[sudo/f13/master] - rebase to 1.7.4p5 - fixed sudo-1.7.4p4-getgrouplist.patch - fixes CVE-2011-0008, CVE-2011-0010
Daniel Kopeček
mildew at fedoraproject.org
Mon Jan 17 10:58:43 UTC 2011
commit 626a5cd2235bd956bba5522cf05a2f89b7b3858a
Author: Daniel Kopecek <dkopecek at redhat.com>
Date: Mon Jan 17 11:58:31 2011 +0100
- rebase to 1.7.4p5
- fixed sudo-1.7.4p4-getgrouplist.patch
- fixes CVE-2011-0008, CVE-2011-0010
.gitignore | 1 +
sources | 2 +-
sudo-1.7.4p3-sudolist.patch | 67 --------------------
sudo-1.7.4p4-auditconn.patch | 15 -----
....patch => sudo-1.7.4p4-getgrouplist-fixed.patch | 13 +++--
sudo.spec | 26 ++++----
6 files changed, 23 insertions(+), 101 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index e62db8c..24577da 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,4 @@ sudo-1.7.2p6.tar.gz
sudo-1.7.2p2-sudoers
/sudo-1.7.4p4.tar.gz
/sudo-1.7.4p4-sudoers
+/sudo-1.7.4p5.tar.gz
diff --git a/sources b/sources
index 7153aa5..a30cbc0 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-55d9906535d70a1de347cd3d3550ee87 sudo-1.7.4p4.tar.gz
+4c8105507363371dea89ceb7c92187dd sudo-1.7.4p5.tar.gz
874abe2dd29da4a8d773c4db8460fa27 sudo-1.7.4p4-sudoers
diff --git a/sudo-1.7.4p4-getgrouplist.patch b/sudo-1.7.4p4-getgrouplist-fixed.patch
similarity index 72%
rename from sudo-1.7.4p4-getgrouplist.patch
rename to sudo-1.7.4p4-getgrouplist-fixed.patch
index dd584e7..7d4fa21 100644
--- a/sudo-1.7.4p4-getgrouplist.patch
+++ b/sudo-1.7.4p4-getgrouplist-fixed.patch
@@ -1,6 +1,6 @@
diff -up sudo-1.7.4p4/configure.in.getgrouplist sudo-1.7.4p4/configure.in
---- sudo-1.7.4p4/configure.in.getgrouplist 2010-09-07 15:53:38.400260828 +0200
-+++ sudo-1.7.4p4/configure.in 2010-09-07 15:54:48.751188374 +0200
+--- sudo-1.7.4p4/configure.in.getgrouplist 2011-01-11 10:45:49.170262147 +0100
++++ sudo-1.7.4p4/configure.in 2011-01-11 10:45:49.176261407 +0100
@@ -1913,7 +1913,7 @@ AC_FUNC_GETGROUPS
AC_CHECK_FUNCS(strchr strrchr memchr memcpy memset sysconf tzset \
strftime setrlimit initgroups getgroups fstat gettimeofday \
@@ -11,17 +11,20 @@ diff -up sudo-1.7.4p4/configure.in.getgrouplist sudo-1.7.4p4/configure.in
AC_LIBOBJ(getline)
AC_CHECK_FUNCS(fgetln)
diff -up sudo-1.7.4p4/pwutil.c.getgrouplist sudo-1.7.4p4/pwutil.c
---- sudo-1.7.4p4/pwutil.c.getgrouplist 2010-09-07 15:53:26.816198477 +0200
-+++ sudo-1.7.4p4/pwutil.c 2010-09-07 15:54:16.990188543 +0200
-@@ -628,5 +628,23 @@ user_in_group(pw, group)
+--- sudo-1.7.4p4/pwutil.c.getgrouplist 2010-08-06 15:44:30.000000000 +0200
++++ sudo-1.7.4p4/pwutil.c 2011-01-11 11:42:16.771282451 +0100
+@@ -628,5 +628,26 @@ user_in_group(pw, group)
}
#endif /* HAVE_MBR_CHECK_MEMBERSHIP */
+#ifdef HAVE_GETGROUPLIST
++ if (user_ngroups >= 0 &&
++ strcmp(pw->pw_name, list_pw ? list_pw->pw_name : user_name) == 0)
+ {
+ gid_t *grouplist, grouptmp;
+ int n_groups, i;
+ n_groups = 1;
++
+ if (getgrouplist(user_name, user_gid, &grouptmp, &n_groups) == -1) {
+ grouplist = (gid_t *) emalloc(sizeof(gid_t) * (n_groups + 1));
+ if (getgrouplist(user_name, user_gid, grouplist, &n_groups) > 0)
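Review bot: The added guard `strcmp(pw->pw_name, list_pw ? list_pw->pw_name : user_name) == 0` can match the `list_pw` account, but both `getgrouplist()` calls under it still pass `user_name` and `user_gid`. If those globals still describe the invoking user when `list_pw` is set, membership for the listed user would be decided from the invoking user's groups, which looks like the kind of mix-up the guard is meant to close. Tying the lookup to the matched entry, e.g. `getgrouplist(pw->pw_name, pw->pw_gid, grouplist, &n_groups)`, would avoid depending on which user the globals hold. The block continues past the end of this hunk, so how `grouplist` is compared and released is not visible here.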
diff --git a/sudo.spec b/sudo.spec
index 541e509..e3b1c36 100644
--- a/sudo.spec
+++ b/sudo.spec
@@ -1,7 +1,7 @@
Summary: Allows restricted root access for specified users
Name: sudo
-Version: 1.7.4p4
-Release: 3%{?dist}
+Version: 1.7.4p5
+Release: 1%{?dist}
License: ISC
Group: Applications/System
URL: http://www.courtesan.com/sudo/
@@ -26,14 +26,11 @@ Patch1: sudo-1.6.7p5-strip.patch
Patch2: sudo-1.7.2p1-envdebug.patch
# add m4/ to paths in aclocal.m4
Patch3: sudo-1.7.4p3-m4path.patch
-# don't emalloc(0)
-Patch4: sudo-1.7.4p3-sudolist.patch
# getgrouplist() to determine group membership (#235915)
-Patch5: sudo-1.7.4p4-getgrouplist.patch
+# - version with CVE-2009-0034 fixed
+Patch4: sudo-1.7.4p4-getgrouplist-fixed.patch
# reset HOME when using the `-i' option (#635250)
-Patch6: sudo-1.7.4p4-sudoi.patch
-# Ignore ECONREFUSED from audit_log_user_command()
-Patch7: sudo-1.7.4p4-auditconn.patch
+Patch5: sudo-1.7.4p4-sudoi.patch
%description
Sudo (superuser do) allows a system administrator to give certain
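Review bot: The new comment above `Patch4` names CVE-2009-0034, while the commit message and the changelog entry name CVE-2011-0008 and CVE-2011-0010, so a reader of the spec cannot tell which identifier this patch answers to. If the patch fixes a regression of the older issue, as the wording suggests, say so in the comment, for example `# - fixed regression of CVE-2009-0034 (tracked as CVE-2011-0008)`, after confirming the mapping. The dropped `sudolist` and `auditconn` patches are presumably merged in 1.7.4p5; a short changelog line stating that would make the removal auditable.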
@@ -52,10 +49,8 @@ on many different machines.
%patch1 -p1 -b .strip
%patch2 -p1 -b .envdebug
%patch3 -p1 -b .m4path
-%patch4 -p1 -b .sudolist
-%patch5 -p1 -b .getgrouplist
-%patch6 -p0 -b .sudoi
-%patch7 -p1 -b .auditconn
+%patch4 -p1 -b .getgrouplist-fixed
+%patch5 -p0 -b .sudoi
%build
# handle newer autoconf
@@ -126,7 +121,7 @@ rm -rf $RPM_BUILD_ROOT
%files
%defattr(-,root,root)
%doc ChangeLog NEWS HISTORY LICENSE README* TROUBLESHOOTING UPGRADE
-%doc sudoers.ldap.pod schema.* sudoers2ldif sample.*
+%doc schema.* sudoers2ldif sample.*
%attr(0440,root,root) %config(noreplace) /etc/sudoers
%attr(0750,root,root) %dir /etc/sudoers.d/
%config(noreplace) /etc/pam.d/sudo
@@ -150,6 +145,11 @@ rm -rf $RPM_BUILD_ROOT
/bin/chmod 0440 /etc/sudoers || :
%changelog
+* Mon Jan 17 2011 Daniel Kopecek <dkopecek at redhat.com> - 1.7.4p5-1
+- rebase to 1.7.4p5
+- fixed sudo-1.7.4p4-getgrouplist.patch
+- fixes CVE-2011-0008, CVE-2011-0010
+
* Wed Sep 29 2010 Daniel Kopecek <dkopecek at redhat.com> - 1.7.4p4-3
- added upstream patch to fix rhbz#638345