- rebase to 1.7.4p5

- fixed sudo-1.7.4p4-getgrouplist.patch - fixes CVE-2011-0008, CVE-2011-0010
2011-01-17 11:23:52 +01:00 · 2011-01-17 11:23:52 +01:00 · 92c68ba926
parent d12db81253
commit 92c68ba926
6 changed files with 23 additions and 101 deletions
--- a/.gitignore
+++ b/.gitignore
@ -3,3 +3,4 @@ sudo-1.7.2p2-sudoers
 /sudo-1.7.4p4.tar.gz
 /sudo-1.7.2p2-sudoers
 /sudo-1.7.4p4-sudoers
+/sudo-1.7.4p5.tar.gz
--- a/2
+++ b/2
@ -1,2 +1,2 @@
-55d9906535d70a1de347cd3d3550ee87  sudo-1.7.4p4.tar.gz
+4c8105507363371dea89ceb7c92187dd  sudo-1.7.4p5.tar.gz
 56f74aed3a7b32f2b01a34d65ac86f85  sudo-1.7.4p4-sudoers
--- a/sudo-1.7.4p3-sudolist.patch
+++ b/sudo-1.7.4p3-sudolist.patch
@ -1,67 +0,0 @@
-diff -up sudo-1.7.4p3/parse.c.orig sudo-1.7.4p3/parse.c
--- sudo-1.7.4p3/parse.c.orig	2010-09-07 15:00:12.728260953 +0200
-+++ sudo-1.7.4p3/parse.c	2010-09-07 15:00:38.950188803 +0200
-@@ -158,8 +158,8 @@ sudo_file_lookup(nss, validated, pwflag)
- 
-     /*
-      * Only check the actual command if pwflag is not set.
-     * It is set for the "validate", "list" and "kill" pseudo-commands.
-     * Always check the host and user.
-+     * It is set for the "sudovalidate", "sudolist" and "sudokill"
-+     * pseudo-commands. Always check the host and user.
-      */
-     if (pwflag) {
- 	int nopass;
-diff -up sudo-1.7.4p3/sudo.c.orig sudo-1.7.4p3/sudo.c
--- sudo-1.7.4p3/sudo.c.orig	2010-09-07 14:57:08.201198517 +0200
-+++ sudo-1.7.4p3/sudo.c	2010-09-07 14:55:47.208260545 +0200
-@@ -232,7 +232,7 @@ main(argc, argv, envp)
- 
-     pwflag = 0;
-     if (ISSET(sudo_mode, MODE_SHELL))
-	user_cmnd = "shell";
-+	user_cmnd = "sudoshell";
-     else if (ISSET(sudo_mode, MODE_EDIT))
- 	user_cmnd = "sudoedit";
-     else {
-@@ -245,12 +245,12 @@ main(argc, argv, envp)
- 		break;
- 	    case MODE_VALIDATE:
- 	    case MODE_VALIDATE|MODE_INVALIDATE:
-		user_cmnd = "validate";
-+		user_cmnd = "sudovalidate";
- 		pwflag = I_VERIFYPW;
- 		break;
- 	    case MODE_KILL:
- 	    case MODE_INVALIDATE:
-		user_cmnd = "kill";
-+		user_cmnd = "sudokill";
- 		pwflag = -1;
- 		break;
- 	    case MODE_LISTDEFS:
-@@ -259,7 +259,7 @@ main(argc, argv, envp)
- 		break;
- 	    case MODE_LIST:
- 	    case MODE_LIST|MODE_INVALIDATE:
-		user_cmnd = "list";
-+		user_cmnd = "sudolist";
- 		pwflag = I_LISTPW;
- 		break;
- 	    case MODE_CHECK:
-@@ -701,13 +701,13 @@ init_vars(envp)
- 	set_perms(PERM_ROOT);
- 
-     /*
-     * If we were given the '-e', '-i' or '-s' options we need to redo
-+     * If we were given the '-e', '-i', '-l' or '-s' options we need to redo
-      * NewArgv and NewArgc.
-      */
-    if (ISSET(sudo_mode, MODE_EDIT)) {
-+    if (ISSET(sudo_mode, MODE_EDIT|MODE_LIST)) {
- 	NewArgv--;
- 	NewArgc++;
-	NewArgv[0] = "sudoedit";
-+	NewArgv[0] = user_cmnd;
-     } else if (ISSET(sudo_mode, MODE_SHELL)) {
- 	char **av;
- 
--- a/sudo-1.7.4p4-auditconn.patch
+++ b/sudo-1.7.4p4-auditconn.patch
@ -1,15 +0,0 @@
-diff -r 9a328aa25c53 -r a686884684ca linux_audit.c
--- a/linux_audit.c	Fri Sep 17 12:13:17 2010 -0400
-+++ b/linux_audit.c	Tue Sep 21 07:56:36 2010 -0400
-@@ -81,9 +81,9 @@
-     }
-     *--cp = '\0';
- 
-    /* Log command, ignoring EPERM on error. */
-+    /* Log command, ignoring ECONNREFUSED on error. */
-     rc = audit_log_user_command(au_fd, AUDIT_USER_CMD, command, NULL, result);
-    if (rc <= 0)
-+    if (rc <= 0 && errno != ECONNREFUSED)
- 	warning("unable to send audit message");
- 
-     efree(command);
--- a/sudo-1.7.4p4-getgrouplist-fixed.patch
+++ b/sudo-1.7.4p4-getgrouplist-fixed.patch
@ -1,6 +1,6 @@
 diff -up sudo-1.7.4p4/configure.in.getgrouplist sudo-1.7.4p4/configure.in
--- sudo-1.7.4p4/configure.in.getgrouplist	2010-09-07 15:53:38.400260828 +0200
-+++ sudo-1.7.4p4/configure.in	2010-09-07 15:54:48.751188374 +0200
+--- sudo-1.7.4p4/configure.in.getgrouplist	2011-01-11 10:45:49.170262147 +0100
+++ sudo-1.7.4p4/configure.in	2011-01-11 10:45:49.176261407 +0100
@@ -1913,7 +1913,7 @@ AC_FUNC_GETGROUPS
 AC_CHECK_FUNCS(strchr strrchr memchr memcpy memset sysconf tzset \
 	       strftime setrlimit initgroups getgroups fstat gettimeofday \
@ -11,17 +11,20 @@ diff -up sudo-1.7.4p4/configure.in.getgrouplist sudo-1.7.4p4/configure.in
     AC_LIBOBJ(getline)
     AC_CHECK_FUNCS(fgetln)
 diff -up sudo-1.7.4p4/pwutil.c.getgrouplist sudo-1.7.4p4/pwutil.c
--- sudo-1.7.4p4/pwutil.c.getgrouplist	2010-09-07 15:53:26.816198477 +0200
-+++ sudo-1.7.4p4/pwutil.c	2010-09-07 15:54:16.990188543 +0200
-@@ -628,5 +628,23 @@ user_in_group(pw, group)
+--- sudo-1.7.4p4/pwutil.c.getgrouplist	2010-08-06 15:44:30.000000000 +0200
+++ sudo-1.7.4p4/pwutil.c	2011-01-11 11:42:16.771282451 +0100
+@@ -628,5 +628,26 @@ user_in_group(pw, group)
     }
 #endif /* HAVE_MBR_CHECK_MEMBERSHIP */
 
 +#ifdef HAVE_GETGROUPLIST
+    if (user_ngroups >= 0 &&
+	strcmp(pw->pw_name, list_pw ? list_pw->pw_name : user_name) == 0)
 +    {
 +	gid_t *grouplist, grouptmp;
 +	int n_groups, i;
 +	n_groups = 1;
+
 +	if (getgrouplist(user_name, user_gid, &grouptmp, &n_groups) == -1) {
 +	    grouplist = (gid_t *) emalloc(sizeof(gid_t) * (n_groups + 1));
 +	    if (getgrouplist(user_name, user_gid, grouplist, &n_groups) > 0)
--- a/sudo.spec
+++ b/sudo.spec
@ -1,7 +1,7 @@
 Summary: Allows restricted root access for specified users
 Name: sudo
-Version: 1.7.4p4
-Release: 5%{?dist}
+Version: 1.7.4p5
+Release: 1%{?dist}
 License: ISC
 Group: Applications/System
 URL: http://www.courtesan.com/sudo/
@ -26,14 +26,11 @@ Patch1: sudo-1.6.7p5-strip.patch
 Patch2: sudo-1.7.2p1-envdebug.patch
 # add m4/ to paths in aclocal.m4
 Patch3: sudo-1.7.4p3-m4path.patch
-# don't emalloc(0)
-Patch4: sudo-1.7.4p3-sudolist.patch
 # getgrouplist() to determine group membership (#235915)
-Patch5: sudo-1.7.4p4-getgrouplist.patch
+# - version with CVE-2009-0034 fixed
+Patch4: sudo-1.7.4p4-getgrouplist-fixed.patch
 # reset HOME when using the `-i' option (#635250)
-Patch6: sudo-1.7.4p4-sudoi.patch
-# Ignore ECONREFUSED from audit_log_user_command()
-Patch7: sudo-1.7.4p4-auditconn.patch
+Patch5: sudo-1.7.4p4-sudoi.patch

 %description
 Sudo (superuser do) allows a system administrator to give certain
@ -52,10 +49,8 @@ on many different machines.
 %patch1 -p1 -b .strip
 %patch2 -p1 -b .envdebug
 %patch3 -p1 -b .m4path
-%patch4 -p1 -b .sudolist
-%patch5 -p1 -b .getgrouplist
-%patch6 -p0 -b .sudoi
-%patch7 -p1 -b .auditconn
+%patch4 -p1 -b .getgrouplist
+%patch5 -p0 -b .sudoi

 %build
 # handle newer autoconf
@ -128,7 +123,7 @@ rm -rf $RPM_BUILD_ROOT
 %files
 %defattr(-,root,root)
 %doc ChangeLog NEWS HISTORY LICENSE README* TROUBLESHOOTING UPGRADE
-%doc sudoers.ldap.pod schema.* sudoers2ldif sample.*
+%doc schema.* sudoers2ldif sample.*
 %attr(0440,root,root) %config(noreplace) /etc/sudoers
 %attr(0750,root,root) %dir /etc/sudoers.d/
 %config(noreplace) /etc/pam.d/sudo
@ -152,6 +147,11 @@ rm -rf $RPM_BUILD_ROOT
 /bin/chmod 0440 /etc/sudoers || :

 %changelog
+* Mon Jan 17 2011 Daniel Kopecek <dkopecek@redhat.com> - 1.7.4p5-1
+- rebase to 1.7.4p5
+- fixed sudo-1.7.4p4-getgrouplist.patch
+- fixes CVE-2011-0008, CVE-2011-0010
+
 * Tue Nov 30 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.4p4-5
 - anybody in the wheel group has now root access (using password) (rhbz#656873)
 - sync configuration paths with the nss_ldap package (rhbz#652687)