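# Package identity. The main binary is shipped setuid root (see the files
# section), so everything named in this preamble ends up in privileged code.
Name:           sudo
Version:        1.9.2
Release:        16
Summary:        Allows restricted root access for specified users
License:        ISC
# Project home on the same HTTPS origin that Source0 is fetched from
# (previously a plain-HTTP link to the legacy courtesan.com address).
URL:            https://www.sudo.ws/

# Upstream release tarball.
# NOTE(review): nothing in this spec checks a signature or digest for the
# archive - confirm the build service pins or verifies it.
Source0:        https://www.sudo.ws/dist/%{name}-%{version}.tar.gz
# Distribution-supplied files; the install section copies them to
# /etc/sudoers, /etc/pam.d/sudo and /etc/pam.d/sudo-i respectively.
Source1:        sudoers
Source2:        sudo
Source3:        sudo-i
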
# Downstream patch stack carried on top of the 1.9.2 tarball. The autosetup
# call in the prep section applies these in numeric order, so do not renumber
# or reorder entries: later backports may depend on earlier ones.
# The grouping comments below repeat only what the patch file names state.

# sudoedit fixes: CVE-2021-23239 and CVE-2021-23240, plus static-analysis warnings
Patch0:         backport-CVE-2021-23239-Fix-potential-directory.patch
Patch1:         backport-Fix-some-warnings-from-pvs-studio.patch
Patch2:         backport-CVE-2021-23240-Add-security-checks.patch

# CVE-2021-3156: five-part series (flag checks, buffer overflow, memset offset, argv)
Patch3:         backport-0001-CVE-2021-3156-Reset-valid_flags.patch
Patch4:         backport-0002-CVE-2021-3156-Add-sudoedit-flag-checks.patch
Patch5:         backport-0003-CVE-2021-3156-Fix-potential-buffer-overflow.patch
Patch6:         backport-0004-CVE-2021-3156-Fix-the-memset-offset.patch
Patch7:         backport-0005-CVE-2021-3156-Dont-assume-that-argv.patch

# Build and parser robustness fixes
Patch8:         backport-Fix-runstatedir-handling-for-distros-that-do-not-support-it.patch
Patch9:         backport-In-json_stack_push-treat-stack-exhaustion-like-memory-allocation-failure.patch
Patch10:        backport-Stricter-parsing-of-generalized-time.patch
Patch11:        backport-Strict-tz-offset-parsing.patch
Patch12:        backport-Only-strip-double-quotes-from-an-include-path-if-len.patch

# CVE-2022-37434, CVE-2022-33070, CVE-2022-43995
Patch13:        backport-0001-CVE-2022-37434.patch
Patch14:        backport-0002-CVE-2022-37434.patch
Patch15:        backport-fix-CVE-2022-33070.patch
Patch16:        backport-Fix-CVE-2022-43995-potential-heap-overflow-for-passwords.patch

# Memory-safety and credential-handling fixes (digest calculation, password
# buffer zeroing, use-after-free, leak, dangling auth data pointer)
Patch17:        backport-Fix-incorrect-SHA384-512-digest-calculation.patch
Patch18:        backport-sudo_passwd_verify-zero-out-des_pass-before-returnin.patch
Patch19:        backport-cvtsudoers-Prevent-sudo-from-reading-into-undefined-.patch
Patch20:        backport-Fix-a-potential-use-after-free-bug-with-cvtsudoers-f.patch
Patch21:        backport-Fix-memory-leak-of-pass-in-converse.patch
Patch22:        backport-sudo_passwd_cleanup-Set-auth-data-to-NULL-after-free.patch

# CVE-2023-22809, CVE-2023-28486 and CVE-2023-28487
Patch23:        backport-CVE-2023-22809.patch
Patch24:        backport-CVE-2023-28486_CVE-2023-28487.patch

# Architecture and usability fixes
Patch25:        Fix-compilation-error-on-sw64-arch.patch
Patch26:        backport-don-t-report-a-usage-error-for-sudo-V.patch

# CVE-2023-42465 together with the ALLOW/DENY return-value changes listed around it
Patch27:        backport-Do-not-rely-on-the-definition-of-ALLOW-DENY-being-tr.patch
Patch28:        backport-CVE-2023-42465.patch
Patch29:        backport-Make-all-match-functions-return-ALLOW-DENY-not-true-.patch
Patch30:        backport-role_to_sudoers-only-try-to-reuse-a-privilege-if-one.patch

# Legacy tag, kept unchanged. NOTE(review): recent rpm releases choose the
# buildroot themselves and ignore this value - confirm before relying on it.
Buildroot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)

# Runtime: PAM for authentication, an editor for visudo/sudoedit (weak
# dependency), and coreutils for the chmod call in the post scriptlet.
Requires:       pam
Recommends:     vim-minimal
Requires(post): coreutils

# Build-time dependencies, one per line; the set is unchanged.
BuildRequires:  pam-devel
BuildRequires:  groff
BuildRequires:  openldap-devel
BuildRequires:  flex
BuildRequires:  bison
BuildRequires:  automake
BuildRequires:  autoconf
BuildRequires:  libtool
BuildRequires:  audit-libs-devel
BuildRequires:  libcap-devel
BuildRequires:  libselinux-devel
BuildRequires:  sendmail
BuildRequires:  gettext
BuildRequires:  zlib-devel
BuildRequires:  chrpath
BuildRequires:  git

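%description
Sudo is a program designed to allow a sysadmin to give limited root privileges
to users and log root activity. The basic philosophy is to give as few
privileges as possible but still allow people to get their work done.

%package devel
# Plugin development headers; pinned to the exact version-release of the main
# package so the header always matches the installed plugin API.
Summary: Development files for %{name}
Requires: %{name} = %{version}-%{release}

%description devel
The %{name}-devel package contains header files for developing sudo
plugins that use %{name}.

%package_help
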
%prep
# Unpack Source0 and apply Patch0 through Patch30 in order, using a scratch
# git repository as the patch backend (hence the git build dependency).
%autosetup -S git -n %{name}-%{version}

%build
# Regenerate the autotools output before configuring (presumably because the
# patch stack touches configure inputs - confirm).
autoreconf -I m4 -fv --install

# Hardening flags: position-independent executable, read-only relocations and
# immediate binding (full RELRO) for the setuid binary and its helpers.
export CFLAGS="$RPM_OPT_FLAGS -fpie"
export LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"

# Security-relevant configure choices, for reviewers:
#  - logging goes to syslog, facility authpriv; the log server and log client
#    are compiled out, and mail is not sent as root (root mailer disabled).
#  - with-ignore-dot: "." in the caller's PATH is not searched.
#  - with-tty-tickets: cached credentials are tracked per terminal.
#  - with-env-editor: the caller's editor environment variables may choose the
#    editor. Editor selection from the environment is the input handled by
#    Patch23 (CVE-2023-22809), so that patch must stay applied while this
#    option is enabled.
#  - authentication and policy back ends: PAM, LDAP, SSSD; SELinux and Linux
#    audit support are built in.
%configure \
    --prefix=%{_prefix} \
    --sbindir=%{_sbindir} \
    --libdir=%{_libdir} \
    --docdir=%{_pkgdocdir} \
    --disable-root-mailer \
    --disable-log-server \
    --disable-log-client \
    --with-logging=syslog \
    --with-logfac=authpriv \
    --with-pam \
    --with-pam-login \
    --with-editor=/bin/vi \
    --with-env-editor \
    --with-ignore-dot \
    --with-tty-tickets \
    --with-ldap \
    --with-selinux \
    --with-passprompt="[sudo] password for %p: " \
    --with-linux-audit \
    --with-sssd

%make_build

%check
# Run the upstream regression suite against the patched tree; a failing test
# stops the package build.
make check

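%install
rm -rf "$RPM_BUILD_ROOT"

# Install as the invoking uid/gid so the step also works in an unprivileged
# build; packaged ownership and modes are set in the files section, not here.
%make_install install_uid="$(id -u)" install_gid="$(id -g)" sudoers_uid="$(id -u)" sudoers_gid="$(id -g)"

# Buildroot-only permissions: make the installed programs readable and
# owner-writable (presumably so later build-time processing can handle the
# execute-only binaries). The shipped modes come from the files section.
chmod 755 "$RPM_BUILD_ROOT%{_bindir}"/* "$RPM_BUILD_ROOT%{_sbindir}"/*

# State and policy directories, created with restrictive modes from the start.
install -p -d -m 700 "$RPM_BUILD_ROOT/var/db/sudo"
install -p -d -m 700 "$RPM_BUILD_ROOT/var/db/sudo/lectured"
install -p -d -m 750 "$RPM_BUILD_ROOT/etc/sudoers.d"
# Distribution sudoers policy (Source1), read-only for root and group.
install -p -c -m 0440 %{SOURCE1} "$RPM_BUILD_ROOT/etc/sudoers"
install -p -d -m 755 "$RPM_BUILD_ROOT/etc/dnf/protected.d"

# Register sudo as a dnf protected package. The one-line file is written
# directly into the buildroot instead of via a scratch file in the build tree.
echo sudo > "$RPM_BUILD_ROOT/etc/dnf/protected.d/sudo.conf"
chmod 0644 "$RPM_BUILD_ROOT/etc/dnf/protected.d/sudo.conf"

# Buildroot-only: plugins get the execute bit here; they are packaged 0644.
chmod +x "$RPM_BUILD_ROOT%{_libexecdir}/sudo"/*.so

# Drop files that are packaged another way or not shipped at all.
rm -rf "$RPM_BUILD_ROOT%{_pkgdocdir}/LICENSE"
rm -rf "$RPM_BUILD_ROOT%{_datadir}/examples/sudo"

%delete_la

rm -f "$RPM_BUILD_ROOT%{_sysconfdir}/sudoers.dist"

# The sudo library directory is added to the system loader configuration,
# using the same libexecdir macro the files section uses (presumably so the
# shared utility library still resolves once the rpath is removed - confirm).
# Review caveat: this puts the directory on every process's library search
# path, so it must remain root-owned and not writable by group or others.
%chrpath_delete
mkdir -p "$RPM_BUILD_ROOT/etc/ld.so.conf.d"
echo "%{_libexecdir}/sudo" > "$RPM_BUILD_ROOT/etc/ld.so.conf.d/%{name}-%{_arch}.conf"

%find_lang sudo
%find_lang sudoers

# PAM stacks for sudo and sudo -i (Source2 and Source3).
mkdir -p "$RPM_BUILD_ROOT/etc/pam.d"
install -p -c -m 0644 %{SOURCE2} "$RPM_BUILD_ROOT/etc/pam.d/sudo"
install -p -c -m 0644 %{SOURCE3} "$RPM_BUILD_ROOT/etc/pam.d/sudo-i"
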
%post
# Re-assert mode 0440 on the live policy file. It is packaged as noreplace
# config, so an admin-edited copy survives upgrades; a failure here must not
# abort the transaction.
/bin/chmod 0440 /etc/sudoers || true
# Refresh the loader cache for the ld.so.conf.d entry this package ships.
/sbin/ldconfig || true

%postun -p /sbin/ldconfig

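%files -f sudo.lang -f sudoers.lang
# Policy and configuration. sudoers and its drop-in directory are root-only;
# noreplace keeps local edits across upgrades.
%attr(0440,root,root) %config(noreplace) /etc/sudoers
%attr(0750,root,root) %dir /etc/sudoers.d/
%attr(0640,root,root) %config(noreplace) /etc/sudo.conf
%attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/sudo.conf
%attr(0644,root,root) %{_tmpfilesdir}/sudo.conf
%config(noreplace) /etc/pam.d/sudo
%config(noreplace) /etc/pam.d/sudo-i
# Named explicitly rather than by glob, so only the loader snippet created in
# the install section can be owned by this package.
%config(noreplace) /etc/ld.so.conf.d/%{name}-%{_arch}.conf

# Programs. sudo is the setuid-root entry point and is execute-only (4111):
# unprivileged users can run it but cannot read or copy the binary.
%attr(4111,root,root) %{_bindir}/sudo
%attr(0111,root,root) %{_bindir}/sudoreplay
# No explicit attr on the next two: they keep the mode left in the buildroot.
# NOTE(review): sudoedit is normally a link to sudo - confirm.
%{_bindir}/sudoedit
%{_bindir}/cvtsudoers
%attr(0755,root,root) %{_sbindir}/visudo
%attr(0755,root,root) %{_libexecdir}/sudo/sesh

# Plugins and the shared utility library used by the programs above:
# root-owned and writable by root only.
%dir %{_libexecdir}/sudo
%attr(0644,root,root) %{_libexecdir}/sudo/sudo_noexec.so
%attr(0644,root,root) %{_libexecdir}/sudo/sudoers.so
%attr(0644,root,root) %{_libexecdir}/sudo/group_file.so
%attr(0644,root,root) %{_libexecdir}/sudo/system_group.so
%attr(0644,root,root) %{_libexecdir}/sudo/audit_json.so
%attr(0644,root,root) %{_libexecdir}/sudo/sample_approval.so
%attr(0644,root,root) %{_libexecdir}/sudo/libsudo_util.so*

# State directories. Mode and owner are stated explicitly (0700 root:root,
# the mode the install section creates them with) instead of being inherited
# from whatever the buildroot happens to contain.
%attr(0700,root,root) %dir /var/db/sudo
%attr(0700,root,root) %dir /var/db/sudo/lectured

%license doc/LICENSE
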
%files devel
# Plugin API header only.
%{_includedir}/sudo_plugin.h

%files help
# Documentation directory and its contents, minus the upstream ChangeLog,
# plus the sample plugin source and all manual pages.
%dir %{_pkgdocdir}/
%{_pkgdocdir}/*
%exclude %{_pkgdocdir}/ChangeLog
%doc plugins/sample/sample_plugin.c
%{_mandir}/man1/*
%{_mandir}/man5/*
%{_mandir}/man8/*

%changelog
|
|
* Thu Jun 27 2024 gengqihu <gengqihu2@h-partners.com> - 1.9.2-16
|
|
- Backport patch from upstream community
|
|
|
|
* Mon Jan 8 2024 wangqingsan <wangqingsan@huawei.com> - 1.9.2-15
|
|
- fix CVE-2023-42465.
|
|
|
|
* Mon Nov 27 2023 zhangruifang <zhangruifang1@h-partners.com> - 1.9.2-14
|
|
- Don't report a usage error for "sudo -V".
|
|
|
|
* Wed Apr 12 2023 wangyu <wangyu283@huawei.com> - 1.9.2-13
|
|
- Fix compilation error on sw64 arch.
|
|
|
|
* Mon Apr 10 2023 zhangzeyang <zhangzeyang@kylinos.cn> - 1.9.2-12
|
|
- change spec fix profile Overwrite
|
|
|
|
* Tue Mar 28 2023 wangcheng <wangcheng156@huawei.com> - 1.9.2-11
|
|
- Fix CVE-2023-28486 and CVE-2023-28487
|
|
|
|
* Mon Jan 30 2023 wangyu <wangyu283@huawei.com> - 1.9.2-10
|
|
- Fix CVE-2023-22809.
|
|
|
|
* Thu Dec 08 2022 wangyu <wangyu283@huawei.com> - 1.9.2-9
|
|
- Backport patches from upstream community
|
|
|
|
* Wed Nov 23 2022 wangyu <wangyu283@huawei.com> - 1.9.2-8
|
|
- Backport patches from upstream community
|
|
|
|
* Sat Nov 05 2022 wangyu <wangyu283@huawei.com> - 1.9.2-7
|
|
- Fix CVE-2022-43995
|
|
|
|
* Sat Sep 03 2022 wangyu <wangyu283@huawei.com> - 1.9.2-6
|
|
- Fix CVE-2022-37434 and CVE-2022-33070
|
|
|
|
* Thu Dec 23 2021 panxiaohe <panxiaohe@huawei.com> - 1.9.2-5
|
|
- Type:bugfix
|
|
- ID:NA
|
|
- SUG:NA
|
|
- DESC:fix an out of bounds read and another issue found by fuzz
|
|
|
|
* Thu Sep 16 2021 yixiangzhike <zhangxingliang3@huawei.com> - 1.9.2-4
|
|
- Type:bugfix
|
|
- ID:NA
|
|
- SUG:NA
|
|
- DESC:treat stack exhaustion like memory allocation failure
|
|
|
|
* Fri Jan 29 2021 zoulin <zoulin13@huawei.com> - 1.9.2-3
|
|
- Type:bugfix
|
|
- ID:NA
|
|
- SUG:NA
|
|
- DESC:Fix runstatedir handling for distros that do not support it
|
|
|
|
* Wed Jan 27 2021 panxiaohe <panxiaohe@huawei.com> - 1.9.2-2
|
|
- Type:cves
|
|
- ID:NA
|
|
- SUG:NA
|
|
- DESC:fix CVE-2021-23239 CVE-2021-23240 CVE-2021-3156
|
|
|
|
* Thu Aug 27 2020 wangchen <wangchen137@huawei.com> - 1.9.2-1
|
|
- Type:enhancement
|
|
- ID:NA
|
|
- SUG:NA
|
|
- DESC:update to 1.9.2
|
|
|
|
* Fri Aug 21 2020 gaihuiying <gaihuiying1@huawei.com> - 1.8.27-5
|
|
- Type:enhancement
|
|
- ID:NA
|
|
- SUG:NA
|
|
- DESC:release +1 for rebuild
|
|
|
|
* Mon Jan 20 2020 openEuler Buildteam <buildteam@openeuler.org> - 1.8.27-4
|
|
- fix CVE-2019-19232 and CVE-2019-19234
|
|
|
|
* Sat Jan 11 2020 openEuler Buildteam <buildteam@openeuler.org> - 1.8.27-3
|
|
- clean code
|
|
|
|
* Mon Dec 16 2019 openEuler Buildteam <buildteam@openeuler.org> - 1.8.27-2
|
|
- Fix CVE-2019-14287
|
|
|
|
* Tue Aug 27 2019 openEuler Buildteam <buildteam@openeuler.org> - 1.8.27-1
|
|
- Package init
|