diff --git a/.gitignore b/.gitignore
index 807abc9..7770bdb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,3 +3,4 @@ sudo-1.7.2p2-sudoers
 /sudo-1.7.4p4.tar.gz
 /sudo-1.7.2p2-sudoers
 /sudo-1.7.4p4-sudoers
+/sudo-1.7.4p5.tar.gz
diff --git a/sources b/sources
index 96e1461..c05bae3 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-55d9906535d70a1de347cd3d3550ee87 sudo-1.7.4p4.tar.gz
+4c8105507363371dea89ceb7c92187dd sudo-1.7.4p5.tar.gz
 56f74aed3a7b32f2b01a34d65ac86f85 sudo-1.7.4p4-sudoers
diff --git a/sudo-1.7.4p3-sudolist.patch b/sudo-1.7.4p3-sudolist.patch
deleted file mode 100644
index e75b445..0000000
--- a/sudo-1.7.4p3-sudolist.patch
+++ /dev/null
@@ -1,67 +0,0 @@ -diff -up sudo-1.7.4p3/parse.c.orig sudo-1.7.4p3/parse.c ---- sudo-1.7.4p3/parse.c.orig 2010-09-07 15:00:12.728260953 +0200 -+++ sudo-1.7.4p3/parse.c 2010-09-07 15:00:38.950188803 +0200 -@@ -158,8 +158,8 @@ sudo_file_lookup(nss, validated, pwflag) - - /* - * Only check the actual command if pwflag is not set. -- * It is set for the "validate", "list" and "kill" pseudo-commands. -- * Always check the host and user. -+ * It is set for the "sudovalidate", "sudolist" and "sudokill" -+ * pseudo-commands. Always check the host and user. - */ - if (pwflag) { - int nopass; -diff -up sudo-1.7.4p3/sudo.c.orig sudo-1.7.4p3/sudo.c ---- sudo-1.7.4p3/sudo.c.orig 2010-09-07 14:57:08.201198517 +0200 -+++ sudo-1.7.4p3/sudo.c 2010-09-07 14:55:47.208260545 +0200 -@@ -232,7 +232,7 @@ main(argc, argv, envp) - - pwflag = 0; - if (ISSET(sudo_mode, MODE_SHELL)) -- user_cmnd = "shell"; -+ user_cmnd = "sudoshell"; - else if (ISSET(sudo_mode, MODE_EDIT)) - user_cmnd = "sudoedit"; - else { -@@ -245,12 +245,12 @@ main(argc, argv, envp) - break; - case MODE_VALIDATE: - case MODE_VALIDATE|MODE_INVALIDATE: -- user_cmnd = "validate"; -+ user_cmnd = "sudovalidate"; - pwflag = I_VERIFYPW; - break; - case MODE_KILL: - case MODE_INVALIDATE: -- user_cmnd = "kill"; -+ user_cmnd = "sudokill"; - pwflag = -1; - break; - case MODE_LISTDEFS: -@@ -259,7 +259,7 @@ main(argc, argv, envp) - break; - case MODE_LIST: - case MODE_LIST|MODE_INVALIDATE: -- user_cmnd = "list"; -+ user_cmnd = "sudolist"; - pwflag = I_LISTPW; - break; - case MODE_CHECK: -@@ -701,13 +701,13 @@ init_vars(envp) - set_perms(PERM_ROOT); - - /* -- * If we were given the '-e', '-i' or '-s' options we need to redo -+ * If we were given the '-e', '-i', '-l' or '-s' options we need to redo - * NewArgv and NewArgc. 
- */
-- if (ISSET(sudo_mode, MODE_EDIT)) {
-+ if (ISSET(sudo_mode, MODE_EDIT|MODE_LIST)) {
- NewArgv--;
- NewArgc++;
-- NewArgv[0] = "sudoedit";
-+ NewArgv[0] = user_cmnd;
- } else if (ISSET(sudo_mode, MODE_SHELL)) {
- char **av;
- 
diff --git a/sudo-1.7.4p4-auditconn.patch b/sudo-1.7.4p4-auditconn.patch
deleted file mode 100644
index c04b15f..0000000
--- a/sudo-1.7.4p4-auditconn.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-diff -r 9a328aa25c53 -r a686884684ca linux_audit.c
---- a/linux_audit.c Fri Sep 17 12:13:17 2010 -0400
-+++ b/linux_audit.c Tue Sep 21 07:56:36 2010 -0400
-@@ -81,9 +81,9 @@
- }
- *--cp = '\0';
- 
-- /* Log command, ignoring EPERM on error. */
-+ /* Log command, ignoring ECONNREFUSED on error. */
- rc = audit_log_user_command(au_fd, AUDIT_USER_CMD, command, NULL, result);
-- if (rc <= 0)
-+ if (rc <= 0 && errno != ECONNREFUSED)
- warning("unable to send audit message");
- 
- efree(command);
diff --git a/sudo-1.7.4p4-getgrouplist-fixed.patch b/sudo-1.7.4p4-getgrouplist-fixed.patch
new file mode 100644
index 0000000..7d4fa21
--- /dev/null
+++ b/sudo-1.7.4p4-getgrouplist-fixed.patch
@@ -0,0 +1,42 @@
+diff -up sudo-1.7.4p4/configure.in.getgrouplist sudo-1.7.4p4/configure.in
+--- sudo-1.7.4p4/configure.in.getgrouplist 2011-01-11 10:45:49.170262147 +0100
++++ sudo-1.7.4p4/configure.in 2011-01-11 10:45:49.176261407 +0100
+@@ -1913,7 +1913,7 @@ AC_FUNC_GETGROUPS
+ AC_CHECK_FUNCS(strchr strrchr memchr memcpy memset sysconf tzset \
+ strftime setrlimit initgroups getgroups fstat gettimeofday \
+ regcomp setlocale getaddrinfo setenv vhangup \
+- mbr_check_membership setrlimit64)
++ mbr_check_membership setrlimit64 getgrouplist)
+ AC_CHECK_FUNCS(getline, [], [
+ AC_LIBOBJ(getline)
+ AC_CHECK_FUNCS(fgetln)
+diff -up sudo-1.7.4p4/pwutil.c.getgrouplist sudo-1.7.4p4/pwutil.c
+--- sudo-1.7.4p4/pwutil.c.getgrouplist 2010-08-06 15:44:30.000000000 +0200
++++ sudo-1.7.4p4/pwutil.c 2011-01-11 11:42:16.771282451 +0100
+@@ -628,5 +628,26 @@ user_in_group(pw, group)
+ }
+ #endif /* HAVE_MBR_CHECK_MEMBERSHIP */
+ 
++#ifdef HAVE_GETGROUPLIST
++ if (user_ngroups >= 0 &&
++ strcmp(pw->pw_name, list_pw ? list_pw->pw_name : user_name) == 0)
++ {
++ gid_t *grouplist, grouptmp;
++ int n_groups, i;
++ n_groups = 1;
++
++ if (getgrouplist(user_name, user_gid, &grouptmp, &n_groups) == -1) {
++ grouplist = (gid_t *) emalloc(sizeof(gid_t) * (n_groups + 1));
++ if (getgrouplist(user_name, user_gid, grouplist, &n_groups) > 0)
++ for (i = 0; i < n_groups; i++)
++ if (grouplist[i] == grp->gr_gid) {
++ free(grouplist);
++ return(TRUE);
++ }
++ free(grouplist);
++ }
++ }
++#endif /* HAVE_GETGROUPLIST */
++
+ return(FALSE);
+ }
diff --git a/sudo-1.7.4p4-getgrouplist.patch b/sudo-1.7.4p4-getgrouplist.patch
deleted file mode 100644
index dd584e7..0000000
--- a/sudo-1.7.4p4-getgrouplist.patch
+++ /dev/null
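Review bot: In the pwutil.c hunk of the new patch the single-group case is never checked: when the first getgrouplist() succeeds because the whole list fits the one-slot `grouptmp` (n_groups stays 1), the code falls through to `return(FALSE)` without comparing `grouptmp` with `grp->gr_gid`, since only the `== -1` too-small path allocates and scans. Whether the primary-gid check earlier in user_in_group (outside the hunk) makes that harmless cannot be seen here, so the branch should test `grouptmp` itself, as below. Two smaller points: `free(grouplist)` on memory from `emalloc()` departs from the `efree()` pairing used in the deleted auditconn patch, and the `+ 1` in `sizeof(gid_t) * (n_groups + 1)` buys nothing because `n_groups` is passed unchanged as the capacity of the second call. The gating condition is the security-relevant part of this version and deserves a comment such as `/* Only consult getgrouplist() for the user whose group vector user_ngroups describes: the list is built from user_name/user_gid, so applying it to any other pw would misattribute membership. */`. user_in_group's head and its earlier membership checks lie outside the hunk.
```c
	n_groups = 1;

	if (getgrouplist(user_name, user_gid, &grouptmp, &n_groups) != -1) {
	    /* The whole list fit in the single slot; it still has to be checked. */
	    if (n_groups == 1 && grouptmp == grp->gr_gid)
		return(TRUE);
	} else {
	    /* … unchanged: emalloc(), second getgrouplist() call and gr_gid scan, with free() replaced by efree() … */
	}
```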
@@ -1,39 +0,0 @@
-diff -up sudo-1.7.4p4/configure.in.getgrouplist sudo-1.7.4p4/configure.in
---- sudo-1.7.4p4/configure.in.getgrouplist 2010-09-07 15:53:38.400260828 +0200
-+++ sudo-1.7.4p4/configure.in 2010-09-07 15:54:48.751188374 +0200
-@@ -1913,7 +1913,7 @@ AC_FUNC_GETGROUPS
- AC_CHECK_FUNCS(strchr strrchr memchr memcpy memset sysconf tzset \
- strftime setrlimit initgroups getgroups fstat gettimeofday \
- regcomp setlocale getaddrinfo setenv vhangup \
-- mbr_check_membership setrlimit64)
-+ mbr_check_membership setrlimit64 getgrouplist)
- AC_CHECK_FUNCS(getline, [], [
- AC_LIBOBJ(getline)
- AC_CHECK_FUNCS(fgetln)
-diff -up sudo-1.7.4p4/pwutil.c.getgrouplist sudo-1.7.4p4/pwutil.c
---- sudo-1.7.4p4/pwutil.c.getgrouplist 2010-09-07 15:53:26.816198477 +0200
-+++ sudo-1.7.4p4/pwutil.c 2010-09-07 15:54:16.990188543 +0200
-@@ -628,5 +628,23 @@ user_in_group(pw, group)
- }
- #endif /* HAVE_MBR_CHECK_MEMBERSHIP */
- 
-+#ifdef HAVE_GETGROUPLIST
-+ {
-+ gid_t *grouplist, grouptmp;
-+ int n_groups, i;
-+ n_groups = 1;
-+ if (getgrouplist(user_name, user_gid, &grouptmp, &n_groups) == -1) {
-+ grouplist = (gid_t *) emalloc(sizeof(gid_t) * (n_groups + 1));
-+ if (getgrouplist(user_name, user_gid, grouplist, &n_groups) > 0)
-+ for (i = 0; i < n_groups; i++)
-+ if (grouplist[i] == grp->gr_gid) {
-+ free(grouplist);
-+ return(TRUE);
-+ }
-+ free(grouplist);
-+ }
-+ }
-+#endif /* HAVE_GETGROUPLIST */
-+
- return(FALSE);
- }
diff --git a/sudo.spec b/sudo.spec
index d090d90..06acb1f 100644
--- a/sudo.spec
+++ b/sudo.spec
@@ -1,7 +1,7 @@
 Summary: Allows restricted root access for specified users
 Name: sudo
-Version: 1.7.4p4
-Release: 5%{?dist}
+Version: 1.7.4p5
+Release: 1%{?dist}
 License: ISC
 Group: Applications/System
 URL: http://www.courtesan.com/sudo/
@@ -26,14 +26,11 @@ Patch1: sudo-1.6.7p5-strip.patch Patch2: sudo-1.7.2p1-envdebug.patch # add m4/ to paths in aclocal.m4 Patch3: sudo-1.7.4p3-m4path.patch -# don't emalloc(0) -Patch4: sudo-1.7.4p3-sudolist.patch # getgrouplist() to determine group membership (#235915) -Patch5: sudo-1.7.4p4-getgrouplist.patch +# - version with CVE-2009-0034 fixed +Patch4: sudo-1.7.4p4-getgrouplist-fixed.patch # reset HOME when using the `-i' option (#635250) -Patch6: sudo-1.7.4p4-sudoi.patch -# Ignore ECONREFUSED from audit_log_user_command() -Patch7: sudo-1.7.4p4-auditconn.patch +Patch5: sudo-1.7.4p4-sudoi.patch %description Sudo (superuser do) allows a system administrator to give certain @@ -52,10 +49,8 @@ on many different machines. %patch1 -p1 -b .strip %patch2 -p1 -b .envdebug %patch3 -p1 -b .m4path -%patch4 -p1 -b .sudolist -%patch5 -p1 -b .getgrouplist -%patch6 -p0 -b .sudoi -%patch7 -p1 -b .auditconn +%patch4 -p1 -b .getgrouplist +%patch5 -p0 -b .sudoi %build # handle newer autoconf @@ -128,7 +123,7 @@ rm -rf $RPM_BUILD_ROOT %files %defattr(-,root,root) %doc ChangeLog NEWS HISTORY LICENSE README* TROUBLESHOOTING UPGRADE -%doc sudoers.ldap.pod schema.* sudoers2ldif sample.* +%doc schema.* sudoers2ldif sample.* %attr(0440,root,root) %config(noreplace) /etc/sudoers %attr(0750,root,root) %dir /etc/sudoers.d/ %config(noreplace) /etc/pam.d/sudo @@ -152,6 +147,11 @@ rm -rf $RPM_BUILD_ROOT /bin/chmod 0440 /etc/sudoers || : %changelog +* Mon Jan 17 2011 Daniel Kopecek - 1.7.4p5-1 +- rebase to 1.7.4p5 +- fixed sudo-1.7.4p4-getgrouplist.patch +- fixes CVE-2011-0008, CVE-2011-0010 + * Tue Nov 30 2010 Daniel Kopecek - 1.7.4p4-5 - anybody in the wheel group has now root access (using password) (rhbz#656873) - sync configuration paths with the nss_ldap package (rhbz#652687)
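Review bot: The comment added for Patch4, `# - version with CVE-2009-0034 fixed`, and the changelog line `- fixed sudo-1.7.4p4-getgrouplist.patch` record that something was fixed but not what, which matters for a patch that decides group membership; a one-line statement of the actual change would let a later maintainer judge the patch without diffing the two versions, e.g. `# getgrouplist() to determine group membership (#235915); only consulted for the user whose group vector is loaded (earlier version applied it to every pw, cf. CVE-2009-0034)`. The removal of the sudolist and auditconn patches is likewise unexplained; if they were merged upstream in 1.7.4p5, as the rebase suggests, saying so in the `- rebase to 1.7.4p5` changelog entry would prevent a future attempt to re-add them.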