Message ID | 20210127201444.3979076-1-adolf.belka@ipfire.org |
---|---|
State | Accepted |
Commit | 273708295b5553f174b27101a33c7d1402e4eb78 |
Series | sudo: Upgrade to 1.9.5p2 |
Commit Message
Adolf Belka
Jan. 27, 2021, 8:14 p.m. UTC
- Update sudo from 1.9.5p1 to 1.9.5p2
- Major changes between version 1.9.5p2 and 1.9.5p1:
Fixed sudo's setprogname(3) emulation on systems that don't provide it.
Fixed a problem with the sudoers log server client where a partial write to the server could result in the sudo process consuming large amounts of CPU time due to a cycle in the buffer queue. Bug #954.
Added a missing dependency on libsudo_util in libsudo_eventlog. Fixes a link error when building sudo statically.
The user's KRB5CCNAME environment variable is now preserved when performing PAM authentication. This fixes GSSAPI authentication when the user has a non-default ccache.
When invoked as sudoedit, the same set of command line options are now accepted as for sudo -e. The -H and -P options are now rejected for sudoedit and sudo -e which matches the sudo 1.7 behavior. This is part of the fix for CVE-2021-3156.
Fixed a potential buffer overflow when unescaping backslashes in the command's arguments. Normally, sudo escapes special characters when running a command via a shell (sudo -s or sudo -i). However, it was also possible to run sudoedit with the -s or -i flags in which case no escaping had actually been done, making a buffer overflow possible. This fixes CVE-2021-3156.
- No change to rootfile
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
lfs/sudo | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
Comments
Hello Adolf,

thank you. Looks good to me.

Reviewed-by: Peter Müller <peter.mueller@ipfire.org>

Thanks, and best regards,
Peter Müller

> - Update sudo from 1.9.5p1 to 1.9.5p2
> - Major changes between version 1.9.5p2 and 1.9.5p1:
> Fixed sudo's setprogname(3) emulation on systems that don't provide it.
> Fixed a problem with the sudoers log server client where a partial write to the server could result in the sudo process consuming large amounts of CPU time due to a cycle in the buffer queue. Bug #954.
> Added a missing dependency on libsudo_util in libsudo_eventlog. Fixes a link error when building sudo statically.
> The user's KRB5CCNAME environment variable is now preserved when performing PAM authentication. This fixes GSSAPI authentication when the user has a non-default ccache.
> When invoked as sudoedit, the same set of command line options are now accepted as for sudo -e. The -H and -P options are now rejected for sudoedit and sudo -e which matches the sudo 1.7 behavior. This is part of the fix for CVE-2021-3156.
> Fixed a potential buffer overflow when unescaping backslashes in the command's arguments. Normally, sudo escapes special characters when running a command via a shell (sudo -s or sudo -i). However, it was also possible to run sudoedit with the -s or -i flags in which case no escaping had actually been done, making a buffer overflow possible. This fixes CVE-2021-3156.
> - No change to rootfile
>
> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
> ---
> lfs/sudo | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/lfs/sudo b/lfs/sudo > index feba249cd..bb2279e8f 100644 > --- a/lfs/sudo > +++ b/lfs/sudo > @@ -24,7 +24,7 @@ > > include Config > > -VER = 1.9.5p1 > +VER = 1.9.5p2 > > THISAPP = sudo-$(VER) > DL_FILE = $(THISAPP).tar.gz 
> @@ -40,7 +40,7 @@ objects = $(DL_FILE) > > $(DL_FILE) = $(DL_FROM)/$(DL_FILE) > > -$(DL_FILE)_MD5 = 145f6e69c116f82cf0377ccf459344eb > +$(DL_FILE)_MD5 = e6bc4c18c06346e6b3431637a2b5f3d5 > > install : $(TARGET) > >
Thank you to both of you for working on this.

I have merged this into next :)

> On 27 Jan 2021, at 20:48, Peter Müller <peter.mueller@ipfire.org> wrote:
>
> Hello Adolf,
>
> thank you. Looks good to me.
>
> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
>
> Thanks, and best regards,
> Peter Müller
>
>
>> - Update sudo from 1.9.5p1 to 1.9.5p2
>> - Major changes between version 1.9.5p2 and 1.9.5p1:
>> Fixed sudo's setprogname(3) emulation on systems that don't provide it.
>> Fixed a problem with the sudoers log server client where a partial write to the server could result in the sudo process consuming large amounts of CPU time due to a cycle in the buffer queue. Bug #954.
>> Added a missing dependency on libsudo_util in libsudo_eventlog. Fixes a link error when building sudo statically.
>> The user's KRB5CCNAME environment variable is now preserved when performing PAM authentication. This fixes GSSAPI authentication when the user has a non-default ccache.
>> When invoked as sudoedit, the same set of command line options are now accepted as for sudo -e. The -H and -P options are now rejected for sudoedit and sudo -e which matches the sudo 1.7 behavior. This is part of the fix for CVE-2021-3156.
>> Fixed a potential buffer overflow when unescaping backslashes in the command's arguments. Normally, sudo escapes special characters when running a command via a shell (sudo -s or sudo -i). However, it was also possible to run sudoedit with the -s or -i flags in which case no escaping had actually been done, making a buffer overflow possible. This fixes CVE-2021-3156.
>> - No change to rootfile
>>
>> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
>> ---
>> lfs/sudo | 4 ++--
>> 1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/lfs/sudo b/lfs/sudo >> index feba249cd..bb2279e8f 100644 >> --- a/lfs/sudo >> +++ b/lfs/sudo 
>> @@ -24,7 +24,7 @@ >> >> include Config >> >> -VER = 1.9.5p1 >> +VER = 1.9.5p2 >> >> THISAPP = sudo-$(VER) >> DL_FILE = $(THISAPP).tar.gz >> @@ -40,7 +40,7 @@ objects = $(DL_FILE) >> >> $(DL_FILE) = $(DL_FROM)/$(DL_FILE) >> >> -$(DL_FILE)_MD5 = 145f6e69c116f82cf0377ccf459344eb >> +$(DL_FILE)_MD5 = e6bc4c18c06346e6b3431637a2b5f3d5 >> >> install : $(TARGET) >> >>
diff --git a/lfs/sudo b/lfs/sudo index feba249cd..bb2279e8f 100644 --- a/lfs/sudo +++ b/lfs/sudo @@ -24,7 +24,7 @@ include Config -VER = 1.9.5p1 +VER = 1.9.5p2 THISAPP = sudo-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 145f6e69c116f82cf0377ccf459344eb +$(DL_FILE)_MD5 = e6bc4c18c06346e6b3431637a2b5f3d5 install : $(TARGET)
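Review bot: At the VER line in the first hunk, the bump from 1.9.5p1 to 1.9.5p2 is what brings in the CVE-2021-3156 fix, yet the subject reads only "sudo: Upgrade to 1.9.5p2" and the CVE is mentioned last in a long changelog. Naming the CVE in the subject, for example "sudo: Upgrade to 1.9.5p2 (CVE-2021-3156)", would make the security fix visible in one-line log views and easier to find when checking which branches carry it.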
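Review bot: In the second hunk, the new tarball is pinned only by "$(DL_FILE)_MD5 = e6bc4c18c06346e6b3431637a2b5f3d5", and MD5 is not collision-resistant, so this line catches a corrupted download but is weak evidence that the archive is the one upstream released. For a release that fixes a buffer overflow in sudo, state in the commit message how the tarball was verified (against upstream's published SHA-256 or its PGP signature), and add a stronger digest alongside the MD5 line if the build system accepts one.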