[sudo/f18] update to 1.8.6p7

Daniel Kopeček mildew at fedoraproject.org
Thu Feb 28 12:42:48 UTC 2013 

commit 3aa52f5a8eea7158f8e80757df1d05233da4e0f9
Author: Daniel Kopecek <dkopecek at redhat.com>
Date:   Thu Feb 28 13:19:12 2013 +0100

    update to 1.8.6p7
    
    - fixes CVE-2013-1775 and CVE-2013-1776
    - fixed several packaging issues (thanks to ville.skytta at iki.fi)
      - build with system zlib.
      - let rpmbuild strip libexecdir/*.so.
      - own the %{_docdir}/sudo-* dir.
      - fix some rpmlint warnings (spaces vs tabs, unescaped macros).
      - fix bogus %changelog dates.

 .gitignore |    1 +
 sources    |    2 +-
 sudo.spec  |   57 +++++++++++++++++++++++++++++++++------------------------
 3 files changed, 35 insertions(+), 25 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index 82092b4..44949ff 100644
--- a/.gitignore
+++ b/.gitignore
@@ -9,3 +9,4 @@ sudo-1.7.2p2-sudoers
 /sudo-1.8.5.tar.gz
 /sudo-1.8.6.tar.gz
 /sudo-1.8.6p3.tar.gz
+/sudo-1.8.6p7.tar.gz
diff --git a/sources b/sources
index 10ec75c..95bc198 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
 56f74aed3a7b32f2b01a34d65ac86f85  sudo-1.7.4p4-sudoers
-a7b5c39a904721956eccddd30689250f  sudo-1.8.6p3.tar.gz
+126abfa2e841139e774d4c67d80f0e5b  sudo-1.8.6p7.tar.gz
diff --git a/sudo.spec b/sudo.spec
index 6c6cd1d..35f41ff 100644
--- a/sudo.spec
+++ b/sudo.spec
@@ -1,7 +1,7 @@
 Summary: Allows restricted root access for specified users
 Name: sudo
-Version: 1.8.6p3
-Release: 2%{?dist}
+Version: 1.8.6p7
+Release: 1%{?dist}
 License: ISC
 Group: Applications/System
 URL: http://www.courtesan.com/sudo/
@@ -20,15 +20,12 @@ BuildRequires: audit-libs-devel libcap-devel
 BuildRequires: libselinux-devel
 BuildRequires: sendmail
 BuildRequires: gettext
+BuildRequires: zlib-devel
 
 # don't strip
 Patch1: sudo-1.6.7p5-strip.patch
 # configure.in fix
 Patch2: sudo-1.7.2p1-envdebug.patch
-# Do not inform the user that the command was not permitted by the policy
-# if they do not successfully authenticate. This is a regression introduced
-# in sudo 1.8.6.
-Patch3: sudo-1.8.6p3-noauthwarn-regression.patch
 
 %description
 Sudo (superuser do) allows a system administrator to give certain
@@ -55,7 +52,6 @@ plugins that use %{name}.
 
 %patch1 -p1 -b .strip
 %patch2 -p1 -b .envdebug
-%patch3 -p1 -b .noauthwarn-regression
 
 %build
 autoreconf -I m4 -fv --install
@@ -72,22 +68,22 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"
         --prefix=%{_prefix} \
         --sbindir=%{_sbindir} \
         --libdir=%{_libdir} \
-	--docdir=%{_datadir}/doc/%{name}-%{version} \
+        --docdir=%{_datadir}/doc/%{name}-%{version} \
         --with-logging=syslog \
         --with-logfac=authpriv \
         --with-pam \
-	--with-pam-login \
+        --with-pam-login \
         --with-editor=/bin/vi \
         --with-env-editor \
         --with-ignore-dot \
         --with-tty-tickets \
         --with-ldap \
-	--with-selinux \
-	--with-passprompt="[sudo] password for %p: " \
-	--with-linux-audit \
-	--with-sssd
-#	--without-kerb5 \
-#	--without-kerb4
+        --with-selinux \
+        --with-passprompt="[sudo] password for %p: " \
+        --with-linux-audit \
+        --with-sssd
+#       --without-kerb5 \
+#       --without-kerb4
 make
 
 %install
@@ -99,6 +95,8 @@ install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo
 install -p -d -m 750 $RPM_BUILD_ROOT/etc/sudoers.d
 install -p -c -m 0440 %{SOURCE1} $RPM_BUILD_ROOT/etc/sudoers
 
+chmod +x $RPM_BUILD_ROOT%{_libexecdir}/*.so # for stripping, reset in %%files
+
 # Remove execute permission on this script so we don't pull in perl deps
 chmod -x $RPM_BUILD_ROOT%{_docdir}/sudo-*/sudoers2ldif
 
@@ -110,7 +108,7 @@ rm sudo.lang sudoers.lang
 
 mkdir -p $RPM_BUILD_ROOT/etc/pam.d
 cat > $RPM_BUILD_ROOT/etc/pam.d/sudo << EOF
-#%PAM-1.0
+#%%PAM-1.0
 auth       include      system-auth
 account    include      system-auth
 password   include      system-auth
@@ -119,7 +117,7 @@ session    required     pam_limits.so
 EOF
 
 cat > $RPM_BUILD_ROOT/etc/pam.d/sudo-i << EOF
-#%PAM-1.0
+#%%PAM-1.0
 auth       include      sudo
 account    include      sudo
 password   include      sudo
@@ -128,7 +126,7 @@ session    required     pam_limits.so
 EOF
 
 
-%clean 
+%clean
 rm -rf $RPM_BUILD_ROOT
 
 %files -f sudo_all.lang
@@ -143,14 +141,15 @@ rm -rf $RPM_BUILD_ROOT
 %attr(0111,root,root) %{_bindir}/sudoreplay
 %attr(0755,root,root) %{_sbindir}/visudo
 %attr(0755,root,root) %{_libexecdir}/sesh
-%{_libexecdir}/sudo_noexec.*
-%{_libexecdir}/sudoers.*
+%attr(0644,root,root) %{_libexecdir}/sudo_noexec.so
+%attr(0644,root,root) %{_libexecdir}/sudoers.so
 %{_mandir}/man5/sudoers.5*
 %{_mandir}/man5/sudoers.ldap.5*
 %{_mandir}/man8/sudo.8*
 %{_mandir}/man8/sudoedit.8*
 %{_mandir}/man8/sudoreplay.8*
 %{_mandir}/man8/visudo.8*
+%dir %{_docdir}/sudo-%{version}
 %{_docdir}/sudo-%{version}/*
 
 
@@ -165,6 +164,16 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man8/sudo_plugin.8*
 
 %changelog
+* Thu Feb 28 2013 Daniel Kopecek <dkopecek at redhat.com> - 1.8.6p7-1
+- update to 1.8.6p7
+- fixes CVE-2013-1775 and CVE-2013-1776
+- fixed several packaging issues (thanks to ville.skytta at iki.fi)
+  - build with system zlib.
+  - let rpmbuild strip libexecdir/*.so.
+  - own the %%{_docdir}/sudo-* dir.
+  - fix some rpmlint warnings (spaces vs tabs, unescaped macros).
+  - fix bogus %%changelog dates.
+
 * Mon Nov 12 2012 Daniel Kopecek <dkopecek at redhat.com> - 1.8.6p3-2
 - added upstream patch for a regression
 - don't include arch specific files in the -devel subpackage
@@ -208,7 +217,7 @@ rm -rf $RPM_BUILD_ROOT
 * Sat Jan 14 2012 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1.8.3p1-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
 
-* Tue Nov 10 2011 Daniel Kopecek <dkopecek at redhat.com> - 1.8.3p1-1
+* Thu Nov 10 2011 Daniel Kopecek <dkopecek at redhat.com> - 1.8.3p1-1
 - update to 1.8.3p1
 - disable output word wrapping if the output is piped 
 
@@ -341,7 +350,7 @@ rm -rf $RPM_BUILD_ROOT
 - upgrade to the latest upstream release
 - add selinux support
 
-* Mon Feb 02 2008 Dennis Gilmore <dennis at ausil.us> 1.6.9p4-6
+* Mon Feb 04 2008 Dennis Gilmore <dennis at ausil.us> 1.6.9p4-6
 - sparc64 needs to be in the -fPIE list with s390
 
 * Mon Jan 07 2008 Peter Vrabec <pvrabec at redhat.com> 1.6.9p4-5
@@ -467,7 +476,7 @@ rm -rf $RPM_BUILD_ROOT
 * Thu Apr  1 2004 Thomas Woerner <twoerner at redhat.com> 1.6.7p5-25
 - fixed spec file: sesh in file section with selinux flag (#119682)
 
-* Thu Mar 30 2004 Colin Walters <walters at redhat.com> 1.6.7p5-24
+* Tue Mar 30 2004 Colin Walters <walters at redhat.com> 1.6.7p5-24
 - Enhance sesh.c to fork/exec children itself, to avoid
   having sudo reap all domains.
 - Only reinstall default signal handlers immediately before
@@ -629,7 +638,7 @@ rm -rf $RPM_BUILD_ROOT
 * Tue Oct 27 1998 Preston Brown <pbrown at redhat.com>
 - fixed so it doesn't find /usr/bin/vi first, but instead /bin/vi (always installed)
 
-* Fri Oct 08 1998 Michael Maher <mike at redhat.com>
+* Thu Oct 08 1998 Michael Maher <mike at redhat.com>
 - built package for 5.2 
 
 * Mon May 18 1998 Michael Maher <mike at redhat.com>

More information about the scm-commits mailing list