This patch will upgrade Sudo version 1.7.2 patchlevel 7 to Sudo version 1.7.2 patchlevel 8. To apply: $ cd sudo-1.7.2p7 $ patch -p1 < sudo-1.7.2p8.patch diff -urNa sudo-1.7.2p7/ChangeLog sudo-1.7.2p8/ChangeLog --- sudo-1.7.2p7/ChangeLog Wed Jun 2 10:14:40 2010 +++ sudo-1.7.2p8/ChangeLog Wed Jun 30 09:15:24 2010 @@ -1,3 +1,29 @@ +2010-06-29 Todd C. Miller + + * env.c: In unsetenv() check for NULL or empty name as per + POSIX 1003.1-2008 + + * env.c: Do not rely on env.env_len when unsetting a variable, + just use the NULL terminator. + +2010-06-25 Todd C. Miller + + * env.c: In unsetenv(), do not assign ep early as we may + end up reallocating env.envp which could result in ep + pointing to freed memory if the environ pointer is out + of sync with env.envp. + + * pwutil.c: Ignore case when matching user/group names in + the cache. From Quest sudo. + + * sudo.c: Defer call to sudo_nonunix_groupcheck_cleanup() + until after we have closed the sudoers sources. From Quest + sudo. + + * vasgroups.c: Use warningx() instead of log_error() since + the latter is not available to visudo or testsudoers. This + does mean that they don't end up in syslog. + 2010-06-02 Todd C. Miller * auth/pam.c: Fix OpenPAM detection for newer versions. diff -urNa sudo-1.7.2p7/configure sudo-1.7.2p8/configure --- sudo-1.7.2p7/configure Wed Jun 2 09:38:22 2010 +++ sudo-1.7.2p8/configure Wed Jun 30 09:17:19 2010 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.61 for sudo 1.7.2p7. +# Generated by GNU Autoconf 2.61 for sudo 1.7.2p8. # # Report bugs to . # @@ -724,8 +724,8 @@ # Identity of this package. PACKAGE_NAME='sudo' PACKAGE_TARNAME='sudo' -PACKAGE_VERSION='1.7.2p7' -PACKAGE_STRING='sudo 1.7.2p7' +PACKAGE_VERSION='1.7.2p8' +PACKAGE_STRING='sudo 1.7.2p8' PACKAGE_BUGREPORT='http://www.sudo.ws/bugs/' # Factoring default headers for most tests. 
@@ -1417,7 +1417,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures sudo 1.7.2p7 to adapt to many kinds of systems. +\`configure' configures sudo 1.7.2p8 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1482,7 +1482,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of sudo 1.7.2p7:";; + short | recursive ) echo "Configuration of sudo 1.7.2p8:";; esac cat <<\_ACEOF @@ -1684,7 +1684,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -sudo configure 1.7.2p7 +sudo configure 1.7.2p8 generated by GNU Autoconf 2.61 Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001, @@ -1698,7 +1698,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by sudo $as_me 1.7.2p7, which was +It was created by sudo $as_me 1.7.2p8, which was generated by GNU Autoconf 2.61. Invocation command line was $ $0 $@ @@ -24725,7 +24725,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by sudo $as_me 1.7.2p7, which was +This file was extended by sudo $as_me 1.7.2p8, which was generated by GNU Autoconf 2.61. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -24774,7 +24774,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF ac_cs_version="\\ -sudo config.status 1.7.2p7 +sudo config.status 1.7.2p8 configured by $0, generated by GNU Autoconf 2.61, with options \\"`echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\" diff -urNa sudo-1.7.2p7/configure.in sudo-1.7.2p8/configure.in --- sudo-1.7.2p7/configure.in Wed Jun 2 09:28:49 2010 +++ sudo-1.7.2p8/configure.in Wed Jun 30 09:16:51 2010 
@@ -3,7 +3,7 @@ dnl dnl Copyright (c) 1994-1996,1998-2010 Todd C. Miller dnl -AC_INIT([sudo], [1.7.2p7], [http://www.sudo.ws/bugs/], [sudo]) +AC_INIT([sudo], [1.7.2p8], [http://www.sudo.ws/bugs/], [sudo]) AC_CONFIG_HEADER(config.h pathnames.h) dnl dnl This won't work before AC_INIT diff -urNa sudo-1.7.2p7/env.c sudo-1.7.2p8/env.c --- sudo-1.7.2p7/env.c Fri May 28 10:04:41 2010 +++ sudo-1.7.2p8/env.c Tue Jun 29 09:27:27 2010 @@ -317,10 +317,10 @@ unsetenv(var) const char *var; { - char **ep = env.envp; + char **ep; size_t len; - if (strchr(var, '=') != NULL) { + if (var == NULL || *var == '\0' || strchr(var, '=') != NULL) { errno = EINVAL; #ifdef UNSETENV_VOID return; @@ -355,17 +355,18 @@ } len = strlen(var); - while (*ep != NULL) { + for (ep = env.envp; *ep != NULL;) { if (strncmp(var, *ep, len) == 0 && (*ep)[len] == '=') { - /* Found it; shift remainder + NULL over by one and update len. */ - memmove(ep, ep + 1, - (env.env_len - (ep - env.envp)) * sizeof(char *)); - env.env_len--; + /* Found it; shift remainder + NULL over by one. */ + char **cur = ep; + while ((*cur = *(cur + 1)) != NULL) + cur++; /* Keep going, could be multiple instances of the var. */ } else { ep++; } } + env.env_len = ep - env.envp; #ifndef UNSETENV_VOID return(0); #endif @@ -462,13 +463,14 @@ if (found && overwrite) { while (*ep != NULL) { if (strncmp(str, *ep, len) == 0) { - memmove(ep, ep + 1, - (env.env_len - (ep - env.envp)) * sizeof(char *)); - env.env_len--; + char **cur = ep; + while ((*cur = *(cur + 1)) != NULL) + cur++; } else { ep++; } } + env.env_len = ep - env.envp; } } diff -urNa sudo-1.7.2p7/pwutil.c sudo-1.7.2p8/pwutil.c --- sudo-1.7.2p7/pwutil.c Fri Apr 9 06:12:02 2010 +++ sudo-1.7.2p8/pwutil.c Fri Jun 25 09:59:10 2010 
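Review bot: Both rewritten removal loops in env.c (the `for (ep = env.envp; *ep != NULL;)` loop in unsetenv() and the pruning loop in the `@@ -462` hunk) now have the NULL terminator as their only bound, and nothing on the new side states that invariant. With the `env.env_len` arithmetic gone, an `env.envp` array that has lost its terminator would be read and shifted past its allocation, so the assumption deserves a comment above each loop, such as `/* env.envp must be NULL-terminated; env_len is recomputed from the terminator below. */`. The shift itself (`char **cur = ep; while ((*cur = *(cur + 1)) != NULL) cur++;`) is duplicated in both places and would read better as one static helper, which would also give the invariant a single home. In the second site the resync `env.env_len = ep - env.envp;` sits inside `if (found && overwrite)`, and both function bodies extend outside the hunks, so whether other paths can still see a stale length cannot be judged from here.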
@@ -106,7 +106,7 @@ { const struct passwd *pw1 = (const struct passwd *) v1; const struct passwd *pw2 = (const struct passwd *) v2; - return(strcmp(pw1->pw_name, pw2->pw_name)); + return(strcasecmp(pw1->pw_name, pw2->pw_name)); } #define FIELD_SIZE(src, name, size) \ @@ -408,7 +408,7 @@ { const struct group *grp1 = (const struct group *) v1; const struct group *grp2 = (const struct group *) v2; - return(strcmp(grp1->gr_name, grp2->gr_name)); + return(strcasecmp(grp1->gr_name, grp2->gr_name)); } struct group * diff -urNa sudo-1.7.2p7/sudo.c sudo-1.7.2p8/sudo.c --- sudo-1.7.2p7/sudo.c Fri Apr 9 06:12:02 2010 +++ sudo-1.7.2p8/sudo.c Tue Jun 29 10:54:29 2010 @@ -359,11 +359,6 @@ } } -#ifdef USING_NONUNIX_GROUPS - /* Finished with the groupcheck code */ - sudo_nonunix_groupcheck_cleanup(); -#endif - if (safe_cmnd == NULL) safe_cmnd = estrdup(user_cmnd); @@ -466,6 +461,11 @@ tq_foreach_fwd(snl, nss) nss->close(nss); +#ifdef USING_NONUNIX_GROUPS + /* Finished with the groupcheck code */ + sudo_nonunix_groupcheck_cleanup(); +#endif + /* Deferred exit due to sudo_ldap_close() */ if (ISSET(sudo_mode, (MODE_VALIDATE|MODE_CHECK|MODE_LIST))) exit(rc); @@ -1444,6 +1444,9 @@ tq_foreach_fwd(snl, nss) nss->close(nss); } +#ifdef USING_NONUNIX_GROUPS + sudo_nonunix_groupcheck_cleanup(); +#endif sudo_endpwent(); sudo_endgrent(); } diff -urNa sudo-1.7.2p7/sudo.cat sudo-1.7.2p8/sudo.cat --- sudo-1.7.2p7/sudo.cat Tue Jun 1 14:20:38 2010 +++ sudo-1.7.2p8/sudo.cat Wed Jun 30 09:21:00 2010 @@ -61,7 +61,7 @@ -1.7.2p7 June 1, 2010 1 +1.7.2p8 June 30, 2010 1 @@ -127,7 +127,7 @@ -1.7.2p7 June 1, 2010 2 +1.7.2p8 June 30, 2010 2 @@ -193,7 +193,7 @@ -1.7.2p7 June 1, 2010 3 +1.7.2p8 June 30, 2010 3 @@ -259,7 +259,7 @@ -1.7.2p7 June 1, 2010 4 +1.7.2p8 June 30, 2010 4 @@ -325,7 +325,7 @@ -1.7.2p7 June 1, 2010 5 +1.7.2p8 June 30, 2010 5 @@ -391,7 +391,7 @@ -1.7.2p7 June 1, 2010 6 +1.7.2p8 June 30, 2010 6 @@ -457,7 +457,7 @@ -1.7.2p7 June 1, 2010 7 +1.7.2p8 June 30, 2010 7 
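Review bot: Switching the cache comparator to `strcasecmp(pw1->pw_name, pw2->pw_name)` makes names that differ only in case compare equal, so on a system where `Admin` and `admin` (constructed examples) are separate accounts, a cache lookup for one can return the entry stored for the other, and with it the wrong uid and gid for a privilege decision. The group comparator in the `@@ -408` hunk has the same exposure through `gr_name`. If the folding is only needed for the directory-backed names that the Quest changes target, which the ChangeLog suggests but the hunks do not show, it could be limited to builds that define `USING_NONUNIX_GROUPS` and keep `strcmp` otherwise. At minimum each comparator should state the consequence, for example `/* Case-insensitive: names differing only in case share one cache entry. */`. Both function signatures lie outside the hunks.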
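Review bot: With the call added in the `@@ -1444` hunk, `sudo_nonunix_groupcheck_cleanup()` can apparently run twice in one process, once after the `nss->close(nss)` loop in the `@@ -466` hunk and again from the later cleanup path, and nothing on the new side says it is safe to repeat. The vasgroups.c code visible in this patch resets `libvas_handle = NULL` after `dlclose()`, which would cover that step if it belongs to this function, but the rest of the cleanup is not shown, so its idempotence should be confirmed. The new call also lacks the comment the other site carries; something like `/* May already have run; must be safe to call twice. */` would record the requirement. All three enclosing functions start and end outside the hunks.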
@@ -523,7 +523,7 @@ -1.7.2p7 June 1, 2010 8 +1.7.2p8 June 30, 2010 8 @@ -589,7 +589,7 @@ -1.7.2p7 June 1, 2010 9 +1.7.2p8 June 30, 2010 9 @@ -655,6 +655,6 @@ -1.7.2p7 June 1, 2010 10 +1.7.2p8 June 30, 2010 10 diff -urNa sudo-1.7.2p7/sudo.man.in sudo-1.7.2p8/sudo.man.in --- sudo-1.7.2p7/sudo.man.in Tue Jun 1 14:19:00 2010 +++ sudo-1.7.2p8/sudo.man.in Wed Jun 30 09:20:40 2010 @@ -144,7 +144,7 @@ .\" ======================================================================== .\" .IX Title "SUDO @mansectsu@" -.TH SUDO @mansectsu@ "June 1, 2010" "1.7.2p7" "MAINTENANCE COMMANDS" +.TH SUDO @mansectsu@ "June 30, 2010" "1.7.2p8" "MAINTENANCE COMMANDS" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -urNa sudo-1.7.2p7/sudoers.cat sudo-1.7.2p8/sudoers.cat --- sudo-1.7.2p7/sudoers.cat Tue Jun 1 14:20:52 2010 +++ sudo-1.7.2p8/sudoers.cat Wed Jun 30 09:21:00 2010 @@ -61,7 +61,7 @@ -1.7.2p7 June 1, 2010 1 +1.7.2p8 June 30, 2010 1 @@ -127,7 +127,7 @@ -1.7.2p7 June 1, 2010 2 +1.7.2p8 June 30, 2010 2 @@ -193,7 +193,7 @@ -1.7.2p7 June 1, 2010 3 +1.7.2p8 June 30, 2010 3 @@ -259,7 +259,7 @@ -1.7.2p7 June 1, 2010 4 +1.7.2p8 June 30, 2010 4 @@ -325,7 +325,7 @@ -1.7.2p7 June 1, 2010 5 +1.7.2p8 June 30, 2010 5 @@ -391,7 +391,7 @@ -1.7.2p7 June 1, 2010 6 +1.7.2p8 June 30, 2010 6 @@ -457,7 +457,7 @@ -1.7.2p7 June 1, 2010 7 +1.7.2p8 June 30, 2010 7 @@ -523,7 +523,7 @@ -1.7.2p7 June 1, 2010 8 +1.7.2p8 June 30, 2010 8 @@ -589,7 +589,7 @@ -1.7.2p7 June 1, 2010 9 +1.7.2p8 June 30, 2010 9 @@ -655,7 +655,7 @@ -1.7.2p7 June 1, 2010 10 +1.7.2p8 June 30, 2010 10 @@ -717,11 +717,11 @@ passprompt_override The password prompt specified by _p_a_s_s_p_r_o_m_p_t will - normally only be used if the password prompt provided by + normally only be used if the password prompt provided -1.7.2p7 June 1, 2010 11 +1.7.2p8 June 30, 2010 11 
@@ -730,9 +730,9 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - systems such as PAM matches the string "Password:". If - _p_a_s_s_p_r_o_m_p_t___o_v_e_r_r_i_d_e is set, _p_a_s_s_p_r_o_m_p_t will always be - used. This flag is _o_f_f by default. + by systems such as PAM matches the string "Password:". + If _p_a_s_s_p_r_o_m_p_t___o_v_e_r_r_i_d_e is set, _p_a_s_s_p_r_o_m_p_t will always + be used. This flag is _o_f_f by default. preserve_groups By default, ssuuddoo will initialize the group vector to the list of groups the target user is in. When @@ -787,7 +787,7 @@ -1.7.2p7 June 1, 2010 12 +1.7.2p8 June 30, 2010 12 @@ -853,7 +853,7 @@ -1.7.2p7 June 1, 2010 13 +1.7.2p8 June 30, 2010 13 @@ -919,7 +919,7 @@ -1.7.2p7 June 1, 2010 14 +1.7.2p8 June 30, 2010 14 @@ -985,7 +985,7 @@ -1.7.2p7 June 1, 2010 15 +1.7.2p8 June 30, 2010 15 @@ -1051,7 +1051,7 @@ -1.7.2p7 June 1, 2010 16 +1.7.2p8 June 30, 2010 16 @@ -1117,7 +1117,7 @@ -1.7.2p7 June 1, 2010 17 +1.7.2p8 June 30, 2010 17 @@ -1183,7 +1183,7 @@ -1.7.2p7 June 1, 2010 18 +1.7.2p8 June 30, 2010 18 @@ -1249,7 +1249,7 @@ -1.7.2p7 June 1, 2010 19 +1.7.2p8 June 30, 2010 19 @@ -1315,7 +1315,7 @@ -1.7.2p7 June 1, 2010 20 +1.7.2p8 June 30, 2010 20 @@ -1381,7 +1381,7 @@ -1.7.2p7 June 1, 2010 21 +1.7.2p8 June 30, 2010 21 @@ -1447,7 +1447,7 @@ -1.7.2p7 June 1, 2010 22 +1.7.2p8 June 30, 2010 22 @@ -1513,7 +1513,7 @@ -1.7.2p7 June 1, 2010 23 +1.7.2p8 June 30, 2010 23 @@ -1579,7 +1579,7 @@ -1.7.2p7 June 1, 2010 24 +1.7.2p8 June 30, 2010 24 @@ -1645,6 +1645,6 @@ -1.7.2p7 June 1, 2010 25 +1.7.2p8 June 30, 2010 25 diff -urNa sudo-1.7.2p7/sudoers.ldap.cat sudo-1.7.2p8/sudoers.ldap.cat --- sudo-1.7.2p7/sudoers.ldap.cat Tue Jun 1 14:21:16 2010 +++ sudo-1.7.2p8/sudoers.ldap.cat Wed Jun 30 09:21:00 2010 @@ -61,7 +61,7 @@ -1.7.2p7 June 1, 2010 1 +1.7.2p8 June 30, 2010 1 @@ -127,7 +127,7 @@ -1.7.2p7 June 1, 2010 2 +1.7.2p8 June 30, 2010 2 @@ -193,7 +193,7 @@ -1.7.2p7 June 1, 2010 3 +1.7.2p8 June 30, 2010 3 
@@ -259,7 +259,7 @@ -1.7.2p7 June 1, 2010 4 +1.7.2p8 June 30, 2010 4 @@ -325,7 +325,7 @@ -1.7.2p7 June 1, 2010 5 +1.7.2p8 June 30, 2010 5 @@ -391,7 +391,7 @@ -1.7.2p7 June 1, 2010 6 +1.7.2p8 June 30, 2010 6 @@ -457,7 +457,7 @@ -1.7.2p7 June 1, 2010 7 +1.7.2p8 June 30, 2010 7 @@ -523,7 +523,7 @@ -1.7.2p7 June 1, 2010 8 +1.7.2p8 June 30, 2010 8 @@ -589,7 +589,7 @@ -1.7.2p7 June 1, 2010 9 +1.7.2p8 June 30, 2010 9 @@ -655,7 +655,7 @@ -1.7.2p7 June 1, 2010 10 +1.7.2p8 June 30, 2010 10 @@ -721,7 +721,7 @@ -1.7.2p7 June 1, 2010 11 +1.7.2p8 June 30, 2010 11 @@ -787,6 +787,6 @@ -1.7.2p7 June 1, 2010 12 +1.7.2p8 June 30, 2010 12 diff -urNa sudo-1.7.2p7/sudoers.ldap.man.in sudo-1.7.2p8/sudoers.ldap.man.in --- sudo-1.7.2p7/sudoers.ldap.man.in Tue Jun 1 14:19:17 2010 +++ sudo-1.7.2p8/sudoers.ldap.man.in Wed Jun 30 09:20:40 2010 @@ -140,7 +140,7 @@ .\" ======================================================================== .\" .IX Title "SUDOERS.LDAP @mansectform@" -.TH SUDOERS.LDAP @mansectform@ "June 1, 2010" "1.7.2p7" "MAINTENANCE COMMANDS" +.TH SUDOERS.LDAP @mansectform@ "June 30, 2010" "1.7.2p8" "MAINTENANCE COMMANDS" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -urNa sudo-1.7.2p7/sudoers.man.in sudo-1.7.2p8/sudoers.man.in --- sudo-1.7.2p7/sudoers.man.in Tue Jun 1 14:19:27 2010 +++ sudo-1.7.2p8/sudoers.man.in Wed Jun 30 09:20:41 2010 
@@ -144,7 +144,7 @@ .\" ======================================================================== .\" .IX Title "SUDOERS @mansectform@" -.TH SUDOERS @mansectform@ "June 1, 2010" "1.7.2p7" "MAINTENANCE COMMANDS" +.TH SUDOERS @mansectform@ "June 30, 2010" "1.7.2p8" "MAINTENANCE COMMANDS" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -urNa sudo-1.7.2p7/vasgroups.c sudo-1.7.2p8/vasgroups.c --- sudo-1.7.2p7/vasgroups.c Wed Jun 2 09:43:22 2010 +++ sudo-1.7.2p8/vasgroups.c Fri Jun 25 09:59:10 2010 @@ -111,7 +111,7 @@ if (!sudo_vas_available) { if (error_cause_shown == FALSE) { /* Produce the saved error reason */ - log_error(NO_MAIL|NO_EXIT, "Non-unix group checking unavailable: %s", + warningx("Non-unix group checking unavailable: %s", err_msg ? err_msg : "(unknown cause)"); error_cause_shown = TRUE; @@ -154,9 +154,7 @@ FINISHED: /* cleanups */ if (vaserr != VAS_ERR_SUCCESS && vaserr != VAS_ERR_NOT_FOUND ) { - int error_flags = NO_MAIL | MSG_ONLY | NO_EXIT; - - log_error(error_flags, "Error while checking group membership " + warningx("Error while checking group membership " "for user \"%s\", group \"%s\", error: %s%s.", user, group, v_err_get_string(sudo_vas_ctx, 1), /* A helpful hint if there seems to be a non-FQDN as the domain */ @@ -281,7 +279,7 @@ if (libvas_handle) { if (dlclose(libvas_handle) != 0) - log_error(NO_MAIL|NO_EXIT, "dlclose() failed: %s", dlerror()); + warningx("dlclose() failed: %s", dlerror()); libvas_handle = NULL; } } diff -urNa sudo-1.7.2p7/visudo.cat sudo-1.7.2p8/visudo.cat --- sudo-1.7.2p7/visudo.cat Tue Jun 1 14:21:26 2010 +++ sudo-1.7.2p8/visudo.cat Wed Jun 30 09:21:00 2010 @@ -61,7 +61,7 @@ -1.7.2p7 June 1, 2010 1 +1.7.2p8 June 30, 2010 1 @@ -127,7 +127,7 @@ -1.7.2p7 June 1, 2010 2 +1.7.2p8 June 30, 2010 2 
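Review bot: Replacing `log_error()` with `warningx()` unconditionally removes these messages from syslog for sudo itself, not only for visudo and testsudoers, which are the programs the ChangeLog gives as the reason for the change. A failed group-membership lookup (the `FINISHED:` path in the `@@ -154` hunk) presumably feeds an authorization decision, so losing the log record makes such failures harder to audit or alert on; the `@@ -111` and `@@ -281` hunks lose their records the same way. One option is a small file-local wrapper that calls `log_error(NO_MAIL|NO_EXIT, ...)` when built into sudo and `warningx()` otherwise, though whether a suitable build-time macro exists is not visible here. Separately, `dlerror()` may return NULL and passing that to `%s` is undefined, so `warningx("dlclose() failed: %s", ...)` should substitute a fallback string the way the first hunk does for `err_msg`.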
@@ -193,6 +193,6 @@ -1.7.2p7 June 1, 2010 3 +1.7.2p8 June 30, 2010 3 diff -urNa sudo-1.7.2p7/visudo.man.in sudo-1.7.2p8/visudo.man.in --- sudo-1.7.2p7/visudo.man.in Tue Jun 1 14:19:40 2010 +++ sudo-1.7.2p8/visudo.man.in Wed Jun 30 09:20:41 2010 @@ -144,7 +144,7 @@ .\" ======================================================================== .\" .IX Title "VISUDO @mansectsu@" -.TH VISUDO @mansectsu@ "June 1, 2010" "1.7.2p7" "MAINTENANCE COMMANDS" +.TH VISUDO @mansectsu@ "June 30, 2010" "1.7.2p8" "MAINTENANCE COMMANDS" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l