From patchwork Sun Sep 26 10:37:46 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Adolf Belka <adolf.belka@ipfire.org>
X-Patchwork-Id: 4741
Return-Path: <development-bounces@lists.ipfire.org>
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (P-384)
	 client-signature ECDSA (P-384))
	(Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK))
	by web04.haj.ipfire.org (Postfix) with ESMTPS id 4HHMfl2j94z3xWd
	for <patchwork@web04.haj.ipfire.org>; Sun, 26 Sep 2021 10:37:51 +0000 (UTC)
Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (P-384)
	 client-signature ECDSA (P-384))
	(Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK))
	by mail01.ipfire.org (Postfix) with ESMTPS id 4HHMfl05WXz15D;
	Sun, 26 Sep 2021 10:37:51 +0000 (UTC)
Received: from mail02.haj.ipfire.org (localhost [127.0.0.1])
	by mail02.haj.ipfire.org (Postfix) with ESMTP id 4HHMfk64p5z2ylJ;
	Sun, 26 Sep 2021 10:37:50 +0000 (UTC)
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature ECDSA (P-384)
 client-signature ECDSA (P-384))
 (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK))
 by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4HHMfk110zz2xmx
 for <development@lists.ipfire.org>; Sun, 26 Sep 2021 10:37:50 +0000 (UTC)
Received: from [127.0.0.1] (localhost [127.0.0.1])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384)
 (No client certificate requested)
 by mail01.ipfire.org (Postfix) with ESMTPSA id 4HHMfj4ML4z13n;
 Sun, 26 Sep 2021 10:37:49 +0000 (UTC)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org;
 s=202003ed25519; t=1632652669;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:cc:mime-version:mime-version:
 content-transfer-encoding:content-transfer-encoding;
 bh=D+iJKuEG890xBiVnWOyBO/yRZ6XwfiAvn84edxQVX/k=;
 b=qwVVeUo87T/Q4xQAMXVwlAMhG4hM9e5qxCfUrKsVIOlGLSQhU/6zFMDnqtEa2Q7JKUZ177
 VON4HPw89uB1zUAw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org;
 s=202003rsa;
 t=1632652669;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:cc:mime-version:mime-version:
 content-transfer-encoding:content-transfer-encoding;
 bh=D+iJKuEG890xBiVnWOyBO/yRZ6XwfiAvn84edxQVX/k=;
 b=IOPGdoXQh+UNHwPs71yMLBGDimHdjOvqiHXWPCh85D8yNTI89wUPnRJRKMvuEH1BhcCYVe
 Z+4n7qy+Hah4ZnkalsWo6Novxy/aK+D1DHsrAsmQbm2XL3sLrJR65W07dTP5u6Tzyh3wwa
 vy8/R/fPlZGWhIb2oa/PIB00t7K/qM3Puq3QVIUKcyKCY8Cc2jEpGj7sObYI7O0B0gpb3a
 XxKw+aLWK+6bgby2RBZU2r/7sCaGyHGtHlXYXM+q9Fnnl8DcP3A/oKqYvJCiXqOf6Fyp2H
 MZ2130ursvqmx1IC4q05Vr0clznzwMwcp8TB0Zd7HXO1fxhEHX1I3WscCiu8mg==
From: Adolf Belka <adolf.belka@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH v2] sudo: Update to version 1.9.8p2
Date: Sun, 26 Sep 2021 12:37:46 +0200
Message-Id: <20210926103746.3033-1-adolf.belka@ipfire.org>
MIME-Version: 1.0
X-BeenThere: development@lists.ipfire.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IPFire development talk <development.lists.ipfire.org>
List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>,
 <mailto:development-request@lists.ipfire.org?subject=unsubscribe>
List-Archive: <http://lists.ipfire.org/pipermail/development/>
List-Post: <mailto:development@lists.ipfire.org>
List-Help: <mailto:development-request@lists.ipfire.org?subject=help>
List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>,
 <mailto:development-request@lists.ipfire.org?subject=subscribe>
Errors-To: development-bounces@lists.ipfire.org
Sender: "Development" <development-bounces@lists.ipfire.org>

- v2 version is to extend from 1.9.8p1 to 1.9.8p2
- Update from 1.9.7p2 to 1.9.8p2
- Update rootfile
- Changelog
   What's new in Sudo 1.9.8p2
    * Fixed a potential out-of-bounds read with "sudo -i" when the
      target user's shell is bash.  This is a regression introduced
      in sudo 1.9.8.  Bug #998.
    * sudo_logsrvd now only sends a log ID for first command of a session.
      There is no need to send the log ID for each sub-command.
    * Fixed a few minor memory leaks in intercept mode.
    * Fixed a problem with sudo_logsrvd in relay mode if "store_first"
      was enabled when handling sub-commands.  A new zero-length journal
      file was created for each sub-command instead of simply using
      the existing journal file.
   What's new in Sudo 1.9.8p1
    * Fixed support for passing a prompt (sudo -p) or a login class
      (sudo -l) on the command line.  This is a regression introduced
      in sudo 1.9.8.  Bug #993.
    * Fixed a crash with "sudo ALL" rules in the LDAP and SSSD back-ends.
      This is a regression introduced in sudo 1.9.8.  Bug #994.
    * Fixed a compilation error when the --enable-static-sudoers configure
      option was specified.  This is a regression introduced in sudo
      1.9.8 caused by a symbol clash with the intercept and log server
      protobuf functions.
   What's new in Sudo 1.9.8
    * It is now possible to transparently intercepting sub-commands
      executed by the original command run via sudo.  Intercept support
      is implemented using LD_PRELOAD (or the equivalent supported by
      the system) and so has some limitations.  The two main limitations
      are that only dynamic executables are supported and only the
      execl, execle, execlp, execv, execve, execvp, and execvpe library
      functions are currently intercepted. Its main use case is to
      support restricting privileged shells run via sudo.
      To support this, there is a new "intercept" Defaults setting and
      an INTERCEPT command tag that can be used in sudoers.  For example:
         Cmnd_Alias SHELLS=/bin/bash, /bin/sh, /bin/csh, /bin/ksh, /bin/zsh
         Defaults!SHELLS intercept
      would cause sudo to run the listed shells in intercept mode.
      This can also be set on a per-rule basis.  For example:
         Cmnd_Alias SHELLS=/bin/bash, /bin/sh, /bin/csh, /bin/ksh, /bin/zsh
         chuck ALL = INTERCEPT: SHELLS
      would only apply intercept mode to user "chuck" when running one
      of the listed shells.
      In intercept mode, sudo will not prompt for a password before
      running a sub-command and will not allow a set-user-ID or
      set-group-ID program to be run by default.  The new
      intercept_authenticate and intercept_allow_setid sudoers settings
      can be used to change this behavior.
    * The new "log_subcmds" sudoers setting can be used to log additional
      commands run in a privileged shell.  It uses the same mechanism as
      the intercept support described above and has the same limitations.
    * The new "log_exit_status" sudoers setting can be used to log
      the exit status commands run via sudo.  This is also a corresponding
      "log_exit" setting in the sudo_logsrvd.conf eventlog stanza.
    * Support for logging sudo_logsrvd errors via syslog or to a file.
      Previously, most sudo_logsrvd errors were only visible in the
      debug log.
    * Better diagnostics when there is a TLS certificate validation error.
    * Using the "+=" or "-=" operators in a Defaults setting that takes
      a string, not a list, now produces a warning from sudo and a
      syntax error from inside visudo.
    * Fixed a bug where the "iolog_mode" setting in sudoers and sudo_logsrvd
      had no effect when creating I/O log parent directories if the I/O log
      file name ended with the string "XXXXXX".
    * Fixed a bug in the sudoers custom prompt code where the size
      parameter that was passed to the strlcpy() function was incorrect.
      No overflow was possible since the correct amount of memory was
      already pre-allocated.
    * The mksigname and mksiglist helper programs are now built with
      the host compiler, not the target compiler, when cross-compiling.
      Bug #989.
    * Fixed compilation error when the --enable-static-sudoers configure
      option was specified.  This was due to a typo introduced in sudo
      1.9.7.  GitHub PR #113.
   For more details of the changes then view the ChangeLog file in the source tarball
     or at https://www.sudo.ws/changes.html

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 config/rootfiles/common/sudo | 2 ++
 lfs/sudo                     | 4 ++--
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/config/rootfiles/common/sudo b/config/rootfiles/common/sudo
index babdcb484..80e83efa4 100644
--- a/config/rootfiles/common/sudo
+++ b/config/rootfiles/common/sudo
@@ -18,6 +18,8 @@ usr/lib/sudo/group_file.so
 usr/lib/sudo/libsudo_util.so.0.0.0
 #usr/lib/sudo/sample_approval.la
 usr/lib/sudo/sample_approval.so
+#usr/lib/sudo/sudo_intercept.la
+usr/lib/sudo/sudo_intercept.so
 #usr/lib/sudo/sudo_noexec.la
 usr/lib/sudo/sudo_noexec.so
 #usr/lib/sudo/sudoers.la
diff --git a/lfs/sudo b/lfs/sudo
index a74c34e7e..bec0f6021 100644
--- a/lfs/sudo
+++ b/lfs/sudo
@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 1.9.7p2
+VER        = 1.9.8p2
 
 THISAPP    = sudo-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_MD5 = d6f8217bfd16649236e100c49e0a7cc4
+$(DL_FILE)_MD5 = f831c1d62835cde89c261465d9c781e4
 
 install : $(TARGET)