Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package sudo for openSUSE:Factory checked in at 2026-04-08 17:13:46 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/sudo (Old) and /work/SRC/openSUSE:Factory/.sudo.new.21863 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "sudo" Wed Apr 8 17:13:46 2026 rev:156 rq:1344979 version:1.9.17p2 Changes: -------- --- /work/SRC/openSUSE:Factory/sudo/sudo.changes 2025-09-16 18:18:02.094175650 +0200 +++ /work/SRC/openSUSE:Factory/.sudo.new.21863/sudo.changes 2026-04-08 17:14:10.388079365 +0200 @@ -1,0 +2,9 @@ +Tue Apr 7 08:31:13 UTC 2026 - Simon Lees <[email protected]> + +- CVE-2026-35535: potential privilege escalation when running + the mailer (bsc#1261420) + * fix-CVE-2026-35535.patch +- Move tests under /usr/share for transactional system support + (jsc#PED-14830) + +------------------------------------------------------------------- New: ---- fix-CVE-2026-35535.patch ----------(New B)---------- New: the mailer (bsc#1261420) * fix-CVE-2026-35535.patch - Move tests under /usr/share for transactional system support ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ sudo.spec ++++++ --- /var/tmp/diff_new_pack.KXzR5S/_old 2026-04-08 17:14:11.380120151 +0200 +++ /var/tmp/diff_new_pack.KXzR5S/_new 2026-04-08 17:14:11.384120315 +0200 @@ -1,7 +1,7 @@ # # spec file for package sudo # -# Copyright (c) 2025 SUSE LLC and contributors +# Copyright (c) 2026 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -24,6 +24,8 @@ %define confmode 0440 %endif +%define testsuitedir %{_datadir}/sudo/tests + Name: sudo Version: 1.9.17p2 Release: 0 @@ -44,6 +46,7 @@ Source10: system-group-sudo.conf # PATCH-OPENSUSE: the "SUSE" branding of the default sudo config Patch0: sudo-sudoers.patch +Patch1: fix-CVE-2026-35535.patch BuildRequires: audit-devel BuildRequires: cyrus-sasl-devel BuildRequires: groff 
@@ -223,9 +226,9 @@ %find_lang sudoers cat sudoers.lang >> %{name}.lang # tests -install -d -m 755 %{buildroot}%{_localstatedir}/lib/tests/sudo -install -m 755 %{SOURCE6} %{buildroot}%{_localstatedir}/lib/tests/sudo -install -m 755 %{SOURCE7} %{buildroot}%{_localstatedir}/lib/tests/sudo +install -d -m 755 %{buildroot}%{testsuitedir} +install -m 755 %{SOURCE6} %{buildroot}%{testsuitedir} +install -m 755 %{SOURCE7} %{buildroot}%{testsuitedir} install -d %{buildroot}%{_licensedir}/%{name} rm -fv %{buildroot}%{_docdir}/%{name}/LICENSE.md @@ -324,7 +327,8 @@ %{_libexecdir}/%{name}/*.la %files test -%{_localstatedir}/lib/tests +%{_datadir}/%{name} +%{testsuitedir} %files policy-wheel-auth-self %attr(0440,root,root) %{confdir}/sudoers.d/50-wheel-auth-self ++++++ fix-CVE-2026-35535.patch ++++++ >From 3e474c2f201484be83d994ae10a4e20e8c81bb69 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" <[email protected]> Date: Sat, 8 Nov 2025 15:34:02 -0700 Subject: [PATCH] exec_mailer: Set group as well as uid when running the mailer Also make a setuid(), setgid() or setgroups() failure fatal. Found by the ZeroPath AI Security Engineer <https://zeropath.com> --- include/sudo_eventlog.h | 3 ++- lib/eventlog/eventlog.c | 21 +++++++++++++++++---- lib/eventlog/eventlog_conf.c | 4 +++- plugins/sudoers/logging.c | 2 +- plugins/sudoers/policy.c | 2 +- 5 files changed, 24 insertions(+), 8 deletions(-) Index: sudo-1.9.17p1/include/sudo_eventlog.h =================================================================== --- sudo-1.9.17p1.orig/include/sudo_eventlog.h +++ sudo-1.9.17p1/include/sudo_eventlog.h @@ -80,6 +80,7 @@ struct eventlog_config { int syslog_rejectpri; int syslog_alertpri; uid_t mailuid; + gid_t mailgid; bool omit_hostname; const char *logpath; const char *time_fmt; 
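Review bot: In the `%files test` hunk, `%{_datadir}/%{name}` already matches `%{testsuitedir}` and everything below it recursively, so the second entry `%{testsuitedir}` lists the same test scripts twice and rpmbuild is likely to emit a "File listed twice" warning for each of them (confirm in the build log). Owning the directory explicitly and listing the tests once avoids that: `%dir %{_datadir}/%{name}` followed by `%{testsuitedir}`. If the main package also ships `%{_datadir}/%{name}` (not visible here), the `%dir` form is needed anyway so both subpackages can co-own it.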
@@ -151,7 +152,7 @@ void eventlog_set_syslog_rejectpri(int p void eventlog_set_syslog_alertpri(int pri); void eventlog_set_syslog_maxlen(size_t len); void eventlog_set_file_maxlen(size_t len); -void eventlog_set_mailuid(uid_t uid); +void eventlog_set_mailuser(uid_t uid, gid_t gid); void eventlog_set_omit_hostname(bool omit_hostname); void eventlog_set_logpath(const char *path); void eventlog_set_time_fmt(const char *fmt); Index: sudo-1.9.17p1/lib/eventlog/eventlog.c =================================================================== --- sudo-1.9.17p1.orig/lib/eventlog/eventlog.c +++ sudo-1.9.17p1/lib/eventlog/eventlog.c @@ -304,15 +304,13 @@ exec_mailer(int pipein) syslog(LOG_ERR, _("unable to dup stdin: %m")); // -V618 sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to dup stdin: %s", strerror(errno)); - sudo_debug_exit(__func__, __FILE__, __LINE__, sudo_debug_subsys); - _exit(127); + goto bad; } /* Build up an argv based on the mailer path and flags */ if ((mflags = strdup(evl_conf->mailerflags)) == NULL) { syslog(LOG_ERR, _("unable to allocate memory")); // -V618 - sudo_debug_exit(__func__, __FILE__, __LINE__, sudo_debug_subsys); - _exit(127); + goto bad; } argv[0] = sudo_basename(mpath); @@ -331,11 +329,23 @@ exec_mailer(int pipein) if (setuid(ROOT_UID) != 0) { sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to change uid to %u", ROOT_UID); + goto bad; + } + if (setgid(evl_conf->mailgid) != 0) { + sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to change gid to %u", + (unsigned int)evl_conf->mailgid); + goto bad; + } + if (setgroups(1, &evl_conf->mailgid) != 0) { + sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to set groups to %u", + (unsigned int)evl_conf->mailgid); + goto bad; } if (evl_conf->mailuid != ROOT_UID) { if (setuid(evl_conf->mailuid) != 0) { sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to change uid to %u", (unsigned int)evl_conf->mailuid); + goto bad; } } sudo_debug_exit(__func__, __FILE__, __LINE__, sudo_debug_subsys); 
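Review bot: The new failure branches for `setgid()` and `setgroups()` in the `@@ -331,11 +329,23 @@` hunk log the target gid but not why the call failed, unlike the dup/strdup paths earlier in the function which include `strerror(errno)`; `"unable to change gid to %u: %s", (unsigned int)evl_conf->mailgid, strerror(errno)` (and the same for the setgroups and both setuid messages) would make a refused privilege change diagnosable from the debug log. Making `setuid(ROOT_UID)` fatal also means exec_mailer now sends no mail at all when the calling process is not running with root privileges, whereas before it logged and carried on as the current user; if libeventlog is linked into anything that can run unprivileged (sudo_logsrvd comes to mind, but I cannot confirm that from this diff), that is a behaviour change worth stating in the commit message or handling with an explicit "already unprivileged, skip the switch" branch. `setgroups()` needs `<grp.h>` on most platforms and the include block is outside the hunk, so confirm it is present. exec_mailer's body begins and ends outside this hunk.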
@@ -347,6 +357,9 @@ exec_mailer(int pipein) sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to execute %s: %s", mpath, strerror(errno)); _exit(127); +bad: + sudo_debug_exit(__func__, __FILE__, __LINE__, sudo_debug_subsys); + _exit(127); } /* Send a message to the mailto user */ Index: sudo-1.9.17p1/lib/eventlog/eventlog_conf.c =================================================================== --- sudo-1.9.17p1.orig/lib/eventlog/eventlog_conf.c +++ sudo-1.9.17p1/lib/eventlog/eventlog_conf.c @@ -70,6 +70,7 @@ static struct eventlog_config evl_conf = MAXSYSLOGLEN, /* syslog_maxlen */ 0, /* file_maxlen */ ROOT_UID, /* mailuid */ + ROOT_GID, /* mailgid */ false, /* omit_hostname */ _PATH_SUDO_LOGFILE, /* logpath */ "%h %e %T", /* time_fmt */ @@ -151,9 +152,10 @@ eventlog_set_file_maxlen(size_t len) } void -eventlog_set_mailuid(uid_t uid) +eventlog_set_mailuser(uid_t uid, gid_t gid) { evl_conf.mailuid = uid; + evl_conf.mailgid = gid; } void Index: sudo-1.9.17p1/plugins/sudoers/logging.c =================================================================== --- sudo-1.9.17p1.orig/plugins/sudoers/logging.c +++ sudo-1.9.17p1/plugins/sudoers/logging.c @@ -1157,7 +1157,7 @@ init_eventlog_config(void) eventlog_set_syslog_alertpri(def_syslog_badpri); eventlog_set_syslog_maxlen(def_syslog_maxlen); eventlog_set_file_maxlen(def_loglinelen); - eventlog_set_mailuid(ROOT_UID); + eventlog_set_mailuser(ROOT_UID, ROOT_GID); eventlog_set_omit_hostname(!def_log_host); eventlog_set_logpath(def_logfile); eventlog_set_time_fmt(def_log_year ? "%h %e %T %Y" : "%h %e %T"); Index: sudo-1.9.17p1/plugins/sudoers/policy.c =================================================================== --- sudo-1.9.17p1.orig/plugins/sudoers/policy.c +++ sudo-1.9.17p1/plugins/sudoers/policy.c 
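Review bot: The exec-failure path immediately above the new `bad:` label still calls `_exit(127);` directly, so it is now the only error exit in exec_mailer that skips the `sudo_debug_exit()` trace the label was added to centralise; dropping that `_exit(127);` line and letting the code fall through to `bad:` makes every failure path identical. A one-line comment above the label, `/* Common exit for failures in the mailer child; never returns. */`, would document why it exists. exec_mailer's beginning lies outside this hunk.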
@@ -639,7 +639,7 @@ sudoers_policy_deserialize_info(struct s } #ifdef NO_ROOT_MAILER - eventlog_set_mailuid(ctx->user.uid); + eventlog_set_mailuser(ctx->user.uid, ctx->user.gid); #endif /* Dump settings and user info (XXX - plugin args) */
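Review bot: Under `NO_ROOT_MAILER` the mailer now runs with `ctx->user.gid` as its only group, because exec_mailer's new `setgroups(1, &evl_conf->mailgid)` replaces the supplementary group list with just that gid, whereas the removed code never touched the group list and the child kept whatever it inherited. That is the right default for a privilege-dropping path, but it is a visible behaviour change for sites whose mailer relies on a supplementary group (a group-writable spool, say), so it deserves a line in the commit message or in the NO_ROOT_MAILER documentation. If keeping the invoking user's groups were ever wanted, the setter would need to accept a group list rather than a single gid. sudoers_policy_deserialize_info starts and ends outside this hunk.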
