diff --git a/build/sudo/build.sh b/build/sudo/build.sh index fbaec45066..edd9c82f0e 100755 --- a/build/sudo/build.sh +++ b/build/sudo/build.sh @@ -28,7 +28,7 @@ . ../../lib/functions.sh PROG=sudo -VER=1.8.7 +VER=1.8.20p2 VERHUMAN=$VER PKG=security/sudo SUMMARY="$PROG - authority delegation tool" @@ -43,7 +43,7 @@ CFLAGS="$CFLAGS -fno-stack-protector" CONFIGURE_OPTS=" --with-ldap --with-project - --with-timedir=/var/run/sudo + --with-rundir=/var/run/sudo --with-pam --with-pam-login --with-tty-tickets --without-insults @@ -62,6 +62,7 @@ make_install64() { logcmd rm -rf $DESTDIR/usr/bin/amd64 logcmd rm -rf $DESTDIR/usr/sbin/amd64 logcmd rm -rf $DESTDIR/usr/include/amd64 + logcmd rm -rf $DESTDIR/var/db } init diff --git a/build/sudo/patches/Makefile.in.patch b/build/sudo/patches/Makefile.in.patch new file mode 100644 index 0000000000..6f4e3d18a9 --- /dev/null +++ b/build/sudo/patches/Makefile.in.patch @@ -0,0 +1,10 @@ +--- sudo-1.8.20p2/Makefile.in Wed May 10 17:38:43 2017 ++++ sudo-1.8.20p2/Makefile.in Sun Jul 9 17:06:55 2017 +@@ -63,7 +63,6 @@ + SED = @SED@ + + INSTALL = $(SHELL) $(top_srcdir)/install-sh -c +-INSTALL_OWNER = -o $(install_uid) -g $(install_gid) + + ECHO_N = @ECHO_N@ + ECHO_C = @ECHO_C@ diff --git a/build/sudo/patches/audit-event.patch b/build/sudo/patches/audit-event.patch index c2a8f16644..4a3cd99961 100644 --- a/build/sudo/patches/audit-event.patch +++ b/build/sudo/patches/audit-event.patch 
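Review bot: The `CFLAGS="$CFLAGS -fno-stack-protector"` line shown at the top of the `CONFIGURE_OPTS` hunk is kept as-is even though this commit drops ssp.patch, the patch that rewrote configure's `SSP_CFLAGS`/`SSP_LDFLAGS`. With that patch gone, configure may add `-fstack-protector` on its own while CFLAGS asks for the opposite, so the result would depend on flag order on the compile line. For a setuid-root binary the intended outcome should be stated next to the flag, e.g. `# stack protector disabled: <reason>`, or the flag removed if the workaround is no longer needed. The CFLAGS assignment sits outside the changed lines, so this is inferred from the hunk context only.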
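Review bot: The added `logcmd rm -rf $DESTDIR/var/db` in make_install64 expands an unquoted, unchecked variable, so an empty or unset DESTDIR turns it into `rm -rf /var/db` on the build host. The three existing removals above it share the pattern; I would write all four in the form `logcmd rm -rf "${DESTDIR:?}/var/db"` so the build aborts instead of deleting outside the staging area. The hunk also gives no reason for dropping the directory. If it is sudo's default state directory, a `--with-vardir=<path>` in CONFIGURE_OPTS plus a one-line comment would make the packaged layout explicit rather than leaving sudo to create it at run time. make_install64 starts above the hunk.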
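Review bot: Removing `INSTALL_OWNER = -o $(install_uid) -g $(install_gid)` leaves any `$(INSTALL_OWNER)` reference in sudo's Makefiles expanding to nothing, so files are staged with the build user's ownership, and the new patch file carries no explanation. sudo is only safe when the binary is setuid root and sudoers and the plugins are root-owned and not writable by others, so after this patch the package manifest is the only place those owners and modes are enforced. I would add a header comment to the patch such as `# Drop -o/-g so install works for a non-root build user; owner and mode are set by the package manifest`, and confirm the manifest pins them for the sudo binary, sudoers and the plugin directory. The manifest is not part of this diff, so that last point is unverified here.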
@@ -1,14 +1,34 @@ ---- sudo-1.8.4p1/plugins/sudoers/bsm_audit.c Mon Jan 9 17:37:13 2012 -+++ sudo-1.8.4p1/plugins/sudoers/bsm_audit.c Sun Feb 26 15:55:55 2012 -@@ -31,9 +31,10 @@ - #include - - #include "gettext.h" --#include "error.h" - #include "sudo_debug.h" -+#include "error.h" +--- sudo-1.8.20p2/plugins/sudoers/bsm_audit.c Sun Jul 9 12:35:16 2017 ++++ sudo-1.8.20p2/plugins/sudoers/bsm_audit.c Sun Jul 9 12:34:08 2017 +@@ -34,6 +34,7 @@ + + #include "sudoers.h" #include "bsm_audit.h" -+#define AUE_sudo 6650 - ++#define AUE_sudo 6650 + /* * Solaris auditon() returns EINVAL if BSM audit not configured. +@@ -163,11 +164,7 @@ + debug_return_int(-1); + } + au_write(aufd, tok); +-#ifdef __sun +- if (au_close(aufd, 1, sudo_audit_event, 0) == -1) +-#else + if (au_close(aufd, 1, sudo_audit_event) == -1) +-#endif + { + sudo_warn(U_("unable to commit audit record")); + debug_return_int(-1); +@@ -251,11 +248,7 @@ + debug_return_int(-1); + } + au_write(aufd, tok); +-#ifdef __sun +- if (au_close(aufd, 1, sudo_audit_event, PAD_FAILURE) == -1) +-#else + if (au_close(aufd, 1, sudo_audit_event) == -1) +-#endif + { + sudo_warn(U_("unable to commit audit record")); + debug_return_int(-1); diff --git a/build/sudo/patches/gettext.patch b/build/sudo/patches/gettext.patch index c9011745cd..2579b576ea 100644 --- a/build/sudo/patches/gettext.patch +++ b/build/sudo/patches/gettext.patch @@ -1,11 +1,10 @@ -diff -bur sudo-1.8.7.pristine/config.h.in sudo-1.8.7/config.h.in ---- sudo-1.8.7.pristine/config.h.in 2013-06-04 09:49:25.000000000 +0000 -+++ sudo-1.8.7/config.h.in 2013-11-13 19:20:29.015909468 +0000 -@@ -1025,4 +1025,7 @@ - # define BSD_COMP - #endif /* __svr4__ */ - +--- sudo-1.8.20p2/config.h.in Wed May 31 17:13:28 2017 ++++ sudo-1.8.20p2/config.h.in Sun Jul 9 16:59:22 2017 +@@ -1257,4 +1257,7 @@ + # define NO_LEAKS + #endif + +#include +#define _(String) gettext(String) + - #endif /* _SUDO_CONFIG_H */ + #endif /* SUDO_CONFIG_H */ 
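Review bot: The refreshed audit-event.patch still injects an unguarded `#define AUE_sudo 6650` into bsm_audit.c with no comment on where the number comes from. If a system header ever defines AUE_sudo this becomes a redefinition, and if the value does not match an entry in the system's audit event table the records sudo writes may not be classified or selected as intended. I would wrap it as `#ifndef AUE_sudo` / `#define AUE_sudo 6650` / `#endif` and add a comment naming the file that registers the event. The patch now also removes both `#ifdef __sun` four-argument `au_close()` calls, which assumes the three-argument form is the only one the target libbsm provides; that assumption is worth stating in the patch header as well.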
diff --git a/build/sudo/patches/libs.patch b/build/sudo/patches/libs.patch
deleted file mode 100644
index b4b94bbafc..0000000000
--- a/build/sudo/patches/libs.patch
+++ /dev/null
@@ -1,55 +0,0 @@ ---- sudo-1.8.7/src/Makefile.in.orig 2013-06-04 09:49:25.000000000 +0000 -+++ sudo-1.8.7/src/Makefile.in 2013-09-27 15:41:26.700037447 +0000 -@@ -117,7 +117,7 @@ - $(LIBTOOL) --mode=link $(CC) -o $@ $(OBJS) $(LDFLAGS) $(PIE_LDFLAGS) $(SSP_LDFLAGS) $(LIBS) - - libsudo_noexec.la: sudo_noexec.lo -- $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) $(LT_LDFLAGS) -o $@ sudo_noexec.lo -avoid-version -rpath $(noexecdir) -+ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) $(LT_LDFLAGS) -o $@ sudo_noexec.lo -avoid-version @LIBS@ -rpath $(noexecdir) - - sesh: $(SESH_OBJS) @LIBINTL@ $(LT_LIBS) - $(LIBTOOL) --mode=link $(CC) -o $@ $(SESH_OBJS) $(LDFLAGS) $(PIE_LDFLAGS) $(SSP_LDFLAGS) @LIBINTL@ $(LIBS) ---- sudo-1.8.7/plugins/group_file/Makefile.in.orig 2013-06-04 09:49:25.000000000 +0000 -+++ sudo-1.8.7/plugins/group_file/Makefile.in 2013-09-27 15:42:13.330188598 +0000 -@@ -103,7 +103,7 @@ - @sed 's/^/+e /' $(shlib_exp) > $@ - - group_file.la: $(OBJS) $(LT_LIBS) @LT_LDDEP@ -- $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) $(LT_LDFLAGS) -o $@ $(OBJS) $(LIBS) -module -avoid-version -rpath $(plugindir) -+ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) $(LT_LDFLAGS) -o $@ $(OBJS) $(LIBS) -module -avoid-version @LIBS@ -rpath $(plugindir) - - pre-install: - ---- sudo-1.8.7/plugins/sample/Makefile.in.orig 2013-06-04 09:48:28.000000000 +0000 -+++ sudo-1.8.7/plugins/sample/Makefile.in 2013-09-27 15:41:26.700325769 +0000 -@@ -34,7 +34,7 @@ - INSTALL = $(SHELL) $(top_srcdir)/install-sh -c - - # Libraries --LIBS = $(LIBOBJDIR)/libreplace.la -+LIBS = $(LIBOBJDIR)/libreplace.la @LIBS@ - - # C preprocessor flags - CPPFLAGS = -I$(incdir) -I$(top_builddir) -I$(top_srcdir) @CPPFLAGS@ ---- sudo-1.8.7/plugins/sudoers/Makefile.in.orig 2013-06-04 09:49:25.000000000 +0000 -+++ sudo-1.8.7/plugins/sudoers/Makefile.in 2013-09-27 15:41:26.701009790 +0000 -@@ -47,7 +47,7 @@ - - # Libraries - LT_LIBS = $(top_builddir)/common/libcommon.la $(LIBOBJDIR)libreplace.la --LIBS = $(LT_LIBS) @LIBINTL@ -+LIBS = $(LT_LIBS) 
@LIBINTL@ @LIBS@ - NET_LIBS = @NET_LIBS@ - SUDOERS_LIBS = @SUDOERS_LIBS@ @AFS_LIBS@ @GETGROUPS_LIB@ $(LIBS) $(NET_LIBS) @ZLIB@ - REPLAY_LIBS = @REPLAY_LIBS@ @ZLIB@ ---- sudo-1.8.7/plugins/system_group/Makefile.in.orig 2013-06-04 09:48:31.000000000 +0000 -+++ sudo-1.8.7/plugins/system_group/Makefile.in 2013-09-27 15:41:26.701271848 +0000 -@@ -103,7 +103,7 @@ - @sed 's/^/+e /' $(shlib_exp) > $@ - - system_group.la: $(OBJS) $(LT_LIBS) @LT_LDDEP@ -- $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) $(LT_LDFLAGS) -o $@ $(OBJS) $(LIBS) -module -avoid-version -rpath $(plugindir) -+ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) $(LT_LDFLAGS) -o $@ $(OBJS) $(LIBS) -module -avoid-version @LIBS@ -rpath $(plugindir) - - pre-install: - diff --git a/build/sudo/patches/printflike.patch b/build/sudo/patches/printflike.patch index 619f25b68c..89f410851d 100644 --- a/build/sudo/patches/printflike.patch +++ b/build/sudo/patches/printflike.patch @@ -4,7 +4,7 @@ #ifndef _SUDO_DEBUG_H #define _SUDO_DEBUG_H -+#include "missing.h" ++#include "sudo_compat.h" #include /* diff --git a/build/sudo/patches/series b/build/sudo/patches/series index f0c92aa16a..c6fb57f37d 100644 --- a/build/sudo/patches/series +++ b/build/sudo/patches/series @@ -1,6 +1,5 @@ audit-event.patch printflike.patch -libs.patch -ssp.patch gettext.patch -tz1.patch +sudo_edit.c.patch +Makefile.in.patch diff --git a/build/sudo/patches/ssp.patch b/build/sudo/patches/ssp.patch deleted file mode 100644 index e89dd15f03..0000000000 --- a/build/sudo/patches/ssp.patch +++ /dev/null 
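Review bot: Dropping `tz1.patch` from the series removes the local `tz_is_sane()` check that kept a caller-supplied TZ from naming an arbitrary path, and nothing in the commit says what replaces it. Presumably 1.8.20p2 carries an equivalent check upstream, but that should be confirmed against the new `plugins/sudoers/env.c`. The old patch also hard-wired `_PATH_ZONEINFO` to `/usr/share/lib/zoneinfo`, so the upstream build needs to arrive at the same directory on this platform. A line such as `tz1.patch dropped: TZ sanity check is upstream as of <version>` in the commit description would record the result.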
@@ -1,25 +0,0 @@ -diff -bur sudo-1.8.7.clean/configure sudo-1.8.7/configure ---- sudo-1.8.7.clean/configure 2013-06-04 09:53:13.000000000 +0000 -+++ sudo-1.8.7/configure 2013-11-12 21:51:24.599624559 +0000 -@@ -21252,8 +21252,8 @@ - $as_echo "$ax_cv_check_ldflags___fstack_protector_all" >&6; } - if test x"$ax_cv_check_ldflags___fstack_protector_all" = xyes; then : - -- SSP_CFLAGS="-fstack-protector-all" -- SSP_LDFLAGS="-Wc,-fstack-protector-all" -+ SSP_CFLAGS="-lintl" -+ SSP_LDFLAGS="-lintl" - - else - : -@@ -21328,8 +21328,8 @@ - $as_echo "$ax_cv_check_ldflags___fstack_protector" >&6; } - if test x"$ax_cv_check_ldflags___fstack_protector" = xyes; then : - -- SSP_CFLAGS="-fstack-protector" -- SSP_LDFLAGS="-Wc,-fstack-protector" -+ SSP_CFLAGS="-lintl" -+ SSP_LDFLAGS="-lintl" - - else - : diff --git a/build/sudo/patches/sudo_edit.c.patch b/build/sudo/patches/sudo_edit.c.patch new file mode 100644 index 0000000000..b24badf4de --- /dev/null +++ b/build/sudo/patches/sudo_edit.c.patch @@ -0,0 +1,14 @@ +--- sudo-1.8.20p2/src/sudo_edit.c Sat Jan 14 05:30:15 2017 ++++ sudo-1.8.20p2/src/sudo_edit.c Sun Jul 9 15:19:35 2017 +@@ -377,9 +377,9 @@ + * Directory open flags for use with openat(2). + * Use O_SEARCH/O_PATH and/or O_DIRECTORY where possible. + */ +-#if defined(O_SEARCH) ++#if defined(O_SEARCH) && defined(O_DIRECTORY) + # define DIR_OPEN_FLAGS (O_SEARCH|O_DIRECTORY) +-#elif defined(O_PATH) ++#elif defined(O_PATH) && defined(O_DIRECTORY) + # define DIR_OPEN_FLAGS (O_PATH|O_DIRECTORY) + #elif defined(O_DIRECTORY) + # define DIR_OPEN_FLAGS (O_RDONLY|O_DIRECTORY) diff --git a/build/sudo/patches/tz1.patch b/build/sudo/patches/tz1.patch deleted file mode 100644 index fe1b9f5182..0000000000 --- a/build/sudo/patches/tz1.patch +++ /dev/null 
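Review bot: The new `#if defined(O_SEARCH) && defined(O_DIRECTORY)` and `#elif defined(O_PATH) && defined(O_DIRECTORY)` guards in sudo_edit.c.patch mean a platform that has O_SEARCH but lacks O_DIRECTORY falls through to a later branch and loses search-only opens altogether. The patch does not say which platform that is. Per the comment above the macro, DIR_OPEN_FLAGS is what sudoedit passes to openat(2) for directories, so the fallback changes how directories are opened on that path. The final `#else` is outside the hunk, so the resulting flags are not visible here. I would add a header comment to the patch such as `/* <platform> headers define O_SEARCH but not O_DIRECTORY; DIR_OPEN_FLAGS falls back to <flags> */` and confirm that a non-directory is still rejected when O_DIRECTORY is absent.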
@@ -1,89 +0,0 @@ ---- sudo-1.8.7/plugins/sudoers/env.c.orig Wed Mar 05 14:30:59 2014 -0700 -+++ sudo-1.8.7/plugins/sudoers/env.c Mon Feb 09 16:34:06 2015 -0700 -@@ -211,6 +211,7 @@ - "LC_*", - "LINGUAS", - "TERM", -+ "TZ", - NULL - }; - -@@ -226,7 +227,6 @@ - "PATH", - "PS1", - "PS2", -- "TZ", - "XAUTHORITY", - "XAUTHORIZATION", - NULL -@@ -564,6 +564,56 @@ - } - - /* -+ * Sanity-check the TZ environment variable. -+ * On many systems it is possible to set this to a pathname. -+ */ -+/* Hardwired for illumos & OmniOS */ -+#define _PATH_ZONEINFO "/usr/share/lib/zoneinfo" -+static int -+tz_is_sane(tzval) -+ const char *tzval; -+{ -+ const char *cp; -+ char lastch; -+ -+ /* tzcode treats a value beginning with a ':' as a path. */ -+ if (tzval[0] == ':') -+ tzval++; -+ -+ /* Reject fully-qualified TZ that doesn't being with the zoneinfo dir. */ -+ if (tzval[0] == '/') { -+#ifdef _PATH_ZONEINFO -+ if (strncmp(tzval, _PATH_ZONEINFO, sizeof(_PATH_ZONEINFO) - 1) != 0 || -+ tzval[sizeof(_PATH_ZONEINFO) - 1] != '/') -+ return 0; -+#else -+ /* Assume the worst. */ -+ return 0; -+#endif -+ } -+ -+ /* -+ * Make sure TZ only contains printable non-space characters -+ * and does not contain a '..' path element. -+ */ -+ lastch = '/'; -+ for (cp = tzval; *cp != '\0'; cp++) { -+ if (isspace((unsigned char)*cp) || !isprint((unsigned char)*cp)) -+ return 0; -+ if (lastch == '/' && cp[0] == '.' && cp[1] == '.' && -+ (cp[2] == '/' || cp[2] == '\0')) -+ return 0; -+ lastch = *cp; -+ } -+ -+ /* Reject extra long TZ values (even if not a path). */ -+ if ((size_t)(cp - tzval) >= PATH_MAX) -+ return 0; -+ -+ return 1; -+} -+ -+/* - * Apply the env_check list. - * Returns TRUE if the variable is allowed, FALSE if denied - * or -1 if no match. 
-@@ -586,7 +636,12 @@ - iswild = FALSE; - if (strncmp(cur->value, var, len) == 0 && - (iswild || var[len] == '=')) { -- keepit = !strpbrk(var, "/%"); -+ if (strncmp(var, "TZ=", 3) == 0) { -+ /* Special case for TZ */ -+ keepit = tz_is_sane(var + 3); -+ } else { -+ keepit = !strpbrk(var, "/%"); -+ } - break; - } - }