From 6163122a67772a42f678e074b078cba81df14abf Mon Sep 17 00:00:00 2001 From: taca Date: Mon, 20 Feb 2023 13:36:42 +0000 Subject: [PATCH] security/sudo: update to 1.9.13p1 pkgsrc change: avoid use empty in options.mk. What's new in Sudo 1.9.13 (2023-02-14) * Fixed a bug running relative commands via sudo when "log_subcmds" is enabled. GitHub issue #194. * Fixed a signal handling bug when running sudo commands in a shell script. Signals were not being forwarded to the command when the sudo process was not run in its own process group. * Fixed a bug in cvtsudoers' LDIF parsing when the file ends without a newline and a backslash is the last character of the file. * Fixed a potential use-after-free bug with cvtsudoers filtering. GitHub issue #198. * Added a reminder to the default lecture that the password will not echo. This line is only displayed when the pwfeedback option is disabled. GitHub issue #195. * Fixed potential memory leaks in error paths. GitHub issues #199, #202. * Fixed potential NULL dereferences on memory allocation failure. GitHub issues #204, #211. * Sudo now uses C23-style attributes in function prototypes instead of gcc-style attributes if supported. * Added a new "list" pseudo-command in sudoers to allow a user to list another user's privileges. Previously, only root or a user with the ability to run any command as either root or the target user on the current host could use the -U option. This also includes a fix to the log entry when a user lacks permission to run "sudo -U otheruser -l command". Previously, the logs would indicate that the user tried to run the actual command, now the log entry includes the list operation. * JSON logging now escapes control characters if they happen to appear in the command or environment. * New Albanian translation from translationproject.org. * Regular expressions in sudoers or logsrvd.conf may no longer contain consecutive repetition operators. This is implementation- specific behavior according to POSIX, but some implementations will allocate excessive amounts of memory. This mainly affects the fuzzers. * Sudo now builds AIX-style shared libraries and dynamic shared objects by default instead of svr4-style. This means that the default sudo plugins are now .a (archive) files that contain a .so shared object file instead of bare .so files. This was done to improve compatibility with the AIX Freeware ecosystem, specifically, the AIX Freeware build of OpenSSL. Sudo will still load svr4-style .so plugins and if a .so file is requested, either via sudo.conf or the sudoers file, and only the .a file is present, sudo will convert the path from plugin.so to plugin.a(plugin.so) when loading it. This ensures compatibility with existing configurations. To restore the old, pre-1.9.13 behavior, run configure using the --with-aix-soname=svr4 option. * Sudo no longer checks the ownership and mode of the plugins that it loads. Plugins are configured via either the sudo.conf or sudoers file which are trusted configuration files. These checks suffered from time-of-check vs. time-of-use race conditions and complicate loading plugins that are not simple paths. Ownership and mode checks are still performed when loading the sudo.conf and sudoers files, which do not suffer from race conditions. The sudo.conf "developer_mode" setting is no longer used. * Control characters in sudo log messages and "sudoreplay -l" output are now escaped in octal format. Space characters in the command path are also escaped. Command line arguments that contain spaces are surrounded by single quotes and any literal single quote or backslash characters are escaped with a backslash. This makes it possible to distinguish multiple command line arguments from a single argument that contains spaces. * Improved support for DragonFly BSD which uses a different struct procinfo than either FreeBSD or 4.4BSD. * Fixed a compilation error on Linux arm systems running older kernels that may not define EM_ARM in linux/elf-em.h. GitHub issue #232. * Fixed a compilation error when LDFLAGS contains -Wl,--no-undefined. Sudo will now link using -Wl,--no-undefined by default if possible. GitHub issue #234. * Fixed a bug executing a command with a very long argument vector when "log_subcmds" or "intercept" is enabled on a system where "intercept_type" is set to "trace". GitHub issue #194. * When sudo is configured to run a command in a pseudo-terminal but the standard input is not connected to a terminal, the command will now be run as a background process. This works around a problem running sudo commands in the background from a shell script where changing the terminal to raw mode could interfere with the interactive shell that ran the script. GitHub issue #237. * A missing include file in sudoers is no longer a fatal error unless the error_recovery plugin argument has been set to false. What's new in Sudo 1.9.13p1 (2023-02-17) * Fixed a typo in the configure script that resulted in a line like "]: command not found" in the output. GitHub issue #238. * Corrected the order of the C23 [[noreturn]] attribute in function prototypes. This fixes a build error with GCC 13. GitHub issue #239. * The "check" make target misbehaved when there was more than one version of the UTF-8 C locale in the output of "locale -a". GitHub issue #241. * Removed a dependency on the AC_SYS_YEAR2038 macro in configure.ac. This was added in autoconf 2.72 but sudo's configure.ac only required autoconf 2.70. * Relaxed the autoconf version requirement to version 2.69. --- security/sudo/Makefile | 4 +-- security/sudo/PLIST | 4 ++- security/sudo/distinfo | 10 +++---- security/sudo/options.mk | 12 ++++----- security/sudo/patches/patch-configure | 38 ++++++++++----------------- 5 files changed, 30 insertions(+), 38 deletions(-) diff --git a/security/sudo/Makefile b/security/sudo/Makefile index 028b757d98ff..948f1419786a 100644 --- a/security/sudo/Makefile +++ b/security/sudo/Makefile @@ -1,6 +1,6 @@ -# $NetBSD: Makefile,v 1.194 2023/02/06 14:35:32 taca Exp $ +# $NetBSD: Makefile,v 1.195 2023/02/20 13:36:42 taca Exp $ -DISTNAME= sudo-1.9.12p2 +DISTNAME= sudo-1.9.13p1 CATEGORIES= security MASTER_SITES= https://www.sudo.ws/dist/ MASTER_SITES+= ftp://ftp.sudo.ws/pub/sudo/ diff --git a/security/sudo/PLIST b/security/sudo/PLIST index aff37c104759..e4820465a4c3 100644 --- a/security/sudo/PLIST +++ b/security/sudo/PLIST @@ -1,4 +1,4 @@ -@comment $NetBSD: PLIST,v 1.23 2022/10/24 10:29:19 adam Exp $ +@comment $NetBSD: PLIST,v 1.24 2023/02/20 13:36:42 taca Exp $ bin/cvtsudoers bin/sudo bin/sudoedit @@ -82,6 +82,7 @@ ${PLIST.nls}share/locale/it/LC_MESSAGES/sudoers.mo ${PLIST.nls}share/locale/ja/LC_MESSAGES/sudo.mo ${PLIST.nls}share/locale/ja/LC_MESSAGES/sudoers.mo ${PLIST.nls}share/locale/ka/LC_MESSAGES/sudo.mo +${PLIST.nls}share/locale/ka/LC_MESSAGES/sudoers.mo ${PLIST.nls}share/locale/ko/LC_MESSAGES/sudo.mo ${PLIST.nls}share/locale/ko/LC_MESSAGES/sudoers.mo ${PLIST.nls}share/locale/lt/LC_MESSAGES/sudoers.mo @@ -104,6 +105,7 @@ ${PLIST.nls}share/locale/sk/LC_MESSAGES/sudo.mo ${PLIST.nls}share/locale/sk/LC_MESSAGES/sudoers.mo ${PLIST.nls}share/locale/sl/LC_MESSAGES/sudo.mo ${PLIST.nls}share/locale/sl/LC_MESSAGES/sudoers.mo +${PLIST.nls}share/locale/sq/LC_MESSAGES/sudo.mo ${PLIST.nls}share/locale/sr/LC_MESSAGES/sudo.mo ${PLIST.nls}share/locale/sr/LC_MESSAGES/sudoers.mo ${PLIST.nls}share/locale/sv/LC_MESSAGES/sudo.mo diff --git a/security/sudo/distinfo b/security/sudo/distinfo index 156c1708a80f..f47f74f9f6ca 100644 --- a/security/sudo/distinfo +++ b/security/sudo/distinfo @@ -1,10 +1,10 @@ -$NetBSD: distinfo,v 1.126 2023/02/06 14:35:32 taca Exp $ +$NetBSD: distinfo,v 1.127 2023/02/20 13:36:42 taca Exp $ -BLAKE2s (sudo-1.9.12p2.tar.gz) = cb2f434ec3754978898471bba89a2f4ffa8e342ab9d8ad4b8a32995fb0c53f37 -SHA512 (sudo-1.9.12p2.tar.gz) = 5e035246137d5820691f7ddfc13faec3886e3cf1563ed56633667d86ab4f1306f34cc0e27808f56790b6c6a4614826e54c5b7e47b31eb009b96dde3e52170c45 -Size (sudo-1.9.12p2.tar.gz) = 4909431 bytes +BLAKE2s (sudo-1.9.13p1.tar.gz) = 86072cd188bf529e089ebb53d491179b6c6521b5d0fea0c3c9fc0bb965b831af +SHA512 (sudo-1.9.13p1.tar.gz) = 4d19f06c4a592dac9a1a7feca6cc751093151af32313d9d579e2485fc6530a4340ec29cc2892b29dedf2a6aca3e91fb0bbf94bbfb6530f249c58430b83139044 +Size (sudo-1.9.13p1.tar.gz) = 5096455 bytes SHA1 (patch-Makefile.in) = 1a83c55d27829013e2e23073046c5c39b020fafe -SHA1 (patch-configure) = da1f0d89f7dc5d56734fc69f190189ccdfc8b043 +SHA1 (patch-configure) = 0f73f860ae4fd9a0031aa8b0c22a93df776e7ad6 SHA1 (patch-examples_Makefile.in) = a20967ecd88eb5e4a8b47e6a3b80bc18be713409 SHA1 (patch-lib_logsrv_Makefile.in) = 301c317c806edeee8ce7b44a5431cd38defb3a54 SHA1 (patch-lib_protobuf-c_Makefile.in) = 122e432fb0da36b998778a1b71130f0c3785f575 diff --git a/security/sudo/options.mk b/security/sudo/options.mk index 237e682f8dc0..a0af4af28747 100644 --- a/security/sudo/options.mk +++ b/security/sudo/options.mk @@ -1,4 +1,4 @@ -# $NetBSD: options.mk,v 1.23 2019/11/04 21:13:03 rillig Exp $ +# $NetBSD: options.mk,v 1.24 2023/02/20 13:36:42 taca Exp $ PKG_OPTIONS_VAR= PKG_OPTIONS.sudo PKG_SUPPORTED_OPTIONS= ldap nls @@ -15,7 +15,7 @@ PKG_SUGGESTED_OPTIONS.Darwin= pam PLIST_VARS+= ldap nls -.if !empty(PKG_OPTIONS:Mnls) +.if ${PKG_OPTIONS:Mnls} . include "../../devel/gettext-lib/buildlink3.mk" CONFIGURE_ARGS+= --enable-nls PLIST.nls= yes @@ -23,7 +23,7 @@ PLIST.nls= yes CONFIGURE_ARGS+= --disable-nls .endif -.if !empty(PKG_OPTIONS:Mpam) +.if ${PKG_OPTIONS:Mpam} . include "../../mk/pam.buildlink3.mk" DL_AUTO_VARS= yes CONFIGURE_ARGS+= --with-pam @@ -31,7 +31,7 @@ CONFIGURE_ARGS+= --with-pam CONFIGURE_ARGS+= --without-pam .endif -.if !empty(PKG_OPTIONS:Mkerberos) +.if ${PKG_OPTIONS:Mkerberos} . include "../../mk/krb5.buildlink3.mk" CONFIGURE_ARGS+= --without-kerb4 CONFIGURE_ARGS+= --with-kerb5 @@ -39,7 +39,7 @@ CONFIGURE_ARGS+= --with-kerb5 CONFIGURE_ARGS+= --without-kerb5 .endif -.if !empty(PKG_OPTIONS:Mldap) +.if ${PKG_OPTIONS:Mldap} . include "../../databases/openldap-client/buildlink3.mk" . include "../../security/cyrus-sasl/buildlink3.mk" DL_AUTO_VARS= yes @@ -48,7 +48,7 @@ CONFIGURE_ARGS+= --with-ldap-conf-file=${PKG_SYSCONFDIR}/ldap.conf PLIST.ldap= yes .endif -.if !empty(PKG_OPTIONS:Mskey) +.if ${PKG_OPTIONS:Mskey} CONFIGURE_ARGS+= --with-skey .else CONFIGURE_ARGS+= --without-skey diff --git a/security/sudo/patches/patch-configure b/security/sudo/patches/patch-configure index 3137199d5c13..2f7d86cdfbb5 100644 --- a/security/sudo/patches/patch-configure +++ b/security/sudo/patches/patch-configure @@ -1,15 +1,14 @@ -$NetBSD: patch-configure,v 1.9 2022/07/05 11:01:38 adam Exp $ +$NetBSD: patch-configure,v 1.10 2023/02/20 13:36:42 taca Exp $ * Add "--with-nbsdops" option, NetBSD standard options. -* Link with util(3) in the case of DragonFly, too. * When specified "--with-kerb5" option, test existence of several functions even if there is krb5-config. krb5-config dosen't give all definitions for functions (HAVE_KRB5_*). * Remove setting sysconfdir to "/etc". ---- configure.orig 2022-06-20 22:58:38.000000000 +0000 +--- configure.orig 2023-02-16 18:43:30.000000000 +0000 +++ configure -@@ -940,6 +940,7 @@ with_incpath +@@ -935,6 +935,7 @@ with_incpath with_libpath with_libraries with_csops @@ -17,7 +16,7 @@ $NetBSD: patch-configure,v 1.9 2022/07/05 11:01:38 adam Exp $ with_passwd with_skey with_opie -@@ -1677,7 +1678,7 @@ Fine tuning of the installation director +@@ -1673,7 +1674,7 @@ Fine tuning of the installation director --bindir=DIR user executables [EPREFIX/bin] --sbindir=DIR system admin executables [EPREFIX/sbin] --libexecdir=DIR program executables [EPREFIX/libexec] @@ -26,7 +25,7 @@ $NetBSD: patch-configure,v 1.9 2022/07/05 11:01:38 adam Exp $ --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] --localstatedir=DIR modifiable single-machine data [PREFIX/var] --runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run] -@@ -1805,6 +1806,7 @@ Optional Packages: +@@ -1802,6 +1803,7 @@ Optional Packages: --with-libpath additional places to look for libraries --with-libraries additional libraries to link with --with-csops add CSOps standard options @@ -34,7 +33,7 @@ $NetBSD: patch-configure,v 1.9 2022/07/05 11:01:38 adam Exp $ --without-passwd don't use passwd/shadow file for authentication --with-skey[=DIR] enable S/Key support --with-opie[=DIR] enable OPIE support -@@ -5230,6 +5232,23 @@ fi +@@ -5290,6 +5292,23 @@ fi @@ -58,7 +57,7 @@ $NetBSD: patch-configure,v 1.9 2022/07/05 11:01:38 adam Exp $ # Check whether --with-passwd was given. if test ${with_passwd+y} then : -@@ -17818,7 +17837,7 @@ fi +@@ -18196,7 +18215,7 @@ fi : ${mansectform='4'} : ${mansectmisc='5'} ;; @@ -67,29 +66,20 @@ $NetBSD: patch-configure,v 1.9 2022/07/05 11:01:38 adam Exp $ shadow_funcs="getspnam" test -z "$with_pam" && AUTH_EXCL_DEF="PAM" # Check for SECCOMP_MODE_FILTER in linux/seccomp.h -@@ -19760,7 +19779,7 @@ then : - LOGINCAP_USAGE='[-c class] '; LCMAN=1 - with_logincap=yes - case "$OS" in -- freebsd*|netbsd*) -+ dragonfly*|freebsd*|netbsd*) - SUDO_LIBS="${SUDO_LIBS} -lutil" - SUDOERS_LIBS="${SUDOERS_LIBS} -lutil" - ;; -@@ -27964,6 +27983,8 @@ fi - rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext - AUTH_OBJS="$AUTH_OBJS kerb5.lo" - fi +@@ -29486,6 +29505,8 @@ rm -f core conftest.err conftest.$ac_obj + ;; + esac + fi +fi +if test ${with_kerb5-'no'} != "no"; then _LIBS="$LIBS" LIBS="${LIBS} ${SUDOERS_LIBS}" ac_fn_c_check_func "$LINENO" "krb5_verify_user" "ac_cv_func_krb5_verify_user" -@@ -32536,7 +32557,6 @@ test "$docdir" = '${datarootdir}/doc/${P +@@ -35492,7 +35513,6 @@ test "$docdir" = '${datarootdir}/doc/${P test "$localedir" = '${datarootdir}/locale' && localedir='$(datarootdir)/locale' test "$localstatedir" = '${prefix}/var' && localstatedir='$(prefix)/var' test "$runstatedir" = '${localstatedir}/run' && runstatedir='$(localstatedir)/run' -test "$sysconfdir" = '${prefix}/etc' && sysconfdir='/etc' - if test X"$INIT_SCRIPT" != X""; then - ac_config_files="$ac_config_files etc/init.d/$INIT_SCRIPT" + if test X"$INIT_SCRIPT" != X"" + then :