Content-Transfer-Encoding: 7bit
Content-Type: multipart/mixed; boundary="_----------=_1496160896108190"
MIME-Version: 1.0
Date: Tue, 30 May 2017 16:14:56 +0000
From: "Maya Rashish"
Subject: CVS commit: pkgsrc/security/sudo
To: pkgsrc-changes@NetBSD.org
Reply-To: maya@netbsd.org
X-Mailer: log_accum
Message-Id: <20170530161456.E00A4FBEE@cvs.NetBSD.org>
Sender: pkgsrc-changes-owner@NetBSD.org
List-Id: pkgsrc-changes.NetBSD.org
Precedence: bulk

This is a multi-part message in MIME format.

--_----------=_1496160896108190
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="US-ASCII"

Module Name: pkgsrc
Committed By: maya
Date: Tue May 30 16:14:56 UTC 2017

Modified Files:
    pkgsrc/security/sudo: Makefile distinfo
    pkgsrc/security/sudo/patches: patch-af patch-ag patch-src_Makefile.in
Added Files:
    pkgsrc/security/sudo/patches: patch-include_sudo__event.h

Log Message:
sudo: update to 1.8.20p1.

Fixes CVE-2017-1000367, local privilege escalation on linux.

What's new in Sudo 1.8.20p1

 * Fixed "make check" when using OpenSSL or GNU crypt. Bug #787.
 * Fixed CVE-2017-1000367, a bug parsing /proc/pid/stat on Linux when
   the process name contains spaces. Since the user has control over
   the command name, this could potentially be used by a user with
   sudo access to overwrite an arbitrary file on systems with SELinux
   enabled. Also stop performing a breadth-first traversal of /dev
   when looking for the device; only a hard-coded list of directories
   are checked.

What's new in Sudo 1.8.20

 * Added support for SASL_MECH in ldap.conf. Bug #764
 * Added support for digest matching when the command is a glob-style
   pattern or a directory. Previously, only explicit path matches
   supported digest checks.
 * New "fdexec" Defaults option to control whether a command is
   executed by path or by open file descriptor.
 * The embedded copy of zlib has been upgraded to version 1.2.11.
 * Fixed a bug that prevented sudoers include files with a relative
   path starting with the letter 'i' from being opened. Bug #776.
 * Added support for command timeouts in sudoers.
   The command will be terminated if the timeout expires.
 * The SELinux role and type are now displayed in the "sudo -l" output
   for the LDAP and SSSD backends, just as they are in the sudoers
   backend.
 * A new command line option, -T, can be used to specify a command
   timeout as long as the user-specified timeout is not longer than
   the timeout specified in sudoers. This option may only be used
   when the "user_command_timeouts" flag is enabled in sudoers.
 * Added NOTBEFORE and NOTAFTER command options to the sudoers backend
   similar to what is already available in the LDAP backend.
 * Sudo can now optionally use the SHA2 functions in OpenSSL or GNU
   crypt instead of the SHA2 implementation bundled with sudo.
 * Fixed a compilation error on systems without the stdbool.h header
   file. Bug #778.
 * Fixed a compilation error in the standalone Kerberos V
   authentication module. Bug #777.
 * Added the iolog_flush flag to sudoers which causes I/O log data to
   be written immediately to disk instead of being buffered.
 * I/O log files are now created with group ID 0 by default unless the
   "iolog_user" or "iolog_group" options are set in sudoers.
 * It is now possible to store I/O log files on an NFS-mounted file
   system where uid 0 is remapped to an unprivileged user. The
   "iolog_user" option must be set to a non-root user and the
   top-level I/O log directory must exist and be owned by that user.
 * Added the restricted_env_file setting to sudoers which is similar
   to env_file but its contents are subject to the same restrictions
   as variables in the invoking user's environment.
 * Fixed a use after free bug in the SSSD backend when the fqdn
   sudoOption is enabled and no hostname value is present in
   /etc/sssd/sssd.conf.
 * Fixed a typo that resulted in a compilation error on systems where
   the killpg() function is not found by configure.
 * Fixed a compilation error with the included version of zlib when
   sudo was built outside the source tree.
 * Fixed the exit value of sudo when the command is terminated by a
   signal other than SIGINT. This was broken in sudo 1.8.15 by the
   fix for Bug #722. Bug #784.
 * Fixed a regression introduced in sudo 1.8.18 where the "lecture"
   option could not be used in a positive boolean context, only a
   negative one.
 * Fixed an issue where sudo would consume stdin if it was not
   connected to a tty even if log_input is not enabled in sudoers.
   Bug #786.
 * Clarify in the sudoers manual that the #includedir directive
   diverts control to the files in the specified directory and, when
   parsing of those files is complete, returns control to the
   original file. Bug #775.

What's new in Sudo 1.8.19p2

 * Fixed a crash in visudo introduced in sudo 1.8.9 when an IP address
   or network is used in a host-based Defaults entry. Bug #766
 * Added a missing check for the ignore_iolog_errors flag when the
   sudoers plugin generates the I/O log file path name.
 * Fixed a typo in sudo's vsyslog() replacement that resulted in
   garbage being logged to syslog.

What's new in Sudo 1.8.19p1

 * Fixed a bug introduced in sudo 1.8.19 that resulted in the wrong
   syslog priority and facility being used.

What's new in Sudo 1.8.19

 * New "syslog_maxlen" Defaults option to control the maximum size of
   syslog messages generated by sudo.
 * Sudo has been run against PVS-Studio and any issues that were not
   false positives have been addressed.
 * I/O log files are now created with the same group ID as the parent
   directory and not the invoking user's group ID.
 * I/O log permissions and ownership are now configurable via the
   "iolog_mode", "iolog_user" and "iolog_group" sudoers Defaults
   variables.
 * Fixed configuration of the sudoers I/O log plugin debug subsystem.
   Previously, I/O log information was not being written to the
   sudoers debug log.
 * Fixed a bug in visudo that broke editing of files in an include dir
   that have a syntax error.
   Normally, visudo does not edit those files, but if a syntax error
   is detected in one, the user should get a chance to fix it.
 * Warnings about unknown or unparsable sudoers Defaults entries now
   include the file and line number of the problem.
 * Visudo will now use the file and line number information about an
   unknown or unparsable Defaults entry to go directly to the file
   with the problem.
 * Fixed a bug in the sudoers LDAP back-end where a negated sudoHost
   entry would prevent other sudoHost entries following it from
   matching.
 * Warnings from visudo about a cycle in an Alias entry now include
   the file and line number of the problem.
 * In strict mode, visudo will now use the file and line number
   information about a cycle in an Alias entry to go directly to the
   file with the problem.
 * The sudo_noexec.so file is now linked with -ldl on systems that
   require it for the wordexp() wrapper.
 * Fixed linking of sudo_noexec.so on macOS systems where it must be a
   dynamic library and not a module.
 * Sudo's "make check" now includes a test for sudo_noexec.so working.
 * The sudo front-end now passes the user's umask to the plugin.
   Previously the plugin had to determine this itself.
 * Sudoreplay can now display the stdin and ttyin streams when they
   are explicitly added to the filter list.
 * Fixed a bug introduced in sudo 1.8.17 where the "all" setting for
   verifypw and listpw was not being honored. Bug #762.
 * The syslog priority (syslog_goodpri and syslog_badpri) can now be
   negated or set to "none" to disable logging of successful or
   unsuccessful sudo attempts via syslog.

What's new in Sudo 1.8.18p1

 * When sudo_noexec.so is used, the WRDE_NOCMD flag is now added if
   the wordexp() function is called. This prevents commands from
   being run via wordexp() without disabling it entirely.
 * On Linux systems, sudo_noexec.so now uses a seccomp filter to
   disable execute access if the kernel supports seccomp.
   This is more robust than the traditional method of using stub
   functions that return an error.

What's new in Sudo 1.8.18

 * The sudoers locale is now set before parsing the sudoers file. If
   sudoers_locale is set in sudoers, it is applied before evaluating
   other Defaults entries. Previously, sudoers_locale was used when
   evaluating sudoers but not during the initial parse. Bug #748.
 * A missing or otherwise invalid #includedir is now ignored instead
   of causing a parse error.
 * During "make install", backup files are only used on HP-UX where it
   is not possible to unlink a shared object that is in use. This
   works around a bug in ldconfig on Linux which could create links
   to the backup shared library file instead of the current one.
 * Fixed a bug introduced in 1.8.17 where sudoers entries with long
   commands lines could be truncated, preventing a match. Bug #752.
 * The fqdn, runas_default and sudoers_locale Defaults settings are
   now applied before any other Defaults settings since they can
   change how other Defaults settings are parsed.
 * On systems without the O_NOFOLLOW open(2) flag, when the NOFOLLOW
   flag is set, sudoedit now checks whether the file is a symbolic
   link before opening it as well as after the open. Bug #753.
 * Sudo will now only resolve a user's group IDs to group names when
   sudoers includes group-based permissions. Group lookups can be
   expensive on some systems where the group database is not local.
 * If the file system holding the sudo log file is full, allow the
   command to run unless the new ignore_logfile_errors Defaults
   option is disabled. Bug #751.
 * The ignore_audit_errors and ignore_iolog_errors Defaults options
   have been added to control sudo's behavior when it is unable to
   write to the audit and I/O logs.
 * Fixed a bug introduced in 1.8.17 where the SIGPIPE signal handler
   was not being restored when sudo directly executes the command.
 * Fixed a bug where "sudo -l command" would indicate that a command
   was runnable even when denied by sudoers when using the LDAP or
   SSSD backends.
 * The match_group_by_gid Defaults option has been added to allow
   sites where group name resolution is slow and where sudoers only
   contains a small number of groups to match groups by group ID
   instead of by group name.
 * Fixed a bug on Linux where a 32-bit sudo binary could fail with an
   "unable to allocate memory" error when run on a 64-bit system.
   Bug #755
 * When parsing ldap.conf, sudo will now only treat a '#' character as
   the start of a comment when it is at the beginning of the line.
 * Fixed a potential crash when auditing is enabled and the audit
   function fails with an error. Bug #756
 * Norwegian Nynorsk translation for sudo from translationproject.org.
 * Fixed a typo that broke short host name matching when the fqdn flag
   is enabled in sudoers. Bug #757
 * Negated sudoHost attributes are now supported by the LDAP and SSSD
   backends.
 * Fixed matching entries in the LDAP and SSSD backends when a
   RunAsGroup is specified but no RunAsUser is present.
 * Fixed "sudo -l" output in the LDAP and SSSD backends when a
   RunAsGroup is specified but no RunAsUser is present.

To generate a diff of this commit:
cvs rdiff -u -r1.153 -r1.154 pkgsrc/security/sudo/Makefile
cvs rdiff -u -r1.88 -r1.89 pkgsrc/security/sudo/distinfo
cvs rdiff -u -r1.33 -r1.34 pkgsrc/security/sudo/patches/patch-af
cvs rdiff -u -r1.24 -r1.25 pkgsrc/security/sudo/patches/patch-ag
cvs rdiff -u -r0 -r1.1 \
    pkgsrc/security/sudo/patches/patch-include_sudo__event.h
cvs rdiff -u -r1.1 -r1.2 pkgsrc/security/sudo/patches/patch-src_Makefile.in

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
--_----------=_1496160896108190 Content-Disposition: inline Content-Length: 12987 Content-Transfer-Encoding: binary Content-Type: text/x-diff; charset=us-ascii Modified files: Index: pkgsrc/security/sudo/Makefile diff -u pkgsrc/security/sudo/Makefile:1.153 pkgsrc/security/sudo/Makefile:1.154 --- pkgsrc/security/sudo/Makefile:1.153 Thu Jan 19 18:52:24 2017 +++ pkgsrc/security/sudo/Makefile Tue May 30 16:14:56 2017 @@ -1,6 +1,6 @@ -# $NetBSD: Makefile,v 1.153 2017/01/19 18:52:24 agc Exp $ +# $NetBSD: Makefile,v 1.154 2017/05/30 16:14:56 maya Exp $ -DISTNAME= sudo-1.8.17p1 +DISTNAME= sudo-1.8.20p1 CATEGORIES= security MASTER_SITES= http://www.sudo.ws/dist/ MASTER_SITES+= ftp://ftp.sudo.ws/pub/sudo/ Index: pkgsrc/security/sudo/distinfo diff -u pkgsrc/security/sudo/distinfo:1.88 pkgsrc/security/sudo/distinfo:1.89 --- pkgsrc/security/sudo/distinfo:1.88 Fri Sep 16 11:50:37 2016 +++ pkgsrc/security/sudo/distinfo Tue May 30 16:14:56 2017 
@@ -1,13 +1,14 @@ -$NetBSD: distinfo,v 1.88 2016/09/16 11:50:37 jperkin Exp $ +$NetBSD: distinfo,v 1.89 2017/05/30 16:14:56 maya Exp $ -SHA1 (sudo-1.8.17p1.tar.gz) = e9bb729513cd15e99def42019c35917bc9a73536 -RMD160 (sudo-1.8.17p1.tar.gz) = c3af867a6047c21614c4550534fa2566d6540913 -SHA512 (sudo-1.8.17p1.tar.gz) = e9facd2d5578d4effb516931322b5f4f9578baa779cba281d36a3d0995b1fd9d085d6b141544b3dc698569fa294163bbad9f779166a05a0f18f4ad81a630b954 -Size (sudo-1.8.17p1.tar.gz) = 2786618 bytes +SHA1 (sudo-1.8.20p1.tar.gz) = 2138fca8c91c0504579aaf57fc39cee95486efd1 +RMD160 (sudo-1.8.20p1.tar.gz) = 1dbf71b6d22e9c75f57942c026be40dc02774859 +SHA512 (sudo-1.8.20p1.tar.gz) = b7d4c07a550da917029e31d15e734d9462f3565ee43eb5f6fd19463b54a2fa3f444381f0999d6d1ba643b65832056dd9177dad4452fa9f87f2542c223b13f258 +Size (sudo-1.8.20p1.tar.gz) = 2930394 bytes SHA1 (patch-aa) = 63c89e6d4e530ab92b7452f4025fbbf2a45dad65 -SHA1 (patch-af) = 19c7cb41432404050c2452c3c53f2e4f588b3ab1 -SHA1 (patch-ag) = cb03a0a7daf4b5ef203f23726ad3a335b712a718 +SHA1 (patch-af) = db54ce780c174129e2a25a87f3e3a926596c68b2 +SHA1 (patch-ag) = b80c3051f990a9e71c169ed8dbfd187556d22dac +SHA1 (patch-include_sudo__event.h) = 6aaf60cfcac89267c55d8578d2bb8785a3c67e0c SHA1 (patch-plugins_sudoers_Makefile.in) = d8612ac7bf2f5a892d9720c4df91810ca807f4ed SHA1 (patch-plugins_sudoers_logging.c) = a42e54af2b6057804aecb3b6a48c565e8ac4df82 -SHA1 (patch-src_Makefile.in) = 43f7266d3d106fca69003ee040342c3b201fd262 +SHA1 (patch-src_Makefile.in) = fc2b7ea0835d7fe3192fb12cac8ab2eac61bf132 SHA1 (patch-src_sudo__edit.c) = ef411520ccefbd36bb4adf3329e6144e54647372 Index: pkgsrc/security/sudo/patches/patch-af diff -u pkgsrc/security/sudo/patches/patch-af:1.33 pkgsrc/security/sudo/patches/patch-af:1.34 --- pkgsrc/security/sudo/patches/patch-af:1.33 Mon Sep 12 17:12:24 2016 +++ pkgsrc/security/sudo/patches/patch-af Tue May 30 16:14:56 2017 
@@ -1,4 +1,4 @@ -$NetBSD: patch-af,v 1.33 2016/09/12 17:12:24 taca Exp $ +$NetBSD: patch-af,v 1.34 2017/05/30 16:14:56 maya Exp $ * Add "--with-nbsdops" option, NetBSD standard options. * Link with util(3) in the case of DragonFly, too. @@ -9,11 +9,11 @@ $NetBSD: patch-af,v 1.33 2016/09/12 17:1 --- configure.ac.orig 2016-06-22 16:36:23.000000000 +0000 +++ configure.ac -@@ -439,6 +439,20 @@ AC_ARG_WITH(csops, [AS_HELP_STRING([--wi +@@ -447,6 +447,20 @@ AC_ARG_WITH(csops, [AS_HELP_STRING([--wi ;; esac]) -++AC_ARG_WITH(nbsdops, [AS_HELP_STRING([--with-nbsdops], [add NetBSD standard opt ++AC_ARG_WITH(nbsdops, [AS_HELP_STRING([--with-nbsdops], [add NetBSD standard opt +ions])], +[case $with_nbsdops in + yes) echo 'Adding NetBSD standard options' @@ -30,7 +30,7 @@ $NetBSD: patch-af,v 1.33 2016/09/12 17:1 AC_ARG_WITH(passwd, [AS_HELP_STRING([--without-passwd], [don't use passwd/shadow file for authentication])], [case $with_passwd in yes|no) AC_MSG_CHECKING(whether to use shadow/passwd file authentication) -@@ -1951,7 +1965,7 @@ case "$host" in +@@ -1971,7 +1985,7 @@ case "$host" in : ${mansectsu='1m'} : ${mansectform='4'} ;; @@ -38,8 +38,8 @@ $NetBSD: patch-af,v 1.33 2016/09/12 17:1 + *-*-linux*|*-*-k*bsd*-gnu|*-*-gnukfreebsd) shadow_funcs="getspnam" test -z "$with_pam" && AUTH_EXCL_DEF="PAM" - ;; -@@ -2299,7 +2313,7 @@ SUDO_MAILDIR + # Check for SECCOMP_SET_MODE_FILTER in linux/seccomp.h +@@ -2329,7 +2343,7 @@ SUDO_MAILDIR if test ${with_logincap-'no'} != "no"; then AC_CHECK_HEADERS([login_cap.h], [LOGINCAP_USAGE='[[-c class]] '; LCMAN=1 case "$OS" in @@ -48,7 +48,7 @@ $NetBSD: patch-af,v 1.33 2016/09/12 17:1 SUDO_LIBS="${SUDO_LIBS} -lutil" SUDOERS_LIBS="${SUDOERS_LIBS} -lutil" ;; -@@ -3381,6 +3395,8 @@ if test ${with_kerb5-'no'} != "no"; then +@@ -3441,6 +3455,8 @@ if test ${with_kerb5-'no'} != "no"; then ]) AUTH_OBJS="$AUTH_OBJS kerb5.lo" fi 
@@ -57,7 +57,7 @@ $NetBSD: patch-af,v 1.33 2016/09/12 17:1 _LIBS="$LIBS" LIBS="${LIBS} ${SUDOERS_LIBS}" AC_CHECK_FUNCS([krb5_verify_user krb5_init_secure_context]) -@@ -4220,7 +4236,7 @@ test "$datarootdir" = '${prefix}/share' +@@ -4292,7 +4308,7 @@ test "$datarootdir" = '${prefix}/share' test "$docdir" = '${datarootdir}/doc/${PACKAGE_TARNAME}' && docdir='$(datarootdir)/doc/$(PACKAGE_TARNAME)' test "$localedir" = '${datarootdir}/locale' && localedir='$(datarootdir)/locale' test "$localstatedir" = '${prefix}/var' && localstatedir='$(prefix)/var' Index: pkgsrc/security/sudo/patches/patch-ag diff -u pkgsrc/security/sudo/patches/patch-ag:1.24 pkgsrc/security/sudo/patches/patch-ag:1.25 --- pkgsrc/security/sudo/patches/patch-ag:1.24 Mon Sep 12 17:12:24 2016 +++ pkgsrc/security/sudo/patches/patch-ag Tue May 30 16:14:56 2017 @@ -1,4 +1,4 @@ -$NetBSD: patch-ag,v 1.24 2016/09/12 17:12:24 taca Exp $ +$NetBSD: patch-ag,v 1.25 2017/05/30 16:14:56 maya Exp $ * Add "--with-nbsdops" option, NetBSD standard options. * Link with util(3) in the case of DragonFly, too. @@ -7,9 +7,17 @@ $NetBSD: patch-ag,v 1.24 2016/09/12 17:1 functions (HAVE_KRB5_*). * Remove setting sysconfdir to "/etc". ---- configure.orig 2016-06-22 16:36:22.000000000 +0000 +--- configure.orig 2017-05-29 20:33:06.000000000 +0000 +++ configure -@@ -1562,7 +1562,7 @@ Fine tuning of the installation director +@@ -865,6 +865,7 @@ with_libpath + with_libraries + with_efence + with_csops ++with_nbsdops + with_passwd + with_skey + with_opie +@@ -1571,7 +1572,7 @@ Fine tuning of the installation director --bindir=DIR user executables [EPREFIX/bin] --sbindir=DIR system admin executables [EPREFIX/sbin] --libexecdir=DIR program executables [EPREFIX/libexec] 
@@ -18,38 +26,39 @@ $NetBSD: patch-ag,v 1.24 2016/09/12 17:1 --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] --localstatedir=DIR modifiable single-machine data [PREFIX/var] --libdir=DIR object code libraries [EPREFIX/lib] -@@ -1661,6 +1661,7 @@ Optional Packages: +@@ -1674,6 +1675,7 @@ Optional Packages: --with-libraries additional libraries to link with --with-efence link with -lefence for malloc() debugging --with-csops add CSOps standard options -+ --with-nbsdops add NetBSD standard options ++ --with-nbsdops add NetBSD standard opt ions --without-passwd don't use passwd/shadow file for authentication --with-skey[=DIR] enable S/Key support --with-opie[=DIR] enable OPIE support -@@ -4499,6 +4500,22 @@ $as_echo "$as_me: WARNING: Ignoring unkn - esac - fi +@@ -4746,6 +4748,23 @@ fi -+# Check whether --with-nbsdops or --without-nbsdops was given. -+if test "${with_nbsdops+set}" = set; then -+ withval="$with_nbsdops" -+ case $with_nbsdops in -+ yes) echo 'Adding NetBSD standard options' -+ CHECKSIA=false -+ with_ignore_dot=yes -+ with_env_editor=yes -+ with_tty_tickets=yes -+ ;; -+ no) ;; -+ *) echo "Ignoring unknown argument to --with-nbsdops: $with_nbsdops" -+ ;; -+esac -+fi; -+ ++# Check whether --with-nbsdops was given. ++if test "${with_nbsdops+set}" = set; then : ++ withval=$with_nbsdops; case $with_nbsdops in ++ yes) echo 'Adding NetBSD standard options' ++ CHECKSIA=false ++ with_ignore_dot=yes ++ with_env_editor=yes ++ with_tty_tickets=yes ++ ;; ++ no) ;; ++ *) echo "Ignoring unknown argument to --with-nbsdops: $with_nbsdops" ++ ;; ++esac ++fi ++ ++ ++ # Check whether --with-passwd was given. -@@ -15209,7 +15226,7 @@ fi + if test "${with_passwd+set}" = set; then : + withval=$with_passwd; case $with_passwd in +@@ -15770,7 +15789,7 @@ fi : ${mansectsu='1m'} : ${mansectform='4'} ;; 
@@ -57,8 +66,8 @@ $NetBSD: patch-ag,v 1.24 2016/09/12 17:1 + *-*-linux*|*-*-k*bsd*-gnu|*-*-gnukfreebsd) shadow_funcs="getspnam" test -z "$with_pam" && AUTH_EXCL_DEF="PAM" - ;; -@@ -17228,7 +17245,7 @@ if test "x$ac_cv_header_login_cap_h" = x + # Check for SECCOMP_SET_MODE_FILTER in linux/seccomp.h +@@ -17995,7 +18014,7 @@ if test "x$ac_cv_header_login_cap_h" = x _ACEOF LOGINCAP_USAGE='[-c class] '; LCMAN=1 case "$OS" in @@ -67,7 +76,20 @@ $NetBSD: patch-ag,v 1.24 2016/09/12 17:1 SUDO_LIBS="${SUDO_LIBS} -lutil" SUDOERS_LIBS="${SUDOERS_LIBS} -lutil" ;; -@@ -21839,6 +21856,8 @@ fi +@@ -22483,10 +22502,9 @@ if test ${with_pam-"no"} != "no"; then + # Check for pam_start() in libpam first, then for pam_appl.h. + # + found_pam_lib=no +- as_ac_Lib=`$as_echo "ac_cv_lib_pam_pam_start$lt_cv_dlopen_libs" | $as_tr_sh` +-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for pam_start in -lpam" >&5 ++ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pam_start in -lpam" >&5 + $as_echo_n "checking for pam_start in -lpam... " >&6; } +-if eval \${$as_ac_Lib+:} false; then : ++if ${ac_cv_lib_pam_pam_start+:} false; then : + $as_echo_n "(cached) " >&6 + else + ac_check_lib_save_LIBS=$LIBS +@@ -23256,6 +23273,8 @@ fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext AUTH_OBJS="$AUTH_OBJS kerb5.lo" fi 
@@ -76,12 +98,11 @@ $NetBSD: patch-ag,v 1.24 2016/09/12 17:1 _LIBS="$LIBS" LIBS="${LIBS} ${SUDOERS_LIBS}" for ac_func in krb5_verify_user krb5_init_secure_context -@@ -24341,7 +24360,7 @@ test "$datarootdir" = '${prefix}/share' +@@ -26426,7 +26445,6 @@ test "$datarootdir" = '${prefix}/share' test "$docdir" = '${datarootdir}/doc/${PACKAGE_TARNAME}' && docdir='$(datarootdir)/doc/$(PACKAGE_TARNAME)' test "$localedir" = '${datarootdir}/locale' && localedir='$(datarootdir)/locale' test "$localstatedir" = '${prefix}/var' && localstatedir='$(prefix)/var' -test "$sysconfdir" = '${prefix}/etc' && sysconfdir='/etc' -+# test "$sysconfdir" = '${prefix}/etc' && sysconfdir='/etc' if test X"$INIT_SCRIPT" != X""; then ac_config_files="$ac_config_files init.d/$INIT_SCRIPT" Index: pkgsrc/security/sudo/patches/patch-src_Makefile.in diff -u pkgsrc/security/sudo/patches/patch-src_Makefile.in:1.1 pkgsrc/security/sudo/patches/patch-src_Makefile.in:1.2 --- pkgsrc/security/sudo/patches/patch-src_Makefile.in:1.1 Fri Jan 1 17:00:49 2016 +++ pkgsrc/security/sudo/patches/patch-src_Makefile.in Tue May 30 16:14:56 2017 
@@ -1,15 +1,15 @@ -$NetBSD: patch-src_Makefile.in,v 1.1 2016/01/01 17:00:49 spz Exp $ +$NetBSD: patch-src_Makefile.in,v 1.2 2017/05/30 16:14:56 maya Exp $ * install the suid sudo without write-bits --- ./src/Makefile.in.orig 2015-10-31 23:35:25.000000000 +0000 +++ ./src/Makefile.in -@@ -173,7 +174,7 @@ install-rc: install-dirs +@@ -198,7 +198,7 @@ install-rc: install-dirs fi install-binaries: install-dirs $(PROGS) -- INSTALL_BACKUP='~' $(LIBTOOL) $(LTFLAGS) --mode=install $(INSTALL) $(INSTALL_OWNER) -m 04755 sudo $(DESTDIR)$(bindir)/sudo -+ INSTALL_BACKUP='~' $(LIBTOOL) $(LTFLAGS) --mode=install $(INSTALL) $(INSTALL_OWNER) -m 04555 sudo $(DESTDIR)$(bindir)/sudo +- INSTALL_BACKUP='$(INSTALL_BACKUP)' $(LIBTOOL) $(LTFLAGS) --mode=install $(INSTALL) $(INSTALL_OWNER) -m 04755 sudo $(DESTDIR)$(bindir)/sudo ++ INSTALL_BACKUP='$(INSTALL_BACKUP)' $(LIBTOOL) $(LTFLAGS) --mode=install $(INSTALL) $(INSTALL_OWNER) -m 04555 sudo $(DESTDIR)$(bindir)/sudo rm -f $(DESTDIR)$(bindir)/sudoedit ln -s sudo $(DESTDIR)$(bindir)/sudoedit if [ -f sesh ]; then \ Added files: Index: pkgsrc/security/sudo/patches/patch-include_sudo__event.h diff -u /dev/null pkgsrc/security/sudo/patches/patch-include_sudo__event.h:1.1 --- /dev/null Tue May 30 16:14:56 2017 +++ pkgsrc/security/sudo/patches/patch-include_sudo__event.h Tue May 30 16:14:56 2017 @@ -0,0 +1,16 @@ +$NetBSD: patch-include_sudo__event.h,v 1.1 2017/05/30 16:14:56 maya Exp $ + +Missing include, fixes build error: +error: field 'timeout' has incomplete type +struct timeval timeout; /* for SUDO_EV_TIMEOUT */ + +--- include/sudo_event.h.orig 2017-01-14 04:30:15.000000000 +0000 ++++ include/sudo_event.h +@@ -18,6 +18,7 @@ + #define SUDO_EVENT_H + + #include "sudo_queue.h" ++#include /* timeval */ + + /* Event types */ + #define SUDO_EV_TIMEOUT 0x01 /* fire after timeout */ --_----------=_1496160896108190--
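
Review bot: In pkgsrc/security/sudo/Makefile, the context lines directly under the DISTNAME bump still list only plain `http://www.sudo.ws/dist/` and `ftp://ftp.sudo.ws/pub/sudo/` as MASTER_SITES. For a setuid-root package being updated for a privilege escalation fix, that leaves the distinfo checksums as the only integrity check on the downloaded tarball; consider listing an https:// master site first.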
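
Review bot: In patch-af, the AC_ARG_WITH(nbsdops, ...) line in the first configure.ac hunk wraps its AS_HELP_STRING text mid-word ("standard opt" / "ions"), and the regenerated help line in patch-ag now reads "add NetBSD standard opt ions" where the previous revision had "standard options". Keep the help string on one line in configure.ac and regenerate configure so `--help` output is not broken.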
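
Review bot: The new patch-ag hunk at `@@ -22483,10 +22502,9 @@` rewrites the pam_start library check (the `as_ac_Lib` / `$lt_cv_dlopen_libs` lines are replaced by `ac_cv_lib_pam_pam_start`), which none of the items in the patch description at the top of patch-ag covers. If this is only fallout from regenerating configure, say so in the description; if it is intentional, add an item for it and carry the matching change in patch-af so configure.ac and configure stay in sync.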
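
Review bot: The comment at the top of patch-include_sudo__event.h quotes the build error ("field 'timeout' has incomplete type") but does not say which platform or compiler hits it, or whether the missing include has been reported upstream. Add both to the patch comment so the patch can be dropped once an upstream release carries the fix.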
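
The log message above attributes CVE-2017-1000367 to parsing /proc/pid/stat when the process name contains spaces. The following C sketch is an added example, not code from sudo or from this commit: it reads tty_nr (field 7) once by counting every space and once by resuming after the last `)` that closes the `(comm)` field. The sample records, the function names and the value 99999 are constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed /proc/<pid>/stat records, cut off after field 8 (not captured data). */
static const char STAT_PLAIN[]  = "4242 (sleep) S 4100 4242 4100 34817 4242\n";
/* Same process, but the command name itself contains spaces and digits. */
static const char STAT_SPACED[] = "4242 (my tool 1 2 3 99999 x) S 4100 4242 4100 34817 4242\n";

/* Parse one non-negative decimal field that must end at a space, newline or NUL.
 * Returns -1 on any parse error. */
static long parse_field(const char *p)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(p, &end, 10);
    if (end == p || errno == ERANGE || v < 0)
        return -1;
    if (*end != ' ' && *end != '\n' && *end != '\0')
        return -1;
    return v;
}

/* Starting inside field number `have`, advance to the start of field `want`
 * by counting spaces. Returns NULL if the record ends first. */
static const char *skip_to_field(const char *p, int have, int want)
{
    while (*p != '\0' && have < want) {
        if (*p++ == ' ')
            have++;
    }
    return have == want ? p : NULL;
}

/* Fragile: assumes every space separates two fields, so a space inside
 * "(comm)" shifts every later field. Returns tty_nr (field 7) or -1. */
long tty_nr_naive(const char *stat)
{
    const char *p = skip_to_field(stat, 1, 7);
    return p != NULL ? parse_field(p) : -1;
}

/* Robust: comm is the only free-form field and every later field is a number
 * or a single letter, so the last ')' in the record closes it. Counting
 * resumes at field 3 (state), right after ") ". */
long tty_nr_hardened(const char *stat)
{
    const char *p = strrchr(stat, ')');

    if (p == NULL || p[1] != ' ')
        return -1;
    p = skip_to_field(p + 2, 3, 7);
    return p != NULL ? parse_field(p) : -1;
}

int main(void)
{
    printf("plain:  naive=%ld hardened=%ld\n",
           tty_nr_naive(STAT_PLAIN), tty_nr_hardened(STAT_PLAIN));
    printf("spaced: naive=%ld hardened=%ld\n",
           tty_nr_naive(STAT_SPACED), tty_nr_hardened(STAT_SPACED));
    return 0;
}
```

On the spaced record the naive parser returns a number taken from the command name, which is under the invoking user's control, while the hardened parser still returns the kernel-supplied field.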