Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package sudo for openSUSE:Factory checked in at 2022-08-25 15:32:59
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/sudo (Old)
 and /work/SRC/openSUSE:Factory/.sudo.new.2083 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "sudo" Thu Aug 25 15:32:59 2022 rev:132 rq:998921 version:1.9.11p3 Changes: -------- --- /work/SRC/openSUSE:Factory/sudo/sudo.changes 2022-08-22 11:04:59.037682040 +0200 +++ /work/SRC/openSUSE:Factory/.sudo.new.2083/sudo.changes 2022-08-25 15:33:01.559915181 +0200 
@@ -1,0 +2,81 @@ +Sat Aug 20 02:04:06 UTC 2022 - Jason Sikes <jsi...@suse.com> + +- Update to 1.9.11p3: + * Changes in Sudo 1.9.11 + * Fixed a crash in the Python module with Python 3.9.10 on some systems. + Additionally, make check now passes for Python 3.9.10. + * Error messages sent via email now include more details, including the file + name and the line number and column of the error. Multiple errors are sent in + a single message. Previously, only the first error was included. + * Fixed logging of parse errors in JSON format. Previously, the JSON logger would + not write entries unless the command and runuser were set. These may not be + known at the time a parse error is encountered. + * Fixed a potential crash parsing sudoers lines larger than twice the value of + LINE_MAX on systems that lack the getdelim() function. + * The tests run by make check now unset the LANGUAGE environment variable. + Otherwise, localization strings will not match if LANGUAGE is set to a + non-English locale. Bug #1025. + * The ???starttime??? test now passed when run under Debian faketime. Bug #1026. + * The Kerberos authentication module now honors the custom password prompt if one + has been specified. + * The embedded copy of zlib has been updated to version 1.2.12. + * Updated the version of libtool used by sudo to version 2.4.7. + * Sudo now defines _TIME_BITS to 64 on systems that define __TIMESIZE in the + header files (currently only GNU libc). This is required to allow the use of + 64-bit time values on some 32-bit systems. + * Sudo???s intercept and log_subcmds options no longer force the command to run in + its own pseudo-terminal. It is now also possible to intercept the system(3) function. + * Fixed a bug in sudo_logsrvd when run in store-first relay mode where the commit + point messages sent by the server were incorrect if the command was suspended + or received a window size change event. 
+ * Fixed a potential crash in sudo_logsrvd when the tls_dhparams configuration + setting was used. + * The intercept and log_subcmds functionality can now use ptrace(2) on Linux + systems that support seccomp(2) filtering. This has the advantage of working + for both static and dynamic binaries and can work with sudo???s SELinux RBAC mode. + The following architectures are currently supported: i386, x86_64, aarch64, arm, + mips (log_subcmds only), powerpc, riscv, and s390x. The default is to use + ptrace(2) where possible; the new intercept_type sudoers setting can be used + to explicitly set the type. + * New Georgian translation from translationproject.org. + * Fixed creating packages on CentOS Stream. + * Fixed a bug in the intercept and log_subcmds support where the execve(2) + wrapper was using the current environment instead of the passed environment + pointer. Bug #1030. + * Added AppArmor integration for Linux. A sudoers rule can now specify an + APPARMOR_PROFILE option to run a command confined by the named AppArmor profile. + * Fixed parsing of the server_log setting in sudo_logsrvd.conf. Non-paths were + being treated as paths and an actual path was treated as an error. + + * Changes in Sudo 1.9.11p1: + * Correctly handle EAGAIN in the I/O read/right events. This fixes a hang seen on + some systems when piping a large amount of data through sudo, such as via rsync. + Bug #963. + * Changes to avoid implementation or unspecified behavior when bit shifting signed + values in the protobuf library. + * Fixed a compilation error on Linux/aarch64. + * Fixed the configure check for seccomp(2) support on Linux. + * Corrected the EBNF specification for tags in the sudoers manual page. + GitHub issue #153. + + * Changes in Sudo 1.9.11p2: + * Fixed a compilation error on Linux/x86_64 with the x32 ABI. + * Fixed a regression introduced in 1.9.11p1 that caused a warning when logging to + sudo_logsrvd if the command returned no output. 
+ + * Changes in Sudo 1.9.11p3: + * Fixed ???connection reset??? errors on AIX when running shell scripts with the intercept + or log_subcmds sudoers options enabled. Bug #1034. + * Fixed very slow execution of shell scripts when the intercept or log_subcmds sudoers + options are set on systems that enable Nagle???s algorithm on the loopback device, + such as AIX. Bug #1034. + + * Modified sudo-sudoers.patch + +- Added sudo-1.9.10-update_sudouser_to_utf8.patch + * [bsc#1197998] + * Enable sudouser LDAP schema to use UTF-8 encodings. + * Sourced from https://github.com/sudo-project/sudo/pull/163 + * Credit to William Brown, william.br...@suse.com + +------------------------------------------------------------------- Old: ---- sudo-1.9.10.tar.gz sudo-1.9.10.tar.gz.sig New: ---- sudo-1.9.10-update_sudouser_to_utf8.patch sudo-1.9.11p3.tar.gz sudo-1.9.11p3.tar.gz.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ sudo.spec ++++++ --- /var/tmp/diff_new_pack.yIB1kq/_old 2022-08-25 15:33:02.275916744 +0200 +++ /var/tmp/diff_new_pack.yIB1kq/_new 2022-08-25 15:33:02.279916753 +0200 @@ -17,7 +17,7 @@ Name: sudo -Version: 1.9.10 +Version: 1.9.11p3 Release: 0 Summary: Execute some commands as root License: ISC @@ -33,6 +33,7 @@ Source7: README_313276.test # PATCH-OPENSUSE: the "SUSE" branding of the default sudo config Patch0: sudo-sudoers.patch +Patch1: sudo-1.9.10-update_sudouser_to_utf8.patch BuildRequires: audit-devel BuildRequires: cyrus-sasl-devel BuildRequires: groff 
@@ -235,13 +236,13 @@ %{_tmpfilesdir}/sudo.conf %files plugin-python -%{_mandir}/man8/sudo_plugin_python.8%{?ext_man} +%{_mandir}/man5/sudo_plugin_python.5%{?ext_man} %{_libexecdir}/%{name}/%{name}/python_plugin.so %files devel %doc plugins/sample/sample_plugin.c %{_includedir}/sudo_plugin.h -%{_mandir}/man8/sudo_plugin.8%{?ext_man} +%{_mandir}/man5/sudo_plugin.5%{?ext_man} %attr(0644,root,root) %{_libexecdir}/%{name}/libsudo_util.so %{_libexecdir}/%{name}/sudo/*.la %{_libexecdir}/%{name}/*.la ++++++ sudo-1.9.10-update_sudouser_to_utf8.patch ++++++ >From 7f9ea23e7447b8e1308fc282cd13b6cf5d39d3c4 Mon Sep 17 00:00:00 2001 From: William Brown <wbr...@suse.de> Date: Mon, 25 Jul 2022 15:21:39 +1000 Subject: [PATCH] Update sudoUser to be utf8 in ldap schemas In most unix-style LDAP servers, uid is a utf8 string defined by OID 1.3.6.1.4.1.1466.115.121.1.15. However, sudoUser was defined as an IA5 String (OID 1.3.6.1.4.1.1466.115.121.1.26) which meant that sudoUser could only represent a subset of possible values. In some cases when using sudoers.ldap, the uid from the machine which was utf8 was fed back into sudo which would then issue a search for sudoUsers. If this uid contained utf8 characters, the ldap server would refuse to match into sudoUsers because these were limited to IA5. This is a safe-forward upgrade as IA5 is a subset of UTF8 meaning that this change will not impact existing deployments and their rules. --- docs/schema.OpenLDAP | 14 +++++++------- docs/schema.iPlanet | 6 +++--- docs/schema.olcSudo | 14 +++++++------- 3 files changed, 17 insertions(+), 17 deletions(-) diff --git a/docs/schema.OpenLDAP b/docs/schema.OpenLDAP index e1d525f84..451c5250a 100644 --- a/docs/schema.OpenLDAP +++ b/docs/schema.OpenLDAP 
@@ -7,9 +7,9 @@ attributetype ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' - EQUALITY caseExactIA5Match - SUBSTR caseExactIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + EQUALITY caseExactMatch + SUBSTR caseExactSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) attributetype ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' @@ -39,14 +39,14 @@ attributetype ( 1.3.6.1.4.1.15953.9.1.5 attributetype ( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + EQUALITY caseExactMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) attributetype ( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + EQUALITY caseExactMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) attributetype ( 1.3.6.1.4.1.15953.9.1.8 NAME 'sudoNotBefore' diff --git a/docs/schema.iPlanet b/docs/schema.iPlanet index e51286436..56ad02bc0 100644 --- a/docs/schema.iPlanet +++ b/docs/schema.iPlanet 
@@ -1,11 +1,11 @@ dn: cn=schema -attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' ) +attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'SUDO' ) attributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' ) attributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' ) attributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo (deprecated)' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' ) attributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' ) -attributeTypes: ( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' ) -attributeTypes: ( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' ) +attributeTypes: ( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'SUDO' ) +attributeTypes: ( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'SUDO' ) attributeTypes: ( 1.3.6.1.4.1.15953.9.1.8 NAME 'sudoNotBefore' DESC 
'Start of time interval for which the entry is valid' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 ) attributeTypes: ( 1.3.6.1.4.1.15953.9.1.9 NAME 'sudoNotAfter' DESC 'End of time interval for which the entry is valid' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 ) attributeTypes: ( 1.3.6.1.4.1.15953.9.1.10 NAME 'sudoOrder' DESC 'an integer to order the sudoRole entries' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) diff --git a/docs/schema.olcSudo b/docs/schema.olcSudo index 8748dfc2a..8948ca4ae 100644 --- a/docs/schema.olcSudo +++ b/docs/schema.olcSudo @@ -9,9 +9,9 @@ cn: sudoschema olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' - EQUALITY caseExactIA5Match - SUBSTR caseExactIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + EQUALITY caseExactMatch + SUBSTR caseExactSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) # olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' @@ -41,14 +41,14 @@ olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.5 olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + EQUALITY caseExactMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) # olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + EQUALITY caseExactMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) # olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.8 NAME 'sudoNotBefore' ++++++ sudo-sudoers.patch ++++++ --- /var/tmp/diff_new_pack.yIB1kq/_old 2022-08-25 15:33:02.367916945 +0200 +++ /var/tmp/diff_new_pack.yIB1kq/_new 2022-08-25 15:33:02.371916954 +0200 
@@ -1,7 +1,7 @@ -Index: sudo-1.9.9/plugins/sudoers/sudoers.in -=================================================================== ---- sudo-1.9.9.orig/plugins/sudoers/sudoers.in -+++ sudo-1.9.9/plugins/sudoers/sudoers.in +diff --git a/plugins/sudoers/sudoers.in b/plugins/sudoers/sudoers.in +index 5efda5d..ddd311a 100644 +--- a/plugins/sudoers/sudoers.in ++++ b/plugins/sudoers/sudoers.in @@ -32,30 +32,23 @@ ## ## Defaults specification @@ -50,12 +50,13 @@ ## Uncomment to use a hard-coded PATH instead of the user's to find commands # Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" ## -@@ -66,9 +59,15 @@ - ## sudoreplay and reboot. Use sudoreplay to play back logged sessions. +@@ -68,10 +61,16 @@ + ## Set maxseq to a smaller number if you don't have unlimited disk space. # Defaults log_output # Defaults!/usr/bin/sudoreplay !log_output -# Defaults!/usr/local/bin/sudoreplay !log_output # Defaults!REBOOT !log_output + # Defaults maxseq = 1000 +## In the default (unconfigured) configuration, sudo asks for the root password. +## This allows use of an ordinary user account for administration of a freshly @@ -67,7 +68,7 @@ ## ## Runas alias specification ## -@@ -84,13 +83,5 @@ root ALL=(ALL:ALL) ALL +@@ -87,13 +86,5 @@ root ALL=(ALL:ALL) ALL ## Same thing without a password # %wheel ALL=(ALL:ALL) NOPASSWD: ALL
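
Review bot: The new sudo.changes entry contains mangled characters and typos that will end up in the package changelog: "???starttime???", "Sudo???s", "sudo???s", "???connection reset???" and "Nagle???s" have lost their quote characters, "I/O read/right events" should read "read/write", and "test now passed" should be "now passes". Replace the lost quotes with ASCII ones. The line "Modified sudo-sudoers.patch" also gives no reason; the sudo-sudoers.patch diff shows a changed header and shifted hunk offsets with a new "# Defaults maxseq = 1000" context line, so say that it was refreshed for the new upstream sudoers.in.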
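
Review bot: In the sudo.spec hunk at @@ -33,6 +33,7 @@, Patch1 is added without a descriptive comment, while Patch0 directly above it carries "# PATCH-OPENSUSE: ...". Add a comment line above Patch1 that states where the patch comes from and what tracks it, using the bsc#1197998 reference and the upstream pull request URL already given in sudo.changes, so the spec shows on its own that this is a backport and when it can be dropped. The file name also keeps a 1.9.10 prefix although it is introduced together with the 1.9.11p3 update, which is worth a word in the comment.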
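
Review bot: The sudo.spec hunk at @@ -235,13 +236,13 @@ moves sudo_plugin_python and sudo_plugin from man8 to man5 in %files, but nothing in the sudo.changes entry mentions this. Add a changelog line for the section change so that anyone looking for the old man8 pages can find out why they moved.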
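
Review bot: The subject and message of sudo-1.9.10-update_sudouser_to_utf8.patch speak only of sudoUser, yet the hunks in schema.OpenLDAP, schema.iPlanet and schema.olcSudo also switch sudoRunAsUser and sudoRunAsGroup to caseExactMatch with syntax 1.3.6.1.4.1.1466.115.121.1.15, while the deprecated sudoRunAs, visible as unchanged context in schema.iPlanet, stays on caseExactIA5Match. State in the message that the run-as attributes are included and whether leaving sudoRunAs on IA5 is intentional. Because sudoUser decides which users a rule applies to, the message should also say how an already deployed directory picks up the changed matching rules, since the patch only touches the schema files under docs/.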