- rebase to 1.7.4p5

- fixed sudo-1.7.4p4-getgrouplist.patch
- fixes CVE-2011-0008, CVE-2011-0010
This commit is contained in:
Daniel Kopecek 2011-01-17 11:23:52 +01:00
parent d12db81253
commit 92c68ba926
6 changed files with 23 additions and 101 deletions

1
.gitignore vendored
View File

@ -3,3 +3,4 @@ sudo-1.7.2p2-sudoers
/sudo-1.7.4p4.tar.gz /sudo-1.7.4p4.tar.gz
/sudo-1.7.2p2-sudoers /sudo-1.7.2p2-sudoers
/sudo-1.7.4p4-sudoers /sudo-1.7.4p4-sudoers
/sudo-1.7.4p5.tar.gz

View File

@ -1,2 +1,2 @@
55d9906535d70a1de347cd3d3550ee87 sudo-1.7.4p4.tar.gz 4c8105507363371dea89ceb7c92187dd sudo-1.7.4p5.tar.gz
56f74aed3a7b32f2b01a34d65ac86f85 sudo-1.7.4p4-sudoers 56f74aed3a7b32f2b01a34d65ac86f85 sudo-1.7.4p4-sudoers

View File

@ -1,67 +0,0 @@
diff -up sudo-1.7.4p3/parse.c.orig sudo-1.7.4p3/parse.c
--- sudo-1.7.4p3/parse.c.orig 2010-09-07 15:00:12.728260953 +0200
+++ sudo-1.7.4p3/parse.c 2010-09-07 15:00:38.950188803 +0200
@@ -158,8 +158,8 @@ sudo_file_lookup(nss, validated, pwflag)
/*
* Only check the actual command if pwflag is not set.
- * It is set for the "validate", "list" and "kill" pseudo-commands.
- * Always check the host and user.
+ * It is set for the "sudovalidate", "sudolist" and "sudokill"
+ * pseudo-commands. Always check the host and user.
*/
if (pwflag) {
int nopass;
diff -up sudo-1.7.4p3/sudo.c.orig sudo-1.7.4p3/sudo.c
--- sudo-1.7.4p3/sudo.c.orig 2010-09-07 14:57:08.201198517 +0200
+++ sudo-1.7.4p3/sudo.c 2010-09-07 14:55:47.208260545 +0200
@@ -232,7 +232,7 @@ main(argc, argv, envp)
pwflag = 0;
if (ISSET(sudo_mode, MODE_SHELL))
- user_cmnd = "shell";
+ user_cmnd = "sudoshell";
else if (ISSET(sudo_mode, MODE_EDIT))
user_cmnd = "sudoedit";
else {
@@ -245,12 +245,12 @@ main(argc, argv, envp)
break;
case MODE_VALIDATE:
case MODE_VALIDATE|MODE_INVALIDATE:
- user_cmnd = "validate";
+ user_cmnd = "sudovalidate";
pwflag = I_VERIFYPW;
break;
case MODE_KILL:
case MODE_INVALIDATE:
- user_cmnd = "kill";
+ user_cmnd = "sudokill";
pwflag = -1;
break;
case MODE_LISTDEFS:
@@ -259,7 +259,7 @@ main(argc, argv, envp)
break;
case MODE_LIST:
case MODE_LIST|MODE_INVALIDATE:
- user_cmnd = "list";
+ user_cmnd = "sudolist";
pwflag = I_LISTPW;
break;
case MODE_CHECK:
@@ -701,13 +701,13 @@ init_vars(envp)
set_perms(PERM_ROOT);
/*
- * If we were given the '-e', '-i' or '-s' options we need to redo
+ * If we were given the '-e', '-i', '-l' or '-s' options we need to redo
* NewArgv and NewArgc.
*/
- if (ISSET(sudo_mode, MODE_EDIT)) {
+ if (ISSET(sudo_mode, MODE_EDIT|MODE_LIST)) {
NewArgv--;
NewArgc++;
- NewArgv[0] = "sudoedit";
+ NewArgv[0] = user_cmnd;
} else if (ISSET(sudo_mode, MODE_SHELL)) {
char **av;

View File

@ -1,15 +0,0 @@
diff -r 9a328aa25c53 -r a686884684ca linux_audit.c
--- a/linux_audit.c Fri Sep 17 12:13:17 2010 -0400
+++ b/linux_audit.c Tue Sep 21 07:56:36 2010 -0400
@@ -81,9 +81,9 @@
}
*--cp = '\0';
- /* Log command, ignoring EPERM on error. */
+ /* Log command, ignoring ECONNREFUSED on error. */
rc = audit_log_user_command(au_fd, AUDIT_USER_CMD, command, NULL, result);
- if (rc <= 0)
+ if (rc <= 0 && errno != ECONNREFUSED)
warning("unable to send audit message");
efree(command);

View File

@ -1,6 +1,6 @@
diff -up sudo-1.7.4p4/configure.in.getgrouplist sudo-1.7.4p4/configure.in diff -up sudo-1.7.4p4/configure.in.getgrouplist sudo-1.7.4p4/configure.in
--- sudo-1.7.4p4/configure.in.getgrouplist 2010-09-07 15:53:38.400260828 +0200 --- sudo-1.7.4p4/configure.in.getgrouplist 2011-01-11 10:45:49.170262147 +0100
+++ sudo-1.7.4p4/configure.in 2010-09-07 15:54:48.751188374 +0200 +++ sudo-1.7.4p4/configure.in 2011-01-11 10:45:49.176261407 +0100
@@ -1913,7 +1913,7 @@ AC_FUNC_GETGROUPS @@ -1913,7 +1913,7 @@ AC_FUNC_GETGROUPS
AC_CHECK_FUNCS(strchr strrchr memchr memcpy memset sysconf tzset \ AC_CHECK_FUNCS(strchr strrchr memchr memcpy memset sysconf tzset \
strftime setrlimit initgroups getgroups fstat gettimeofday \ strftime setrlimit initgroups getgroups fstat gettimeofday \
@ -11,17 +11,20 @@ diff -up sudo-1.7.4p4/configure.in.getgrouplist sudo-1.7.4p4/configure.in
AC_LIBOBJ(getline) AC_LIBOBJ(getline)
AC_CHECK_FUNCS(fgetln) AC_CHECK_FUNCS(fgetln)
diff -up sudo-1.7.4p4/pwutil.c.getgrouplist sudo-1.7.4p4/pwutil.c diff -up sudo-1.7.4p4/pwutil.c.getgrouplist sudo-1.7.4p4/pwutil.c
--- sudo-1.7.4p4/pwutil.c.getgrouplist 2010-09-07 15:53:26.816198477 +0200 --- sudo-1.7.4p4/pwutil.c.getgrouplist 2010-08-06 15:44:30.000000000 +0200
+++ sudo-1.7.4p4/pwutil.c 2010-09-07 15:54:16.990188543 +0200 +++ sudo-1.7.4p4/pwutil.c 2011-01-11 11:42:16.771282451 +0100
@@ -628,5 +628,23 @@ user_in_group(pw, group) @@ -628,5 +628,26 @@ user_in_group(pw, group)
} }
#endif /* HAVE_MBR_CHECK_MEMBERSHIP */ #endif /* HAVE_MBR_CHECK_MEMBERSHIP */
+#ifdef HAVE_GETGROUPLIST +#ifdef HAVE_GETGROUPLIST
+ if (user_ngroups >= 0 &&
+ strcmp(pw->pw_name, list_pw ? list_pw->pw_name : user_name) == 0)
+ { + {
+ gid_t *grouplist, grouptmp; + gid_t *grouplist, grouptmp;
+ int n_groups, i; + int n_groups, i;
+ n_groups = 1; + n_groups = 1;
+
+ if (getgrouplist(user_name, user_gid, &grouptmp, &n_groups) == -1) { + if (getgrouplist(user_name, user_gid, &grouptmp, &n_groups) == -1) {
+ grouplist = (gid_t *) emalloc(sizeof(gid_t) * (n_groups + 1)); + grouplist = (gid_t *) emalloc(sizeof(gid_t) * (n_groups + 1));
+ if (getgrouplist(user_name, user_gid, grouplist, &n_groups) > 0) + if (getgrouplist(user_name, user_gid, grouplist, &n_groups) > 0)

View File

@ -1,7 +1,7 @@
Summary: Allows restricted root access for specified users Summary: Allows restricted root access for specified users
Name: sudo Name: sudo
Version: 1.7.4p4 Version: 1.7.4p5
Release: 5%{?dist} Release: 1%{?dist}
License: ISC License: ISC
Group: Applications/System Group: Applications/System
URL: http://www.courtesan.com/sudo/ URL: http://www.courtesan.com/sudo/
@ -26,14 +26,11 @@ Patch1: sudo-1.6.7p5-strip.patch
Patch2: sudo-1.7.2p1-envdebug.patch Patch2: sudo-1.7.2p1-envdebug.patch
# add m4/ to paths in aclocal.m4 # add m4/ to paths in aclocal.m4
Patch3: sudo-1.7.4p3-m4path.patch Patch3: sudo-1.7.4p3-m4path.patch
# don't emalloc(0)
Patch4: sudo-1.7.4p3-sudolist.patch
# getgrouplist() to determine group membership (#235915) # getgrouplist() to determine group membership (#235915)
Patch5: sudo-1.7.4p4-getgrouplist.patch # - version with CVE-2009-0034 fixed
Patch4: sudo-1.7.4p4-getgrouplist-fixed.patch
# reset HOME when using the `-i' option (#635250) # reset HOME when using the `-i' option (#635250)
Patch6: sudo-1.7.4p4-sudoi.patch Patch5: sudo-1.7.4p4-sudoi.patch
# Ignore ECONREFUSED from audit_log_user_command()
Patch7: sudo-1.7.4p4-auditconn.patch
%description %description
Sudo (superuser do) allows a system administrator to give certain Sudo (superuser do) allows a system administrator to give certain
@ -52,10 +49,8 @@ on many different machines.
%patch1 -p1 -b .strip %patch1 -p1 -b .strip
%patch2 -p1 -b .envdebug %patch2 -p1 -b .envdebug
%patch3 -p1 -b .m4path %patch3 -p1 -b .m4path
%patch4 -p1 -b .sudolist %patch4 -p1 -b .getgrouplist
%patch5 -p1 -b .getgrouplist %patch5 -p0 -b .sudoi
%patch6 -p0 -b .sudoi
%patch7 -p1 -b .auditconn
%build %build
# handle newer autoconf # handle newer autoconf
@ -128,7 +123,7 @@ rm -rf $RPM_BUILD_ROOT
%files %files
%defattr(-,root,root) %defattr(-,root,root)
%doc ChangeLog NEWS HISTORY LICENSE README* TROUBLESHOOTING UPGRADE %doc ChangeLog NEWS HISTORY LICENSE README* TROUBLESHOOTING UPGRADE
%doc sudoers.ldap.pod schema.* sudoers2ldif sample.* %doc schema.* sudoers2ldif sample.*
%attr(0440,root,root) %config(noreplace) /etc/sudoers %attr(0440,root,root) %config(noreplace) /etc/sudoers
%attr(0750,root,root) %dir /etc/sudoers.d/ %attr(0750,root,root) %dir /etc/sudoers.d/
%config(noreplace) /etc/pam.d/sudo %config(noreplace) /etc/pam.d/sudo
@ -152,6 +147,11 @@ rm -rf $RPM_BUILD_ROOT
/bin/chmod 0440 /etc/sudoers || : /bin/chmod 0440 /etc/sudoers || :
%changelog %changelog
* Mon Jan 17 2011 Daniel Kopecek <dkopecek@redhat.com> - 1.7.4p5-1
- rebase to 1.7.4p5
- fixed sudo-1.7.4p4-getgrouplist.patch
- fixes CVE-2011-0008, CVE-2011-0010
* Tue Nov 30 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.4p4-5 * Tue Nov 30 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.4p4-5
- anybody in the wheel group has now root access (using password) (rhbz#656873) - anybody in the wheel group has now root access (using password) (rhbz#656873)
- sync configuration paths with the nss_ldap package (rhbz#652687) - sync configuration paths with the nss_ldap package (rhbz#652687)