FreeBSD Bugzilla – Attachment 192969 Details for
Bug 227900
security/sudo: Update to 1.8.23
[patch]
patch file
security_sudo.patch (text/plain), 7.08 KB, created by
Yasuhiro Kimura
on 2018-05-01 15:06:43 UTC
Description:
patch file
Filename:
MIME Type:
Creator:
Yasuhiro Kimura
Created:
2018-05-01 15:06:43 UTC
Size:
7.08 KB
patch
obsolete
>Index: Makefile
>===================================================================
>--- Makefile (revision 468760)
>+++ Makefile (working copy)
>@@ -2,8 +2,7 @@
> # $FreeBSD$
> 
> PORTNAME= sudo
>-PORTVERSION= 1.8.22
>-PORTREVISION= 5
>+PORTVERSION= 1.8.23
> CATEGORIES= security
> MASTER_SITES= SUDO
> 
>Index: distinfo
>===================================================================
>--- distinfo (revision 468760)
>+++ distinfo (working copy)
>@@ -1,3 +1,3 @@
>-TIMESTAMP = 1516196577
>-SHA256 (sudo-1.8.22.tar.gz) = 7256cb27c20883b14360eddbd17f98922073d104b214cf65aeacf1d9c9b9fd02
>-SIZE (sudo-1.8.22.tar.gz) = 3029051
>+TIMESTAMP = 1525182816
>+SHA256 (sudo-1.8.23.tar.gz) = d863d29b6fc87bc784a3223350e2b28a2ff2c4738f0fb8f1c92bb38c3017e679
>+SIZE (sudo-1.8.23.tar.gz) = 3150674
>Index: files/patch-plugins_sudoers_match.c
>===================================================================
>--- files/patch-plugins_sudoers_match.c (revision 468760)
>+++ files/patch-plugins_sudoers_match.c (nonexistent)
>@@ -1,208 +0,0 @@
>---- plugins/sudoers/match.c Mon Jan 15 10:31:56 2018 -0700
>-+++ plugins/sudoers/match.c Tue Apr 24 09:49:28 2018 -0600
>-@@ -1,5 +1,5 @@
>- /*
>-- * Copyright (c) 1996, 1998-2005, 2007-2017
>-+ * Copyright (c) 1996, 1998-2005, 2007-2018
>- * Todd C. Miller <Todd.Miller@sudo.ws>
>- *
>- * Permission to use, copy, modify, and distribute this software for any
>-@@ -447,31 +447,20 @@ do_stat(int fd, const char *path, struct
>- }
>- 
>- /*
>-- * On systems with fexecve(2), set the close-on-exec flag on the file
>-- * descriptor only if the file is not a script. Because scripts need
>-- * to be executed by an interpreter the fd must remain open for the
>-- * interpreter to use.
>-+ * Check whether the fd refers to a shell script with a "#!" shebang.
>- */
>--static void
>--set_cloexec(int fd)
>-+static bool
>-+is_script(int fd)
>- {
>-- bool is_script = false;
>--#ifdef HAVE_FEXECVE
>-+ bool ret = false;
>- char magic[2];
>- 
>-- /* Check for #! cookie and set is_script. */
>- if (read(fd, magic, 2) == 2) {
>- if (magic[0] == '#' && magic[1] == '!')
>-- is_script = true;
>-+ ret = true;
>- }
>- (void) lseek(fd, (off_t)0, SEEK_SET);
>--#endif /* HAVE_FEXECVE */
>-- /*
>-- * Shell scripts go through namei twice and so we can't set the close
>-- * on exec flag on the fd for fexecve(2).
>-- */
>-- if (!is_script)
>-- (void)fcntl(fd, F_SETFD, FD_CLOEXEC);
>-+ return ret;
>- }
>- 
>- /*
>-@@ -500,16 +489,57 @@ open_cmnd(const char *path, const struct
>- if (fd == -1)
>- debug_return_bool(false);
>- 
>-- set_cloexec(fd);
>-+ (void)fcntl(fd, F_SETFD, FD_CLOEXEC);
>- *fdp = fd;
>- debug_return_bool(true);
>- }
>- 
>-+static void
>-+set_cmnd_fd(int fd)
>-+{
>-+ debug_decl(set_cmnd_fd, SUDOERS_DEBUG_MATCH)
>-+
>-+ if (cmnd_fd != -1)
>-+ close(cmnd_fd);
>-+
>-+ if (fd != -1) {
>-+ if (def_fdexec == never) {
>-+ /* Never use fexedcve() */
>-+ close(fd);
>-+ fd = -1;
>-+ } else if (is_script(fd)) {
>-+ char fdpath[PATH_MAX];
>-+ struct stat sb;
>-+ int flags;
>-+
>-+ /* We can only use fexecve() on a script if /dev/fd/N exists. */
>-+ snprintf(fdpath, sizeof(fdpath), "/dev/fd/%d", fd);
>-+ if (stat(fdpath, &sb) != 0) {
>-+ /* Missing /dev/fd file, can't use fexecve(). */
>-+ close(fd);
>-+ fd = -1;
>-+ } else {
>-+ /*
>-+ * Shell scripts go through namei twice so we can't have the
>-+ * close on exec flag set on the fd for fexecve(2).
>-+ */
>-+ flags = fcntl(fd, F_GETFD) & ~FD_CLOEXEC;
>-+ (void)fcntl(fd, F_SETFD, flags);
>-+ }
>-+ }
>-+ }
>-+
>-+ cmnd_fd = fd;
>-+
>-+ debug_return;
>-+}
>-+
>- static bool
>- command_matches_fnmatch(const char *sudoers_cmnd, const char *sudoers_args,
>- const struct sudo_digest *digest)
>- {
>- struct stat sb; /* XXX - unused */
>-+ int fd = -1;
>- debug_decl(command_matches_fnmatch, SUDOERS_DEBUG_MATCH)
>- 
>- /*
>-@@ -522,30 +552,22 @@ command_matches_fnmatch(const char *sudo
>- if (fnmatch(sudoers_cmnd, user_cmnd, FNM_PATHNAME) != 0)
>- debug_return_bool(false);
>- if (command_args_match(sudoers_cmnd, sudoers_args)) {
>-- if (cmnd_fd != -1) {
>-- close(cmnd_fd);
>-- cmnd_fd = -1;
>-- }
>- /* Open the file for fdexec or for digest matching.
*/
>- if (!open_cmnd(user_cmnd, digest, &cmnd_fd))
>-+ if (!open_cmnd(user_cmnd, digest, &fd))
>- goto bad;
>-- if (!do_stat(cmnd_fd, user_cmnd, &sb))
>-+ if (!do_stat(fd, user_cmnd, &sb))
>- goto bad;
>- /* Check digest of user_cmnd since sudoers_cmnd is a pattern. */
>-- if (digest != NULL) {
>-- if (!digest_matches(cmnd_fd, user_cmnd, digest))
>-- goto bad;
>-- if (def_fdexec == never) {
>-- close(cmnd_fd);
>-- cmnd_fd = -1;
>-- }
>-- }
>-+ if (digest != NULL && !digest_matches(fd, user_cmnd, digest))
>-+ goto bad;
>-+ set_cmnd_fd(fd);
>-+
>- /* No need to set safe_cmnd since user_cmnd matches sudoers_cmnd */
>- debug_return_bool(true);
>- bad:
>-- if (cmnd_fd != -1) {
>-- close(cmnd_fd);
>-- cmnd_fd = -1;
>-+ if (fd != -1) {
>-+ close(fd);
>-+ fd = -1;
>- }
>- debug_return_bool(false);
>- }
>-@@ -673,16 +695,7 @@ done:
>- if (cp != NULL) {
>- if (command_args_match(sudoers_cmnd, sudoers_args)) {
>- /* safe_cmnd was set above. */
>-- if (cmnd_fd != -1) {
>-- close(cmnd_fd);
>-- cmnd_fd = -1;
>-- }
>-- if (fd != -1) {
>-- if (def_fdexec == never)
>-- close(fd);
>-- else
>-- cmnd_fd = fd;
>-- }
>-+ set_cmnd_fd(fd);
>- debug_return_bool(true);
>- }
>- }
>-@@ -728,6 +741,7 @@ digest_matches(int fd, const char *file,
>- debug_decl(digest_matches, SUDOERS_DEBUG_MATCH)
>- 
>- file_digest = sudo_filedigest(fd, file, sd->digest_type, &digest_len);
>-+ lseek(fd, SEEK_SET, (off_t)0);
>- if (file_digest == NULL) {
>- /* Warning (if any) printed by sudo_filedigest() */
>- goto done;
>-@@ -826,16 +840,7 @@ command_matches_normal(const char *sudoe
>- sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
>- goto bad;
>- }
>-- if (cmnd_fd != -1) {
>-- close(cmnd_fd);
>-- cmnd_fd = -1;
>-- }
>-- if (fd != -1) {
>-- if (def_fdexec == never)
>-- close(fd);
>-- else
>-- cmnd_fd = fd;
>-- }
>-+ set_cmnd_fd(fd);
>- debug_return_bool(true);
>- bad:
>- if (fd != -1)
>-@@ -921,16 +926,7 @@ command_matches_dir(const char *sudoers_
>- closedir(dirp);
>- 
>- if (dent != NULL)
{
>-- if (cmnd_fd != -1) {
>-- close(cmnd_fd);
>-- cmnd_fd = -1;
>-- }
>-- if (fd != -1) {
>-- if (def_fdexec == never)
>-- close(fd);
>-- else
>-- cmnd_fd = fd;
>-- }
>-+ set_cmnd_fd(fd);
>- debug_return_bool(true);
>- }
>- if (fd != -1)
>Index: pkg-plist
>===================================================================
>--- pkg-plist (revision 468760)
>+++ pkg-plist (working copy)
>@@ -1,3 +1,4 @@
>+bin/cvtsudoers
> bin/sudo
> bin/sudoedit
> bin/sudoreplay
>@@ -11,6 +12,7 @@
> libexec/sudo/sudo_noexec.so
> libexec/sudo/sudoers.so
> libexec/sudo/system_group.so
>+man/man1/cvtsudoers.1.gz
> man/man5/sudo.conf.5.gz
> man/man5/sudoers.5.gz
> man/man5/sudoers_timestamp.5.gz
>@@ -97,6 +99,7 @@
> %%NLS%%share/locale/vi/LC_MESSAGES/sudoers.mo
> %%NLS%%share/locale/zh_CN/LC_MESSAGES/sudo.mo
> %%NLS%%share/locale/zh_CN/LC_MESSAGES/sudoers.mo
>+%%NLS%%share/locale/zh_TW/LC_MESSAGES/sudo.mo
> @dir etc/sudoers.d
> @dir /var/db/sudo/lectured
> @dir /var/db/sudo