From 2158f6ac411e8fa6bebf47d72626bf619d136065 Mon Sep 17 00:00:00 2001
From: fly_fzc <2385803914@qq.com>
Date: Wed, 31 Jan 2024 15:11:19 +0800
Subject: [PATCH] Backport patch from upstream community
---
 ...only-try-to-reuse-a-privilege-if-one.patch | 29 +++++++++++++++++++
 sudo.spec | 8 +++--
 2 files changed, 35 insertions(+), 2 deletions(-)
 create mode 100644 backport-role_to_sudoers-only-try-to-reuse-a-privilege-if-one.patch
diff --git a/backport-role_to_sudoers-only-try-to-reuse-a-privilege-if-one.patch b/backport-role_to_sudoers-only-try-to-reuse-a-privilege-if-one.patch
new file mode 100644
index 0000000..18cf68f
--- /dev/null
+++ b/backport-role_to_sudoers-only-try-to-reuse-a-privilege-if-one.patch
@@ -0,0 +1,29 @@
+From 2ffcda8e15afe312550be4017d8c40dbb438b786 Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller"
+Date: Thu, 2 Nov 2023 14:42:42 -0600
+Subject: [PATCH] role_to_sudoers: only try to reuse a privilege if one is
+ present
+
+Reference:https://github.com/sudo-project/sudo/commit/2ffcda8e15afe312550be4017d8c40dbb438b786
+Conflict:NA
+
+---
+ plugins/sudoers/parse_ldif.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/plugins/sudoers/parse_ldif.c b/plugins/sudoers/parse_ldif.c
+index 87c94125c..180e7da6c 100644
+--- a/plugins/sudoers/parse_ldif.c
++++ b/plugins/sudoers/parse_ldif.c
+@@ -427,7 +427,7 @@ role_to_sudoers(struct sudoers_parse_tree *parse_tree, struct sudo_role *role,
+ U_("unable to allocate memory"));
+ }
+
+- if (reuse_privilege) {
++ if (reuse_privilege && !TAILQ_EMPTY(&us->privileges)) {
+ /* Hostspec unchanged, append cmndlist to previous privilege. */
+ struct privilege *prev_priv = TAILQ_LAST(&us->privileges, privilege_list);
+ if (reuse_runas) {
+--
+2.33.0
+
diff --git a/sudo.spec b/sudo.spec
index 9e770e0..0c52402 100644
--- a/sudo.spec
+++ b/sudo.spec
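Review bot: The backported patch header (subject, `Reference:`, `Conflict:NA`) never says which failure the new `!TAILQ_EMPTY(&us->privileges)` guard in role_to_sudoers() prevents, and the packaging commit and changelog only say "Backport patch from upstream community". On an empty tail queue `TAILQ_LAST` evaluates to NULL, so without the guard `prev_priv` would presumably be dereferenced as a null pointer in the lines after the hunk while LDIF input is being converted. Since this is a memory-safety fix in a privilege-management package, I would name it in the spec changelog, e.g. `- role_to_sudoers: only try to reuse a privilege if one is present`, so auditors can match the release to the upstream commit. The body of role_to_sudoers starts and ends outside the hunk, so the path taken when the list is empty is not visible here; it should be confirmed against upstream that it allocates a fresh privilege.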
@@ -1,6 +1,6 @@ Name: sudo Version: 1.9.8p2 -Release: 16 +Release: 17 Summary: Allows restricted root access for specified users License: ISC URL: http://www.courtesan.com/sudo/ @@ -42,6 +42,7 @@ Patch28: backport-sudoers_parse_ldif-do-not-free-parse_tree-before-usi.patch Patch29: backport-Do-not-rely-on-the-definition-of-ALLOW-DENY-being-tr.patch Patch30: backport-CVE-2023-42465.patch Patch31: backport-Make-all-match-functions-return-ALLOW-DENY-.patch +Patch32: backport-role_to_sudoers-only-try-to-reuse-a-privilege-if-one.patch Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -193,7 +194,10 @@ install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT/etc/pam.d/sudo-i %exclude %{_pkgdocdir}/ChangeLog %changelog -* Wed Jan 10 2024 zhangruifang - 1.9.8p2-16 +* Wed Jan 31 2024 fuanan - 1.9.8p2-17 +- Backport patch from upstream community + +* Wed Jan 10 2024 wangqingsan - 1.9.8p2-16 - fix CVE-2023-42465 * Tue Nov 28 2023 zhangruifang - 1.9.8p2-15 -- Gitee