Bug 243745 - [PATCH] security/sudo update 1.8.30 --> 1.8.31
Summary: [PATCH] security/sudo update 1.8.30 --> 1.8.31
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Renato Botelho
Reported: 2020-01-30 22:17 UTC by Cy Schubert
Modified: 2020-02-01 05:16 UTC
garga: maintainer-feedback+


Attachments
Update sudo to 1.8.31 (781 bytes, patch)
2020-01-30 22:18 UTC, Cy Schubert

Description Cy Schubert freebsd_committer freebsd_triage 2020-01-30 22:17:19 UTC

    
Comment 1 Cy Schubert freebsd_committer freebsd_triage 2020-01-30 22:17:51 UTC
Sudo 1.8.31 is now available.  This version fixes a serious bug
when the "pwfeedback" option is enabled in sudoers that can lead
to a buffer overflow.  See https://www.sudo.ws/alerts/pwfeedback.html
for full details.

Source:
    https://www.sudo.ws/dist/sudo-1.8.31.tar.gz
    ftp://ftp.sudo.ws/pub/sudo/sudo-1.8.31.tar.gz

SHA256 checksum:
    7ea8d97a3cee4c844e0887ea7a1bd80eb54cc98fd77966776cb1a80653ad454f
MD5 checksum:
    ce17ff6e72a70f8d5dabba8abf3cd2de

Binary packages:
    https://www.sudo.ws/download.html#binary

For a list of download mirror sites, see:
    https://www.sudo.ws/download_mirrors.html

Sudo web site:
    https://www.sudo.ws/

Sudo web site mirrors:
    https://www.sudo.ws/mirrors.html

Major changes between sudo 1.8.31 and 1.8.30

 * Fixed CVE-2019-18634, a buffer overflow when the "pwfeedback"
   sudoers option is enabled on systems with uni-directional pipes.

 * The "sudoedit_checkdir" option now treats a user-owned directory
   as writable, even if it does not have the write bit set at the
   time of check.  Symbolic links will no longer be followed by
   sudoedit in any user-owned directory.  Bug #912

 * Fixed sudoedit on macOS 10.15 and above where the root file system
   is mounted read-only.  Bug #913.

 * Fixed a crash introduced in sudo 1.8.30 when suspending sudo
   at the password prompt.  Bug #914.

 * Fixed compilation on systems where the mmap MAP_ANON flag
   is not available.  Bug #915.

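A static check for the condition the announcement in Comment 1 describes (a sudo release older than 1.8.31 with "pwfeedback" enabled in sudoers), as an added example that is not part of the bug report or of the sudo project. The function names and the sample sudoers text are hypothetical, and the parser is a simplification: it reads a single sudoers text, does not follow include directives, and treats every '#' as the start of a comment.

```python
import re
FIXED = (1, 8, 31)  # first fixed release, per the announcement above
DEFAULTS = re.compile(r"^\s*Defaults(\S*)\s+(.*)$")
FLAG = re.compile(r"(?:^|[\s,])(!*)pwfeedback(?=$|[\s,])")

# Constructed sample, not taken from any real host.
SAMPLE_SUDOERS = """\
Defaults env_reset, \\
         pwfeedback
Defaults !pwfeedback
Defaults:alice pwfeedback
"""

def parse_version(text):
    """(major, minor, patch) from text such as 'Sudo version 1.8.30'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError("no sudo version in %r" % (text,))
    return tuple(map(int, m.groups()))

def logical_lines(text):
    """Yield (first_lineno, line) with backslash continuations joined."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        start = start or no
        if raw.endswith("\\"):
            buf += raw[:-1]
            continue
        yield start, buf + raw
        buf, start = "", None
    if start:
        yield start, buf

def pwfeedback_lines(sudoers_text):
    """Line numbers of Defaults entries that leave pwfeedback switched on."""
    global_on, scoped_on = None, []
    for no, line in logical_lines(sudoers_text):
        m = DEFAULTS.match(line.split("#", 1)[0])  # simplification: '#' starts a comment
        for bangs in FLAG.findall(m.group(2)) if m else ():
            enabled = len(bangs) % 2 == 0
            if not m.group(1):       # global entry: the last one wins
                global_on = no if enabled else None
            elif enabled:            # Defaults:user, @host, >runas, !cmnd
                scoped_on.append(no)
    return sorted(([global_on] if global_on else []) + scoped_on)

def exposed(version_text, sudoers_text):
    """Lines to review when sudo predates the fix and pwfeedback is on."""
    old = parse_version(version_text) < FIXED
    return pwfeedback_lines(sudoers_text) if old else []
```

For the sample, the global setting ends up disabled by the later `!pwfeedback` entry, so only the per-user entry for `alice` is reported.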
Comment 2 Cy Schubert freebsd_committer freebsd_triage 2020-01-30 22:18:32 UTC
Created attachment 211209
Update sudo to 1.8.31
Comment 3 Renato Botelho freebsd_committer freebsd_triage 2020-01-31 13:09:36 UTC
I was working on this update yesterday when my test box crashed.  Please go ahead and commit it.  Thank you!
Comment 4 commit-hook freebsd_committer freebsd_triage 2020-01-31 14:00:10 UTC
A commit references this bug:

Author: cy
Date: Fri Jan 31 13:59:20 UTC 2020
New revision: 524707
URL: https://svnweb.freebsd.org/changeset/ports/524707

Log:
  security/sudo update 1.8.30 --> 1.8.31

  PR:		243745
  Submitted by:	cy@
  Reported by:	cy@
  Approved by:	garga@
  MFH:		2020Q1
  Security:	 CVE-2019-18634

Changes:
  head/security/sudo/Makefile
  head/security/sudo/distinfo
Comment 5 commit-hook freebsd_committer freebsd_triage 2020-02-01 04:14:35 UTC
A commit references this bug:

Author: cy
Date: Sat Feb  1 04:13:44 UTC 2020
New revision: 524754
URL: https://svnweb.freebsd.org/changeset/ports/524754

Log:
  MFH: r524707

  security/sudo update 1.8.30 --> 1.8.31

  PR:		243745
  Submitted by:	cy@
  Reported by:	cy@
  Approved by:	garga@
  Security:	CVE-2019-18634

  Approved by:	portmgr (miwi@)

Changes:
_U  branches/2020Q1/
  branches/2020Q1/security/sudo/Makefile
  branches/2020Q1/security/sudo/distinfo
Comment 6 Cy Schubert freebsd_committer freebsd_triage 2020-02-01 05:16:05 UTC
Committed.