From mboxrd@z Thu Jan 1 00:00:00 1970 
From: Adolf Belka
To: development@lists.ipfire.org
Subject: [PATCH] sudo: Update to version 1.9.14
Date: Wed, 28 Jun 2023 15:14:34 +0200
Message-ID: <20230628131434.3990218-1-adolf.belka@ipfire.org>

- Update from version 1.9.13p3 to 1.9.14
- Update of rootfile not required
- Changelog
    The significant change is that use_pty is now defined as the default setting.
    This parameter was made available back in version 1.8.0 but not as default.
    It was implemented in response to a variety of CVEs related to being vulnerable
    to privilege escalation via TIOCSTI and/or the lesser-known TIOCLINUX command injection.
    Apparently it was not made default as that would change the way that sudo worked.
    As various existing bugs have been resolved, it has now been declared by the sudo
    devs that sudo with a pseudo terminal works close to the same as with the user's
    terminal. Hence in this version the use of the pseudo terminal is now default.
    See https://github.com/sudo-project/sudo/issues/258 for more details.

    1.9.14
    Fixed a bug where if the intercept or log_subcmds sudoers option was enabled
    and a sub-command was run where the first entry of the argument vector didn't
    match the command being run. This resulted in commands like sudo su - being
    killed due to the mismatch. Bug #1050.

    The sudoers plugin now canonicalizes command path names before matching (where
    possible). This fixes a bug where sudo could execute the wrong path if there are
    multiple symbolic links with the same target and the same base name in sudoers
    that a user is allowed to run. GitHub issue #228.

    Improved command matching when a chroot is specified in sudoers. The sudoers
    plugin will now change the root directory if needed before performing command
    matching.
    Previously, the root directory was simply prepended to the path that was being
    processed.

    When NETGROUP_BASE is set in the ldap.conf file, sudo will now perform its own
    netgroup lookups of the host name instead of using the system innetgr(3) function.
    This guarantees that user and host netgroup lookups are performed using the same
    LDAP server (or servers).

    Fixed a bug introduced in sudo 1.9.13 that resulted in a missing " ; " separator
    between environment variables and the command in log entries.

    The visudo utility now displays a warning when it ignores a file in an include
    dir such as /etc/sudoers.d.

    When running a command in a pseudo-terminal, sudo will initialize the terminal
    settings even if it is the background process. Previously, sudo only initialized
    the pseudo-terminal when running in the foreground. This fixes an issue where a
    program that checks the window size would read the wrong value when sudo was
    running in the background.

    Fixed a bug where only the first two digits of the TSID field were being logged.
    Bug #1046.

    The use_pty sudoers option is now enabled by default. To restore the historic
    behavior where a command is run in the user's terminal, add Defaults !use_pty to
    the sudoers file. GitHub issue #258.

    Sudo's -b option now works when the command is run in a pseudo-terminal.

    When disabling core dumps, sudo now only modifies the soft limit and leaves the
    hard limit as-is. This avoids problems on Linux when sudo does not have
    CAP_SYS_RESOURCE, which may be the case when run inside a container. GitHub
    issue #42.

    Sudo configuration file paths have been converted to colon-separated lists of
    paths. This makes it possible to have configuration files on a read-only file
    system while still allowing for local modifications in a different (writable)
    directory.
    The new --enable-adminconf configure option can be used to specify a directory
    that is searched for configuration files in preference to the sysconfdir (which
    is usually /etc).

    The intercept_verify sudoers option is now only applied when the intercept option
    is set in sudoers. Previously, it was also applied when log_subcmds was enabled.

    The NETGROUP_QUERY ldap.conf parameter can now be disabled for LDAP servers that
    do not support querying the nisNetgroup object by its nisNetgroupTriple attribute,
    while still allowing sudo to query the LDAP server directly to determine netgroup
    membership.

    Fixed a long-standing bug where a sudoers rule without an explicit runas list
    allowed the user to run a command as root and any group instead of just one of
    the groups that root is a member of. For example, a rule such as myuser ALL = ALL
    would permit sudo -u root -g othergroup even if root did not belong to othergroup.

    Fixed a bug where a sudoers rule with an explicit runas list allowed a user to run
    sudo commands as themselves. For example, with a rule such as myuser ALL = (root) ALL,
    myuser should only be allowed to run commands as root (optionally using one of
    root's groups). However, the rule also allowed the user to run the
    sudo -u myuser -g myuser command.

    Fixed a bug that prevented the user from specifying a group on the command line
    via sudo -g if the rule's Runas_Spec contained a Runas_Alias.

    Sudo now requires a C99 compiler due to the use of flexible array members.

Signed-off-by: Adolf Belka
---
 lfs/sudo | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lfs/sudo b/lfs/sudo index 759e3c83a..3a55174d3 100644 --- a/lfs/sudo +++ b/lfs/sudo @@ -24,7 +24,7 @@ =20 include Config =20 -VER =3D 1.9.13p3 +VER =3D 1.9.14 =20 THISAPP =3D sudo-$(VER) DL_FILE =3D $(THISAPP).tar.gz 
@@ -40,7 +40,7 @@ objects =3D $(DL_FILE) =20 $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) =20 -$(DL_FILE)_BLAKE2 =3D 46218ecf4cf06d2280ccf4c257b12a6f697eda17b96a6b7aa56f6c= 7f22d847ec2a8036b9f615c3328d985656539c95f37a40c6c72dfa5f65786ab45a28cf353f +$(DL_FILE)_BLAKE2 =3D 5731eda1cabb23dd3b77851ce1fcde8e1b7efc1b4fa27fe65522c7= b8e23c0330003eb2d4ebb47d63416fb3a52db478b2f60ca22da6a2d66cb27c52ea5264749e =20 install : $(TARGET) =20 --=20 2.41.0 --===============6547045076939222007==--
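Review bot: the VER bump from 1.9.13p3 to 1.9.14 in the first hunk (@@ -24,7 +24,7 @@) carries a behaviour change that the LFS diff itself cannot show: as the commit message states, use_pty becomes the default, so every command run through sudo on IPFire will now execute in a pseudo-terminal unless sudoers carries `Defaults !use_pty`. Please say in the commit message whether IPFire keeps the new default or ships that override, and confirm that the build toolchain satisfies the new C99 requirement listed in the changelog, since the hunk changes no configure options or CFLAGS.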
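Review bot: the second hunk (@@ -40,7 +40,7 @@) swaps the `$(DL_FILE)_BLAKE2` value without recording how the new checksum was established; hashing a freshly downloaded tarball only proves that the hash matches whatever the mirror served. Please add a line to the commit message stating that sudo-1.9.14.tar.gz was checked against the upstream release signature before the BLAKE2 was computed, so that a reader of the history can tell a verified update from a transcribed download.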
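As an added example, not part of this patch or of the IPFire build system, the following shows how a reviewer could re-check the second hunk offline: read the `$(DL_FILE)_BLAKE2` line in the form the LFS file uses, compute BLAKE2b-512 over the downloaded tarball, and compare the two in constant time. The LFS snippet is constructed from the lines visible in the patch (the hash is the one the hunk adds), the tarball bytes are a constructed stand-in for a download that must not match, and the function names are assumptions of this example.

```python
"""Re-check an IPFire LFS BLAKE2 checksum against a downloaded tarball.

Added example, not IPFire build code. The LFS_SNIPPET below is constructed
from the post-patch lines of lfs/sudo; the tarball bytes are constructed.
"""
import hashlib
import hmac
import re

# Constructed: the relevant lines of lfs/sudo after this patch.
LFS_SNIPPET = """\
VER        = 1.9.14
THISAPP    = sudo-$(VER)
DL_FILE    = $(THISAPP).tar.gz
$(DL_FILE)_BLAKE2 = 5731eda1cabb23dd3b77851ce1fcde8e1b7efc1b4fa27fe65522c7b8e23c0330003eb2d4ebb47d63416fb3a52db478b2f60ca22da6a2d66cb27c52ea5264749e
"""

# BLAKE2b-512 is 64 bytes, i.e. exactly 128 hex digits; anything else is malformed.
BLAKE2_LINE = re.compile(
    r"^\$\(DL_FILE\)_BLAKE2\s*=\s*([0-9a-fA-F]{128})\s*$", re.MULTILINE
)


def parse_blake2_from_lfs(lfs_text: str) -> str:
    """Return the recorded BLAKE2b-512 hex digest for $(DL_FILE), lower-cased.

    Raises ValueError if the line is missing or not a full 128-digit value, so a
    truncated or hand-edited checksum fails loudly instead of never matching.
    """
    match = BLAKE2_LINE.search(lfs_text)
    if match is None:
        raise ValueError("no well-formed $(DL_FILE)_BLAKE2 line found")
    return match.group(1).lower()


def verify_blake2(data: bytes, expected_hex: str) -> bool:
    """True iff BLAKE2b-512(data) equals expected_hex.

    hmac.compare_digest avoids leaking how many leading digits matched; for a
    local build check that is belt-and-braces, but it costs nothing.
    """
    actual = hashlib.blake2b(data, digest_size=64).hexdigest()
    return hmac.compare_digest(actual, expected_hex.lower())


def check_tarball(tarball: bytes, lfs_text: str) -> dict:
    """Combine both steps: what the LFS file expects and whether the bytes match."""
    expected = parse_blake2_from_lfs(lfs_text)
    return {"expected": expected, "ok": verify_blake2(tarball, expected)}


if __name__ == "__main__":
    # Constructed stand-in for a wrong or tampered download: must report ok=False.
    bogus_download = b"not the real sudo-1.9.14.tar.gz\n"
    print(check_tarball(bogus_download, LFS_SNIPPET))
```

To use it against a real download, read sudo-1.9.14.tar.gz into bytes and pass it to `check_tarball` together with the contents of lfs/sudo; a mismatch means the file on disk is not the one the recipe was written against, whatever the reason.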