Pullup ticket #6133 - requested by taca security/sudo: security fix Revisions pulled up: - security/sudo/Makefile 1.174-1.178 - security/sudo/distinfo 1.107-1.109 - security/sudo/patches/patch-Makefile.in 1.2 - security/sudo/patches/patch-configure 1.2 - security/sudo/patches/patch-include_sudo__compat.h deleted - security/sudo/patches/patch-include_sudo__event.h deleted - security/sudo/patches/patch-lib_util_sig2str.c deleted - security/sudo/patches/patch-lib_util_str2sig.c deleted - security/sudo/patches/patch-plugins_sudoers_Makefile.in 1.3 - security/sudo/patches/patch-plugins_sudoers_logging.c deleted - security/sudo/patches/patch-plugins_sudoers_starttime.c deleted - security/sudo/patches/patch-plugins_sudoers_sudoers.c deleted - security/sudo/patches/patch-src_Makefile.in 1.4 - security/sudo/patches/patch-src_limits.c deleted --- Module Name: pkgsrc Committed By: kim Date: Sat Dec 28 20:43:56 UTC 2019 Modified Files: pkgsrc/security/sudo: Makefile distinfo pkgsrc/security/sudo/patches: patch-Makefile.in patch-configure patch-plugins_sudoers_Makefile.in patch-src_Makefile.in Removed Files: pkgsrc/security/sudo/patches: patch-include_sudo__compat.h patch-include_sudo__event.h patch-lib_util_sig2str.c patch-lib_util_str2sig.c patch-plugins_sudoers_logging.c patch-plugins_sudoers_starttime.c patch-plugins_sudoers_sudoers.c patch-src_limits.c Log Message: Update to sudo 1.8.30beta3 * Portability fixes from pkgsrc have been merged upstream * Add runas_check_shell flag to require a runas user to have a valid shell. Not enabled by default. * Add a new flag "allow_unknown_runas_id" to control matching of unknown IDs. Previous, sudo would always allow unknown user or group IDs if the sudoers entry permitted it. This included the "ALL" alias. With this change, the admin must explicitly enable support for unknown IDs. * Transparently handle the "sudo sudoedit" problem. Some admin are confused about how to give users sudoedit permission and many users try to run sudoedit via sudo instead of directly. If the user runs "sudo sudoedit" sudo will now treat it as plain "sudoedit" after issuing a warning. If the admin has specified a fully-qualified path for sudoedit in sudoers, sudo will treat it as just "sudoedit" and match accordingly. In visudo (but not sudo), a fully-qualified path for sudoedit is now treated as an error. * When restoring old resource limits, try to recover if we receive EINVAL. On NetBSD, setrlimit(2) can return EINVAL if the new soft limit is lower than the current resource usage. This can be a problem when restoring the old stack limit if sudo has raised it. * Restore resource limits before executing the askpass program. Linux with docker seems to have issues executing a program when the stack size is unlimited. Bug #908 * macOS does not allow rlim_cur to be set to RLIM_INFINITY for RLIMIT_NOFILE. We need to use OPEN_MAX instead as per the macOS setrlimit manual. Bug #904 * Use 64-bit resource limits on AIX. --- Module Name: pkgsrc Committed By: kim Date: Wed Jan 1 01:47:29 UTC 2020 Modified Files: pkgsrc/security/sudo: Makefile distinfo Log Message: Update to sudo 1.8.30 Notable changes: * The version string no longer has the word "beta" in it. --- Module Name: pkgsrc Committed By: jperkin Date: Sat Jan 18 21:51:16 UTC 2020 Modified Files: pkgsrc/security/sudo: Makefile Log Message: *: Recursive revision bump for openssl 1.1.1. --- Module Name: pkgsrc Committed By: triaxx Date: Thu Jan 30 21:08:00 UTC 2020 Modified Files: pkgsrc/security/sudo: Makefile Log Message: sudo: update master site TW Aren FTP server seems down and the fetching step hangs for hours. --- Module Name: pkgsrc Committed By: kim Date: Mon Feb 3 07:47:56 UTC 2020 Modified Files: pkgsrc/security/sudo: Makefile distinfo Log Message: Update to sudo 1.8.31 What's new: * Fixed CVE-2019-18634, a buffer overflow when the "pwfeedback" sudoers option is enabled on systems with uni-directional pipes. * The "sudoedit_checkdir" option now treats a user-owned directory as writable, even if it does not have the write bit set at the time of check. Symbolic links will no longer be followed by sudoedit in any user-owned directory. Bug #912 * Fixed sudoedit on macOS 10.15 and above where the root file system is mounted read-only. Bug #913. * Fixed a crash introduced in sudo 1.8.30 when suspending sudo at the password prompt. Bug #914. * Fixed compilation on systems where the mmap MAP_ANON flag is not available. Bug #915.

(bsiegert)

 @@ -1,18 +1,10 @@
-$NetBSD: distinfo,v 1.106 2019/12/19 16:59:44 kim Exp $
+$NetBSD: distinfo,v 1.106.4.1 2020/02/09 19:21:38 bsiegert Exp $
-SHA1 (sudo-1.8.29.tar.gz) = fdce342856f1803478eb549479190370001dca95
+SHA1 (sudo-1.8.31.tar.gz) = 24222b6fb644354c944bc024a0f77548b289410d
-RMD160 (sudo-1.8.29.tar.gz) = 706c7c8ec2a90b2e464e138384335b7de91d1c25
+RMD160 (sudo-1.8.31.tar.gz) = 8f67e551df2f528983f675cda6c9c908f9f1950b
-SHA512 (sudo-1.8.29.tar.gz) = ea780922b2afb47df4df4b533fb355fd916cb18a6bfd13c7ca36a25b03ef585d805648c6fa85692bea363b1f83664ac3bc622f99bcd149b3a86f70522eb4d340
+SHA512 (sudo-1.8.31.tar.gz) = b9e408a322938c7a712458e9012d8a5f648fba5b23a5057cf5d8372c7f931262595f1575c32c32b9cb1a04af670ff4611e7df48d197e5c4cc038d6b65439a28a
-Size (sudo-1.8.29.tar.gz) = 3338260 bytes
+Size (sudo-1.8.31.tar.gz) = 3350674 bytes
-SHA1 (patch-Makefile.in) = 279c7ad0f7f85ea7bc2d4beb5aa21abdf6237a7c
+SHA1 (patch-Makefile.in) = e8813e1aa208d9ef6304038328504a5402341560
-SHA1 (patch-configure) = 460b9575346c263b944535aa8e2408e959840c77
+SHA1 (patch-configure) = 906a90a8e8f5397693d9f410b7715439cf029508
-SHA1 (patch-include_sudo__compat.h) = 4f9b021ebdd507949f13e289deabdb6090ab334c
+SHA1 (patch-plugins_sudoers_Makefile.in) = 730193c6437197a7114dd31886050cecdcba6772
-SHA1 (patch-include_sudo__event.h) = 4d0787a45c2c7d4a7d3ae3111ccb3a4a4b84d083
+SHA1 (patch-src_Makefile.in) = 8959049bc428f592f84de1cad1a898c07c6e6b39
 SHA1 (patch-lib_util_sig2str.c) = e5636d9e414fc9354cd238751fa4a00026320dd3
 SHA1 (patch-lib_util_str2sig.c) = e04aa67cab901e1be10d59bd1b0ee740aa1295b8
 SHA1 (patch-plugins_sudoers_Makefile.in) = 46bbee9c51664357099dc6d6871341de3e3fcc6f
 SHA1 (patch-plugins_sudoers_logging.c) = 700ac9540a82bea4f3106cea941b785e5bd31203
 SHA1 (patch-plugins_sudoers_starttime.c) = acec2f8a96041381582acff4928233568411f2c6
 SHA1 (patch-plugins_sudoers_sudoers.c) = b5aa8a91da50d4b12ea47cd92e29d25ea325b52c
 SHA1 (patch-src_Makefile.in) = cc6398a810dc394d8e4b50f2b2412cda839c0ca9
 SHA1 (patch-src_limits.c) = 790c64fed4a4f406ce07b3d0e806866095c0a5ca

 @@ -1,132 +1,132 @@
-$NetBSD: patch-configure,v 1.1 2018/08/14 13:18:38 adam Exp $
+$NetBSD: patch-configure,v 1.1.14.1 2020/02/09 19:21:38 bsiegert Exp $
 * Add "--with-nbsdops" option, NetBSD standard options.
 * Link with util(3) in the case of DragonFly, too.
 * When specified "--with-kerb5" option, test existence of several functions
   even if there is krb5-config.  krb5-config dosen't give all definitions for
   functions (HAVE_KRB5_*).
 * Remove setting sysconfdir to "/etc".
---- configure.orig	2017-05-29 20:33:06.000000000 +0000
+--- configure.orig	2019-12-26 06:24:43.000000000 +0200
-+++ configure
++++ configure	2019-12-28 21:41:28.049372280 +0200
-@@ -865,6 +865,7 @@ with_libpath
+@@ -869,6 +869,7 @@
  with_libraries
  with_efence
  with_csops
 +with_nbsdops
  with_passwd
  with_skey
  with_opie
-@@ -1571,7 +1572,7 @@ Fine tuning of the installation director
+@@ -1581,7 +1582,7 @@
    --bindir=DIR            user executables [EPREFIX/bin]
    --sbindir=DIR           system admin executables [EPREFIX/sbin]
    --libexecdir=DIR        program executables [EPREFIX/libexec]
 -  --sysconfdir=DIR        read-only single-machine data [/etc]
 +  --sysconfdir=DIR        read-only single-machine data [PREFIX/etc]
    --sharedstatedir=DIR    modifiable architecture-independent data [PREFIX/com]
    --localstatedir=DIR     modifiable single-machine data [PREFIX/var]
    --libdir=DIR            object code libraries [EPREFIX/lib]
-@@ -1674,6 +1675,7 @@ Optional Packages:
+@@ -1694,6 +1695,7 @@
    --with-libraries        additional libraries to link with
    --with-efence           link with -lefence for malloc() debugging
    --with-csops            add CSOps standard options
 +  --with-nbsdops          add NetBSD standard opt ions
    --without-passwd        don't use passwd/shadow file for authentication
    --with-skey[=DIR]       enable S/Key support
    --with-opie[=DIR]       enable OPIE support
-@@ -4746,6 +4748,23 @@ fi
+@@ -4797,6 +4799,23 @@
 +# Check whether --with-nbsdops was given.
 +if test "${with_nbsdops+set}" = set; then :
 +  withval=$with_nbsdops; case $with_nbsdops in
 +    yes)       echo 'Adding NetBSD standard options'
 +               CHECKSIA=false
 +               with_ignore_dot=yes
 +               with_env_editor=yes
 +               with_tty_tickets=yes
 +               ;;
 +    no)                ;;
 +    *)         echo "Ignoring unknown argument to --with-nbsdops: $with_nbsdops"
 +               ;;
 +esac
 +fi
++
++
++
  # Check whether --with-passwd was given.
  if test "${with_passwd+set}" = set; then :
    withval=$with_passwd; case $with_passwd in
-@@ -15770,7 +15789,7 @@ fi
+@@ -15925,7 +15944,7 @@
  		: ${mansectsu='1m'}
  		: ${mansectform='4'}
  		;;
 -    *-*-linux*|*-*-k*bsd*-gnu)
 +    *-*-linux*|*-*-k*bsd*-gnu|*-*-gnukfreebsd)
  		shadow_funcs="getspnam"
  		test -z "$with_pam" && AUTH_EXCL_DEF="PAM"
  		# Check for SECCOMP_SET_MODE_FILTER in linux/seccomp.h
-@@ -17995,7 +18014,7 @@ if test "x$ac_cv_header_login_cap_h" = x
+@@ -18163,7 +18182,7 @@
  _ACEOF
   LOGINCAP_USAGE='[-c class] '; LCMAN=1
  	case "$OS" in
 -	    freebsd|netbsd)
 +	    dragonfly*|freebsd|netbsd)
  		SUDO_LIBS="${SUDO_LIBS} -lutil"
  		SUDOERS_LIBS="${SUDOERS_LIBS} -lutil"
  		;;
-@@ -22483,10 +22502,9 @@ if test ${with_pam-"no"} != "no"; then
+@@ -22993,10 +23012,9 @@
      # Check for pam_start() in libpam first, then for pam_appl.h.
+     #
      found_pam_lib=no
 -    as_ac_Lib=`$as_echo "ac_cv_lib_pam_pam_start$lt_cv_dlopen_libs" | $as_tr_sh`
 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for pam_start in -lpam" >&5
 +    { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pam_start in -lpam" >&5
  $as_echo_n "checking for pam_start in -lpam... " >&6; }
 -if eval \${$as_ac_Lib+:} false; then :
 +if ${ac_cv_lib_pam_pam_start+:} false; then :
    $as_echo_n "(cached) " >&6
  else
    ac_check_lib_save_LIBS=$LIBS
-@@ -22510,18 +22528,17 @@ return pam_start ();
+@@ -23020,18 +23038,17 @@
+ }
  _ACEOF
  if ac_fn_c_try_link "$LINENO"; then :
 -  eval "$as_ac_Lib=yes"
 +  ac_cv_lib_pam_pam_start=yes
  else
 -  eval "$as_ac_Lib=no"
 +  ac_cv_lib_pam_pam_start=no
  fi
  rm -f core conftest.err conftest.$ac_objext \
      conftest$ac_exeext conftest.$ac_ext
  LIBS=$ac_check_lib_save_LIBS
  fi
 -eval ac_res=\$$as_ac_Lib
 -	       { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
 -$as_echo "$ac_res" >&6; }
 -if eval test \"x\$"$as_ac_Lib"\" = x"yes"; then :
 +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pam_pam_start" >&5
 +$as_echo "$ac_cv_lib_pam_pam_start" >&6; }
 +if test "x$ac_cv_lib_pam_pam_start" = xyes; then :
    found_pam_lib=yes
  fi
-@@ -23256,6 +23273,8 @@ fi
+@@ -23766,6 +23783,8 @@
  rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
  	AUTH_OBJS="$AUTH_OBJS kerb5.lo"
      fi
 +fi
 +if test ${with_kerb5-'no'} != "no"; then
      _LIBS="$LIBS"
      LIBS="${LIBS} ${SUDOERS_LIBS}"
      for ac_func in krb5_verify_user krb5_init_secure_context
-@@ -26426,7 +26445,6 @@ test "$datarootdir" = '${prefix}/share'
+@@ -27026,7 +27045,6 @@
  test "$docdir" = '${datarootdir}/doc/${PACKAGE_TARNAME}' && docdir='$(datarootdir)/doc/$(PACKAGE_TARNAME)'
  test "$localedir" = '${datarootdir}/locale' && localedir='$(datarootdir)/locale'
  test "$localstatedir" = '${prefix}/var' && localstatedir='$(prefix)/var'
 -test "$sysconfdir" = '${prefix}/etc' && sysconfdir='/etc'
  if test X"$INIT_SCRIPT" != X""; then
      ac_config_files="$ac_config_files init.d/$INIT_SCRIPT"

 @@ -1,22 +1,21 @@
-# $NetBSD: Makefile,v 1.173 2019/12/19 16:59:44 kim Exp $
+# $NetBSD: Makefile,v 1.173.4.1 2020/02/09 19:21:38 bsiegert Exp $
-DISTNAME=	sudo-1.8.29
+DISTNAME=	sudo-1.8.31
 PKGREVISION=	2
 CATEGORIES=	security
 MASTER_SITES=	https://www.sudo.ws/dist/
 MASTER_SITES+=	ftp://ftp.sudo.ws/pub/sudo/
 MASTER_SITES+=	ftp://ftp.uwsg.indiana.edu/pub/security/sudo/
-MASTER_SITES+=	ftp://ftp.twaren.net/Unix/Security/Sudo/
+MASTER_SITES+=	http://ftp.twaren.net/Unix/Security/Sudo/
 MASTER_SITES+=	http://ftp.tux.org/pub/security/sudo/
 MAINTAINER=	pkgsrc-users@NetBSD.org
 HOMEPAGE=	https://www.sudo.ws/
 COMMENT=	Allow others to run commands as root
 LICENSE=	isc AND modified-bsd
 USE_LIBTOOL=		yes
 GNU_CONFIGURE=		yes
 CONFIGURE_ARGS+=	--disable-path-info
 CONFIGURE_ARGS+=	--disable-root-mailer
 CONFIGURE_ARGS+=	--sysconfdir=${PKG_SYSCONFDIR}
 CONFIGURE_ARGS+=	--with-exampledir=${PREFIX}/${EGDIR}

 @@ -1,25 +1,25 @@
-$NetBSD: patch-Makefile.in,v 1.1 2018/08/14 13:18:38 adam Exp $
+$NetBSD: patch-Makefile.in,v 1.1.14.1 2020/02/09 19:21:38 bsiegert Exp $
 Don't setuid here.
---- Makefile.in.orig	2015-10-31 23:35:07.000000000 +0000
+--- Makefile.in.orig	2019-10-28 15:51:30.000000000 +0200
-+++ Makefile.in
++++ Makefile.in	2019-12-28 21:41:28.028886752 +0200
-@@ -63,7 +63,8 @@ SHELL = @SHELL@
+@@ -64,7 +64,8 @@
  SED = @SED@
  INSTALL = $(SHELL) $(top_srcdir)/install-sh -c
 -INSTALL_OWNER = -o $(install_uid) -g $(install_gid)
 +#INSTALL_OWNER = -o $(install_uid) -g $(install_gid)
 +INSTALL_OWNER =
  ECHO_N = @ECHO_N@
  ECHO_C = @ECHO_C@
-@@ -129,7 +130,7 @@ install-doc: config.status ChangeLog
+@@ -165,7 +166,7 @@
  	    exit $$?; \
  	done
 -install: config.status ChangeLog pre-install install-nls
 +install: config.status ChangeLog install-nls
  	for d in $(SUBDIRS); do \
  	    (cd $$d && exec $(MAKE) "INSTALL_OWNER=$(INSTALL_OWNER)" $@) && continue; \
  	    exit $$?; \

 @@ -1,15 +1,15 @@
-$NetBSD: patch-plugins_sudoers_Makefile.in,v 1.2 2019/12/15 18:42:10 adam Exp $
+$NetBSD: patch-plugins_sudoers_Makefile.in,v 1.2.4.1 2020/02/09 19:21:38 bsiegert Exp $
 Do not install the sudoers file to etc.
---- plugins/sudoers/Makefile.in.orig	2019-10-28 12:28:53.000000000 +0000
+--- plugins/sudoers/Makefile.in.orig	2019-12-25 21:21:05.000000000 +0200
-+++ plugins/sudoers/Makefile.in
++++ plugins/sudoers/Makefile.in	2019-12-28 22:01:00.540953438 +0200
-@@ -394,7 +394,7 @@ pre-install:
+@@ -396,7 +396,7 @@
- 	    ./visudo -c -f $(sudoersdir)/sudoers; \
+ 	    fi; \
  	fi
 -install: install-plugin install-binaries install-sudoers install-doc
 +install: install-plugin install-binaries install-doc
  install-dirs:
  	$(SHELL) $(top_srcdir)/mkinstalldirs $(DESTDIR)$(plugindir) \

 @@ -1,15 +1,15 @@
-$NetBSD: patch-src_Makefile.in,v 1.3 2018/03/07 09:17:06 adam Exp $
+$NetBSD: patch-src_Makefile.in,v 1.3.18.1 2020/02/09 19:21:38 bsiegert Exp $
 * install the suid sudo without write-bits
---- src/Makefile.in.orig	2015-10-31 23:35:25.000000000 +0000
+--- src/Makefile.in.orig	2019-12-10 15:11:46.000000000 +0200
-+++ src/Makefile.in
++++ src/Makefile.in	2019-12-28 21:51:27.794734242 +0200
-@@ -198,7 +198,7 @@ install-rc: install-dirs
+@@ -219,7 +219,7 @@
  	fi
  install-binaries: install-dirs $(PROGS)
 -	INSTALL_BACKUP='$(INSTALL_BACKUP)' $(LIBTOOL) $(LTFLAGS) --mode=install $(INSTALL) $(INSTALL_OWNER) -m 04755 sudo $(DESTDIR)$(bindir)/sudo
 +	INSTALL_BACKUP='$(INSTALL_BACKUP)' $(LIBTOOL) $(LTFLAGS) --mode=install $(INSTALL) $(INSTALL_OWNER) -m 04555 sudo $(DESTDIR)$(bindir)/sudo
  	rm -f $(DESTDIR)$(bindir)/sudoedit
  	ln -s sudo $(DESTDIR)$(bindir)/sudoedit
  	if [ -f sesh ]; then \