[sudo/f18] update to 1.8.6p7
Daniel Kopeček
mildew at fedoraproject.org
Thu Feb 28 12:42:48 UTC 2013
commit 3aa52f5a8eea7158f8e80757df1d05233da4e0f9
Author: Daniel Kopecek <dkopecek at redhat.com>
Date: Thu Feb 28 13:19:12 2013 +0100
update to 1.8.6p7
- fixes CVE-2013-1775 and CVE-2013-1776
- fixed several packaging issues (thanks to ville.skytta at iki.fi)
- build with system zlib.
- let rpmbuild strip libexecdir/*.so.
- own the %{_docdir}/sudo-* dir.
- fix some rpmlint warnings (spaces vs tabs, unescaped macros).
- fix bogus %changelog dates.
.gitignore | 1 +
sources | 2 +-
sudo.spec | 57 +++++++++++++++++++++++++++++++++------------------------
3 files changed, 35 insertions(+), 25 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index 82092b4..44949ff 100644
--- a/.gitignore
+++ b/.gitignore
@@ -9,3 +9,4 @@ sudo-1.7.2p2-sudoers
/sudo-1.8.5.tar.gz
/sudo-1.8.6.tar.gz
/sudo-1.8.6p3.tar.gz
+/sudo-1.8.6p7.tar.gz
diff --git a/sources b/sources
index 10ec75c..95bc198 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
56f74aed3a7b32f2b01a34d65ac86f85 sudo-1.7.4p4-sudoers
-a7b5c39a904721956eccddd30689250f sudo-1.8.6p3.tar.gz
+126abfa2e841139e774d4c67d80f0e5b sudo-1.8.6p7.tar.gz
diff --git a/sudo.spec b/sudo.spec
index 6c6cd1d..35f41ff 100644
--- a/sudo.spec
+++ b/sudo.spec
@@ -1,7 +1,7 @@
Summary: Allows restricted root access for specified users
Name: sudo
-Version: 1.8.6p3
-Release: 2%{?dist}
+Version: 1.8.6p7
+Release: 1%{?dist}
License: ISC
Group: Applications/System
URL: http://www.courtesan.com/sudo/
@@ -20,15 +20,12 @@ BuildRequires: audit-libs-devel libcap-devel
BuildRequires: libselinux-devel
BuildRequires: sendmail
BuildRequires: gettext
+BuildRequires: zlib-devel
# don't strip
Patch1: sudo-1.6.7p5-strip.patch
# configure.in fix
Patch2: sudo-1.7.2p1-envdebug.patch
-# Do not inform the user that the command was not permitted by the policy
-# if they do not successfully authenticate. This is a regression introduced
-# in sudo 1.8.6.
-Patch3: sudo-1.8.6p3-noauthwarn-regression.patch
%description
Sudo (superuser do) allows a system administrator to give certain
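Review bot: `BuildRequires: zlib-devel` makes the system headers available, but nothing visible in this spec pins the choice of zlib. As far as I recall, sudo's configure falls back to its bundled zlib copy when detection of the system library fails, so a broken build root would silently ship the bundled code again, which does not receive the distribution's zlib security updates. Consider stating the intent in the %build configure call (sudo's configure has an `--enable-zlib` option) and adding a comment above the new line such as `# use the system zlib instead of the bundled copy`. The dropped `Patch3` is presumably contained in 1.8.6p7; a one-line changelog mention of that would make the removal auditable.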
@@ -55,7 +52,6 @@ plugins that use %{name}.
%patch1 -p1 -b .strip
%patch2 -p1 -b .envdebug
-%patch3 -p1 -b .noauthwarn-regression
%build
autoreconf -I m4 -fv --install
@@ -72,22 +68,22 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"
--prefix=%{_prefix} \
--sbindir=%{_sbindir} \
--libdir=%{_libdir} \
- --docdir=%{_datadir}/doc/%{name}-%{version} \
+ --docdir=%{_datadir}/doc/%{name}-%{version} \
--with-logging=syslog \
--with-logfac=authpriv \
--with-pam \
- --with-pam-login \
+ --with-pam-login \
--with-editor=/bin/vi \
--with-env-editor \
--with-ignore-dot \
--with-tty-tickets \
--with-ldap \
- --with-selinux \
- --with-passprompt="[sudo] password for %p: " \
- --with-linux-audit \
- --with-sssd
-# --without-kerb5 \
-# --without-kerb4
+ --with-selinux \
+ --with-passprompt="[sudo] password for %p: " \
+ --with-linux-audit \
+ --with-sssd
+# --without-kerb5 \
+# --without-kerb4
make
%install
@@ -99,6 +95,8 @@ install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo
install -p -d -m 750 $RPM_BUILD_ROOT/etc/sudoers.d
install -p -c -m 0440 %{SOURCE1} $RPM_BUILD_ROOT/etc/sudoers
+chmod +x $RPM_BUILD_ROOT%{_libexecdir}/*.so # for stripping, reset in %%files
+
# Remove execute permission on this script so we don't pull in perl deps
chmod -x $RPM_BUILD_ROOT%{_docdir}/sudo-*/sudoers2ldif
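Review bot: The execute bit handed out by `chmod +x $RPM_BUILD_ROOT%{_libexecdir}/*.so` is only taken back by the explicit `%attr(0644,root,root)` entries in %files, so the two places must stay in sync. A plugin matched by this glob but packaged elsewhere without an explicit %attr would ship executable. `chmod +x` without a who-part also depends on the build umask, so `chmod 0755 "$RPM_BUILD_ROOT"%{_libexecdir}/*.so` would be deterministic and tolerate unusual build-root paths. The %install section starts and ends outside this hunk, so whether other `.so` files land in libexecdir cannot be seen from here.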
@@ -110,7 +108,7 @@ rm sudo.lang sudoers.lang
mkdir -p $RPM_BUILD_ROOT/etc/pam.d
cat > $RPM_BUILD_ROOT/etc/pam.d/sudo << EOF
-#%PAM-1.0
+#%%PAM-1.0
auth include system-auth
account include system-auth
password include system-auth
@@ -119,7 +117,7 @@ session required pam_limits.so
EOF
cat > $RPM_BUILD_ROOT/etc/pam.d/sudo-i << EOF
-#%PAM-1.0
+#%%PAM-1.0
auth include sudo
account include sudo
password include sudo
@@ -128,7 +126,7 @@ session required pam_limits.so
EOF
-%clean
+%clean
rm -rf $RPM_BUILD_ROOT
%files -f sudo_all.lang
@@ -143,14 +141,15 @@ rm -rf $RPM_BUILD_ROOT
%attr(0111,root,root) %{_bindir}/sudoreplay
%attr(0755,root,root) %{_sbindir}/visudo
%attr(0755,root,root) %{_libexecdir}/sesh
-%{_libexecdir}/sudo_noexec.*
-%{_libexecdir}/sudoers.*
+%attr(0644,root,root) %{_libexecdir}/sudo_noexec.so
+%attr(0644,root,root) %{_libexecdir}/sudoers.so
%{_mandir}/man5/sudoers.5*
%{_mandir}/man5/sudoers.ldap.5*
%{_mandir}/man8/sudo.8*
%{_mandir}/man8/sudoedit.8*
%{_mandir}/man8/sudoreplay.8*
%{_mandir}/man8/visudo.8*
+%dir %{_docdir}/sudo-%{version}
%{_docdir}/sudo-%{version}/*
@@ -165,6 +164,16 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man8/sudo_plugin.8*
%changelog
+* Thu Feb 28 2013 Daniel Kopecek <dkopecek at redhat.com> - 1.8.6p7-1
+- update to 1.8.6p7
+- fixes CVE-2013-1775 and CVE-2013-1776
+- fixed several packaging issues (thanks to ville.skytta at iki.fi)
+ - build with system zlib.
+ - let rpmbuild strip libexecdir/*.so.
+ - own the %%{_docdir}/sudo-* dir.
+ - fix some rpmlint warnings (spaces vs tabs, unescaped macros).
+ - fix bogus %%changelog dates.
+
* Mon Nov 12 2012 Daniel Kopecek <dkopecek at redhat.com> - 1.8.6p3-2
- added upstream patch for a regression
- don't include arch specific files in the -devel subpackage
@@ -208,7 +217,7 @@ rm -rf $RPM_BUILD_ROOT
* Sat Jan 14 2012 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1.8.3p1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
-* Tue Nov 10 2011 Daniel Kopecek <dkopecek at redhat.com> - 1.8.3p1-1
+* Thu Nov 10 2011 Daniel Kopecek <dkopecek at redhat.com> - 1.8.3p1-1
- update to 1.8.3p1
- disable output word wrapping if the output is piped
@@ -341,7 +350,7 @@ rm -rf $RPM_BUILD_ROOT
- upgrade to the latest upstream release
- add selinux support
-* Mon Feb 02 2008 Dennis Gilmore <dennis at ausil.us> 1.6.9p4-6
+* Mon Feb 04 2008 Dennis Gilmore <dennis at ausil.us> 1.6.9p4-6
- sparc64 needs to be in the -fPIE list with s390
* Mon Jan 07 2008 Peter Vrabec <pvrabec at redhat.com> 1.6.9p4-5
@@ -467,7 +476,7 @@ rm -rf $RPM_BUILD_ROOT
* Thu Apr 1 2004 Thomas Woerner <twoerner at redhat.com> 1.6.7p5-25
- fixed spec file: sesh in file section with selinux flag (#119682)
-* Thu Mar 30 2004 Colin Walters <walters at redhat.com> 1.6.7p5-24
+* Tue Mar 30 2004 Colin Walters <walters at redhat.com> 1.6.7p5-24
- Enhance sesh.c to fork/exec children itself, to avoid
having sudo reap all domains.
- Only reinstall default signal handlers immediately before
@@ -629,7 +638,7 @@ rm -rf $RPM_BUILD_ROOT
* Tue Oct 27 1998 Preston Brown <pbrown at redhat.com>
- fixed so it doesn't find /usr/bin/vi first, but instead /bin/vi (always installed)
-* Fri Oct 08 1998 Michael Maher <mike at redhat.com>
+* Thu Oct 08 1998 Michael Maher <mike at redhat.com>
- built package for 5.2
* Mon May 18 1998 Michael Maher <mike at redhat.com>