Hello community,

here is the log from the commit of package sudo for openSUSE:Factory checked in 
at 2023-03-01 16:13:33
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/sudo (Old)
 and      /work/SRC/openSUSE:Factory/.sudo.new.31432 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "sudo"

Wed Mar  1 16:13:33 2023 rev:143 rq:1068081 version:1.9.13p2

Changes:
--------
--- /work/SRC/openSUSE:Factory/sudo/sudo.changes        2023-02-25 
19:54:26.679019926 +0100
+++ /work/SRC/openSUSE:Factory/.sudo.new.31432/sudo.changes     2023-03-01 
16:13:37.202465752 +0100
@@ -1,0 +2,12 @@
+Tue Feb 28 01:40:48 UTC 2023 - Jason Sikes <jsi...@suse.com>
+
+- Update to 1.9.13p2:
+
+    Fixed the --enable-static-sudoers option, broken in sudo 1.9.13.
+    GitHub issue #245.
+
+    Fixed a potential double-free bug when matching a sudoers rule
+    that contains a per-command chroot directive (CHROOT=dir).
+    This bug was introduced in sudo 1.9.8. [bsc#1208595]
+
+-------------------------------------------------------------------

Old:
----
  sudo-1.9.13p1.tar.gz
  sudo-1.9.13p1.tar.gz.sig

New:
----
  sudo-1.9.13p2.tar.gz
  sudo-1.9.13p2.tar.gz.sig

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ sudo.spec ++++++
--- /var/tmp/diff_new_pack.f3TL50/_old  2023-03-01 16:13:37.946469600 +0100
+++ /var/tmp/diff_new_pack.f3TL50/_new  2023-03-01 16:13:37.950469620 +0100
@@ -17,7 +17,7 @@
 
 
 Name:           sudo
-Version:        1.9.13p1
+Version:        1.9.13p2
 Release:        0
 Summary:        Execute some commands as root
 License:        ISC

++++++ sudo-1.9.13p1.tar.gz -> sudo-1.9.13p2.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/sudo-1.9.13p1/ChangeLog new/sudo-1.9.13p2/ChangeLog
--- old/sudo-1.9.13p1/ChangeLog 2023-02-16 19:46:48.000000000 +0100
+++ new/sudo-1.9.13p2/ChangeLog 2023-02-25 19:26:12.000000000 +0100
@@ -1,8 +1,48 @@
+2023-02-25  Todd C. Miller  <todd.mil...@sudo.ws>
+
+       * .hgtags:
+       Added tag SUDO_1_9_13p2 for changeset 2db7cee1cb77
+       [b0af73801130] [tip] <1.9>
+
+       * NEWS, configure, configure.ac:
+       Sudo 1.9.13p2.
+       [2db7cee1cb77] [SUDO_1_9_13p2] <1.9>
+
+2023-02-23  Todd C. Miller  <todd.mil...@sudo.ws>
+
+       * lib/util/lbuf.c:
+       Add missing include of errno.h.
+       [65ddd70d0c18] <1.9>
+
+       * lib/util/lbuf.c:
+       sudo_lbuf_expand: check for overflow when rounding to the nearest
+       power of 2. Problem deteced by oss-fuzz using the fuzz_sudoers
+       fuzzer.
+       [9357396fdaa0] <1.9>
+
+       * src/load_plugins.c:
+       Fix --enable-static-sudoers, broken in sudo 1.9.13.
+       sudo_qualify_plugin() should not try to fully-qualify the path to a
+       statically-compiled plugin. GitHub issue #245
+       [eca5f1f6555e] <1.9>
+
+2023-02-21  Todd C. Miller  <todd.mil...@sudo.ws>
+
+       * MANIFEST, plugins/sudoers/match_command.c,
+       plugins/sudoers/regress/fuzz/fuzz_sudoers.c,
+       plugins/sudoers/regress/testsudoers/test20.out.ok,
+       plugins/sudoers/regress/testsudoers/test20.sh,
+       plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c:
+       Fix potential double free for rules that include a CHROOT= option.
+       If a rule with a CHROOT= option matches the user, host and runas,
+       the user_cmnd variable could be freed twice.
+       [2c1477233f48] <1.9>
+
 2023-02-16  Todd C. Miller  <todd.mil...@sudo.ws>
 
        * .hgtags:
        Added tag SUDO_1_9_13p1 for changeset 49e64402924f
-       [97ae12488007] [tip] <1.9>
+       [97ae12488007] <1.9>
 
        * NEWS, configure, configure.ac:
        Merge sudo 1.9.13p1 from tip.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/sudo-1.9.13p1/MANIFEST new/sudo-1.9.13p2/MANIFEST
--- old/sudo-1.9.13p1/MANIFEST  2023-02-14 17:53:02.000000000 +0100
+++ new/sudo-1.9.13p2/MANIFEST  2023-02-25 19:21:47.000000000 +0100
@@ -1052,6 +1052,8 @@
 plugins/sudoers/regress/testsudoers/test2.inc
 plugins/sudoers/regress/testsudoers/test2.out.ok
 plugins/sudoers/regress/testsudoers/test2.sh
+plugins/sudoers/regress/testsudoers/test20.out.ok
+plugins/sudoers/regress/testsudoers/test20.sh
 plugins/sudoers/regress/testsudoers/test3.out.ok
 plugins/sudoers/regress/testsudoers/test3.sh
 plugins/sudoers/regress/testsudoers/test4.out.ok
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/sudo-1.9.13p1/NEWS new/sudo-1.9.13p2/NEWS
--- old/sudo-1.9.13p1/NEWS      2023-02-16 19:43:30.000000000 +0100
+++ new/sudo-1.9.13p2/NEWS      2023-02-25 19:24:29.000000000 +0100
@@ -1,3 +1,12 @@
+What's new in Sudo 1.9.13p2
+
+ * Fixed the --enable-static-sudoers option, broken in sudo 1.9.13.
+   GitHub issue #245.
+
+ * Fixed a potential double-free bug when matching a sudoers rule
+   that contains a per-command chroot directive (CHROOT=dir).  This
+   bug was introduced in sudo 1.9.8.
+
 What's new in Sudo 1.9.13p1
 
  * Fixed a typo in the configure script that resulted in a line
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/sudo-1.9.13p1/configure new/sudo-1.9.13p2/configure
--- old/sudo-1.9.13p1/configure 2023-02-16 19:43:30.000000000 +0100
+++ new/sudo-1.9.13p2/configure 2023-02-25 19:24:29.000000000 +0100
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.72a for sudo 1.9.13p1.
+# Generated by GNU Autoconf 2.72a for sudo 1.9.13p2.
 #
 # Report bugs to <https://bugzilla.sudo.ws/>.
 #
@@ -614,8 +614,8 @@
 # Identity of this package.
 PACKAGE_NAME='sudo'
 PACKAGE_TARNAME='sudo'
-PACKAGE_VERSION='1.9.13p1'
-PACKAGE_STRING='sudo 1.9.13p1'
+PACKAGE_VERSION='1.9.13p2'
+PACKAGE_STRING='sudo 1.9.13p2'
 PACKAGE_BUGREPORT='https://bugzilla.sudo.ws/'
 PACKAGE_URL=''
 
@@ -1636,7 +1636,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-'configure' configures sudo 1.9.13p1 to adapt to many kinds of systems.
+'configure' configures sudo 1.9.13p2 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1702,7 +1702,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of sudo 1.9.13p1:";;
+     short | recursive ) echo "Configuration of sudo 1.9.13p2:";;
    esac
   cat <<\_ACEOF
 
@@ -1993,7 +1993,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-sudo configure 1.9.13p1
+sudo configure 1.9.13p2
 generated by GNU Autoconf 2.72a
 
 Copyright (C) 2023 Free Software Foundation, Inc.
@@ -2671,7 +2671,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by sudo $as_me 1.9.13p1, which was
+It was created by sudo $as_me 1.9.13p2, which was
 generated by GNU Autoconf 2.72a.  Invocation command line was
 
   $ $0$ac_configure_args_raw
@@ -24806,40 +24806,9 @@
 
                        ;;
                    *)
-
-if test ${LIBTLS+y}
-then :
-
-  case " $LIBTLS " in #(
-  *" $f "*) :
-    { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LIBTLS already contains 
\$f"; } >&5
-  (: LIBTLS already contains $f) 2>&5
-  ac_status=$?
-  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-  test $ac_status = 0; } ;; #(
-  *) :
-
-     as_fn_append LIBTLS " $f"
-     { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LIBTLS=\"\$LIBTLS\""; } 
>&5
-  (: LIBTLS="$LIBTLS") 2>&5
-  ac_status=$?
-  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-  test $ac_status = 0; }
-     ;;
-esac
-
-else case e in #(
-  e)
-  LIBTLS=$f
-  { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LIBTLS=\"\$LIBTLS\""; } >&5
-  (: LIBTLS="$LIBTLS") 2>&5
-  ac_status=$?
-  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-  test $ac_status = 0; }
-   ;;
-esac
-fi
-
+                       # Do not use AX_APPEND_FLAG as it will break static 
builds by removing
+                       # duplicates such as -lz or -latomic which are needed 
by -lssl and -lcrypto
+                       LIBTLS="$LIBTLS $f"
                        ;;
                esac
            done
@@ -36027,7 +35996,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by sudo $as_me 1.9.13p1, which was
+This file was extended by sudo $as_me 1.9.13p2, which was
 generated by GNU Autoconf 2.72a.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -36095,7 +36064,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config='$ac_cs_config_escaped'
 ac_cs_version="\\
-sudo config.status 1.9.13p1
+sudo config.status 1.9.13p2
 configured by $0, generated by GNU Autoconf 2.72a,
   with options \\"\$ac_cs_config\\"
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/sudo-1.9.13p1/configure.ac 
new/sudo-1.9.13p2/configure.ac
--- old/sudo-1.9.13p1/configure.ac      2023-02-16 19:43:30.000000000 +0100
+++ new/sudo-1.9.13p2/configure.ac      2023-02-25 19:24:29.000000000 +0100
@@ -18,7 +18,7 @@
 dnl OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 dnl
 AC_PREREQ([2.69])
-AC_INIT([sudo], [1.9.13p1], [https://bugzilla.sudo.ws/], [sudo])
+AC_INIT([sudo], [1.9.13p2], [https://bugzilla.sudo.ws/], [sudo])
 AC_CONFIG_HEADERS([config.h pathnames.h])
 AC_CONFIG_SRCDIR([src/sudo.c])
 AC_CONFIG_AUX_DIR([scripts])
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/sudo-1.9.13p1/lib/util/lbuf.c 
new/sudo-1.9.13p2/lib/util/lbuf.c
--- old/sudo-1.9.13p1/lib/util/lbuf.c   2023-02-14 17:53:02.000000000 +0100
+++ new/sudo-1.9.13p2/lib/util/lbuf.c   2023-02-23 17:14:45.000000000 +0100
@@ -26,6 +26,7 @@
 #include <stdlib.h>
 #include <string.h>
 #include <ctype.h>
+#include <errno.h>
 
 #include "sudo_compat.h"
 #include "sudo_debug.h"
@@ -70,6 +71,7 @@
     debug_decl(sudo_lbuf_expand, SUDO_DEBUG_UTIL);
 
     if (lbuf->len + extra + 1 <= lbuf->len) {
+       errno = ENOMEM;
        sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
            "integer overflow updating lbuf->len");
        lbuf->error = 1;
@@ -80,6 +82,13 @@
        unsigned int new_size = sudo_pow2_roundup(lbuf->len + extra + 1);
        char *new_buf;
 
+       if (new_size < lbuf->size) {
+           errno = ENOMEM;
+           sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
+               "integer overflow updating lbuf->size");
+           lbuf->error = 1;
+           debug_return_bool(false);
+       }
        if (new_size < 1024)
            new_size = 1024;
        if ((new_buf = realloc(lbuf->buf, new_size)) == NULL) {
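Review bot: The new wrap check `if (new_size < lbuf->size)` does not cover a buffer that is still empty: if sudo_pow2_roundup() (not visible here) wraps to 0 for inputs above 2^31, `0 < 0` is false, the `new_size < 1024` fallback then allocates 1024 bytes, and the caller believes `len + extra + 1` bytes fit. Comparing against the requested size instead catches the wrap regardless of the current size: `if (new_size < lbuf->len + extra + 1) {`; the guard in the previous hunk already establishes that this sum itself does not wrap. sudo_lbuf_expand() begins and ends outside this hunk.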
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/sudo-1.9.13p1/plugins/sudoers/match_command.c 
new/sudo-1.9.13p2/plugins/sudoers/match_command.c
--- old/sudo-1.9.13p1/plugins/sudoers/match_command.c   2023-02-14 
17:53:02.000000000 +0100
+++ new/sudo-1.9.13p2/plugins/sudoers/match_command.c   2023-02-25 
19:22:35.000000000 +0100
@@ -818,12 +818,16 @@
        /* Rule-specific runchroot, reset user_cmnd and user_stat. */
        int status;
 
+       /* Save old user_cmnd first, set_cmnd_path() will free it. */
        saved_user_cmnd = user_cmnd;
+       user_cmnd = NULL;
        if (user_stat != NULL)
            saved_user_stat = *user_stat;
        status = set_cmnd_path(runchroot);
-       if (status != FOUND)
+       if (status != FOUND) {
+           user_cmnd = saved_user_cmnd;
            saved_user_cmnd = NULL;
+       }
        if (info != NULL)
            info->status = status;
     }
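Review bot: The restore on the `status != FOUND` path assumes set_cmnd_path() left user_cmnd at NULL, so anything it may have assigned before failing is leaked when `user_cmnd = saved_user_cmnd;` overwrites it; the test stubs in this commit only assign on FOUND, but the real set_cmnd_path() is not visible here. Freeing first is a no-op when that assumption holds and closes the leak otherwise: `free(user_cmnd); user_cmnd = saved_user_cmnd;`. The later cleanup that consumes saved_user_cmnd and restores saved_user_stat, and the start of the enclosing function, lie outside this hunk.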
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/sudo-1.9.13p1/plugins/sudoers/regress/fuzz/fuzz_sudoers.c 
new/sudo-1.9.13p2/plugins/sudoers/regress/fuzz/fuzz_sudoers.c
--- old/sudo-1.9.13p1/plugins/sudoers/regress/fuzz/fuzz_sudoers.c       
2023-02-14 17:53:02.000000000 +0100
+++ new/sudo-1.9.13p2/plugins/sudoers/regress/fuzz/fuzz_sudoers.c       
2023-02-25 19:21:47.000000000 +0100
@@ -45,6 +45,9 @@
 static int fuzz_printf(int msg_type, const char *fmt, ...);
 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
 
+/* For set_cmnd_path() */
+static const char *orig_cmnd;
+
 /* Required to link with parser. */
 struct sudo_user sudo_user;
 struct passwd *list_pw;
@@ -104,8 +107,13 @@
 int
 set_cmnd_path(const char *runchroot)
 {
-    /* Cannot return FOUND without also setting user_cmnd to a new value. */
-    return NOT_FOUND;
+    /* Reallocate user_cmnd to catch bugs in command_matches(). */
+    char *new_cmnd = strdup(orig_cmnd);
+    if (new_cmnd == NULL)
+        return NOT_FOUND_ERROR;
+    free(user_cmnd);
+    user_cmnd = new_cmnd;
+    return FOUND;
 }
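Review bot: The stub frees user_cmnd but leaves user_base untouched, while the init hunk below now derives user_base from user_cmnd via sudo_basename(); if that helper returns a pointer into its argument, as basename-style helpers usually do, user_base dangles after the first FOUND and any basename comparison in command_matches() would read freed memory. Re-deriving it keeps the two in step: add `user_base = sudo_basename(user_cmnd);` after `user_cmnd = new_cmnd;`. The `runchroot` parameter is deliberately ignored here; a one-line comment saying so, `/* runchroot is ignored: the fuzzer never resolves against the chroot. */`, would save the next reader a question.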
 
 /* STUB */
@@ -277,11 +285,12 @@
 
     /* The minimum needed to perform matching (user_cmnd must be dynamic). */
     user_host = user_shost = user_runhost = user_srunhost = (char 
*)"localhost";
-    user_cmnd = strdup("/usr/bin/id");
+    orig_cmnd = (char *)"/usr/bin/id";
+    user_cmnd = strdup(orig_cmnd);
     if (user_cmnd == NULL)
        goto done;
     user_args = (char *)"-u";
-    user_base = (char *)"id";
+    user_base = sudo_basename(user_cmnd);
 
     /* Add a fake network interfaces. */
     interfaces = get_interfaces();
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/sudo-1.9.13p1/plugins/sudoers/regress/testsudoers/test20.out.ok 
new/sudo-1.9.13p2/plugins/sudoers/regress/testsudoers/test20.out.ok
--- old/sudo-1.9.13p1/plugins/sudoers/regress/testsudoers/test20.out.ok 
1970-01-01 01:00:00.000000000 +0100
+++ new/sudo-1.9.13p2/plugins/sudoers/regress/testsudoers/test20.out.ok 
2023-02-25 19:21:47.000000000 +0100
@@ -0,0 +1,15 @@
+Parses OK
+
+Entries for user root:
+
+ALL = CHROOT=/ /bin/ls
+       host  matched
+       runas matched
+       cmnd  allowed
+
+ALL = CWD=/ /bin/pwd
+       host  matched
+       runas matched
+       cmnd  allowed
+
+Command allowed
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/sudo-1.9.13p1/plugins/sudoers/regress/testsudoers/test20.sh 
new/sudo-1.9.13p2/plugins/sudoers/regress/testsudoers/test20.sh
--- old/sudo-1.9.13p1/plugins/sudoers/regress/testsudoers/test20.sh     
1970-01-01 01:00:00.000000000 +0100
+++ new/sudo-1.9.13p2/plugins/sudoers/regress/testsudoers/test20.sh     
2023-02-25 19:21:47.000000000 +0100
@@ -0,0 +1,18 @@
+#!/bin/sh
+#
+# Verify CHROOT and CWD support
+# This will catch an unpatched double-free in set_cmnd_path() under ASAN.
+#
+
+: ${TESTSUDOERS=testsudoers}
+
+exec 2>&1
+
+# Exercise double free of user_cmnd in set_cmnd_path() under ASAN.
+# We need more than one rule where the last rule matches and has CHROOT.
+$TESTSUDOERS root /bin/ls <<'EOF'
+root ALL = CWD=/ /bin/pwd
+root ALL = CHROOT=/ /bin/ls
+EOF
+
+exit 0
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/sudo-1.9.13p1/plugins/sudoers/testsudoers.c 
new/sudo-1.9.13p2/plugins/sudoers/testsudoers.c
--- old/sudo-1.9.13p1/plugins/sudoers/testsudoers.c     2023-02-14 
17:53:02.000000000 +0100
+++ new/sudo-1.9.13p2/plugins/sudoers/testsudoers.c     2023-02-25 
19:21:47.000000000 +0100
@@ -82,6 +82,7 @@
  */
 struct sudo_user sudo_user;
 struct passwd *list_pw;
+static const char *orig_cmnd;
 static char *runas_group, *runas_user;
 
 #if defined(SUDO_DEVEL) && defined(__OpenBSD__)
@@ -203,14 +204,18 @@
        if (!dflag)
            usage();
        user_name = argc ? *argv++ : (char *)"root";
-       user_cmnd = user_base = (char *)"true";
+       orig_cmnd = "true";
        argc = 0;
     } else {
        user_name = *argv++;
-       user_cmnd = *argv++;
-       user_base = sudo_basename(user_cmnd);
+       orig_cmnd = *argv++;
        argc -= 2;
     }
+    user_cmnd = strdup(orig_cmnd);
+    if (user_cmnd == NULL)
+       sudo_fatalx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+    user_base = sudo_basename(user_cmnd);
+
     if ((sudo_user.pw = sudo_getpwnam(user_name)) == NULL)
        sudo_fatalx(U_("unknown user %s"), user_name);
 
@@ -509,8 +514,13 @@
 int
 set_cmnd_path(const char *runchroot)
 {
-    /* Cannot return FOUND without also setting user_cmnd to a new value. */
-    return NOT_FOUND;
+    /* Reallocate user_cmnd to catch bugs in command_matches(). */
+    char *new_cmnd = strdup(orig_cmnd);
+    if (new_cmnd == NULL)
+       return NOT_FOUND_ERROR;
+    free(user_cmnd);
+    user_cmnd = new_cmnd;
+    return FOUND;
 }
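Review bot: user_base, set from `sudo_basename(user_cmnd)` in the earlier hunk, is not refreshed when this stub frees and replaces user_cmnd; if sudo_basename() returns a pointer into its argument, user_base points into freed memory from the first FOUND onwards, and the new test20 run under ASAN is where that would surface if command_matches() reads user_base on that path. Add `user_base = sudo_basename(user_cmnd);` after `user_cmnd = new_cmnd;`, mirroring the fuzz_sudoers.c stub so both harnesses stay consistent.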
 
 static bool
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/sudo-1.9.13p1/plugins/sudoers/visudo.c 
new/sudo-1.9.13p2/plugins/sudoers/visudo.c
--- old/sudo-1.9.13p1/plugins/sudoers/visudo.c  2023-02-14 17:53:06.000000000 
+0100
+++ new/sudo-1.9.13p2/plugins/sudoers/visudo.c  2023-02-25 19:21:47.000000000 
+0100
@@ -260,7 +260,9 @@
     }
 
     /* Mock up a fake sudo_user struct. */
-    user_cmnd = user_base = (char *)"";
+    user_cmnd = user_base = strdup("true");
+    if (user_cmnd == NULL)
+       sudo_fatalx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
     if (geteuid() == 0) {
        const char *user = getenv("SUDO_USER");
        if (user != NULL && *user != '\0')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/sudo-1.9.13p1/src/load_plugins.c 
new/sudo-1.9.13p2/src/load_plugins.c
--- old/sudo-1.9.13p1/src/load_plugins.c        2023-02-14 17:53:02.000000000 
+0100
+++ new/sudo-1.9.13p2/src/load_plugins.c        2023-02-23 17:09:38.000000000 
+0100
@@ -55,6 +55,8 @@
                errno = ENAMETOOLONG;
                goto bad;
            }
+           /* Plugin is static, do not fully-qualify. */
+           debug_return_bool(true);
        }
 #endif /* STATIC_SUDOERS_PLUGIN */
 
