diff --git a/backport-role_to_sudoers-only-try-to-reuse-a-privilege-if-one.patch b/backport-role_to_sudoers-only-try-to-reuse-a-privilege-if-one.patch new file mode 100644 index 0000000000000000000000000000000000000000..18cf68f725602ddb7d4f49b7121438198faefc14 --- /dev/null +++ b/backport-role_to_sudoers-only-try-to-reuse-a-privilege-if-one.patch @@ -0,0 +1,29 @@ +From 2ffcda8e15afe312550be4017d8c40dbb438b786 Mon Sep 17 00:00:00 2001 +From: "Todd C. Miller" +Date: Thu, 2 Nov 2023 14:42:42 -0600 +Subject: [PATCH] role_to_sudoers: only try to reuse a privilege if one is + present + +Reference:https://github.com/sudo-project/sudo/commit/2ffcda8e15afe312550be4017d8c40dbb438b786 +Conflict:NA + +--- + plugins/sudoers/parse_ldif.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/plugins/sudoers/parse_ldif.c b/plugins/sudoers/parse_ldif.c +index 87c94125c..180e7da6c 100644 +--- a/plugins/sudoers/parse_ldif.c ++++ b/plugins/sudoers/parse_ldif.c +@@ -427,7 +427,7 @@ role_to_sudoers(struct sudoers_parse_tree *parse_tree, struct sudo_role *role, + U_("unable to allocate memory")); + } + +- if (reuse_privilege) { ++ if (reuse_privilege && !TAILQ_EMPTY(&us->privileges)) { + /* Hostspec unchanged, append cmndlist to previous privilege. */ + struct privilege *prev_priv = TAILQ_LAST(&us->privileges, privilege_list); + if (reuse_runas) { +-- +2.33.0 + diff --git a/sudo.spec b/sudo.spec index 6f715393eb21ed4e3d05c4f0a67333911f3bf340..8f59a86cd1f46f84fed7fe2b6aa8303cffe633b0 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,6 +1,6 @@ Name: sudo Version: 1.9.8p2 -Release: 15 +Release: 16 Summary: Allows restricted root access for specified users License: ISC URL: http://www.courtesan.com/sudo/ @@ -41,6 +41,7 @@ Patch27: backport-sudoers_parse_ldif-do-not-free-parse_tree-before-usi.patch Patch28: backport-Do-not-rely-on-the-definition-of-ALLOW-DENY-being-tr.patch Patch29: backport-CVE-2023-42465.patch Patch30: backport-Make-all-match-functions-return-ALLOW-DENY-.patch +Patch31: backport-role_to_sudoers-only-try-to-reuse-a-privilege-if-one.patch Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) Requires: pam @@ -191,6 +192,9 @@ install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT/etc/pam.d/sudo-i %exclude %{_pkgdocdir}/ChangeLog %changelog +* Wed Jan 31 2024 fuanan - 1.9.8p2-16 +- Backport patch from upstream community + * Tue Jan 9 2024 wangqingsan - 1.9.8p2-15 - fix CVE-2023-42465