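# RPM spec for sudo 1.9.8p2 plus backported fixes.
#
# sudo is shipped setuid root, so three things in this file are
# security-relevant and worth re-checking on every release bump:
#   1. the backport patch list (each CVE patch should have a changelog entry),
#   2. the hardening flags and configure options in the build section,
#   3. the owner/mode assigned to each path in the files list.
Name:           sudo
Version:        1.9.8p2
Release:        12
Summary:        Allows restricted root access for specified users
License:        ISC
# Project home on the same HTTPS host that serves Source0.
URL:            https://www.sudo.ws/
Source0:        https://www.sudo.ws/dist/%{name}-%{version}.tar.gz
# Source1 becomes /etc/sudoers; Source2 and Source3 become the PAM service
# files /etc/pam.d/sudo and /etc/pam.d/sudo-i (see the install section).
Source1:        sudoers
Source2:        sudo
Source3:        sudo-i

# Backported fixes, applied in order by autosetup. Patches whose names carry
# a CVE id are the security fixes; the rest are upstream memory-safety and
# correctness fixes.
Patch0:         backport-0001-CVE-2022-37434.patch
Patch1:         backport-0002-CVE-2022-37434.patch
Patch2:         backport-CVE-2022-33070.patch
Patch3:         backport-Fix-CVE-2022-43995-potential-heap-overflow-for-passwords.patch
Patch4:         backport-Fix-incorrect-SHA384-512-digest-calculation.patch
Patch5:         backport-sudo_passwd_verify-zero-out-des_pass-before-returnin.patch
Patch6:         backport-Fix-issue-protobuf-c-499-unsigned-integer-overflow.patch
Patch7:         backport-Fix-regression-with-zero-length-messages-introduced-.patch
Patch8:         backport-Fix-typo-we-should-define-SSIZE_MAX-if-it-is-not-def.patch
Patch9:         backport-Fix-a-clang-analyzer-14-warning-about-a-possible-NUL.patch
Patch10:        backport-Fix-potential-signed-integer-overflow-on-32-bit-CPUs.patch
Patch11:        backport-sudo_ldap_parse_options-fix-memory-leak-of-sudoRole-.patch
Patch12:        backport-cvtsudoers-Prevent-sudo-from-reading-into-undefined-.patch
Patch13:        backport-Fix-a-potential-use-after-free-bug-with-cvtsudoers-f.patch
Patch14:        backport-Fix-memory-leak-of-pass-in-converse.patch
Patch15:        backport-sudo_passwd_cleanup-Set-auth-data-to-NULL-after-free.patch
Patch16:        backport-sudo_rcstr_dup-Fix-potential-NULL-pointer-deref.patch
Patch17:        backport-CVE-2023-22809.patch
Patch18:        backport-Fix-a-NOPASSWD-issue-with-a-non-existent-command-whe.patch
Patch19:        backport-CVE-2023-27320.patch
Patch20:        backport-CVE-2023-28486_CVE-2023-28487.patch
Patch21:        Fix-compilation-error-on-sw64-arch.patch

Buildroot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Requires:       pam
Recommends:     vim-minimal
Requires(post): coreutils

BuildRequires:  pam-devel groff openldap-devel flex bison automake autoconf libtool
BuildRequires:  audit-libs-devel libcap-devel libselinux-devel sendmail gettext zlib-devel
BuildRequires:  chrpath git

%description
Sudo is a program designed to allow a sysadmin to give limited root
privileges to users and log root activity. The basic philosophy is to give
as few privileges as possible but still allow people to get their work done.

%package        devel
Summary:        Development files for %{name}
Requires:       %{name} = %{version}-%{release}

%description    devel
The %{name}-devel package contains header files for developing sudo plugins
that use %{name}.

%package_help

%prep
%autosetup -n %{name}-%{version} -S git

%build
autoreconf -I m4 -fv --install

# Hardening for a setuid binary: position-independent executable (-fpie/-pie)
# plus read-only relocations with immediate binding (-z relro, -z now).
export CFLAGS="$RPM_OPT_FLAGS -fpie" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"

# Configure choices that affect the security posture:
#   - the root mailer, intercept, log-server and log-client features are
#     switched off, so that code is not part of this build;
#   - events go to syslog under the authpriv facility;
#   - authentication goes through PAM; SELinux and Linux audit support are on;
#   - --with-ignore-dot makes sudo ignore "." in PATH;
#   - --with-env-editor lets visudo honour the caller's editor environment
#     variables instead of only /bin/vi. NOTE(review): anyone permitted to run
#     visudo can then start an arbitrary program as root through that
#     variable; confirm this default is wanted, or override env_editor in the
#     shipped sudoers.
%configure \
        --prefix=%{_prefix} \
        --sbindir=%{_sbindir} \
        --libdir=%{_libdir} \
        --docdir=%{_pkgdocdir} \
        --disable-root-mailer \
        --disable-intercept \
        --disable-log-server \
        --disable-log-client \
        --with-logging=syslog \
        --with-logfac=authpriv \
        --with-pam \
        --with-pam-login \
        --with-editor=/bin/vi \
        --with-env-editor \
        --with-ignore-dot \
        --with-tty-tickets \
        --with-ldap \
        --with-selinux \
        --with-passprompt="[sudo] password for %p: " \
        --with-linux-audit \
        --with-sssd

%make_build

%check
make check

%install
rm -rf $RPM_BUILD_ROOT
# Install as the unprivileged build user; final ownership comes from the
# attr entries in the files list, not from these ids.
%make_install install_uid=$(id -u) install_gid=$(id -g) sudoers_uid=$(id -u) sudoers_gid=$(id -g)

# Buildroot-only modes (presumably so chrpath below can rewrite the files);
# the shipped modes are the attr entries in the files list.
chmod 755 $RPM_BUILD_ROOT%{_bindir}/* $RPM_BUILD_ROOT%{_sbindir}/*

# State directories are private (0700), the drop-in directory is 0750 and
# the sudoers policy file is read-only (0440).
install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo
install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo/lectured
install -p -d -m 750 $RPM_BUILD_ROOT/etc/sudoers.d
install -p -c -m 0440 %{SOURCE1} $RPM_BUILD_ROOT/etc/sudoers

# List sudo under dnf's protected.d directory.
install -p -d -m 755 $RPM_BUILD_ROOT/etc/dnf/protected.d/
echo sudo > sudo.conf
install -p -c -m 0644 sudo.conf $RPM_BUILD_ROOT/etc/dnf/protected.d/
rm -f sudo.conf

chmod +x $RPM_BUILD_ROOT%{_libexecdir}/sudo/*.so
rm -rf $RPM_BUILD_ROOT%{_pkgdocdir}/LICENSE
rm -rf $RPM_BUILD_ROOT%{_datadir}/examples/sudo
%delete_la
rm -f $RPM_BUILD_ROOT%{_sysconfdir}/sudoers.dist

# Strip rpath/runpath from every shipped executable and plugin, so the
# setuid binary and its plugins carry no embedded library search path.
chrpath -d $RPM_BUILD_ROOT%{_bindir}/sudo
chrpath -d $RPM_BUILD_ROOT%{_bindir}/sudoreplay
chrpath -d $RPM_BUILD_ROOT%{_sbindir}/visudo
chrpath -d $RPM_BUILD_ROOT%{_bindir}/cvtsudoers
chrpath -d $RPM_BUILD_ROOT%{_libexecdir}/sudo/sesh
chrpath -d $RPM_BUILD_ROOT%{_libexecdir}/sudo/sudoers.so
chrpath -d $RPM_BUILD_ROOT%{_libexecdir}/sudo/group_file.so
chrpath -d $RPM_BUILD_ROOT%{_libexecdir}/sudo/system_group.so
chrpath -d $RPM_BUILD_ROOT%{_libexecdir}/sudo/audit_json.so
chrpath -d $RPM_BUILD_ROOT%{_libexecdir}/sudo/sample_approval.so

# Presumably needed so libsudo_util.so still resolves once the rpath is gone.
# NOTE(review): this puts /usr/libexec/sudo on the system-wide linker search
# path, so that directory must stay root-owned and not writable by others.
mkdir -p $RPM_BUILD_ROOT/etc/ld.so.conf.d
echo "/usr/libexec/sudo" > $RPM_BUILD_ROOT/etc/ld.so.conf.d/%{name}-%{_arch}.conf

%find_lang sudo
%find_lang sudoers

mkdir -p $RPM_BUILD_ROOT/etc/pam.d
install -p -c -m 0644 %{SOURCE2} $RPM_BUILD_ROOT/etc/pam.d/sudo
install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT/etc/pam.d/sudo-i

%post
# Re-assert 0440 on the sudoers file after install or upgrade; failures are
# deliberately ignored so the transaction is not aborted.
/bin/chmod 0440 /etc/sudoers || :
/sbin/ldconfig || :

%postun -p /sbin/ldconfig

%files -f sudo.lang -f sudoers.lang
# Policy and configuration: root-owned, kept on upgrade (noreplace), and not
# readable by unprivileged users where the content is sensitive.
%attr(0440,root,root) %config(noreplace) /etc/sudoers
%attr(0750,root,root) %dir /etc/sudoers.d/
%attr(0644,root,root) %{_tmpfilesdir}/sudo.conf
%attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/sudo.conf
%attr(0640,root,root) %config(noreplace) /etc/sudo.conf
# sudo is setuid root and execute-only (4111): no read or write bit for anyone.
%attr(4111,root,root) %{_bindir}/sudo
%attr(0111,root,root) %{_bindir}/sudoreplay
%{_bindir}/sudoedit
%{_bindir}/cvtsudoers
%attr(0755,root,root) %{_sbindir}/visudo
%attr(0755,root,root) %{_libexecdir}/sudo/sesh
# Plugins and the utility library are root-owned and writable by root only.
%attr(0644,root,root) %{_libexecdir}/sudo/sudo_noexec.so
%attr(0644,root,root) %{_libexecdir}/sudo/sudoers.so
%attr(0644,root,root) %{_libexecdir}/sudo/group_file.so
%attr(0644,root,root) %{_libexecdir}/sudo/system_group.so
%attr(0644,root,root) %{_libexecdir}/sudo/audit_json.so
%attr(0644,root,root) %{_libexecdir}/sudo/sample_approval.so
%attr(0644,root,root) %{_libexecdir}/sudo/libsudo_util.so*
%dir /var/db/sudo
%dir /var/db/sudo/lectured
%dir %{_libexecdir}/sudo
%config(noreplace) /etc/pam.d/sudo
%config(noreplace) /etc/pam.d/sudo-i
%config(noreplace) /etc/ld.so.conf.d/*
%license doc/LICENSE

%files devel
%{_includedir}/sudo_plugin.h

%files help
%dir %{_pkgdocdir}/
%{_mandir}/man5/*
%{_mandir}/man8/*
%{_mandir}/man1/*
%{_pkgdocdir}/*
%doc plugins/sample/sample_plugin.c
%exclude %{_pkgdocdir}/ChangeLog

%changelog
* Wed Apr 12 2023 wangyu - 1.9.8p2-12
- Fix compilation error on sw64 arch.

* Tue Mar 28 2023 wangcheng - 1.9.8p2-11
- Fix CVE-2023-28486 and CVE-2023-28487

* Tue Mar 07 2023 wangyu - 1.9.8p2-10
- Fix CVE-2023-27320.

* Wed Feb 01 2023 wangyu - 1.9.8p2-9
- For "sudo ALL" a non-existent command is not an error.

* Thu Jan 19 2023 houmingyong - 1.9.8p2-8
- Fix CVE-2023-22809

* Thu Dec 08 2022 wangyu - 1.9.8p2-7
- Backport patches from upstream community

* Fri Nov 25 2022 wangyu - 1.9.8p2-6
- Backport patches from upstream community

* Wed Nov 23 2022 wangyu - 1.9.8p2-5
- Backport patches from upstream community

* Sat Nov 05 2022 wangyu - 1.9.8p2-4
- Fix CVE-2022-43995

* Sat Sep 03 2022 wangyu - 1.9.8p2-3
- Fix CVE-2022-37434 and CVE-2022-33070

* Mon Mar 7 2022 panxiaohe - 1.9.8p2-2
- remove rpath and runpath of exec files and libraries

* Tue Dec 14 2021 panxiaohe - 1.9.8p2-1
- Update to 1.9.8p2

* Thu Sep 16 2021 yixiangzhike - 1.9.5p2-2
- DESC: treat stack exhaustion like memory allocation failure

* Wed Jul 7 2021 panxiaohe - 1.9.5p2-1
- Update to 1.9.5p2

* Fri Jan 29 2021 zoulin - 1.9.2-3
- Fix runstatedir handling for distros that do not support it

* Wed Jan 27 2021 panxiaohe - 1.9.2-2
- fix CVE-2021-23239 CVE-2021-23240 CVE-2021-3156

* Wed Jul 29 2020 zhangxingliang - 1.9.2-1
- update to 1.9.2

* Fri Apr 17 2020 Anakin Zhang - 1.8.27-5
- Read drop-in files from /etc/sudoers.d

* Mon Jan 20 2020 openEuler Buildteam - 1.8.27-4
- fix CVE-2019-19232 and CVE-2019-19234

* Sat Jan 11 2020 openEuler Buildteam - 1.8.27-3
- clean code

* Mon Dec 16 2019 openEuler Buildteam - 1.8.27-2
- Fix CVE-2019-14287

* Tue Aug 27 2019 openEuler Buildteam - 1.8.27-1
- Package init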