,6 @@ sudo_ldap_read_config(void)
+ if (!sudo_ldap_parse_keyword(keyword, value, ldap_conf_global))
+ sudo_ldap_parse_keyword(keyword, value, ldap_conf_conn);
+ }
+- free(line);
+ fclose(fp);
+ 
+ if (!ldap_conf.host)
diff --git a/sudo.spec b/sudo.spec
index 132e1f2..2da6fe3 100644
--- a/sudo.spec
+++ b/sudo.spec
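Review bot: In the new `sudo_ldap_parseln`, the leading-whitespace loop calls `isblank(*cp)` on a plain `char`, while the trailing-whitespace loop just above it casts to `unsigned char`; a byte with the high bit set in ldap.conf makes the argument negative, which is undefined behaviour for the `<ctype.h>` functions, so the loop should read `for (cp = buf; isblank((unsigned char)*cp); cp++)`. The function also swaps `sudo_parseln`'s growable line buffer for a fixed `static char buf[LINE_MAX]`, so a line longer than `LINE_MAX - 1` bytes comes back in pieces and the tail is handed to the keyword parser as if it were a separate line; if that is accepted for nss_ldap compatibility it deserves a sentence in the header comment, otherwise the remainder should be drained after a truncated `fgets`. Comment stripping only recognises `#` at column 0, so an indented comment line reaches the keyword parser — presumably intentional to mirror nss_ldap, but worth stating next to "remove whole line comments". The callers in `sudo_ldap_read_config` touched by the later inner hunks continue outside the hunk.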
@@ -1,14 +1,15 @@
 Summary: Allows restricted root access for specified users
 Name: sudo
-Version: 1.8.8
-Release: 7%{?dist}
+Version: 1.8.11
+Release: 1%{?dist}
 License: ISC
 Group: Applications/System
 URL: http://www.courtesan.com/sudo/
 Source0: http://www.courtesan.com/sudo/dist/sudo-%{version}.tar.gz
 Source1: sudo-1.8.8-sudoers
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
-Requires: /etc/pam.d/system-auth, vim-minimal
+Requires: /etc/pam.d/system-auth
+Requires: /usr/bin/vi
 Requires(post): /bin/chmod
 BuildRequires: pam-devel
@@ -25,14 +26,8 @@ BuildRequires: zlib-devel
 # don't strip
 Patch1: sudo-1.6.7p5-strip.patch
-# configure.in fix
-Patch2: sudo-1.7.2p1-envdebug.patch
-# Fix several issues in the sssd code
-Patch3: sudo-1.8.8-sssdfixes.patch
-# Don't accept invalid number in uid/gid specifications
-Patch4: sudo-1.8.8-strictuidgid.patch
-# Fix several issues found by the clang static analyzer
-Patch5: sudo-1.8.8-clangbugs.patch
+# Patch to read ldap.conf more closely to nss_ldap
+Patch2: sudo-1.8.11b4-ldapconfpatch.patch
 %description
 Sudo (superuser do) allows a system administrator to give certain
@@ -58,10 +53,7 @@ plugins that use %{name}.
 %setup -q
 %patch1 -p1 -b .strip
-%patch2 -p1 -b .envdebug
-%patch3 -p1 -b .sssdfixes
-%patch4 -p1 -b .strictuidgid
-%patch5 -p1 -b .clangbugs
+%patch2 -p1 -b .ldapconfpatch
 %build
 # Remove bundled copy of zlib
@@ -129,6 +121,7 @@ account include system-auth
 password include system-auth
 session optional pam_keyinit.so revoke
 session required pam_limits.so
+session include system-auth
 EOF
 cat > $RPM_BUILD_ROOT/etc/pam.d/sudo-i << EOF
@@ -137,7 +130,7 @@ auth include sudo
 account include sudo
 password include sudo
 session optional pam_keyinit.so force revoke
-session required pam_limits.so
+session include sudo
 EOF
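Review bot: The `session include system-auth` line added to the generated /etc/pam.d/sudo (hunk at -129) follows explicit `pam_keyinit.so` and `pam_limits.so` entries, and the sudo-i stack now reaches the same modules through `session include sudo`; if the distribution's system-auth session stack also lists those modules they run twice per sudo session, and every other session module configured in system-auth now applies to sudo as well, which is a behaviour change the spec does not explain. Neither heredoc says why the include is there, so a PAM comment such as `# run the distribution session modules (system-auth) for sudo sessions too` above the new line would record the intent for whoever next edits the stack. Reusing `Patch2` for the new ldap.conf patch (hunk at -25) right after the old `Patch2` was dropped is legal but makes the history harder to follow; a fresh number would be clearer. The section containing both heredocs starts outside the hunks.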
@@ -161,6 +154,7 @@ rm -rf $RPM_BUILD_ROOT
 %attr(0644,root,root) %{_libexecdir}/sudo/sudoers.so
 %attr(0644,root,root) %{_libexecdir}/sudo/group_file.so
 %attr(0644,root,root) %{_libexecdir}/sudo/system_group.so
+%attr(0644,root,root) %{_libexecdir}/sudo/libsudo_util.so.*
 %{_mandir}/man5/sudoers.5*
 %{_mandir}/man5/sudoers.ldap.5*
 %{_mandir}/man5/sudo.conf.5*
@@ -184,10 +178,33 @@ rm -rf $RPM_BUILD_ROOT
 %doc plugins/sample/sample_plugin.c
 %{_includedir}/sudo_plugin.h
 %{_mandir}/man8/sudo_plugin.8*
+%attr(0644,root,root) %{_libexecdir}/sudo/libsudo_util.so
+%attr(0644,root,root) %{_libexecdir}/sudo/*.la
 %changelog
-* Mon Aug 18 2014 Fedora Release Engineering - 1.8.8-7
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+* Tue Sep 30 2014 Daniel Kopecek - 1.8.11-1
+- update to 1.8.11
+- major changes & fixes:
+ - when running a command in the background, sudo will now forward
+ SIGINFO to the command
+ - the passwords in ldap.conf and ldap.secret may now be encoded in base64.
+ - SELinux role changes are now audited. For sudoedit, we now audit
+ the actual editor being run, instead of just the sudoedit command.
+ - it is now possible to match an environment variable's value as well as
+ its name using env_keep and env_check
+ - new files created via sudoedit as a non-root user now have the proper group id
+ - sudoedit now works correctly in conjunction with sudo's SELinux RBAC support
+ - it is now possible to disable network interface probing in sudo.conf by
+ changing the value of the probe_interfaces setting
+ - when listing a user's privileges (sudo -l), the sudoers plugin will now prompt
+ for the user's password even if the targetpw, rootpw or runaspw options are set.
+ - the new use_netgroups sudoers option can be used to explicitly enable or disable
+ netgroups support
+ - visudo can now export a sudoers file in JSON format using the new -x flag
+- added patch to read ldap.conf more closely to nss_ldap
+- require /usr/bin/vi instead of vim-minimal
+- include pam.d/system-auth in PAM session phase from pam.d/sudo
+- include pam.d/sudo in PAM session phase from pam.d/sudo-i
 * Tue Aug 5 2014 Tom Callaway - 1.8.8-6
 - fix license handling
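Review bot: The -devel file list (hunk at -184) now packages `%{_libexecdir}/sudo/*.la`; libtool archives are normally deleted in `%install` rather than shipped, since they embed build-time paths and the Fedora packaging guidelines ask for them to be removed, and the glob would also match any plugin `.la` files present, not only libsudo_util's. Unless something consumes them at runtime, drop that line and add `rm -f $RPM_BUILD_ROOT%{_libexecdir}/sudo/*.la` to `%install`, which lies outside this hunk. The `%files` section these lines belong to starts outside the hunk.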