diff -Nru sudo-1.8.9p4/ChangeLog sudo-1.8.9p5/ChangeLog --- sudo-1.8.9p4/ChangeLog 2014-01-15 13:21:07.000000000 +0000 +++ sudo-1.8.9p5/ChangeLog 2014-02-04 13:47:35.000000000 +0000 @@ -1,3 +1,38 @@ +2014-02-04 Todd C. Miller + + * NEWS, configure, configure.ac: + Update for sudo 1.8.9p5 + [3ee678307ef4] <1.8> + + * src/preserve_fds.c: + When the closefrom limit is greater than any of the preserved fds, + the pfds list will be non-empty but lastfd will be -1 triggering an + ecalloc(0) assertion. Instead, test for lastfd being -1 and make + sure we always update it, even if dup() fails. Also restore initial + value of lowfd after we are done relocating. Fixes bug #633 + [a11206a31f28] + +2014-01-30 Todd C. Miller + + * common/atomode.c: + Zero out errstr when there is no error; fixes bug #632 + [74950ef1a0dc] + +2014-01-24 Todd C. Miller + + * include/missing.h: + Fix typo, ULONG_MAX vs. ULLONG_MAX + [5d274daa9fb1] + + * plugins/sudoers/sudo_nss.c: + Fix typo in the AIX case. + [ee531c950fce] + + * plugins/sudoers/sudo_nss.c: + Size pointer for sudo_parseln() should be size_t not ssize_t. This + was already correct for the nsswitch.conf case. + [cfaf895c1db4] + 2014-01-15 Todd C. Miller * NEWS, configure, configure.ac: diff -Nru sudo-1.8.9p4/NEWS sudo-1.8.9p5/NEWS --- sudo-1.8.9p4/NEWS 2014-01-15 13:02:28.000000000 +0000 +++ sudo-1.8.9p5/NEWS 2014-02-04 13:37:48.000000000 +0000 
@@ -1,3 +1,12 @@ +What's new in Sudo 1.8.9p5? + + * Fixed a compilation error on AIX when LDAP support is enabled. + + * Fixed parsing of the "umask" defaults setting in sudoers. Bug #632. + + * Fixed a failed assertion when the "closefrom_override" defaults + setting is enabled in sudoers and sudo's -C flag is used. Bug #633. + What's new in Sudo 1.8.9p4? * Fixed a bug where sudo could consume large amounts of CPU while diff -Nru sudo-1.8.9p4/common/atomode.c sudo-1.8.9p5/common/atomode.c --- sudo-1.8.9p4/common/atomode.c 2014-01-07 18:08:50.000000000 +0000 +++ sudo-1.8.9p5/common/atomode.c 2014-01-30 20:41:00.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2013 Todd C. Miller + * Copyright (c) 2013-2014 Todd C. Miller * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -62,5 +62,7 @@ errno = ERANGE; debug_return_int(0); } + if (errstr != NULL) + *errstr = NULL; debug_return_int((int)lval); } diff -Nru sudo-1.8.9p4/configure sudo-1.8.9p5/configure --- sudo-1.8.9p4/configure 2014-01-15 13:02:29.000000000 +0000 +++ sudo-1.8.9p5/configure 2014-02-04 13:38:35.000000000 +0000 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for sudo 1.8.9p4. +# Generated by GNU Autoconf 2.69 for sudo 1.8.9p5. # # Report bugs to . # @@ -590,8 +590,8 @@ # Identity of this package. PACKAGE_NAME='sudo' PACKAGE_TARNAME='sudo' -PACKAGE_VERSION='1.8.9p4' -PACKAGE_STRING='sudo 1.8.9p4' +PACKAGE_VERSION='1.8.9p5' +PACKAGE_STRING='sudo 1.8.9p5' PACKAGE_BUGREPORT='http://www.sudo.ws/bugs/' PACKAGE_URL='' 
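Review bot: In common/atomode.c (hunk @@ -62,5 +62,7 @@) the added `if (errstr != NULL) *errstr = NULL;` makes the success path define the out-parameter, but nothing visible states that contract, and any caller that decides success by testing the pointer depends on it. I would add a comment above the new lines, `/* Success: clear *errstr so callers that test it never see a stale or uninitialized pointer. */`, and say in the function's header comment that `*errstr` is NULL on success. The function starts outside the hunk, so it cannot be confirmed from here that the error returns (such as the `errno = ERANGE` path shown as context) apply the same `errstr != NULL` guard before storing a message. That is worth checking, because an unguarded store there would dereference NULL for callers that pass no errstr.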
@@ -1498,7 +1498,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures sudo 1.8.9p4 to adapt to many kinds of systems. +\`configure' configures sudo 1.8.9p5 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1563,7 +1563,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of sudo 1.8.9p4:";; + short | recursive ) echo "Configuration of sudo 1.8.9p5:";; esac cat <<\_ACEOF @@ -1793,7 +1793,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -sudo configure 1.8.9p4 +sudo configure 1.8.9p5 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2502,7 +2502,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by sudo $as_me 1.8.9p4, which was +It was created by sudo $as_me 1.8.9p5, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -22766,7 +22766,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by sudo $as_me 1.8.9p4, which was +This file was extended by sudo $as_me 1.8.9p5, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -22832,7 +22832,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -sudo config.status 1.8.9p4 +sudo config.status 1.8.9p5 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -Nru sudo-1.8.9p4/configure.ac sudo-1.8.9p5/configure.ac --- sudo-1.8.9p4/configure.ac 2014-01-15 13:02:29.000000000 +0000 +++ sudo-1.8.9p5/configure.ac 2014-02-04 13:38:14.000000000 +0000 
@@ -4,7 +4,7 @@ dnl Copyright (c) 1994-1996,1998-2014 Todd C. Miller dnl AC_PREREQ([2.59]) -AC_INIT([sudo], [1.8.9p4], [http://www.sudo.ws/bugs/], [sudo]) +AC_INIT([sudo], [1.8.9p5], [http://www.sudo.ws/bugs/], [sudo]) AC_CONFIG_HEADER([config.h pathnames.h]) AC_CONFIG_SRCDIR([src/sudo.c]) dnl diff -Nru sudo-1.8.9p4/debian/changelog sudo-1.8.9p5/debian/changelog --- sudo-1.8.9p4/debian/changelog 2014-02-03 20:41:28.000000000 +0000 +++ sudo-1.8.9p5/debian/changelog 2014-02-10 18:45:19.000000000 +0000 @@ -1,3 +1,34 @@ +sudo (1.8.9p5-1ubuntu1) trusty; urgency=low + + * Merge from Debian unstable. Remaining changes: + - debian/rules: + + compile with --without-lecture --with-tty-tickets --enable-admin-flag + + install man/man8/sudo_root.8 in both flavours + + install apport hooks + - debian/sudoers: + + also grant admin group sudo access + - debian/source_sudo.py, debian/sudo-ldap.dirs, debian/sudo.dirs: + + add usr/share/apport/package-hooks + - debian/sudo.pam: + + Use pam_env to read /etc/environment and /etc/default/locale + environment files. Reading ~/.pam_environment is not permitted due to + security reasons. + - debian/control: + + dh-autoreconf dependency fixes missing-build-dependency-for-dh_-command + - Remaining patches: + + keep_home_by_default.patch: Keep HOME in the default environment + + actually-use-buildflags: Pass LDFLAGS everywhere + + add_probe_interfaces_setting.diff: option to disable network inf probe + * add_probe_interfaces_setting.diff: fix to not modify NEWS file. + + -- Chris J Arges Mon, 10 Feb 2014 12:21:53 -0600 + +sudo (1.8.9p5-1) unstable; urgency=low + + * new upstream release, closes: #735328 + + -- Bdale Garbee Tue, 04 Feb 2014 11:46:19 -0700 + sudo (1.8.9p4-1ubuntu2) trusty; urgency=medium * Enable and refresh: actually-use-buildflags: Pass LDFLAGS everywhere 
@@ -1424,98 +1455,54 @@ -- Bdale Garbee Thu, 29 Aug 1996 11:44:22 +0200 Tue Mar 5 09:36:41 MET 1996 Michael Meskes - sudo (1.4.1-1): - * hard code SECURE_PATH to: "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" - * enable ENV_EDITOR - * enabled EXEMPTGROUP "sudo" - * moved timestamp dir to /var/log/sudo - * changed parser to check for long and short filenames (Bug#1162) - Wed Apr 17 13:03:31 MET DST 1996 Michael Meskes - sudo (1.4.2-1): - * New upstream source - * Fixed postinst script (thanks to Peter Tobis ) - * Removed special shadow binary. This version works with and without shadow password file. - Mon May 20 09:35:22 MET DST 1996 Michael Meskes - sudo (1.4.2-2): - * Corrected editor path to /bin/ae (Bug#3062) - * Set file permission to 4755 for sudo and 755 for visudo (Bug#3063) - Mon Jun 17 12:06:41 MET DST 1996 Michael Meskes - sudo (1.4.3-1): - * New upstream version - * Changed sudoers permission to 440 (owner root, group root) to make sudo usable via NFS - Wed Jun 19 10:56:54 MET DST 1996 Michael Meskes - sudo (1.4.3-2): - * Applied upstream patch 1 - Thu Jun 20 09:02:57 MET DST 1996 Michael Meskes - sudo (1.4.3-3): - * Applied upstream patch 2 - Fri Jun 28 12:49:40 MET DST 1996 Michael Meskes - sudo (1.4.3-4): - * Applied upstream patch 3 (fixes problems with an NFS-mounted sudoers file) - - Sun Jun 30 13:02:44 MET DST 1996 Michael Meskes - sudo (1.4.3-5): - * Corrected postinst to use /usr/bin/perl instead of /bin/perl [Reported by jdassen@wi.leidenuniv.nl (J.H.M.Dassen)] - Wed Jul 10 12:44:33 MET DST 1996 Michael Meskes - sudo (1.4.3-6): - * Applied upstream patch 4 (fixes several bugs) - * Changed priority to optional - Thu Jul 11 19:23:52 MET DST 1996 Michael Meskes - sudo (1.4.3-7): - * Corrected postinst to create correct permission for /etc/sudoers (Bug#3749) - Fri Aug 2 10:50:53 MET DST 1996 Michael Meskes - sudo (1.4.4-1): - * New upstream version - - sudo (1.4.4-2) admin; urgency=HIGH * Fixed major security bug reported by Peter 
Tobias @@ -1526,3 +1513,4 @@ * New upstream version * Minor changes to debian.rules + diff -Nru sudo-1.8.9p4/debian/patches/add_probe_interfaces_setting.diff sudo-1.8.9p5/debian/patches/add_probe_interfaces_setting.diff --- sudo-1.8.9p4/debian/patches/add_probe_interfaces_setting.diff 2014-01-28 11:03:14.000000000 +0000 +++ sudo-1.8.9p5/debian/patches/add_probe_interfaces_setting.diff 2014-02-10 18:22:35.000000000 +0000 @@ -7,19 +7,6 @@ It is now possible to disable network interface probing in sudo.conf by changing the value of the probe_interfaces setting. -diff -r 1559c301caec -r e9dc28c7db60 NEWS ---- a/NEWS Wed Jan 22 20:48:49 2014 -0700 -+++ b/NEWS Thu Jan 23 14:52:54 2014 -0700 -@@ -1,3 +1,9 @@ -+What's new in Sudo 1.8.10? -+ -+ * It is now possible to disable network interface probing in -+ sudo.conf by changing the value of the probe_interfaces -+ setting. -+ - What's new in Sudo 1.8.9p4? - - * Fixed a bug where sudo could consume large amounts of CPU while diff -r 1559c301caec -r e9dc28c7db60 common/sudo_conf.c --- a/common/sudo_conf.c Wed Jan 22 20:48:49 2014 -0700 +++ b/common/sudo_conf.c Thu Jan 23 14:52:54 2014 -0700 diff -Nru sudo-1.8.9p4/include/missing.h sudo-1.8.9p5/include/missing.h --- sudo-1.8.9p4/include/missing.h 2014-01-07 18:08:51.000000000 +0000 +++ sudo-1.8.9p5/include/missing.h 2014-01-30 20:40:53.000000000 +0000 @@ -140,7 +140,7 @@ # endif #endif -#ifndef ULONG_MAX +#ifndef ULLONG_MAX # if defined(UQUAD_MAX) # define ULLONG_MAX UQUAD_MAX # else diff -Nru sudo-1.8.9p4/plugins/sudoers/sudo_nss.c sudo-1.8.9p5/plugins/sudoers/sudo_nss.c --- sudo-1.8.9p4/plugins/sudoers/sudo_nss.c 2014-01-07 18:08:54.000000000 +0000 +++ sudo-1.8.9p5/plugins/sudoers/sudo_nss.c 2014-01-30 20:40:47.000000000 +0000 @@ -137,7 +137,7 @@ { FILE *fp; char *cp, *ep, *line = NULL; - ssize_t linesize = 0; + size_t linesize = 0; #ifdef HAVE_SSSD bool saw_sss = false; #endif 
@@ -212,7 +212,7 @@ nomatch: /* Default to files only if no matches */ if (TAILQ_EMPTY(&snl)) - TAILQ_INSERT_TAIL(&snl, &sudo_nss_files, entries); + TAILQ_INSERT_TAIL(&snl, &sudo_nss_file, entries); debug_return_ptr(&snl); } diff -Nru sudo-1.8.9p4/src/preserve_fds.c sudo-1.8.9p5/src/preserve_fds.c --- sudo-1.8.9p4/src/preserve_fds.c 2014-01-15 13:02:18.000000000 +0000 +++ sudo-1.8.9p5/src/preserve_fds.c 2014-02-04 13:27:56.000000000 +0000 @@ -111,12 +111,15 @@ if (pfd->highfd < startfd) continue; fd = dup(pfd->highfd); - if (fd < pfd->highfd) { - if (fd == -1) { - if (errno == EBADF) - TAILQ_REMOVE(pfds, pfd, entries); + if (fd == -1) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO|SUDO_DEBUG_ERRNO, + "dup %d", pfd->highfd); + if (errno == EBADF) { + TAILQ_REMOVE(pfds, pfd, entries); continue; } + /* NOTE: still need to adjust lastfd below with unchanged lowfd. */ + } else if (fd < pfd->highfd) { pfd->lowfd = fd; fd = pfd->highfd; if (fd == debug_fd) @@ -124,13 +127,14 @@ sudo_debug_printf(SUDO_DEBUG_DEBUG|SUDO_DEBUG_LINENO, "dup %d -> %d", pfd->highfd, pfd->lowfd); } - (void) close(fd); + if (fd != -1) + (void) close(fd); if (pfd->lowfd > lastfd) lastfd = pfd->lowfd; /* highest (relocated) preserved fd */ } - if (TAILQ_EMPTY(pfds)) { + if (lastfd == -1) { /* No fds to preserve. */ sudo_debug_printf(SUDO_DEBUG_DEBUG|SUDO_DEBUG_LINENO, "closefrom(%d)", startfd); @@ -146,7 +150,6 @@ /* * Close any unpreserved fds [startfd,lastfd] - * NOTE: this could relocate the debug fd, breaking the debug subsystem. */ for (fd = startfd; fd <= lastfd; fd++) { if (!FD_ISSET(fd, fdsp)) { @@ -189,6 +192,7 @@ if (pfd->lowfd == debug_fd) debug_fd = sudo_debug_fd_set(pfd->highfd); (void) close(pfd->lowfd); + pfd->lowfd = pfd->highfd; } } debug_return;
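Review bot: In src/preserve_fds.c (hunk @@ -111,12 +111,15 @@) the `errno == EBADF` test now runs after the added `sudo_debug_printf(...)` call, so it sees whatever errno holds once logging has finished, not necessarily the value dup() left. Unless sudo_debug_printf is guaranteed to restore errno (its definition is not part of this diff), capture the value first with `int dup_errno = errno;` directly after the failed dup() and test `dup_errno == EBADF`. If the logger did clobber errno, an already-closed descriptor would stay on the list and feed its lowfd into lastfd instead of being dropped. The enclosing loop starts outside the hunk.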
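Review bot: In src/preserve_fds.c (hunk @@ -124,13 +127,14 @@) the switch from `TAILQ_EMPTY(pfds)` to `lastfd == -1` relies on lastfd starting at -1 and only being raised inside the loop, and that initialisation lies outside the hunk. The retained `/* No fds to preserve. */` comment no longer tells the whole story, because the list can be non-empty while every entry is below startfd. I would reword it to `/* No preserved fds at or above startfd (list may still be non-empty). */`. That keeps a later reader from reverting to the list-emptiness test, which per the ChangeLog entry in this diff is what led to the ecalloc(0) assertion.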