Hello community,
here is the log from the commit of package sudo for openSUSE:Factory checked in at 2013-07-03 10:27:44
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/sudo (Old)
and /work/SRC/openSUSE:Factory/.sudo.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "sudo"
Changes:
--------
--- /work/SRC/openSUSE:Factory/sudo/sudo.changes 2013-06-29 14:51:56.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.sudo.new/sudo.changes 2013-07-03 10:27:45.000000000 +0200
@@ -1,0 +2,5 @@
+Tue Jul 2 16:30:19 UTC 2013 - dmueller@suse.com
+
+- restore accidentally dropped suse-specific patches
+
+-------------------------------------------------------------------
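Review bot: The new changelog entry does not name the patches it restores. Listing them (sudo-sudoers.patch and sudoers2ldif-env.patch, as shown under "New:") would let someone reading sudo.changes alone see that the SUSE default sudoers policy came back in this revision.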
@@ -5 +10,21 @@
- * especially all local patches are obsoleted by upstream fixes
+ * remove CVE-2013-1775
+ * remove CVE-2013-1776
+ * The non-Unix group plugin is now supported when sudoers data is stored in LDAP.
+ * User messages are now always displayed in the user's locale, even when the
+ same message is being logged or mailed in a different locale.
+ * Log files created by sudo now explicitly have the group set to group ID 0
+ rather than relying on BSD group semantics (which may not be the default).
+ * A new exec_background sudoers option can be used to initially run the
+ command without read access to the terminal when running a command in a
+ pseudo-tty.
+ * Sudo now produces better error messages when there is an error in the sudo.conf file.
+ * Two new settings have been added to sudo.conf to give the admin better control of
+ how group database queries are performed.
+ * There is now a standalone sudo.conf manual page.
+ * New support for specifying a SHA-2 digest along with the command in sudoers.
+ Supported hash types are sha224, sha256, sha384 and sha512. See the description
+ of Digest_Spec in the sudoers manual or the description of sudoCommand in the
+ sudoers.ldap manual for details.
+ * Fixed potential false positives in visudo's alias cycle detection.
+ * Sudo now only builds Position Independent Executables (PIE) by default on Linux
+ systems and verifies that a trivial test program builds and runs.
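Review bot: The entries "remove CVE-2013-1775" and "remove CVE-2013-1776" at the top of this hunk read as though security fixes were dropped. If these are the local patches that the replaced line described as obsoleted by upstream fixes, say so, for example "remove CVE-2013-1775 patch, fixed upstream", so the CVE identifiers stay searchable without suggesting a regression.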
New:
----
sudo-sudoers.patch
sudoers2ldif-env.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ sudo.spec ++++++
--- /var/tmp/diff_new_pack.CgEB9C/_old 2013-07-03 10:27:46.000000000 +0200
+++ /var/tmp/diff_new_pack.CgEB9C/_new 2013-07-03 10:27:46.000000000 +0200
@@ -26,6 +26,9 @@
Source0: http://sudo.ws/sudo/dist/%{name}-%{version}.tar.gz
Source1: sudo.pamd
Source2: README.SUSE
+Patch0: sudoers2ldif-env.patch
+# PATCH-OPENSUSE: the "SUSE" branding of the default sudo config
+Patch1: sudo-sudoers.patch
BuildRequires: audit-devel
BuildRequires: groff
BuildRequires: libselinux-devel
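Review bot: Patch0 has no descriptive comment, while Patch1 carries a PATCH-OPENSUSE line. Add a matching comment above "Patch0: sudoers2ldif-env.patch" stating why the interpreter line is changed and whether the patch is intended for upstream.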
@@ -53,6 +56,8 @@
%prep
%setup -q
+%patch0 -p1
+%patch1 -p1
%build
%ifarch s390 s390x %sparc
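Review bot: "%patch1 -p1" applies sudo-sudoers.patch, whose header still names sudo-1.8.0, while the header of the Patch0 file names sudo-1.8.7. Refresh sudo-sudoers.patch against the current source so its context is known to match the sudoers.in that is actually shipped, since this file defines the default policy.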
++++++ sudo-sudoers.patch ++++++
Index: sudo-1.8.0/plugins/sudoers/sudoers.in
===================================================================
--- sudo-1.8.0.orig/plugins/sudoers/sudoers.in
+++ sudo-1.8.0/plugins/sudoers/sudoers.in
@@ -31,37 +31,36 @@
##
## Defaults specification
##
-## You may wish to keep some of the following environment variables
-## when running commands via sudo.
-##
-## Locale settings
-# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET"
-##
-## Run X applications through sudo; HOME is used to find the
-## .Xauthority file. Note that other programs use HOME to find
-## configuration files and this may lead to privilege escalation!
-# Defaults env_keep += "HOME"
-##
-## X11 resource path settings
-# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH"
-##
-## Desktop path settings
-# Defaults env_keep += "QTDIR KDEDIR"
-##
-## Allow sudo-run commands to inherit the callers' ConsoleKit session
-# Defaults env_keep += "XDG_SESSION_COOKIE"
-##
-## Uncomment to enable special input methods. Care should be taken as
-## this may allow users to subvert the command being run via sudo.
-# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
+## Prevent environment variables from influencing programs in an
+## unexpected or harmful way (CVE-2005-2959, CVE-2005-4158, CVE-2006-0151)
+Defaults always_set_home
+Defaults env_reset
+## Change env_reset to !env_reset in previous line to keep all environment variables
+## Following list will no longer be necessary after this change
+
+Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
+## Comment out the preceding line and uncomment the following one if you need
+## to use special input methods. This may allow users to compromise the root
+## account if they are allowed to run commands without authentication.
+#Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
+
+## Do not insult users when they enter an incorrect password.
+Defaults !insults
+
##
## Uncomment to enable logging of a command's output, except for
## sudoreplay and reboot. Use sudoreplay to play back logged sessions.
# Defaults log_output
# Defaults!/usr/bin/sudoreplay !log_output
-# Defaults!/usr/local/bin/sudoreplay !log_output
# Defaults!/sbin/reboot !log_output
+## In the default (unconfigured) configuration, sudo asks for the root password.
+## This allows use of an ordinary user account for administration of a freshly
+## installed system. When configuring sudo, delete the two
+## following lines:
+Defaults targetpw # ask for the password of the target user i.e. root
+ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!
+
##
## Runas alias specification
##
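Review bot: The active pair "Defaults targetpw" and "ALL ALL=(ALL) ALL" at the end of this hunk is only safe as a pair, and the only guard is a trailing comment on the second line. If an admin removes or overrides only "Defaults targetpw" (for instance from a file in the sudoers.d directory that is included further down), the remaining "ALL ALL=(ALL) ALL" rule lets every user run any command with their own password. Spell out that consequence in the comment block above the pair, and separate the block from the log_output examples with a "##" line so it is not read as part of them. Separately, "Defaults env_keep = ..." uses "=" where the removed examples used "+=", so it replaces the list rather than extending it. If that is intended, a one-line comment saying so would stop someone from "fixing" it later.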
@@ -77,14 +76,6 @@ root ALL=(ALL) ALL
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
-## Uncomment to allow members of group sudo to execute any command
-# %sudo ALL=(ALL) ALL
-
-## Uncomment to allow any user to run sudo if they know the password
-## of the user they are running the command as (root by default).
-# Defaults targetpw # Ask for the password of the target user
-# ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw'
-
## Read drop-in files from @sysconfdir@/sudoers.d
## (the '#' here does not indicate a comment)
#includedir @sysconfdir@/sudoers.d
++++++ sudoers2ldif-env.patch ++++++
Index: sudo-1.8.7/plugins/sudoers/sudoers2ldif
===================================================================
--- sudo-1.8.7.orig/plugins/sudoers/sudoers2ldif
+++ sudo-1.8.7/plugins/sudoers/sudoers2ldif
@@ -1,4 +1,4 @@
-#!/usr/bin/env perl
+#!/usr/bin/perl
#
# Copyright (c) 2007, 2010-2011, 2013 Todd C. Miller
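Review bot: The patch changes the interpreter line from "#!/usr/bin/env perl" to "#!/usr/bin/perl" with no description of why. Add a short header to the patch explaining the reason (the env form resolves perl through PATH, the fixed path does not) so the next version update does not drop it again by accident.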