packages/sudo
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
sudo/sudo.spec
fly_fzc 2158f6ac41 Backport patch from upstream community
2024-01-31 15:11:19 +08:00

277 lines
9.8 KiB
RPMSpec
Raw Blame History

Name: sudo
Version: 1.9.8p2
Release: 17
Summary: Allows restricted root access for specified users
License: ISC
URL: http://www.courtesan.com/sudo/
Source0: https://www.sudo.ws/dist/%{name}-%{version}.tar.gz
Source1: sudoers
Source2: sudo
Source3: sudo-i
Patch0: backport-0001-CVE-2022-37434.patch
Patch1: backport-0002-CVE-2022-37434.patch
Patch2: backport-CVE-2022-33070.patch
Patch3: backport-Fix-CVE-2022-43995-potential-heap-overflow-for-passwords.patch
Patch4: backport-Fix-incorrect-SHA384-512-digest-calculation.patch
Patch5: backport-sudo_passwd_verify-zero-out-des_pass-before-returnin.patch
Patch6: backport-Fix-issue-protobuf-c-499-unsigned-integer-overflow.patch
Patch7: backport-Fix-regression-with-zero-length-messages-introduced-.patch
Patch8: backport-Fix-typo-we-should-define-SSIZE_MAX-if-it-is-not-def.patch
Patch9: backport-Fix-a-clang-analyzer-14-warning-about-a-possible-NUL.patch
Patch10: backport-Fix-potential-signed-integer-overflow-on-32-bit-CPUs.patch
Patch11: backport-sudo_ldap_parse_options-fix-memory-leak-of-sudoRole-.patch
Patch12: backport-cvtsudoers-Prevent-sudo-from-reading-into-undefined-.patch
Patch13: backport-Fix-a-potential-use-after-free-bug-with-cvtsudoers-f.patch
Patch14: backport-Fix-memory-leak-of-pass-in-converse.patch
Patch15: backport-sudo_passwd_cleanup-Set-auth-data-to-NULL-after-free.patch
Patch16: backport-sudo_rcstr_dup-Fix-potential-NULL-pointer-deref.patch
Patch17: backport-CVE-2023-22809.patch
Patch18: backport-Fix-a-NOPASSWD-issue-with-a-non-existent-command-whe.patch
Patch19: backport-CVE-2023-27320.patch
Patch20: backport-CVE-2023-28486_CVE-2023-28487.patch
Patch21: Fix-compilation-error-on-sw64-arch.patch
Patch22: backport-Reinstall-the-event-handler-if-we-get-EAGAIN-from-re.patch
Patch23: backport-sudoers_main-defer-setting-return-value-until-the-en.patch
Patch24: backport-sudo_putenv_nodebug-require-that-the-environment-str.patch
Patch25: backport-Linux-execve-2-allows-argv-or-envp-to-be-NULL.patch
Patch26: backport-Fix-potential-NULL-pointer-deference-found-by-clang-.patch
Patch27: backport-Set-command_info-to-NULL-once-it-is-freed.patch
Patch28: backport-sudoers_parse_ldif-do-not-free-parse_tree-before-usi.patch
Patch29: backport-Do-not-rely-on-the-definition-of-ALLOW-DENY-being-tr.patch
Patch30: backport-CVE-2023-42465.patch
Patch31: backport-Make-all-match-functions-return-ALLOW-DENY-.patch
Patch32: backport-role_to_sudoers-only-try-to-reuse-a-privilege-if-one.patch
Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Requires: pam
Recommends: vim-minimal
Requires(post): coreutils
BuildRequires: pam-devel groff openldap-devel flex bison automake autoconf libtool
BuildRequires: audit-libs-devel libcap-devel libselinux-devel sendmail gettext zlib-devel
BuildRequires: chrpath git
%description
Sudo is a program designed to allow a sysadmin to give limited root privileges
to users and log root activity. The basic philosophy is to give as few
privileges as possible but still allow people to get their work done.
%package devel
Summary: Development files for %{name}
Requires: %{name} = %{version}-%{release}
%description devel
The %{name}-devel package contains header files developing sudo
plugins that use %{name}.
%package_help
%prep
%autosetup -n %{name}-%{version} -S git
%build
autoreconf -I m4 -fv --install
export CFLAGS="$RPM_OPT_FLAGS -fpie" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"
%configure \
--prefix=%{_prefix} \
--sbindir=%{_sbindir} \
--libdir=%{_libdir} \
--docdir=%{_pkgdocdir} \
--disable-root-mailer \
--disable-intercept \
--disable-log-server \
--disable-log-client \
--with-logging=syslog \
--with-logfac=authpriv \
--with-pam \
--with-pam-login \
--with-editor=/bin/vi \
--with-env-editor \
--with-ignore-dot \
--with-tty-tickets \
--with-ldap \
--with-selinux \
--with-passprompt="[sudo] password for %p: " \
--with-linux-audit \
--with-sssd
%make_build
%check
make check
%install
rm -rf $RPM_BUILD_ROOT
%make_install install_uid=`id -u` install_gid=`id -g` sudoers_uid=`id -u` sudoers_gid=`id -g`
chmod 755 $RPM_BUILD_ROOT%{_bindir}/* $RPM_BUILD_ROOT%{_sbindir}/*
install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo
install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo/lectured
install -p -d -m 750 $RPM_BUILD_ROOT/etc/sudoers.d
install -p -c -m 0440 %{SOURCE1} $RPM_BUILD_ROOT/etc/sudoers
install -p -d -m 755 $RPM_BUILD_ROOT/etc/dnf/protected.d/
touch sudo.conf
echo sudo > sudo.conf
install -p -c -m 0644 sudo.conf $RPM_BUILD_ROOT/etc/dnf/protected.d/
rm -f sudo.conf
chmod +x $RPM_BUILD_ROOT%{_libexecdir}/sudo/*.so
rm -rf $RPM_BUILD_ROOT%{_pkgdocdir}/LICENSE
rm -rf $RPM_BUILD_ROOT%{_datadir}/examples/sudo
%delete_la
rm -f $RPM_BUILD_ROOT%{_sysconfdir}/sudoers.dist
chrpath -d $RPM_BUILD_ROOT%{_bindir}/sudo
chrpath -d $RPM_BUILD_ROOT%{_bindir}/sudoreplay
chrpath -d $RPM_BUILD_ROOT%{_sbindir}/visudo
chrpath -d $RPM_BUILD_ROOT%{_bindir}/cvtsudoers
chrpath -d $RPM_BUILD_ROOT%{_libexecdir}/sudo/sesh
chrpath -d $RPM_BUILD_ROOT%{_libexecdir}/sudo/sudoers.so
chrpath -d $RPM_BUILD_ROOT%{_libexecdir}/sudo/group_file.so
chrpath -d $RPM_BUILD_ROOT%{_libexecdir}/sudo/system_group.so
chrpath -d $RPM_BUILD_ROOT%{_libexecdir}/sudo/audit_json.so
chrpath -d $RPM_BUILD_ROOT%{_libexecdir}/sudo/sample_approval.so
mkdir -p $RPM_BUILD_ROOT/etc/ld.so.conf.d
echo "/usr/libexec/sudo" > $RPM_BUILD_ROOT/etc/ld.so.conf.d/%{name}-%{_arch}.conf
%find_lang sudo
%find_lang sudoers
mkdir -p $RPM_BUILD_ROOT/etc/pam.d
install -p -c -m 0644 %{SOURCE2} $RPM_BUILD_ROOT/etc/pam.d/sudo
install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT/etc/pam.d/sudo-i
%post
/bin/chmod 0440 /etc/sudoers || :
/sbin/ldconfig || :
%postun -p /sbin/ldconfig
%files -f sudo.lang -f sudoers.lang
%attr(0440,root,root) %config(noreplace) /etc/sudoers
%attr(0750,root,root) %dir /etc/sudoers.d/
%attr(0644,root,root) %{_tmpfilesdir}/sudo.conf
%attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/sudo.conf
%attr(0640,root,root) %config(noreplace) /etc/sudo.conf
%attr(4111,root,root) %{_bindir}/sudo
%attr(0111,root,root) %{_bindir}/sudoreplay
%{_bindir}/sudoedit
%{_bindir}/cvtsudoers
%attr(0755,root,root) %{_sbindir}/visudo
%attr(0755,root,root) %{_libexecdir}/sudo/sesh
%attr(0644,root,root) %{_libexecdir}/sudo/sudo_noexec.so
%attr(0644,root,root) %{_libexecdir}/sudo/sudoers.so
%attr(0644,root,root) %{_libexecdir}/sudo/group_file.so
%attr(0644,root,root) %{_libexecdir}/sudo/system_group.so
%attr(0644,root,root) %{_libexecdir}/sudo/audit_json.so
%attr(0644,root,root) %{_libexecdir}/sudo/sample_approval.so
%attr(0644,root,root) %{_libexecdir}/sudo/libsudo_util.so*
%dir /var/db/sudo
%dir /var/db/sudo/lectured
%dir %{_libexecdir}/sudo
%config(noreplace) /etc/pam.d/sudo
%config(noreplace) /etc/pam.d/sudo-i
%config(noreplace) /etc/ld.so.conf.d/*
%license doc/LICENSE
%files devel
%{_includedir}/sudo_plugin.h
%files help
%dir %{_pkgdocdir}/
%{_mandir}/man5/*
%{_mandir}/man8/*
%{_mandir}/man1/*
%{_pkgdocdir}/*
%doc plugins/sample/sample_plugin.c
%exclude %{_pkgdocdir}/ChangeLog
%changelog
* Wed Jan 31 2024 fuanan <fuanan3@h-partners.com> - 1.9.8p2-17
- Backport patch from upstream community
* Wed Jan 10 2024 wangqingsan <wangqingsan@huawei.com> - 1.9.8p2-16
- fix CVE-2023-42465
* Tue Nov 28 2023 zhangruifang <zhangruifang1@h-partners.com> - 1.9.8p2-15
- Backport patches from upstream community
* Mon Aug 07 2023 zhoushuiqing <zhoushuiqing2@huawei.com> - 1.9.8p2-14
- Backport patche from upstream community
* Tue Jun 13 2023 zhoushuiqing <zhoushuiqing2@huawei.com> - 1.9.8p2-13
- Backport patches from upstream community
* Wed Apr 12 2023 wangyu <wangyu283@huawei.com> - 1.9.8p2-12
- Fix compilation error on sw64 arch.
* Tue Mar 28 2023 wangcheng <wangcheng156@huawei.com> - 1.9.8p2-11
- Fix CVE-2023-28486 and CVE-2023-28487
* Tue Mar 07 2023 wangyu <wangyu283@huawei.com> - 1.9.8p2-10
- Fix CVE-2023-27320.
* Wed Feb 01 2023 wangyu <wangyu283@huawei.com> - 1.9.8p2-9
- For "sudo ALL" a non-existent command is not an error.
* Thu Jan 19 2023 houmingyong<houmingyong@huawei.com> - 1.9.8p2-8
- Fix CVE-2023-22809
* Thu Dec 08 2022 wangyu <wangyu283@huawei.com> - 1.9.8p2-7
- Backport patches from upstream community
* Fri Nov 25 2022 wangyu <wangyu283@huawei.com> - 1.9.8p2-6
- Backport patches from upstream community
* Wed Nov 23 2022 wangyu <wangyu283@huawei.com> - 1.9.8p2-5
- Backport patches from upstream community
* Sat Nov 05 2022 wangyu <wangyu283@huawei.com> - 1.9.8p2-4
- Fix CVE-2022-43995
* Sat Sep 03 2022 wangyu <wangyu283@huawei.com> - 1.9.8p2-3
- Fix CVE-2022-37434 and CVE-2022-33070
* Mon Mar 7 2022 panxiaohe <panxh.life@foxmail.com> - 1.9.8p2-2
- remove rpath and runpath of exec files and libraries
* Tue Dec 14 2021 panxiaohe <panxiaohe@huawei.com> - 1.9.8p2-1
- Update to 1.9.8p2
* Thu Sep 16 2021 yixiangzhike <zhangxingliang3@huawei.com> - 1.9.5p2-2
- DESC: treat stack exhaustion like memory allocation failure
* Wed Jul 7 2021 panxiaohe <panxiaohe@huawei.com> - 1.9.5p2-1
- Update to 1.9.5p2
* Fri Jan 29 2021 zoulin <zoulin13@huawei.com> - 1.9.2-3
- Fix runstatedir handling for distros that do not support it
* Wed Jan 27 2021 panxiaohe <panxiaohe@huawei.com> - 1.9.2-2
- fix CVE-2021-23239 CVE-2021-23240 CVE-2021-3156
* Wed Jul 29 2020 zhangxingliang <zhangxingliang3@huawei.com> - 1.9.2-1
- update to 1.9.2
* Fri Apr 17 2020 Anakin Zhang <nbztx@126.com> - 1.8.27-5
- Read drop-in files from /etc/sudoers.d
* Mon Jan 20 2020 openEuler Buildteam <buildteam@openeuler.org> - 1.8.27-4
- fix CVE-2019-19232 and CVE-2019-19234
* Sat Jan 11 2020 openEuler Buildteam <buildteam@openeuler.org> - 1.8.27-3
- clean code
* Mon Dec 16 2019 openEuler Buildteam <buildteam@openeuler.org> - 1.8.27-2
- Fix CVE-2019-14287
* Tue Aug 27 2019 openEuler Buildteam <buildteam@openeuler.org> - 1.8.27-1
- Package init
Reference in New Issue View Git Blame Copy Permalink