From patchwork Wed Jan 27 20:14:44 2021
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 3819
From: Adolf Belka
To: development@lists.ipfire.org
Subject: [PATCH] sudo: Upgrade to 1.9.5p2
Date: Wed, 27 Jan 2021 21:14:44 +0100
Message-Id: <20210127201444.3979076-1-adolf.belka@ipfire.org>
List-Id: IPFire development talk

- Update sudo from 1.9.5p1 to 1.9.5p2
- Major changes between version 1.9.5p2 and 1.9.5p1:
    Fixed sudo's setprogname(3) emulation on systems that don't provide it.
    Fixed a problem with the sudoers log server client where a partial write
      to the server could result in the sudo process consuming large amounts
      of CPU time due to a cycle in the buffer queue. Bug #954.
    Added a missing dependency on libsudo_util in libsudo_eventlog. Fixes a
      link error when building sudo statically.
    The user's KRB5CCNAME environment variable is now preserved when
      performing PAM authentication. This fixes GSSAPI authentication when
      the user has a non-default ccache.
    When invoked as sudoedit, the same set of command line options are now
      accepted as for sudo -e. The -H and -P options are now rejected for
      sudoedit and sudo -e which matches the sudo 1.7 behavior. This is part
      of the fix for CVE-2021-3156.
    Fixed a potential buffer overflow when unescaping backslashes in the
      command's arguments. Normally, sudo escapes special characters when
      running a command via a shell (sudo -s or sudo -i). However, it was
      also possible to run sudoedit with the -s or -i flags in which case no
      escaping had actually been done, making a buffer overflow possible.
      This fixes CVE-2021-3156.
- No change to rootfile

Signed-off-by: Adolf Belka
Reviewed-by: Peter Müller
--- lfs/sudo | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lfs/sudo b/lfs/sudo index feba249cd..bb2279e8f 100644 --- a/lfs/sudo +++ b/lfs/sudo
@@ -24,7 +24,7 @@ include Config -VER = 1.9.5p1 +VER = 1.9.5p2 THISAPP = sudo-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 145f6e69c116f82cf0377ccf459344eb +$(DL_FILE)_MD5 = e6bc4c18c06346e6b3431637a2b5f3d5 install : $(TARGET)
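Review bot: The `VER = 1.9.5p2` bump in the first hunk (@@ -24,7 +24,7 @@) is a security update, but the subject "sudo: Upgrade to 1.9.5p2" does not say so; CVE-2021-3156 appears only at the end of the changelog in the message body. Put the CVE identifier in the subject or the first line of the message so the fix shows up in a one-line log view and can be picked out when deciding what has to ship first.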
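Review bot: In the second hunk (@@ -40,7 +40,7 @@), `$(DL_FILE)_MD5` is the only integrity value recorded for the new tarball, and MD5 is not collision-resistant, which is a weak guarantee for a download that carries the CVE-2021-3156 fix. State in the commit message how the tarball was verified before the hash was taken (against the checksum or signature upstream publishes), and if the build system accepts a stronger digest variable, record that value alongside the MD5.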