Sat Sep 19 14:04:29 2020 UTC ()
security/sudo: update to 1.8.31p2

Update sudo package to 1.8.31p2.

What's new in Sudo 1.8.31p2

 * Sudo command line options that take a value may only be specified
   once.  This is to help guard against problems caused by poorly
   written scripts that invoke sudo with user-controlled input.
   Bug #924.

 * When running a command in a pty, sudo will no longer try to
   suspend itself if the user's tty has been revoked (for instance
   when the parent ssh daemon is killed).  This fixes a bug where
   sudo would continuously suspend the command (which would succeed),
   then suspend itself (which would fail due to the missing tty)
   and then resume the command.

 * If sudo's event loop fails due to the tty being revoked, remove
   the user's tty events and restart the event loop (once).  This
   fixes a problem when running "sudo reboot" in a pty on some
   systems.  When the event loop exited unexpectedly, sudo would
   kill the command running in the pty, which in the case of "reboot",
   could lead to the system being in a half-rebooted state.

 * Fixed a regression introduced in sudo 1.8.23 in the LDAP and
   SSSD back-ends where a missing sudoHost attribute was treated
   as an "ALL" wildcard value.  A sudoRole with no sudoHost attribute
   is now ignored as it was prior to version 1.8.23.


(taca)
diff -r1.179 -r1.180 pkgsrc/security/sudo/Makefile
diff -r1.110 -r1.111 pkgsrc/security/sudo/distinfo
diff -r1.2 -r1.3 pkgsrc/security/sudo/patches/patch-configure

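--- a/pkgsrc/security/sudo/Makefile
+++ b/pkgsrc/security/sudo/Makefile
@@ -1,16 +1,16 @@
-# $NetBSD: Makefile,v 1.179 2020/04/28 05:29:18 taca Exp $
+# $NetBSD: Makefile,v 1.180 2020/09/19 14:04:29 taca Exp $
 
-DISTNAME= sudo-1.8.31p1
+DISTNAME= sudo-1.8.31p2
 CATEGORIES= security
 MASTER_SITES= https://www.sudo.ws/dist/
 MASTER_SITES+= ftp://ftp.sudo.ws/pub/sudo/
 MASTER_SITES+= ftp://ftp.uwsg.indiana.edu/pub/security/sudo/
 MASTER_SITES+= http://ftp.twaren.net/Unix/Security/Sudo/
 MASTER_SITES+= http://ftp.tux.org/pub/security/sudo/
 
 MAINTAINER= pkgsrc-users@NetBSD.org
 HOMEPAGE= https://www.sudo.ws/
 COMMENT= Allow others to run commands as root
 LICENSE= isc AND modified-bsd
 
 USE_LIBTOOL= yes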

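--- a/pkgsrc/security/sudo/distinfo
+++ b/pkgsrc/security/sudo/distinfo
@@ -1,10 +1,10 @@
-$NetBSD: distinfo,v 1.110 2020/04/28 05:29:18 taca Exp $
+$NetBSD: distinfo,v 1.111 2020/09/19 14:04:29 taca Exp $
 
-SHA1 (sudo-1.8.31p1.tar.gz) = b959be78c815e37d893c5c481975b9793f9ed227
-RMD160 (sudo-1.8.31p1.tar.gz) = ace03e181e4240fde407f5353b363f28a72900c1
-SHA512 (sudo-1.8.31p1.tar.gz) = 9344fd1d8a8445e8afb9c5628cdc832fe32ea29199f071f35fb6ec694371801556df560f4382afec199f468b1f3264ad5e3a89e964612e571b8d911f823724cc
-Size (sudo-1.8.31p1.tar.gz) = 3351312 bytes
+SHA1 (sudo-1.8.31p2.tar.gz) = 53a6dfa90f78bc10615b83b7026bf3ba206c69e9
+RMD160 (sudo-1.8.31p2.tar.gz) = 5ffd8e785095c19c26ad8e3b3d5768669951f777
+SHA512 (sudo-1.8.31p2.tar.gz) = ad1bbbde74d3ab6e947071c6f21e436ebabcf5af11ecc75cde8f0c01ca0b8c6ae1cce2ff42f21612816c636e96722a2a14daa57757644ceab6577091f82242be
+Size (sudo-1.8.31p2.tar.gz) = 3353538 bytes
 SHA1 (patch-Makefile.in) = e8813e1aa208d9ef6304038328504a5402341560
-SHA1 (patch-configure) = 906a90a8e8f5397693d9f410b7715439cf029508
+SHA1 (patch-configure) = 498b1040fceb317c239d050b59b3d1a180598441
 SHA1 (patch-plugins_sudoers_Makefile.in) = 730193c6437197a7114dd31886050cecdcba6772
 SHA1 (patch-src_Makefile.in) = 8959049bc428f592f84de1cad1a898c07c6e6b39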

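--- a/pkgsrc/security/sudo/patches/patch-configure
+++ b/pkgsrc/security/sudo/patches/patch-configure
@@ -1,132 +1,132 @@
-$NetBSD: patch-configure,v 1.2 2019/12/28 20:43:56 kim Exp $
+$NetBSD: patch-configure,v 1.3 2020/09/19 14:04:29 taca Exp $
 
 * Add "--with-nbsdops" option, NetBSD standard options.
 * Link with util(3) in the case of DragonFly, too.
 * When specified "--with-kerb5" option, test existence of several functions
  even if there is krb5-config. krb5-config dosen't give all definitions for
  functions (HAVE_KRB5_*).
 * Remove setting sysconfdir to "/etc".
 
---- configure.orig 2019-12-26 06:24:43.000000000 +0200
-+++ configure 2019-12-28 21:41:28.049372280 +0200
-@@ -869,6 +869,7 @@
+--- configure.orig 2020-06-12 13:15:11.000000000 +0000
++++ configure
+@@ -870,6 +870,7 @@ with_libpath
  with_libraries
  with_efence
  with_csops
 +with_nbsdops
  with_passwd
  with_skey
  with_opie
-@@ -1581,7 +1582,7 @@
+@@ -1592,7 +1593,7 @@ Fine tuning of the installation director
  --bindir=DIR user executables [EPREFIX/bin]
  --sbindir=DIR system admin executables [EPREFIX/sbin]
  --libexecdir=DIR program executables [EPREFIX/libexec]
 - --sysconfdir=DIR read-only single-machine data [/etc]
 + --sysconfdir=DIR read-only single-machine data [PREFIX/etc]
  --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]
  --localstatedir=DIR modifiable single-machine data [PREFIX/var]
- --libdir=DIR object code libraries [EPREFIX/lib]
-@@ -1694,6 +1695,7 @@
+ --runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run]
+@@ -1706,6 +1707,7 @@ Optional Packages:
  --with-libraries additional libraries to link with
  --with-efence link with -lefence for malloc() debugging
  --with-csops add CSOps standard options
 + --with-nbsdops add NetBSD standard opt ions
  --without-passwd don't use passwd/shadow file for authentication
  --with-skey[=DIR] enable S/Key support
  --with-opie[=DIR] enable OPIE support
-@@ -4797,6 +4799,23 @@
+@@ -4809,6 +4811,23 @@ fi
  
  
  
 +# Check whether --with-nbsdops was given.
 +if test "${with_nbsdops+set}" = set; then :
 + withval=$with_nbsdops; case $with_nbsdops in
 + yes) echo 'Adding NetBSD standard options'
 + CHECKSIA=false
 + with_ignore_dot=yes
 + with_env_editor=yes
 + with_tty_tickets=yes
 + ;;
 + no) ;;
 + *) echo "Ignoring unknown argument to --with-nbsdops: $with_nbsdops"
 + ;;
 +esac
 +fi
 +
 +
 +
  # Check whether --with-passwd was given.
  if test "${with_passwd+set}" = set; then :
  withval=$with_passwd; case $with_passwd in
-@@ -15925,7 +15944,7 @@
+@@ -15937,7 +15956,7 @@ fi
  : ${mansectsu='1m'}
  : ${mansectform='4'}
  ;;
 - *-*-linux*|*-*-k*bsd*-gnu)
 + *-*-linux*|*-*-k*bsd*-gnu|*-*-gnukfreebsd)
  shadow_funcs="getspnam"
  test -z "$with_pam" && AUTH_EXCL_DEF="PAM"
  # Check for SECCOMP_SET_MODE_FILTER in linux/seccomp.h
-@@ -18163,7 +18182,7 @@
+@@ -18175,7 +18194,7 @@ if test "x$ac_cv_header_login_cap_h" = x
  _ACEOF
  LOGINCAP_USAGE='[-c class] '; LCMAN=1
  case "$OS" in
 - freebsd|netbsd)
 + dragonfly*|freebsd|netbsd)
  SUDO_LIBS="${SUDO_LIBS} -lutil"
  SUDOERS_LIBS="${SUDOERS_LIBS} -lutil"
  ;;
-@@ -22993,10 +23012,9 @@
+@@ -23018,10 +23037,9 @@ if test ${with_pam-"no"} != "no"; then
  # Check for pam_start() in libpam first, then for pam_appl.h.
  #
  found_pam_lib=no
 - as_ac_Lib=`$as_echo "ac_cv_lib_pam_pam_start$lt_cv_dlopen_libs" | $as_tr_sh`
 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for pam_start in -lpam" >&5
 + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pam_start in -lpam" >&5
  $as_echo_n "checking for pam_start in -lpam... " >&6; }
 -if eval \${$as_ac_Lib+:} false; then :
 +if ${ac_cv_lib_pam_pam_start+:} false; then :
  $as_echo_n "(cached) " >&6
  else
  ac_check_lib_save_LIBS=$LIBS
-@@ -23020,18 +23038,17 @@
+@@ -23045,18 +23063,17 @@ return pam_start ();
  }
  _ACEOF
  if ac_fn_c_try_link "$LINENO"; then :
 - eval "$as_ac_Lib=yes"
 + ac_cv_lib_pam_pam_start=yes
  else
 - eval "$as_ac_Lib=no"
 + ac_cv_lib_pam_pam_start=no
  fi
  rm -f core conftest.err conftest.$ac_objext \
  conftest$ac_exeext conftest.$ac_ext
  LIBS=$ac_check_lib_save_LIBS
  fi
 -eval ac_res=\$$as_ac_Lib
 - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
 -$as_echo "$ac_res" >&6; }
 -if eval test \"x\$"$as_ac_Lib"\" = x"yes"; then :
 +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pam_pam_start" >&5
 +$as_echo "$ac_cv_lib_pam_pam_start" >&6; }
 +if test "x$ac_cv_lib_pam_pam_start" = xyes; then :
  found_pam_lib=yes
  fi
  
-@@ -23766,6 +23783,8 @@
+@@ -23791,6 +23808,8 @@ fi
  rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
  AUTH_OBJS="$AUTH_OBJS kerb5.lo"
  fi
 +fi
 +if test ${with_kerb5-'no'} != "no"; then
  _LIBS="$LIBS"
  LIBS="${LIBS} ${SUDOERS_LIBS}"
  for ac_func in krb5_verify_user krb5_init_secure_context
-@@ -27026,7 +27045,6 @@
+@@ -27051,7 +27070,6 @@ test "$datarootdir" = '${prefix}/share'
  test "$docdir" = '${datarootdir}/doc/${PACKAGE_TARNAME}' && docdir='$(datarootdir)/doc/$(PACKAGE_TARNAME)'
  test "$localedir" = '${datarootdir}/locale' && localedir='$(datarootdir)/locale'
  test "$localstatedir" = '${prefix}/var' && localstatedir='$(prefix)/var'
 -test "$sysconfdir" = '${prefix}/etc' && sysconfdir='/etc'
  
  if test X"$INIT_SCRIPT" != X""; then
  ac_config_files="$ac_config_files init.d/$INIT_SCRIPT"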
53+esac 53+esac
54+fi 54+fi
55+ 55+
56+ 56+
57+ 57+
58 # Check whether --with-passwd was given. 58 # Check whether --with-passwd was given.
59 if test "${with_passwd+set}" = set; then : 59 if test "${with_passwd+set}" = set; then :
60 withval=$with_passwd; case $with_passwd in 60 withval=$with_passwd; case $with_passwd in
61@@ -15925,7 +15944,7 @@ 61@@ -15937,7 +15956,7 @@ fi
62 : ${mansectsu='1m'} 62 : ${mansectsu='1m'}
63 : ${mansectform='4'} 63 : ${mansectform='4'}
64 ;; 64 ;;
65- *-*-linux*|*-*-k*bsd*-gnu) 65- *-*-linux*|*-*-k*bsd*-gnu)
66+ *-*-linux*|*-*-k*bsd*-gnu|*-*-gnukfreebsd) 66+ *-*-linux*|*-*-k*bsd*-gnu|*-*-gnukfreebsd)
67 shadow_funcs="getspnam" 67 shadow_funcs="getspnam"
68 test -z "$with_pam" && AUTH_EXCL_DEF="PAM" 68 test -z "$with_pam" && AUTH_EXCL_DEF="PAM"
69 # Check for SECCOMP_SET_MODE_FILTER in linux/seccomp.h 69 # Check for SECCOMP_SET_MODE_FILTER in linux/seccomp.h
70@@ -18163,7 +18182,7 @@ 70@@ -18175,7 +18194,7 @@ if test "x$ac_cv_header_login_cap_h" = x
71 _ACEOF 71 _ACEOF
72 LOGINCAP_USAGE='[-c class] '; LCMAN=1 72 LOGINCAP_USAGE='[-c class] '; LCMAN=1
73 case "$OS" in 73 case "$OS" in
74- freebsd|netbsd) 74- freebsd|netbsd)
75+ dragonfly*|freebsd|netbsd) 75+ dragonfly*|freebsd|netbsd)
76 SUDO_LIBS="${SUDO_LIBS} -lutil" 76 SUDO_LIBS="${SUDO_LIBS} -lutil"
77 SUDOERS_LIBS="${SUDOERS_LIBS} -lutil" 77 SUDOERS_LIBS="${SUDOERS_LIBS} -lutil"
78 ;; 78 ;;
79@@ -22993,10 +23012,9 @@ 79@@ -23018,10 +23037,9 @@ if test ${with_pam-"no"} != "no"; then
80 # Check for pam_start() in libpam first, then for pam_appl.h. 80 # Check for pam_start() in libpam first, then for pam_appl.h.
81 # 81 #
82 found_pam_lib=no 82 found_pam_lib=no
83- as_ac_Lib=`$as_echo "ac_cv_lib_pam_pam_start$lt_cv_dlopen_libs" | $as_tr_sh` 83- as_ac_Lib=`$as_echo "ac_cv_lib_pam_pam_start$lt_cv_dlopen_libs" | $as_tr_sh`
84-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for pam_start in -lpam" >&5 84-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for pam_start in -lpam" >&5
85+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pam_start in -lpam" >&5 85+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pam_start in -lpam" >&5
86 $as_echo_n "checking for pam_start in -lpam... " >&6; } 86 $as_echo_n "checking for pam_start in -lpam... " >&6; }
87-if eval \${$as_ac_Lib+:} false; then : 87-if eval \${$as_ac_Lib+:} false; then :
88+if ${ac_cv_lib_pam_pam_start+:} false; then : 88+if ${ac_cv_lib_pam_pam_start+:} false; then :
89 $as_echo_n "(cached) " >&6 89 $as_echo_n "(cached) " >&6
90 else 90 else
91 ac_check_lib_save_LIBS=$LIBS 91 ac_check_lib_save_LIBS=$LIBS
92@@ -23020,18 +23038,17 @@ 92@@ -23045,18 +23063,17 @@ return pam_start ();
93 } 93 }
94 _ACEOF 94 _ACEOF
95 if ac_fn_c_try_link "$LINENO"; then : 95 if ac_fn_c_try_link "$LINENO"; then :
96- eval "$as_ac_Lib=yes" 96- eval "$as_ac_Lib=yes"
97+ ac_cv_lib_pam_pam_start=yes 97+ ac_cv_lib_pam_pam_start=yes
98 else 98 else
99- eval "$as_ac_Lib=no" 99- eval "$as_ac_Lib=no"
100+ ac_cv_lib_pam_pam_start=no 100+ ac_cv_lib_pam_pam_start=no
101 fi 101 fi
102 rm -f core conftest.err conftest.$ac_objext \ 102 rm -f core conftest.err conftest.$ac_objext \
103 conftest$ac_exeext conftest.$ac_ext 103 conftest$ac_exeext conftest.$ac_ext
104 LIBS=$ac_check_lib_save_LIBS 104 LIBS=$ac_check_lib_save_LIBS
105 fi 105 fi
106-eval ac_res=\$$as_ac_Lib 106-eval ac_res=\$$as_ac_Lib
107- { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 107- { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
108-$as_echo "$ac_res" >&6; } 108-$as_echo "$ac_res" >&6; }
109-if eval test \"x\$"$as_ac_Lib"\" = x"yes"; then : 109-if eval test \"x\$"$as_ac_Lib"\" = x"yes"; then :
110+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pam_pam_start" >&5 110+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pam_pam_start" >&5
111+$as_echo "$ac_cv_lib_pam_pam_start" >&6; } 111+$as_echo "$ac_cv_lib_pam_pam_start" >&6; }
112+if test "x$ac_cv_lib_pam_pam_start" = xyes; then : 112+if test "x$ac_cv_lib_pam_pam_start" = xyes; then :
113 found_pam_lib=yes 113 found_pam_lib=yes
114 fi 114 fi
115  115
116@@ -23766,6 +23783,8 @@ 116@@ -23791,6 +23808,8 @@ fi
117 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext 117 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
118 AUTH_OBJS="$AUTH_OBJS kerb5.lo" 118 AUTH_OBJS="$AUTH_OBJS kerb5.lo"
119 fi 119 fi
120+fi 120+fi
121+if test ${with_kerb5-'no'} != "no"; then 121+if test ${with_kerb5-'no'} != "no"; then
122 _LIBS="$LIBS" 122 _LIBS="$LIBS"
123 LIBS="${LIBS} ${SUDOERS_LIBS}" 123 LIBS="${LIBS} ${SUDOERS_LIBS}"
124 for ac_func in krb5_verify_user krb5_init_secure_context 124 for ac_func in krb5_verify_user krb5_init_secure_context
125@@ -27026,7 +27045,6 @@ 125@@ -27051,7 +27070,6 @@ test "$datarootdir" = '${prefix}/share'
126 test "$docdir" = '${datarootdir}/doc/${PACKAGE_TARNAME}' && docdir='$(datarootdir)/doc/$(PACKAGE_TARNAME)' 126 test "$docdir" = '${datarootdir}/doc/${PACKAGE_TARNAME}' && docdir='$(datarootdir)/doc/$(PACKAGE_TARNAME)'
127 test "$localedir" = '${datarootdir}/locale' && localedir='$(datarootdir)/locale' 127 test "$localedir" = '${datarootdir}/locale' && localedir='$(datarootdir)/locale'
128 test "$localstatedir" = '${prefix}/var' && localstatedir='$(prefix)/var' 128 test "$localstatedir" = '${prefix}/var' && localstatedir='$(prefix)/var'
129-test "$sysconfdir" = '${prefix}/etc' && sysconfdir='/etc' 129-test "$sysconfdir" = '${prefix}/etc' && sysconfdir='/etc'
130  130
131 if test X"$INIT_SCRIPT" != X""; then 131 if test X"$INIT_SCRIPT" != X""; then
132 ac_config_files="$ac_config_files init.d/$INIT_SCRIPT" 132 ac_config_files="$ac_config_files init.d/$INIT_SCRIPT"