update to 1.8.12

- fixes CVE-2014-9680

.gitignore

@@ -10,3 +10,8 @@ sudo-1.7.2p2-sudoers
 /sudo-1.8.6.tar.gz
 /sudo-1.8.6p3.tar.gz
 /sudo-1.8.6p7.tar.gz
+/sudo-1.8.8.tar.gz
+/sudo-1.8.8-sudoers
+/sudo-1.8.11.tar.gz
+/sudo-1.8.11p2.tar.gz
+/sudo-1.8.12.tar.gz

sources

@@ -1,2 +1,2 @@
-56f74aed3a7b32f2b01a34d65ac86f85  sudo-1.7.4p4-sudoers
-126abfa2e841139e774d4c67d80f0e5b  sudo-1.8.6p7.tar.gz
+775b863cdff3a2ee2a26c2d53b51aff5  sudo-1.8.8-sudoers
+87558f3a55c62bc9244b19594f103ffa  sudo-1.8.12.tar.gz

sudo-1.7.4p3-m4path.patch

@@ -1,17 +0,0 @@
-diff -up sudo-1.7.4p3/aclocal.m4.m4path sudo-1.7.4p3/aclocal.m4
---- sudo-1.7.4p3/aclocal.m4.m4path	2010-09-07 13:11:59.095198365 +0200
-+++ sudo-1.7.4p3/aclocal.m4	2010-09-07 13:12:25.718209211 +0200
-@@ -368,8 +368,8 @@ EOF
- dnl
- dnl Pull in libtool macros
- dnl
--m4_include([libtool.m4])
--m4_include([ltoptions.m4])
--m4_include([ltsugar.m4])
--m4_include([ltversion.m4])
--m4_include([lt~obsolete.m4])
-+m4_include([m4/libtool.m4])
-+m4_include([m4/ltoptions.m4])
-+m4_include([m4/ltsugar.m4])
-+m4_include([m4/ltversion.m4])
-+m4_include([m4/lt~obsolete.m4])

sudo-1.8.11b4-ldapconfpatch.patch

@@ -0,0 +1,54 @@
+diff -up sudo-1.8.11b4/plugins/sudoers/ldap.c.ldapconfpatch sudo-1.8.11b4/plugins/sudoers/ldap.c
+--- sudo-1.8.11b4/plugins/sudoers/ldap.c.ldapconfpatch	2014-07-22 22:52:34.000000000 +0200
++++ sudo-1.8.11b4/plugins/sudoers/ldap.c	2014-09-15 11:22:11.122094452 +0200
+@@ -1550,6 +1550,33 @@ sudo_check_krb5_ccname(const char *ccnam
+ }
+ #endif /* HAVE_LDAP_SASL_INTERACTIVE_BIND_S */
+ 
++/*
++ * Read a line of input, remove whole line comments and strip off leading
++ * and trailing spaces.  Returns static storage that is reused.
++ */
++static char *
++sudo_ldap_parseln(fp)
++    FILE *fp;
++{
++    size_t len;
++    char *cp = NULL;
++    static char buf[LINE_MAX];
++
++    if (fgets(buf, sizeof(buf), fp) != NULL) {
++	/* Remove comments */
++	if (*buf == '#')
++	    *buf = '\0';
++
++	/* Trim leading and trailing whitespace/newline */
++	len = strlen(buf);
++	while (len > 0 && isspace((unsigned char)buf[len - 1]))
++	    buf[--len] = '\0';
++	for (cp = buf; isblank(*cp); cp++)
++	    continue;
++    }
++    return(cp);
++}
++
+ static bool
+ sudo_ldap_read_config(void)
+ {
+@@ -1575,7 +1602,7 @@ sudo_ldap_read_config(void)
+     if ((fp = fopen(path_ldap_conf, "r")) == NULL)
+ 	debug_return_bool(false);
+ 
+-    while (sudo_parseln(&line, &linesize, NULL, fp) != -1) {
++    while ((line = sudo_ldap_parseln(fp)) != NULL) {
+ 	if (*line == '\0')
+ 	    continue;		/* skip empty line */
+ 
+@@ -1595,7 +1622,6 @@ sudo_ldap_read_config(void)
+ 	if (!sudo_ldap_parse_keyword(keyword, value, ldap_conf_global))
+ 	    sudo_ldap_parse_keyword(keyword, value, ldap_conf_conn);
+     }
+-    free(line);
+     fclose(fp);
+ 
+     if (!ldap_conf.host)

sudo-1.8.11p2-auditfix.patch

@@ -0,0 +1,17 @@
+diff -up sudo-1.8.11p2/plugins/sudoers/linux_audit.c.auditfix sudo-1.8.11p2/plugins/sudoers/linux_audit.c
+--- sudo-1.8.11p2/plugins/sudoers/linux_audit.c.auditfix	2014-11-03 12:44:53.674230966 +0100
++++ sudo-1.8.11p2/plugins/sudoers/linux_audit.c	2014-11-03 12:45:13.407021599 +0100
+@@ -57,10 +57,10 @@ linux_audit_open(void)
+     au_fd = audit_open();
+     if (au_fd == -1) {
+ 	/* Kernel may not have audit support. */
+-	if (errno != EINVAL && errno != EPROTONOSUPPORT && errno != EAFNOSUPPORT) {
+-	    sudo_warn(U_("unable to open audit system"));
++	if (errno == EINVAL || errno == EPROTONOSUPPORT || errno == EAFNOSUPPORT)
+ 	    au_fd = AUDIT_NOT_CONFIGURED;
+-	}
++	else
++	    sudo_warn(U_("unable to open audit system"));
+     } else {
+ 	(void)fcntl(au_fd, F_SETFD, FD_CLOEXEC);
+     }

sudo-1.8.6p3-noauthwarn-regression.patch

@@ -1,77 +0,0 @@
-diff -up sudo-1.8.6p3/plugins/sudoers/audit.c.orig sudo-1.8.6p3/plugins/sudoers/audit.c
---- sudo-1.8.6p3/plugins/sudoers/audit.c.orig	2012-11-07 13:04:55.424637797 +0100
-+++ sudo-1.8.6p3/plugins/sudoers/audit.c	2012-11-07 13:06:53.705032954 +0100
-@@ -26,6 +26,11 @@
- #  include <stdlib.h>
- # endif
- #endif /* STDC_HEADERS */
-+#ifdef HAVE_STDBOOL_H
-+# include <stdbool.h>
-+#else
-+# include "compat/stdbool.h"
-+#endif /* HAVE_STDBOOL_H */
- #include <stdarg.h>
- 
- #include "missing.h"
-diff -up sudo-1.8.6p3/plugins/sudoers/logging.c.orig sudo-1.8.6p3/plugins/sudoers/logging.c
---- sudo-1.8.6p3/plugins/sudoers/logging.c.orig	2012-11-07 13:04:55.424637797 +0100
-+++ sudo-1.8.6p3/plugins/sudoers/logging.c	2012-11-07 13:06:53.705032954 +0100
-@@ -247,14 +247,20 @@ do_logfile(char *msg)
- }
- 
- /*
-- * Log and mail the denial message, optionally informing the user.
-+ * Log, audit and mail the denial message, optionally informing the user.
-  */
--static void
-+void
- log_denial(int status, bool inform_user)
- {
-     char *logline, *message;
-     debug_decl(log_denial, SUDO_DEBUG_LOGGING)
- 
-+    /* Handle auditing first. */
-+    if (ISSET(status, FLAG_NO_USER | FLAG_NO_HOST))
-+	audit_failure(NewArgv, _("No user or host"));
-+    else
-+	audit_failure(NewArgv, _("validation failure"));
-+
-     /* Set error message. */
-     if (ISSET(status, FLAG_NO_USER))
- 	message = _("user NOT in sudoers");
-@@ -312,12 +318,6 @@ log_failure(int status, int flags)
-     debug_decl(log_failure, SUDO_DEBUG_LOGGING)
-     bool inform_user = true;
- 
--    /* Handle auditing first. */
--    if (ISSET(status, FLAG_NO_USER | FLAG_NO_HOST))
--	audit_failure(NewArgv, _("No user or host"));
--    else
--	audit_failure(NewArgv, _("validation failure"));
--
-     /* The user doesn't always get to see the log message (path info). */
-     if (!ISSET(status, FLAG_NO_USER | FLAG_NO_HOST) && def_path_info &&
- 	(flags == NOT_FOUND_DOT || flags == NOT_FOUND))
-diff -up sudo-1.8.6p3/plugins/sudoers/logging.h.orig sudo-1.8.6p3/plugins/sudoers/logging.h
---- sudo-1.8.6p3/plugins/sudoers/logging.h.orig	2012-11-07 13:04:55.425637802 +0100
-+++ sudo-1.8.6p3/plugins/sudoers/logging.h	2012-11-07 13:06:53.706032965 +0100
-@@ -56,6 +56,7 @@ void audit_success(char *exec_args[]);
- void audit_failure(char *exec_args[], char const *const fmt, ...);
- void log_allowed(int status);
- void log_auth_failure(int status, int tries);
-+void log_denial(int status, bool inform_user);
- void log_failure(int status, int flags);
- void log_error(int flags, const char *fmt, ...) __printflike(2, 3);
- void log_fatal(int flags, const char *fmt, ...) __printflike(2, 3) __attribute__((__noreturn__));
-diff -up sudo-1.8.6p3/plugins/sudoers/sudoers.c.orig sudo-1.8.6p3/plugins/sudoers/sudoers.c
---- sudo-1.8.6p3/plugins/sudoers/sudoers.c.orig	2012-11-07 13:04:55.425637802 +0100
-+++ sudo-1.8.6p3/plugins/sudoers/sudoers.c	2012-11-07 13:06:53.706032965 +0100
-@@ -466,7 +466,7 @@ sudoers_policy_main(int argc, char * con
-     rval = check_user(validated, sudo_mode);
-     if (rval != true) {
- 	if (!ISSET(validated, VALIDATE_OK))
--	    log_failure(validated, cmnd_status);
-+	    log_denial(validated, false);
- 	goto done;
-     }
- 

sudo-1.8.8-clangbugs.patch

@@ -0,0 +1,60 @@
+diff -up sudo-1.8.8/plugins/sudoers/auth/pam.c.clangbugs sudo-1.8.8/plugins/sudoers/auth/pam.c
+--- sudo-1.8.8/plugins/sudoers/auth/pam.c.clangbugs	2013-09-30 23:41:07.899529555 +0200
++++ sudo-1.8.8/plugins/sudoers/auth/pam.c	2013-09-30 23:41:58.988707761 +0200
+@@ -246,6 +246,7 @@ sudo_pam_begin_session(struct passwd *pw
+ 	    (void) pam_end(pamh, *pam_status | PAM_DATA_SILENT);
+ 	    pamh = NULL;
+ 	    status = AUTH_FAILURE;
++	    goto done;
+ 	}
+     }
+ 
+diff -up sudo-1.8.8/plugins/sudoers/sssd.c.clangbugs sudo-1.8.8/plugins/sudoers/sssd.c
+--- sudo-1.8.8/plugins/sudoers/sssd.c.clangbugs	2013-09-30 23:44:20.404200629 +0200
++++ sudo-1.8.8/plugins/sudoers/sssd.c	2013-09-30 23:49:05.998194738 +0200
+@@ -310,11 +310,10 @@ static int sudo_sss_close(struct sudo_ns
+     debug_decl(sudo_sss_close, SUDO_DEBUG_SSSD);
+ 
+     if (nss && nss->handle) {
+-	handle = nss->handle;
+-	dlclose(handle->ssslib);
++	    handle = nss->handle;
++	    dlclose(handle->ssslib);
++	    efree(nss->handle);
+     }
+-
+-    efree(nss->handle);
+     debug_return_int(0);
+ }
+ 
+@@ -705,17 +704,21 @@ sudo_sss_result_get(struct sudo_nss *nss
+ 	sudo_sss_result_filterp, _SUDO_SSS_FILTER_INCLUDE, NULL);
+ 
+     if (f_sss_result != NULL) {
+-	if (f_sss_result->num_rules > 0) {
+-	    if (state != NULL) {
+-		sudo_debug_printf(SUDO_DEBUG_DEBUG, "state |= HOSTMATCH");
+-		*state |= _SUDO_SSS_STATE_HOSTMATCH;
++	    if (f_sss_result->num_rules > 0) {
++		    if (state != NULL) {
++			    sudo_debug_printf(SUDO_DEBUG_DEBUG, "state |= HOSTMATCH");
++			    *state |= _SUDO_SSS_STATE_HOSTMATCH;
++		    }
+ 	    }
+-	}
+-    }
+ 
+-    sudo_debug_printf(SUDO_DEBUG_DEBUG,
+-	"u_sss_result=(%p, %u) => f_sss_result=(%p, %u)", u_sss_result,
+-	u_sss_result->num_rules, f_sss_result, f_sss_result->num_rules);
++	    sudo_debug_printf(SUDO_DEBUG_DEBUG,
++	                      "u_sss_result=(%p, %u) => f_sss_result=(%p, %u)", u_sss_result,
++	                      u_sss_result->num_rules, f_sss_result, f_sss_result->num_rules);
++    } else {
++	    sudo_debug_printf(SUDO_DEBUG_DEBUG,
++	                      "u_sss_result=(%p, %u) => f_sss_result=NULL",
++	                      u_sss_result, u_sss_result->num_rules);
++    }
+ 
+     handle->fn_free_result(u_sss_result);
+ 

sudo-1.8.8-sssdfixes.patch

@@ -0,0 +1,119 @@
+diff -up sudo-1.8.8/plugins/sudoers/sssd.c.sssdfixes sudo-1.8.8/plugins/sudoers/sssd.c
+--- sudo-1.8.8/plugins/sudoers/sssd.c.sssdfixes	2013-09-30 23:18:49.641913457 +0200
++++ sudo-1.8.8/plugins/sudoers/sssd.c	2013-09-30 23:25:54.819376696 +0200
+@@ -534,30 +534,31 @@ sudo_sss_check_runas_group(struct sudo_s
+  * Walk through search results and return true if we have a runas match,
+  * else false.  RunAs info is optional.
+  */
+-static int
++static bool
+ sudo_sss_check_runas(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
+ {
+-    int ret;
++    bool ret;
+     debug_decl(sudo_sss_check_runas, SUDO_DEBUG_SSSD);
+ 
+     if (rule == NULL)
+-	 debug_return_int(false);
++	 debug_return_bool(false);
+ 
+     ret = sudo_sss_check_runas_user(handle, rule) != false &&
+ 	 sudo_sss_check_runas_group(handle, rule) != false;
+ 
+-    debug_return_int(ret);
++    debug_return_bool(ret);
+ }
+ 
+-static int
++static bool
+ sudo_sss_check_host(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
+ {
+     char **val_array, *val;
+-    int ret = false, i;
++    bool ret = false;
++    int i;
+     debug_decl(sudo_sss_check_host, SUDO_DEBUG_SSSD);
+ 
+     if (rule == NULL)
+-	debug_return_int(ret);
++	debug_return_bool(ret);
+ 
+     /* get the values from the rule */
+     switch (handle->fn_get_values(rule, "sudoHost", &val_array))
+@@ -566,10 +567,10 @@ sudo_sss_check_host(struct sudo_sss_hand
+ 	break;
+     case ENOENT:
+ 	sudo_debug_printf(SUDO_DEBUG_INFO, "No result.");
+-	debug_return_int(false);
++	debug_return_bool(false);
+     default:
+ 	sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values(sudoHost): != 0");
+-	debug_return_int(ret);
++	debug_return_bool(ret);
+     }
+ 
+     /* walk through values */
+@@ -589,7 +590,52 @@ sudo_sss_check_host(struct sudo_sss_hand
+ 
+     handle->fn_free_values(val_array);
+ 
+-    debug_return_int(ret);
++    debug_return_bool(ret);
++}
++
++/*
++ * Look for netgroup specifcations in the sudoUser attribute and
++ * if found, filter according to netgroup membership.
++ *  returns:
++ *   true -> netgroup spec found && negroup member
++ *  false -> netgroup spec found && not a meber of netgroup
++ *   true -> netgroup spec not found (filtered by SSSD already, netgroups are an exception)
++ */
++bool sudo_sss_filter_user_netgroup(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
++{
++	bool ret = false, netgroup_spec_found = false;
++	char **val_array, *val;
++	int i;
++	debug_decl(sudo_sss_check_user_netgroup, SUDO_DEBUG_SSSD);
++
++	if (!handle || !rule)
++		debug_return_bool(ret);
++
++	switch (handle->fn_get_values(rule, "sudoUser", &val_array)) {
++		case 0:
++			break;
++		case ENOENT:
++			sudo_debug_printf(SUDO_DEBUG_INFO, "No result.");
++			debug_return_bool(ret);
++		default:
++			sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values(sudoUser): != 0");
++			debug_return_bool(ret);
++	}
++
++	for (i = 0; val_array[i] != NULL && !ret; ++i) {
++		val = val_array[i];
++		if (*val == '+') {
++			netgroup_spec_found = true;
++		}
++		sudo_debug_printf(SUDO_DEBUG_DEBUG, "val[%d]=%s", i, val);
++		if (strcmp(val, "ALL") == 0 || netgr_matches(val, NULL, NULL, user_name)) {
++			ret = true;
++			sudo_debug_printf(SUDO_DEBUG_DIAG,
++			                  "sssd/ldap sudoUser '%s' ... MATCH! (%s)", val, user_name);
++		}
++	}
++	handle->fn_free_values(val_array);
++	debug_return_bool(netgroup_spec_found ? ret : true);
+ }
+ 
+ static int
+@@ -599,7 +645,8 @@ sudo_sss_result_filterp(struct sudo_sss_
+     (void)unused;
+     debug_decl(sudo_sss_result_filterp, SUDO_DEBUG_SSSD);
+ 
+-    if (sudo_sss_check_host(handle, rule))
++    if (sudo_sss_check_host(handle, rule) &&
++        sudo_sss_filter_user_netgroup(handle, rule))
+ 	debug_return_int(1);
+     else
+ 	debug_return_int(0);

sudo-1.8.8-strictuidgid.patch

@@ -0,0 +1,53 @@
+diff -up sudo-1.8.8/plugins/sudoers/match.c.strictuidgid sudo-1.8.8/plugins/sudoers/match.c
+--- sudo-1.8.8/plugins/sudoers/match.c.strictuidgid	2013-09-30 23:30:12.359263967 +0200
++++ sudo-1.8.8/plugins/sudoers/match.c	2013-09-30 23:31:04.335443002 +0200
+@@ -777,14 +777,16 @@ hostname_matches(char *shost, char *lhos
+ bool
+ userpw_matches(char *sudoers_user, char *user, struct passwd *pw)
+ {
+-    debug_decl(userpw_matches, SUDO_DEBUG_MATCH)
+-
+-    if (pw != NULL && *sudoers_user == '#') {
+-	uid_t uid = (uid_t) atoi(sudoers_user + 1);
+-	if (uid == pw->pw_uid)
+-	    debug_return_bool(true);
+-    }
+-    debug_return_bool(strcmp(sudoers_user, user) == 0);
++	debug_decl(userpw_matches, SUDO_DEBUG_MATCH)
++	if (pw != NULL && *sudoers_user == '#') {
++		char *end = NULL;
++		uid_t uid = (uid_t) strtol(sudoers_user + 1, &end, 10);
++		if (end != NULL && (sudoers_user[1] != '\0' && *end == '\0')) {
++			if (uid == pw->pw_uid)
++				debug_return_bool(true);
++		}
++	}
++	debug_return_bool(strcmp(sudoers_user, user) == 0);
+ }
+ 
+ /*
+@@ -794,14 +796,16 @@ userpw_matches(char *sudoers_user, char
+ bool
+ group_matches(char *sudoers_group, struct group *gr)
+ {
+-    debug_decl(group_matches, SUDO_DEBUG_MATCH)
+-
+-    if (*sudoers_group == '#') {
+-	gid_t gid = (gid_t) atoi(sudoers_group + 1);
+-	if (gid == gr->gr_gid)
+-	    debug_return_bool(true);
+-    }
+-    debug_return_bool(strcmp(gr->gr_name, sudoers_group) == 0);
++	debug_decl(group_matches, SUDO_DEBUG_MATCH)
++	if (*sudoers_group == '#') {
++		char *end = NULL;
++		gid_t gid = (gid_t) strtol(sudoers_group + 1, &end, 10);
++		if (end != NULL && (sudoers_group[1] != '\0' && *end == '\0')) {
++			if (gid == gr->gr_gid)
++				debug_return_bool(true);
++		}
++	}
++	debug_return_bool(strcmp(gr->gr_name, sudoers_group) == 0);
+ }
+ 
+ /*

sudo.spec

@@ -1,14 +1,16 @@
 Summary: Allows restricted root access for specified users
 Name: sudo
-Version: 1.8.6p7
-Release: 2%{?dist}
+Version: 1.8.12
+Release: 1%{?dist}
 License: ISC
 Group: Applications/System
 URL: http://www.courtesan.com/sudo/
 Source0: http://www.courtesan.com/sudo/dist/sudo-%{version}.tar.gz
-Source1: sudo-1.7.4p4-sudoers
+Source1: sudo-1.8.8-sudoers
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
-Requires: /etc/pam.d/system-auth, vim-minimal
+Requires: /etc/pam.d/system-auth
+Requires: /usr/bin/vi
+Requires(post): /bin/chmod
 
 BuildRequires: pam-devel
 BuildRequires: groff
@@ -24,8 +26,8 @@ BuildRequires: zlib-devel
 
 # don't strip
 Patch1: sudo-1.6.7p5-strip.patch
-# configure.in fix
-Patch2: sudo-1.7.2p1-envdebug.patch
+# Patch to read ldap.conf more closely to nss_ldap
+Patch2: sudo-1.8.11b4-ldapconfpatch.patch
 
 %description
 Sudo (superuser do) allows a system administrator to give certain
@@ -51,9 +53,11 @@ plugins that use %{name}.
 %setup -q
 
 %patch1 -p1 -b .strip
-%patch2 -p1 -b .envdebug
+%patch2 -p1 -b .ldapconfpatch
 
 %build
+# Remove bundled copy of zlib
+rm -rf zlib/
 autoreconf -I m4 -fv --install
 
 %ifarch s390 s390x sparc64
@@ -68,7 +72,7 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"
         --prefix=%{_prefix} \
         --sbindir=%{_sbindir} \
         --libdir=%{_libdir} \
-        --docdir=%{_datadir}/doc/%{name}-%{version} \
+        --docdir=%{_pkgdocdir} \
         --with-logging=syslog \
         --with-logfac=authpriv \
         --with-pam \
@@ -95,10 +99,16 @@ install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo
 install -p -d -m 750 $RPM_BUILD_ROOT/etc/sudoers.d
 install -p -c -m 0440 %{SOURCE1} $RPM_BUILD_ROOT/etc/sudoers
 
-chmod +x $RPM_BUILD_ROOT%{_libexecdir}/*.so # for stripping, reset in %%files
+chmod +x $RPM_BUILD_ROOT%{_libexecdir}/sudo/*.so # for stripping, reset in %%files
 
 # Remove execute permission on this script so we don't pull in perl deps
-chmod -x $RPM_BUILD_ROOT%{_docdir}/sudo-*/sudoers2ldif
+chmod -x $RPM_BUILD_ROOT%{_pkgdocdir}/sudoers2ldif
+
+# Don't package LICENSE as a doc
+rm -rf $RPM_BUILD_ROOT%{_pkgdocdir}/LICENSE
+
+# Remove examples; Examples can be found in man pages too.
+rm -rf $RPM_BUILD_ROOT%{_datadir}/examples/sudo
 
 %find_lang sudo
 %find_lang sudoers
@@ -114,6 +124,7 @@ account    include      system-auth
 password   include      system-auth
 session    optional     pam_keyinit.so revoke
 session    required     pam_limits.so
+session    include      system-auth
 EOF
 
 cat > $RPM_BUILD_ROOT/etc/pam.d/sudo-i << EOF
@@ -122,7 +133,7 @@ auth       include      sudo
 account    include      sudo
 password   include      sudo
 session    optional     pam_keyinit.so force revoke
-session    required     pam_limits.so
+session    include      sudo
 EOF
 
 
@@ -140,17 +151,25 @@ rm -rf $RPM_BUILD_ROOT
 %attr(4111,root,root) %{_bindir}/sudoedit
 %attr(0111,root,root) %{_bindir}/sudoreplay
 %attr(0755,root,root) %{_sbindir}/visudo
-%attr(0755,root,root) %{_libexecdir}/sesh
-%attr(0644,root,root) %{_libexecdir}/sudo_noexec.so
-%attr(0644,root,root) %{_libexecdir}/sudoers.so
+%dir %{_libexecdir}/sudo
+%attr(0755,root,root) %{_libexecdir}/sudo/sesh
+%attr(0644,root,root) %{_libexecdir}/sudo/sudo_noexec.so
+%attr(0644,root,root) %{_libexecdir}/sudo/sudoers.so
+%attr(0644,root,root) %{_libexecdir}/sudo/group_file.so
+%attr(0644,root,root) %{_libexecdir}/sudo/system_group.so
+%attr(0644,root,root) %{_libexecdir}/sudo/libsudo_util.so.*
 %{_mandir}/man5/sudoers.5*
 %{_mandir}/man5/sudoers.ldap.5*
+%{_mandir}/man5/sudo.conf.5*
 %{_mandir}/man8/sudo.8*
 %{_mandir}/man8/sudoedit.8*
 %{_mandir}/man8/sudoreplay.8*
 %{_mandir}/man8/visudo.8*
-%dir %{_docdir}/sudo-%{version}
-%{_docdir}/sudo-%{version}/*
+%dir %{_pkgdocdir}/
+%{_pkgdocdir}/*
+%{!?_licensedir:%global license %%doc}
+%license doc/LICENSE
+%exclude %{_pkgdocdir}/ChangeLog
 
 
 # Make sure permissions are ok even if we're updating
@@ -162,8 +181,81 @@ rm -rf $RPM_BUILD_ROOT
 %doc plugins/sample/sample_plugin.c
 %{_includedir}/sudo_plugin.h
 %{_mandir}/man8/sudo_plugin.8*
+%attr(0644,root,root) %{_libexecdir}/sudo/libsudo_util.so
+%attr(0644,root,root) %{_libexecdir}/sudo/*.la
 
 %changelog
+* Wed Feb 18 2015 Daniel Kopecek <dkopecek@redhat.com> - 1.8.12
+- update to 1.8.12
+- fixes CVE-2014-9680
+
+* Mon Nov  3 2014 Daniel Kopecek <dkopecek@redhat.com> - 1.8.11p2-1
+- update to 1.8.11p2
+- added patch to fix upstream bug #671 -- exiting immediately
+  when audit is disabled
+
+* Tue Sep 30 2014 Daniel Kopecek <dkopecek@redhat.com> - 1.8.11-1
+- update to 1.8.11
+- major changes & fixes:
+  - when running a command in the background, sudo will now forward
+    SIGINFO to the command
+  - the passwords in ldap.conf and ldap.secret may now be encoded in base64. 
+  - SELinux role changes are now audited. For sudoedit, we now audit
+    the actual editor being run, instead of just the sudoedit command. 
+  - it is now possible to match an environment variable's value as well as
+    its name using env_keep and env_check
+  - new files created via sudoedit as a non-root user now have the proper group id
+  - sudoedit now works correctly in conjunction with sudo's SELinux RBAC support
+  - it is now possible to disable network interface probing in sudo.conf by
+    changing the value of the probe_interfaces setting
+  - when listing a user's privileges (sudo -l), the sudoers plugin will now prompt
+    for the user's password even if the targetpw, rootpw or runaspw options are set.
+  - the new use_netgroups sudoers option can be used to explicitly enable or disable
+    netgroups support
+  - visudo can now export a sudoers file in JSON format using the new -x flag
+- added patch to read ldap.conf more closely to nss_ldap
+- require /usr/bin/vi instead of vim-minimal
+- include pam.d/system-auth in PAM session phase from pam.d/sudo
+- include pam.d/sudo in PAM session phase from pam.d/sudo-i
+
+* Tue Aug  5 2014 Tom Callaway <spot@fedoraproject.org> - 1.8.8-5
+- fix license handling
+
+* Sat May 31 2014 Peter Robinson <pbrobinson@fedoraproject.org> 1.8.8-4
+- Drop ChangeLog, we ship NEWS
+
+* Mon Mar 10 2014 Daniel Kopecek <dkopecek@redhat.com> - 1.8.8-3
+- remove bundled copy of zlib before compilation
+- drop the requiretty Defaults setting from sudoers
+
+* Sat Jan 25 2014 Ville Skyttä <ville.skytta@iki.fi> - 1.8.8-2
+- Own the %%{_libexecdir}/sudo dir.
+
+* Mon Sep 30 2013 Daniel Kopecek <dkopecek@redhat.com> - 1.8.8-1
+- update to 1.8.8
+- major changes & fixes:
+  - LDAP SASL support now works properly with Kerberos
+  - root may no longer change its SELinux role without entering a password
+  - user messages are now always displayed in the user's locale, even when
+    the same message is being logged or mailed in a different locale.
+  - log files created by sudo now explicitly have the group set to group
+    ID 0 rather than relying on BSD group semantics
+  - sudo now stores its libexec files in a sudo subdirectory instead of in
+    libexec itself
+  - system_group and group_file sudoers group provider plugins are now
+    installed by default
+  - the paths to ldap.conf and ldap.secret may now be specified as arguments
+    to the sudoers plugin in the sudo.conf file
+  - ...and many new features and settings. See the upstream ChangeLog for the
+    full list.
+- several sssd support fixes
+- added patch to make uid/gid specification parsing more strict (don't accept
+  an invalid number as uid/gid)
+- use the _pkgdocdir macro
+  (see https://fedoraproject.org/wiki/Changes/UnversionedDocdirs)
+- fixed several bugs found by the clang static analyzer
+- added %%post dependency on chmod
+
 * Sun Aug 04 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.8.6p7-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild