update to 1.8.15

- fixes CVE-2015-5602

.gitignore

@@ -12,3 +12,7 @@ sudo-1.7.2p2-sudoers
 /sudo-1.8.6p7.tar.gz
 /sudo-1.8.8.tar.gz
 /sudo-1.8.8-sudoers
+/sudo-1.8.11.tar.gz
+/sudo-1.8.11p2.tar.gz
+/sudo-1.8.12.tar.gz
+/sudo-1.8.15.tar.gz

sources

@@ -1,2 +1,2 @@
-fc4f074090afd56d9ff4ff4e97321971  sudo-1.8.8.tar.gz
 775b863cdff3a2ee2a26c2d53b51aff5  sudo-1.8.8-sudoers
+7cf6b9b76d0478a572432bed481dd7b5  sudo-1.8.15.tar.gz

sudo-1.8.11p2-auditfix.patch

@@ -0,0 +1,17 @@
+diff -up sudo-1.8.11p2/plugins/sudoers/linux_audit.c.auditfix sudo-1.8.11p2/plugins/sudoers/linux_audit.c
+--- sudo-1.8.11p2/plugins/sudoers/linux_audit.c.auditfix	2014-11-03 12:44:53.674230966 +0100
++++ sudo-1.8.11p2/plugins/sudoers/linux_audit.c	2014-11-03 12:45:13.407021599 +0100
+@@ -57,10 +57,10 @@ linux_audit_open(void)
+     au_fd = audit_open();
+     if (au_fd == -1) {
+ 	/* Kernel may not have audit support. */
+-	if (errno != EINVAL && errno != EPROTONOSUPPORT && errno != EAFNOSUPPORT) {
+-	    sudo_warn(U_("unable to open audit system"));
++	if (errno == EINVAL || errno == EPROTONOSUPPORT || errno == EAFNOSUPPORT)
+ 	    au_fd = AUDIT_NOT_CONFIGURED;
+-	}
++	else
++	    sudo_warn(U_("unable to open audit system"));
+     } else {
+ 	(void)fcntl(au_fd, F_SETFD, FD_CLOEXEC);
+     }

sudo-1.8.14p1-ldapconfpatch.patch

@@ -0,0 +1,55 @@
+diff -up sudo-1.8.14b3/plugins/sudoers/ldap.c.ldapconfpatch sudo-1.8.14b3/plugins/sudoers/ldap.c
+--- sudo-1.8.14b3/plugins/sudoers/ldap.c.ldapconfpatch	2015-07-07 18:51:11.000000000 +0200
++++ sudo-1.8.14b3/plugins/sudoers/ldap.c	2015-07-09 11:03:25.686645581 +0200
+@@ -1922,6 +1922,33 @@ sudo_check_krb5_ccname(const char *ccnam
+ }
+ #endif /* HAVE_LDAP_SASL_INTERACTIVE_BIND_S */
+ 
++/*
++ * Read a line of input, remove whole line comments and strip off leading
++ * and trailing spaces.  Returns static storage that is reused.
++ */
++static char *
++sudo_ldap_parseln(fp)
++    FILE *fp;
++{
++    size_t len;
++    char *cp = NULL;
++    static char buf[LINE_MAX];
++
++    if (fgets(buf, sizeof(buf), fp) != NULL) {
++	/* Remove comments */
++	if (*buf == '#')
++	    *buf = '\0';
++
++	/* Trim leading and trailing whitespace/newline */
++	len = strlen(buf);
++	while (len > 0 && isspace((unsigned char)buf[len - 1]))
++	    buf[--len] = '\0';
++	for (cp = buf; isblank(*cp); cp++)
++	    continue;
++    }
++    return(cp);
++}
++
+ static bool
+ sudo_ldap_read_config(void)
+ {
+@@ -1955,7 +1982,7 @@ sudo_ldap_read_config(void)
+     if ((fp = fopen(path_ldap_conf, "r")) == NULL)
+ 	debug_return_bool(false);
+ 
+-    while (sudo_parseln(&line, &linesize, NULL, fp) != -1) {
++    while ((line = sudo_ldap_parseln(fp)) != NULL) {
+ 	if (*line == '\0')
+ 	    continue;		/* skip empty line */
+ 
+@@ -1975,7 +2002,7 @@ sudo_ldap_read_config(void)
+ 	if (!sudo_ldap_parse_keyword(keyword, value, ldap_conf_global))
+ 	    sudo_ldap_parse_keyword(keyword, value, ldap_conf_conn);
+     }
+-    free(line);
++
+     fclose(fp);
+ 
+     if (!ldap_conf.host) {

sudo.spec

@@ -1,14 +1,15 @@
 Summary: Allows restricted root access for specified users
 Name: sudo
-Version: 1.8.8
-Release: 5%{?dist}
+Version: 1.8.15
+Release: 1%{?dist}
 License: ISC
 Group: Applications/System
 URL: http://www.courtesan.com/sudo/
 Source0: http://www.courtesan.com/sudo/dist/sudo-%{version}.tar.gz
 Source1: sudo-1.8.8-sudoers
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
-Requires: /etc/pam.d/system-auth, vim-minimal
+Requires: /etc/pam.d/system-auth
+Requires: /usr/bin/vi
 Requires(post): /bin/chmod
 
 BuildRequires: pam-devel
@@ -25,14 +26,8 @@ BuildRequires: zlib-devel
 
 # don't strip
 Patch1: sudo-1.6.7p5-strip.patch
-# configure.in fix
-Patch2: sudo-1.7.2p1-envdebug.patch
-# Fix several issues in the sssd code
-Patch3: sudo-1.8.8-sssdfixes.patch
-# Don't accept invalid number in uid/gid specifications
-Patch4: sudo-1.8.8-strictuidgid.patch
-# Fix several issues found by the clang static analyzer
-Patch5: sudo-1.8.8-clangbugs.patch
+# Patch to read ldap.conf more closely to nss_ldap
+Patch2: sudo-1.8.14p1-ldapconfpatch.patch
 
 %description
 Sudo (superuser do) allows a system administrator to give certain
@@ -58,10 +53,7 @@ plugins that use %{name}.
 %setup -q
 
 %patch1 -p1 -b .strip
-%patch2 -p1 -b .envdebug
-%patch3 -p1 -b .sssdfixes
-%patch4 -p1 -b .strictuidgid
-%patch5 -p1 -b .clangbugs
+%patch2 -p1 -b .ldapconfpatch
 
 %build
 # Remove bundled copy of zlib
@@ -112,6 +104,15 @@ chmod +x $RPM_BUILD_ROOT%{_libexecdir}/sudo/*.so # for stripping, reset in %%fil
 # Remove execute permission on this script so we don't pull in perl deps
 chmod -x $RPM_BUILD_ROOT%{_pkgdocdir}/sudoers2ldif
 
+# Don't package LICENSE as a doc
+rm -rf $RPM_BUILD_ROOT%{_pkgdocdir}/LICENSE
+
+# Remove examples; Examples can be found in man pages too.
+rm -rf $RPM_BUILD_ROOT%{_datadir}/examples/sudo
+
+#Remove all .la files
+find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'
+
 %find_lang sudo
 %find_lang sudoers
 
@@ -126,6 +127,7 @@ account    include      system-auth
 password   include      system-auth
 session    optional     pam_keyinit.so revoke
 session    required     pam_limits.so
+session    include      system-auth
 EOF
 
 cat > $RPM_BUILD_ROOT/etc/pam.d/sudo-i << EOF
@@ -134,7 +136,7 @@ auth       include      sudo
 account    include      sudo
 password   include      sudo
 session    optional     pam_keyinit.so force revoke
-session    required     pam_limits.so
+session    include      sudo
 EOF
 
 
@@ -147,9 +149,10 @@ rm -rf $RPM_BUILD_ROOT
 %attr(0750,root,root) %dir /etc/sudoers.d/
 %config(noreplace) /etc/pam.d/sudo
 %config(noreplace) /etc/pam.d/sudo-i
+%attr(0644,root,root) %{_tmpfilesdir}/sudo.conf
 %dir /var/db/sudo
 %attr(4111,root,root) %{_bindir}/sudo
-%attr(4111,root,root) %{_bindir}/sudoedit
+%{_bindir}/sudoedit
 %attr(0111,root,root) %{_bindir}/sudoreplay
 %attr(0755,root,root) %{_sbindir}/visudo
 %dir %{_libexecdir}/sudo
@@ -158,6 +161,8 @@ rm -rf $RPM_BUILD_ROOT
 %attr(0644,root,root) %{_libexecdir}/sudo/sudoers.so
 %attr(0644,root,root) %{_libexecdir}/sudo/group_file.so
 %attr(0644,root,root) %{_libexecdir}/sudo/system_group.so
+%attr(0644,root,root) %{_libexecdir}/sudo/libsudo_util.so.?.?.?
+%{_libexecdir}/sudo/libsudo_util.so.?
 %{_mandir}/man5/sudoers.5*
 %{_mandir}/man5/sudoers.ldap.5*
 %{_mandir}/man5/sudo.conf.5*
@@ -167,6 +172,8 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man8/visudo.8*
 %dir %{_pkgdocdir}/
 %{_pkgdocdir}/*
+%{!?_licensedir:%global license %%doc}
+%license doc/LICENSE
 %exclude %{_pkgdocdir}/ChangeLog
 
 
@@ -179,8 +186,49 @@ rm -rf $RPM_BUILD_ROOT
 %doc plugins/sample/sample_plugin.c
 %{_includedir}/sudo_plugin.h
 %{_mandir}/man8/sudo_plugin.8*
+%attr(0644,root,root) %{_libexecdir}/sudo/libsudo_util.so
 
 %changelog
+* Thu Nov  5 2015 Daniel Kopecek <dkopecek@redhat.com> - 1.8.15-1
+- update to 1.8.15
+- fixes CVE-2015-5602
+
+* Wed Feb 18 2015 Daniel Kopecek <dkopecek@redhat.com> - 1.8.12
+- update to 1.8.12
+- fixes CVE-2014-9680
+
+* Mon Nov  3 2014 Daniel Kopecek <dkopecek@redhat.com> - 1.8.11p2-1
+- update to 1.8.11p2
+- added patch to fix upstream bug #671 -- exiting immediately
+  when audit is disabled
+
+* Tue Sep 30 2014 Daniel Kopecek <dkopecek@redhat.com> - 1.8.11-1
+- update to 1.8.11
+- major changes & fixes:
+  - when running a command in the background, sudo will now forward
+    SIGINFO to the command
+  - the passwords in ldap.conf and ldap.secret may now be encoded in base64. 
+  - SELinux role changes are now audited. For sudoedit, we now audit
+    the actual editor being run, instead of just the sudoedit command. 
+  - it is now possible to match an environment variable's value as well as
+    its name using env_keep and env_check
+  - new files created via sudoedit as a non-root user now have the proper group id
+  - sudoedit now works correctly in conjunction with sudo's SELinux RBAC support
+  - it is now possible to disable network interface probing in sudo.conf by
+    changing the value of the probe_interfaces setting
+  - when listing a user's privileges (sudo -l), the sudoers plugin will now prompt
+    for the user's password even if the targetpw, rootpw or runaspw options are set.
+  - the new use_netgroups sudoers option can be used to explicitly enable or disable
+    netgroups support
+  - visudo can now export a sudoers file in JSON format using the new -x flag
+- added patch to read ldap.conf more closely to nss_ldap
+- require /usr/bin/vi instead of vim-minimal
+- include pam.d/system-auth in PAM session phase from pam.d/sudo
+- include pam.d/sudo in PAM session phase from pam.d/sudo-i
+
+* Tue Aug  5 2014 Tom Callaway <spot@fedoraproject.org> - 1.8.8-6
+- fix license handling
+
 * Sun Jun 08 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.8.8-5
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild