Hello community, here is the log from the commit of package sudo for openSUSE:Factory checked in at Wed Feb 2 01:36:21 CET 2011. -------- --- sudo/sudo.changes 2010-06-28 08:51:18.000000000 +0200 +++ /mounts/work_src_done/STABLE/sudo/sudo.changes 2011-01-28 12:22:22.000000000 +0100 @@ -1,0 +2,10 @@ +Thu Jan 27 09:18:05 UTC 2011 - cprause@novell.com + +- added openldap schema file (bnc#667558) + +------------------------------------------------------------------- +Thu Jan 13 10:11:35 UTC 2011 - puzel@novell.com + +- add sudo-CVE-2011-0010.patch (bnc#663881) + +------------------------------------------------------------------- calling whatdependson for head-i586 New: ---- sudo-CVE-2011-0010.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ sudo.spec ++++++ --- /var/tmp/diff_new_pack.2uwGQs/_old 2011-02-02 01:35:18.000000000 +0100 +++ /var/tmp/diff_new_pack.2uwGQs/_new 2011-02-02 01:35:18.000000000 +0100 @@ -1,7 +1,7 @@ # -# spec file for package sudo (Version 1.7.2p7) +# spec file for package sudo # -# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -23,7 +23,7 @@ BuildRequires: libselinux-devel PreReq: coreutils Version: 1.7.2p7 -Release: 4 +Release: 5 Group: System/Base License: BSD3c(or similar) Url: http://www.sudo.ws/ @@ -38,6 +38,7 @@ Patch5: %{name}-1.7.1-secure_path.diff Patch6: %{name}-1.7.1-env.diff Patch7: %{name}-1.7.1-pam_rhost.diff +Patch8: sudo-CVE-2011-0010.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -66,6 +67,7 @@ %patch5 %patch6 %patch7 +%patch8 -p1 cp %{SOURCE2} . %build 
@@ -102,6 +104,8 @@ install -m 755 sudoers2ldif $RPM_BUILD_ROOT%{_sbindir}/sudoers2ldif rm -f $RPM_BUILD_ROOT%{_bindir}/sudoedit ln -sf %{_bindir}/sudo $RPM_BUILD_ROOT%{_bindir}/sudoedit +install -d -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/openldap/schema +install -m 644 schema.OpenLDAP $RPM_BUILD_ROOT%{_sysconfdir}/openldap/schema/sudo.schema %post chmod 0440 %{_sysconfdir}/sudoers @@ -116,6 +120,9 @@ %config(noreplace) %attr(0440,root,root) %{_sysconfdir}/sudoers %config %{_sysconfdir}/pam.d/sudo %attr(4755,root,root) %{_bindir}/sudo +%dir %{_sysconfdir}/openldap +%dir %{_sysconfdir}/openldap/schema +%attr(0444,root,root) %config %{_sysconfdir}/openldap/schema/sudo.schema %{_bindir}/sudoedit %{_sbindir}/* %{_libexecdir}/sudo ++++++ sudo-CVE-2011-0010.patch ++++++ # User Todd C. Miller <Todd.Miller@courtesan.com> # Date 1294760019 18000 # Node ID fe8a94f96542335c02d09fba81077c1dcc6381b5 # Parent 8f9303326db73a2e00cd53c2515db8188386cfc0 If the user is running sudo as himself but as a different group we need to prompt for a password. Index: sudo-1.7.2p7/check.c =================================================================== --- sudo-1.7.2p7.orig/check.c +++ sudo-1.7.2p7/check.c @@ -93,7 +93,13 @@ check_user(validated, mode) /* do not check or update timestamp */ status = TS_ERROR; } else { - if (user_uid == 0 || user_uid == runas_pw->pw_uid || user_is_exempt()) + /* + * Don't prompt for the root passwd or if the user is exempt. + * If the user is not changing uid/gid, no need for a password. + */ + if (user_uid == 0 || (user_uid == runas_pw->pw_uid && + (!runas_gr || user_in_group(sudo_user.pw, runas_gr->gr_name))) || + user_is_exempt()) return; build_timestamp(×tampdir, ×tampfile); Index: sudo-1.7.2p7/pwutil.c =================================================================== --- sudo-1.7.2p7.orig/pwutil.c +++ sudo-1.7.2p7/pwutil.c 
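Review bot: The rewritten condition on the `if` line depends on user_in_group() returning FALSE when `runas_gr->gr_name` cannot be resolved by sudo_getgrnam() (the pwutil.c hunk jumps to `done` with `retval = FALSE` in that case), so an unresolvable run-as group falls through to the password prompt rather than being waved through; that fail-closed property is what makes the fix hold and deserves a line in the new comment, e.g. `* user_in_group() is FALSE for an unresolvable group, so we fall through to the prompt.` The three-line boolean is also hard to read at a glance; a named local such as `int same_ugid = user_uid == runas_pw->pw_uid && (!runas_gr || user_in_group(sudo_user.pw, runas_gr->gr_name));` followed by `if (user_uid == 0 || same_ugid || user_is_exempt())` would make the precedence explicit. check_user() starts and ends outside the hunk.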
@@ -565,3 +565,50 @@ sudo_endgrent()
 sudo_freegrcache();
 #endif
 }
+
+
+int
+user_in_group(struct passwd *pw, const char *group)
+{
+ char **gr_mem;
+ int i;
+ struct group *grp;
+ int retval = FALSE;
+
+ grp = sudo_getgrnam(group);
+ if (grp == NULL)
+ goto done;
+
+ /* check against user's primary (passwd file) gid */
+ if (grp->gr_gid == pw->pw_gid) {
+ retval = TRUE;
+ goto done;
+ }
+
+ /*
+ * If we are matching the invoking or list user and that user has a
+ * supplementary group vector, check it.
+ */
+ if (user_ngroups > 0 &&
+ strcmp(pw->pw_name, list_pw ? list_pw->pw_name : user_name) == 0) {
+ for (i = 0; i < user_ngroups; i++) {
+ if (grp->gr_gid == user_groups[i]) {
+ retval = TRUE;
+ goto done;
+ }
+ }
+ } else
+ {
+ if (grp != NULL && grp->gr_mem != NULL) {
+ for (gr_mem = grp->gr_mem; *gr_mem; gr_mem++) {
+ if (strcmp(*gr_mem, pw->pw_name) == 0) {
+ retval = TRUE;
+ goto done;
+ }
+ }
+ }
+ }
+
+done:
+ return(retval);
+}
Index: sudo-1.7.2p7/sudo.h
===================================================================
--- sudo-1.7.2p7.orig/sudo.h
+++ sudo-1.7.2p7/sudo.h
@@ -316,6 +316,7 @@ struct passwd *sudo_getpwuid __P((uid_t)
 struct group *sudo_getgrnam __P((const char *));
 struct group *sudo_fakegrnam __P((const char *));
 struct group *sudo_getgrgid __P((gid_t));
+int user_in_group(struct passwd *pw, const char *group);
 #ifdef HAVE_SELINUX
 void selinux_exec __P((char *, char *, char **, int));
 #endif
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Remember to have fun...
--
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org
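Review bot: The `grp != NULL` test inside the else branch of user_in_group() is dead: `grp == NULL` already jumps to `done` right after sudo_getgrnam(), so the condition can be reduced to `if (grp->gr_mem != NULL) {`. The function also has no header comment although it becomes part of the sudo.h interface in the same patch; it should state its contract, namely that it returns TRUE when `pw` belongs to `group` via the primary gid, the supplementary vector in `user_groups` (only when `pw` names the invoking or list user), or the group's `gr_mem` list, and FALSE when the group cannot be resolved, which is the fail-closed behaviour the new check in check.c relies on. It dereferences `pw` and `pw->pw_name` unconditionally, so the comment should also say that callers must pass a non-NULL passwd entry. Whether the `struct group` returned by sudo_getgrnam() is owned by a cache or must be released is not visible here; worth confirming that the early `goto done` paths do not leak it.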
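Review bot: The new prototype `int user_in_group(struct passwd *pw, const char *group);` is the only declaration in this block written without the `__P((...))` wrapper its neighbours use, so it is stylistically inconsistent and presumably the one line that would fail on the pre-ANSI compilers the wrapper exists for; write it as `int user_in_group __P((struct passwd *, const char *));` to match sudo_getgrnam and sudo_getgrgid directly above it.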