Name: sudo
Version: 1.9.2
Release: 9
Summary: Allows restricted root access for specified users
License: ISC
URL: http://www.courtesan.com/sudo/

Source0: https://www.sudo.ws/dist/%{name}-%{version}.tar.gz
Source1: sudoers
Source2: sudo
Source3: sudo-i

Patch0:  backport-CVE-2021-23239-Fix-potential-directory.patch
Patch1:  backport-Fix-some-warnings-from-pvs-studio.patch
Patch2:  backport-CVE-2021-23240-Add-security-checks.patch
Patch3:  backport-0001-CVE-2021-3156-Reset-valid_flags.patch
Patch4:  backport-0002-CVE-2021-3156-Add-sudoedit-flag-checks.patch
Patch5:  backport-0003-CVE-2021-3156-Fix-potential-buffer-overflow.patch
Patch6:  backport-0004-CVE-2021-3156-Fix-the-memset-offset.patch
Patch7:  backport-0005-CVE-2021-3156-Dont-assume-that-argv.patch
Patch8:  backport-Fix-runstatedir-handling-for-distros-that-do-not-support-it.patch
Patch9:  backport-In-json_stack_push-treat-stack-exhaustion-like-memory-allocation-failure.patch
Patch10: backport-Stricter-parsing-of-generalized-time.patch
Patch11: backport-Strict-tz-offset-parsing.patch
Patch12: backport-Only-strip-double-quotes-from-an-include-path-if-len.patch
Patch13: backport-0001-CVE-2022-37434.patch
Patch14: backport-0002-CVE-2022-37434.patch
Patch15: backport-fix-CVE-2022-33070.patch
Patch16: backport-Fix-CVE-2022-43995-potential-heap-overflow-for-passwords.patch
Patch17: backport-Fix-incorrect-SHA384-512-digest-calculation.patch
Patch18: backport-sudo_passwd_verify-zero-out-des_pass-before-returnin.patch
Patch19: backport-cvtsudoers-Prevent-sudo-from-reading-into-undefined-.patch
Patch20: backport-Fix-a-potential-use-after-free-bug-with-cvtsudoers-f.patch
Patch21: backport-Fix-memory-leak-of-pass-in-converse.patch
Patch22: backport-sudo_passwd_cleanup-Set-auth-data-to-NULL-after-free.patch

Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Requires: pam
Recommends: vim-minimal
Requires(post): coreutils

BuildRequires: pam-devel groff openldap-devel flex bison automake autoconf libtool
BuildRequires: audit-libs-devel libcap-devel libselinux-devel sendmail gettext zlib-devel
BuildRequires: chrpath git

%description
Sudo is a program designed to allow a sysadmin to give limited root privileges
to users and log root activity.  The basic philosophy is to give as few
privileges as possible but still allow people to get their work done.

%package        devel
Summary:        Development files for %{name}
Requires:       %{name} = %{version}-%{release}

%description    devel
The %{name}-devel package contains header files developing sudo
plugins that use %{name}.

%package_help

%prep
%autosetup -n %{name}-%{version} -S git

%build
autoreconf -I m4 -fv --install
export CFLAGS="$RPM_OPT_FLAGS -fpie" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"
%configure \
        --prefix=%{_prefix} \
        --sbindir=%{_sbindir} \
        --libdir=%{_libdir} \
        --docdir=%{_pkgdocdir} \
        --disable-root-mailer \
        --disable-log-server \
        --disable-log-client \
        --with-logging=syslog \
        --with-logfac=authpriv \
        --with-pam \
        --with-pam-login \
        --with-editor=/bin/vi \
        --with-env-editor \
        --with-ignore-dot \
        --with-tty-tickets \
        --with-ldap \
        --with-selinux \
        --with-passprompt="[sudo] password for %p: " \
        --with-linux-audit \
        --with-sssd

%make_build

%check
make check

%install
rm -rf $RPM_BUILD_ROOT
%make_install install_uid=`id -u` install_gid=`id -g` sudoers_uid=`id -u` sudoers_gid=`id -g`

chmod 755 $RPM_BUILD_ROOT%{_bindir}/* $RPM_BUILD_ROOT%{_sbindir}/* 
install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo
install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo/lectured
install -p -d -m 750 $RPM_BUILD_ROOT/etc/sudoers.d
install -p -c -m 0440 %{SOURCE1} $RPM_BUILD_ROOT/etc/sudoers
install -p -d -m 755 $RPM_BUILD_ROOT/etc/dnf/protected.d/

touch sudo.conf
echo sudo > sudo.conf
install -p -c -m 0644 sudo.conf $RPM_BUILD_ROOT/etc/dnf/protected.d/
rm -f sudo.conf

chmod +x $RPM_BUILD_ROOT%{_libexecdir}/sudo/*.so

rm -rf $RPM_BUILD_ROOT%{_pkgdocdir}/LICENSE
rm -rf $RPM_BUILD_ROOT%{_datadir}/examples/sudo

%delete_la

rm -f $RPM_BUILD_ROOT%{_sysconfdir}/sudoers.dist

%chrpath_delete
mkdir -p $RPM_BUILD_ROOT/etc/ld.so.conf.d
echo "/usr/libexec/sudo" > $RPM_BUILD_ROOT/etc/ld.so.conf.d/%{name}-%{_arch}.conf

%find_lang sudo
%find_lang sudoers

mkdir -p $RPM_BUILD_ROOT/etc/pam.d
install -p -c -m 0644 %{SOURCE2} $RPM_BUILD_ROOT/etc/pam.d/sudo
install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT/etc/pam.d/sudo-i

%post
/bin/chmod 0440 /etc/sudoers || :
/sbin/ldconfig || :

%postun -p /sbin/ldconfig

%files -f sudo.lang -f sudoers.lang
%attr(0440,root,root) %config(noreplace) /etc/sudoers
%attr(0750,root,root) %dir /etc/sudoers.d/
%attr(0644,root,root) %{_tmpfilesdir}/sudo.conf
%attr(0644,root,root) /etc/dnf/protected.d/sudo.conf
%attr(0640,root,root) /etc/sudo.conf
%attr(4111,root,root) %{_bindir}/sudo
%attr(0111,root,root) %{_bindir}/sudoreplay
%{_bindir}/sudoedit
%{_bindir}/cvtsudoers
%attr(0755,root,root) %{_sbindir}/visudo
%attr(0755,root,root) %{_libexecdir}/sudo/sesh
%attr(0644,root,root) %{_libexecdir}/sudo/sudo_noexec.so
%attr(0644,root,root) %{_libexecdir}/sudo/sudoers.so
%attr(0644,root,root) %{_libexecdir}/sudo/group_file.so
%attr(0644,root,root) %{_libexecdir}/sudo/system_group.so
%attr(0644,root,root) %{_libexecdir}/sudo/audit_json.so
%attr(0644,root,root) %{_libexecdir}/sudo/sample_approval.so
%attr(0644,root,root) %{_libexecdir}/sudo/libsudo_util.so*
%dir /var/db/sudo
%dir /var/db/sudo/lectured
%dir %{_libexecdir}/sudo
%config(noreplace) /etc/pam.d/sudo
%config(noreplace) /etc/pam.d/sudo-i
%config(noreplace) /etc/ld.so.conf.d/*
%license doc/LICENSE

%files devel
%{_includedir}/sudo_plugin.h

%files help
%dir %{_pkgdocdir}/
%{_mandir}/man5/*
%{_mandir}/man8/*
%{_mandir}/man1/*
%{_pkgdocdir}/*
%doc plugins/sample/sample_plugin.c
%exclude %{_pkgdocdir}/ChangeLog

%changelog
* Thu Dec 08 2022 wangyu <wangyu283@huawei.com> - 1.9.2-9
- Backport patches from upstream community

* Wed Nov 23 2022 wangyu <wangyu283@huawei.com> - 1.9.2-8
- Backport patches from upstream community

* Sat Nov 05 2022 wangyu <wangyu283@huawei.com> - 1.9.2-7
- Fix CVE-2022-43995

* Sat Sep 03 2022 wangyu <wangyu283@huawei.com> - 1.9.2-6
- Fix CVE-2022-37434 and CVE-2022-33070

* Thu Dec 23 2021 panxiaohe <panxiaohe@huawei.com> - 1.9.2-5
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:fix an out of bounds read and another issue found by fuzz

* Thu Sep 16 2021 yixiangzhike <zhangxingliang3@huawei.com> - 1.9.2-4
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:treat stack exhaustion like memory allocation failure

* Fri Jan 29 2021 zoulin <zoulin13@huawei.com> - 1.9.2-3
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:Fix runstatedir handling for distros that do not support it

* Wed Jan 27 2021 panxiaohe <panxiaohe@huawei.com> - 1.9.2-2
- Type:cves
- ID:NA
- SUG:NA
- DESC:fix CVE-2021-23239 CVE-2021-23240 CVE-2021-3156

* Thu Aug 27 2020 wangchen <wangchen137@huawei.com> - 1.9.2-1
- Type:enhancement
- ID:NA
- SUG:NA
- DESC:update to 1.9.2

* Fri Aug 21 2020 gaihuiying<gaihuiying1@huawei.com> - 1.8.27-5
- Type:enhancement
- ID:NA
- SUG:NA
- DESC:release +1 for rebuild

* Mon Jan 20 2020 openEuler Buildteam <buildteam@openeuler.org> - 1.8.27-4
- fix CVE-2019-19232 and CVE-2019-19234

* Sat Jan 11 2020 openEuler Buildteam <buildteam@openeuler.org> - 1.8.27-3
- clean code

* Mon Dec 16 2019 openEuler Buildteam <buildteam@openeuler.org> - 1.8.27-2
- Fix CVE-2019-14287

* Tue Aug 27 2019 openEuler Buildteam <buildteam@openeuler.org> - 1.8.27-1
- Package init