From patchwork Wed Mar 17 21:42:22 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 3951
From: Adolf Belka
To: development@lists.ipfire.org
Subject: [PATCH] sudo: Update to 1.9.6p1
Date: Wed, 17 Mar 2021 22:42:22 +0100
Message-Id: <20210317214222.40830-1-adolf.belka@ipfire.org>

- Update from 1.9.5p2 to 1.9.6p1
- Update not required for rootfile
- Changelog

  Major changes between version 1.9.6p1 and 1.9.6:

    - Fixed a regression introduced in sudo 1.9.6 that resulted in an error message instead of a usage message when sudo is run with no arguments.

  Major changes between version 1.9.6 and 1.9.5p2:

    - Fixed a sudo_sendlog compilation problem with the AIX xlC compiler.
    - Fixed a regression introduced in sudo 1.9.4 where the --disable-root-mailer configure option had no effect.
    - Added a --disable-leaks configure option that avoids some memory leaks on exit that would otherwise occur. This is intended to be used with development tools that measure memory leaks. It is not safe to use in production at this time.
    - Plugged some memory leaks identified by oss-fuzz and ASAN.
    - Fixed the handling of sudoOptions for an LDAP sudoRole that contains multiple sudoCommands. Previously, some of the options would only be applied to the first sudoCommand.
    - Fixed a potential out of bounds read in the parsing of NOTBEFORE and NOTAFTER sudoers command options (and their LDAP equivalents).
    - The parser used for reading I/O log JSON files is now more resilient when processing invalid JSON.
    - Fixed typos that prevented make uninstall from working. GitHub issue #87.
    - Fixed a regression introduced in sudo 1.9.4 where the last line in a sudoers file might not have a terminating NUL character added if no newline was present.
    - Integrated oss-fuzz and LLVM's libFuzzer with sudo. The new --enable-fuzzer configure option can be combined with the --enable-sanitizer option to build sudo with fuzzing support. Multiple fuzz targets are available for fuzzing different parts of sudo. Fuzzers are built and tested via make fuzz or as part of make check (even when sudo is not built with fuzzing support). Fuzzing support currently requires the LLVM clang compiler (not gcc).
    - Fixed the --enable-static-sudoers configure option. GitHub issue #92.
    - Fixed a potential out of bounds read when sudo is run by a user with more groups than the value of max_groups in sudo.conf.
    - Added an admin_flag sudoers option to make the use of the ~/.sudo_as_admin_successful file configurable on systems where sudo is built with the --enable-admin-flag configure option. This mostly affects Ubuntu and its derivatives. GitHub issue #56.
    - The max_groups setting in sudo.conf is now limited to 1024. This setting is obsolete and should no longer be needed.
    - Fixed a bug in the tilde expansion of CHROOT=dir and CWD=dir sudoers command options. A path ~/foo was expanded to /home/userfoo instead of /home/user/foo. This also affects the runchroot and runcwd Defaults settings.
    - Fixed a bug on systems without a native getdelim(3) function where very long lines could cause parsing of the sudoers file to end prematurely. Bug #960.
    - Fixed a potential integer overflow when converting the timestamp_timeout and passwd_timeout sudoers settings to a timespec struct.
    - The default for the group_source setting in sudo.conf is now dynamic on macOS. Recent versions of macOS do not reliably return all of a user's non-local groups via getgroups(2), even when _DARWIN_UNLIMITED_GETGROUPS is defined. Bug #946.
    - Fixed a potential use-after-free in the PAM conversation function. Bug #967.
    - Fixed potential redefinition of sys/stat.h macros in sudo_compat.h. Bug #968.

Signed-off-by: Adolf Belka
---
 lfs/sudo | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lfs/sudo b/lfs/sudo index bb2279e8f..6c09fac10 100644 --- a/lfs/sudo +++ b/lfs/sudo @@ -24,7 +24,7 @@ include Config -VER = 1.9.5p2 +VER = 1.9.6p1 THISAPP = sudo-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = e6bc4c18c06346e6b3431637a2b5f3d5 +$(DL_FILE)_MD5 = 334f8337d497f2f5df2db72448bd259d install : $(TARGET)
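
Review bot: the "Update not required for rootfile" claim that accompanies the `VER = 1.9.6p1` bump in the first hunk is not backed by anything in the patch. Since `THISAPP = sudo-$(VER)` carries the version into the build, please say in the commit message how this was checked, for example that the file list from a 1.9.6p1 build was compared with the existing rootfile. The changelog also lists memory-safety fixes (out of bounds reads, a use-after-free in the PAM conversation function), and saying so in the first lines of the message would help whoever decides how quickly this update ships.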
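
Review bot: `$(DL_FILE)_MD5` in the second hunk is the only integrity value recorded for the new tarball, and MD5 is collision-broken, so it is a weak basis for trusting a download of a setuid-root program. Please state in the commit message that the tarball was verified against upstream's published signature or a SHA-256 digest before the new value was recorded, and if the build system can carry a stronger digest next to `_MD5`, add it in this hunk.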