From nobody Wed Feb 15 03:41:32 2023 X-Original-To: ports-bugs@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4PGkQP0Jcvz3rBQk for ; Wed, 15 Feb 2023 03:41:33 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4PGkQN5MZWz3GC6 for ; Wed, 15 Feb 2023 03:41:32 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1676432492; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=ZRt6Qwza1x/7kPCRiJz5m+hE+YBTX+AFOPz7zwUhJ9Y=; b=HpXEgSMxjzVhNLJvcuFzjokkYt3kgblI8SZ4TIoVeTijskl3Bkaq4biMPuZkaPh8OMhTQ1 GREEXLTQ2MRGBJKIl0VqF56DgtzPjP9jv5sSxpsimprFesFzpSIiXiDeRe52HVaa/Poh4Y YB8iudN5bgv2b/I+twiIkGjG6C8zZ2QOy9bX+cabk2+vcL3WgXWUquCrhkY0lj8tcJTkAl ThW0wI9RYsm78/oR75x3oDo5l+zAytYV19SRY3/I0luVOT42jgixslWqiPoha0SoaPLWnl vUW6gduPtXdnrlIwnKaCGqujMM4pqq1nOP+0dINjYApYeREJQ6kYLeRO4JC80A== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1676432492; a=rsa-sha256; cv=none; b=KeSoEPfEq/3EzNMsagV36Jvhnj+ZpR5pRjD1JhdujDKlRaqQZtf8Y07ywlPbtQ9u2vqXQ6 yjQNW1OSeMFIeyVKTcwGBdbCgXeVTTNXfA0TW58v8wLA9Y0D6m1hR3KXO9UskDXPT88ZwN fqadHgWYvyahfkfKVMIpx6CmjNxu+Tc1gJX53Bjp/d0n9CMH1fHcO5oXrrGXSi/imTxa7O CSvfmxwXeLdhDFJSztxlJgE2869m08v84VUtM5Wj7KHs/nXUH3TD/MHdSeFjUFmBXzj4qc 6UxUjryz1hJjeXa+LVpKvNk/lSfzcvdXVSetvJnpWN+1m3zrkTZp2SlupCxpsQ== Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2610:1c1:1:606c::50:1d]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4PGkQN4HfPz1PGx for ; Wed, 15 Feb 2023 03:41:32 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org ([127.0.1.5]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id 31F3fW47077096 for ; Wed, 15 Feb 2023 03:41:32 GMT (envelope-from bugzilla-noreply@freebsd.org) Received: (from www@localhost) by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id 31F3fWH8077095 for ports-bugs@FreeBSD.org; Wed, 15 Feb 2023 03:41:32 GMT (envelope-from bugzilla-noreply@freebsd.org) X-Authentication-Warning: kenobi.freebsd.org: www set sender to bugzilla-noreply@freebsd.org using -f From: bugzilla-noreply@freebsd.org To: ports-bugs@FreeBSD.org Subject: [Bug 269563] [PATCH] security/sudo: Update to 1.9.13 Date: Wed, 15 Feb 2023 03:41:32 +0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: new X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Ports & Packages X-Bugzilla-Component: Individual Port(s) X-Bugzilla-Version: Latest X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Only Me X-Bugzilla-Who: cy@FreeBSD.org X-Bugzilla-Status: New X-Bugzilla-Resolution: X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: garga@FreeBSD.org X-Bugzilla-Flags: maintainer-feedback? maintainer-feedback? merge-quarterly? X-Bugzilla-Changed-Fields: bug_id short_desc product version rep_platform op_sys bug_status bug_severity priority component assigned_to reporter cc flagtypes.name attachments.created Message-ID: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated List-Id: Ports bug reports List-Archive: https://lists.freebsd.org/archives/freebsd-ports-bugs List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-ports-bugs@freebsd.org X-BeenThere: freebsd-ports-bugs@freebsd.org MIME-Version: 1.0 X-ThisMailContainsUnwantedMimeParts: N https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D269563 Bug ID: 269563 Summary: [PATCH] security/sudo: Update to 1.9.13 Product: Ports & Packages Version: Latest Hardware: Any OS: Any Status: New Severity: Affects Only Me Priority: --- Component: Individual Port(s) Assignee: garga@FreeBSD.org Reporter: cy@FreeBSD.org CC: garga@FreeBSD.org, ports-bugs@FreeBSD.org Flags: maintainer-feedback?(garga@FreeBSD.org) Flags: maintainer-feedback?(garga@FreeBSD.org), merge-quarterly? CC: garga@FreeBSD.org Created attachment 240165 --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=3D240165&action= =3Dedit Update sudo to 1.9.13 Sudo version 1.9.13 is now available. In addition to bug fixes, sudo 1.9.13 adds a new "list" pseudo-command in sudoers that can be used to give a user permission to list another user's privileges. Previously, it was necessary to give a user permission to run any command as either root or the target user for them to be able to use the -U option. Source: https://www.sudo.ws/dist/sudo-1.9.13.tar.gz ftp://ftp.sudo.ws/pub/sudo/sudo-1.9.13.tar.gz SHA256 checksum: 3f55455b46edb0a129d925dcc39972f12f7c7fb78d0ccab6017ee16c8177e436 MD5 checksum: caf38f60c7a58aa4d16c7c9e3bbdeebb Binary packages: https://www.sudo.ws/getting/packages/ https://github.com/sudo-project/sudo/releases/tag/SUDO_1_9_13 For a list of download mirror sites, see: https://www.sudo.ws/getting/download_mirrors/ Sudo web site: https://www.sudo.ws/ Major changes between sudo 1.9.13 and 1.9.12p2: * Fixed a bug running relative commands via sudo when "log_subcmds" is enabled. GitHub issue #194. * Fixed a signal handling bug when running sudo commands in a shell script. Signals were not being forwarded to the command when the sudo process was not run in its own process group. * Fixed a bug in cvtsudoers' LDIF parsing when the file ends without a newline and a backslash is the last character of the file. * Fixed a potential use-after-free bug with cvtsudoers filtering. GitHub issue #198. * Added a reminder to the default lecture that the password will not echo. This line is only displayed when the pwfeedback option is disabled. GitHub issue #195. * Fixed potential memory leaks in error paths. GitHub issues #199, #202. * Fixed potential NULL dereferences on memory allocation failure. GitHub issues #204, #211. * Sudo now uses C23-style attributes in function prototypes instead of gcc-style attributes if supported. * Added a new "list" pseudo-command in sudoers to allow a user to list another user's privileges. Previously, only root or a user with the ability to run any command as either root or the target user on the current host could use the -U option. This also includes a fix to the log entry when a user lacks permission to run "sudo -U otheruser -l command". Previously, the logs would indicate that the user tried to run the actual command, now the log entry includes the list operation. * JSON logging now escapes control characters if they happen to appear in the command or environment. * New Albanian translation from translationproject.org. * Regular expressions in sudoers or logsrvd.conf may no longer contain consecutive repetition operators. This is implementation- specific behavior according to POSIX, but some implementations will allocate excessive amounts of memory. This mainly affects the fuzzers. * Sudo now builds AIX-style shared libraries and dynamic shared objects by default instead of svr4-style. This means that the default sudo plugins are now .a (archive) files that contain a .so shared object file instead of bare .so files. This was done to improve compatibility with the AIX Freeware ecosystem, specifically, the AIX Freeware build of OpenSSL. Sudo will still load svr4-style .so plugins and if a .so file is requested, either via sudo.conf or the sudoers file, and only the .a file is present, sudo will convert the path from plugin.so to plugin.a(plugin.so) when loading it. This ensures compatibility with existing configurations. To restore the old, pre-1.9.13 behavior, run configure using the --with-aix-soname=3Dsvr4 option. * Sudo no longer checks the ownership and mode of the plugins that it loads. Plugins are configured via either the sudo.conf or sudoers file which are trusted configuration files. These checks suffered from time-of-check vs. time-of-use race conditions and complicate loading plugins that are not simple paths. Ownership and mode checks are still performed when loading the sudo.conf and sudoers files, which do not suffer from race conditions. The sudo.conf "developer_mode" setting is no longer used. * Control characters in sudo log messages and "sudoreplay -l" output are now escaped in octal format. Space characters in the command path are also escaped. Command line arguments that contain spaces are surrounded by single quotes and any literal single quote or backslash characters are escaped with a backslash. This makes it possible to distinguish multiple command line arguments from a single argument that contains spaces. * Improved support for DragonFly BSD which uses a different struct procinfo than either FreeBSD or 4.4BSD. * Fixed a compilation error on Linux arm systems running older kernels that may not define EM_ARM in linux/elf-em.h. GitHub issue #232. * Fixed a compilation error when LDFLAGS contains -Wl,--no-undefined. Sudo will now link using -Wl,--no-undefined by default if possible. GitHub issue #234. * Fixed a bug executing a command with a very long argument vector when "log_subcmds" or "intercept" is enabled on a system where "intercept_type" is set to "trace". GitHub issue #194. * When sudo is configured to run a command in a pseudo-terminal but the standard input is not connected to a terminal, the command will now be run as a background process. This works around a problem running sudo commands in the background from a shell script where changing the terminal to raw mode could interfere with the interactive shell that ran the script. GitHub issue #237. * A missing include file in sudoers is no longer a fatal error unless the error_recovery plugin argument has been set to false. 2. (text/plain) ____________________________________________________________ sudo-announce mailing list For list information, options, or to unsubscribe, visit: https://www.sudo.ws/mailman/listinfo/sudo-announce --=20 You are receiving this mail because: You are on the CC list for the bug.=