pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/security/sudo Upgrade to address CVE-2014-0106



details:   https://anonhg.NetBSD.org/pkgsrc/rev/45780edbe404
branches:  trunk
changeset: 631503:45780edbe404
user:      kim <kim%pkgsrc.org@localhost>
date:      Sat Mar 08 11:51:56 2014 +0000

description:
Upgrade to address CVE-2014-0106

http://www.sudo.ws/sudo/alerts/env_add.html

What's new in Sudo 1.7.10p8?

* Sudo's exit code now indicates a failure if the user does not
  successfully authenticate.

* On HP-UX systems, sudo will now use the pstat() function to
  determine the tty instead of ttyname().

* Fixed compilation when --without-iologdir configure option is
  specified.

* On systems with BSD login classes, if the user specified a group
  (not a user) to run the command as, it was possible to specify
  a different login class even when the command was not run as the
  super user.

* The closefrom() emulation on Mac OS X now uses /dev/fd if possible.
  It also now sets the close on exec flag instead of actually
  closing the descriptors to avoid a crash in libdispatch.

* The sudoers plugin will now ignore invalid domain names when
  checking netgroup membership.  Most Linux systems use the string
  "(none)" for the NIS-style domain name instead of an empty string.

* Fixed the logic when checking environment variables on the
  command line against the env_check and env_delete blacklists.
  This is only a problem when env_reset is disabled in sudoers.

diffstat:

 security/sudo/Makefile                |   6 +++---
 security/sudo/distinfo                |  14 +++++++-------
 security/sudo/patches/patch-af        |  16 ++++++++--------
 security/sudo/patches/patch-ag        |  20 ++++++++++----------
 security/sudo/patches/patch-logging.c |   8 ++++----
 5 files changed, 32 insertions(+), 32 deletions(-)

diffs (188 lines):

diff -r 99defd7408dd -r 45780edbe404 security/sudo/Makefile
--- a/security/sudo/Makefile    Sat Mar 08 11:46:14 2014 +0000
+++ b/security/sudo/Makefile    Sat Mar 08 11:51:56 2014 +0000
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.141 2014/02/12 23:18:37 tron Exp $
+# $NetBSD: Makefile,v 1.142 2014/03/08 11:51:56 kim Exp $
 #
 
-DISTNAME=              sudo-1.7.10p7
-PKGREVISION=           1
+DISTNAME=              sudo-1.7.10p8
+#PKGREVISION=          0
 CATEGORIES=            security
 MASTER_SITES=          http://www.sudo.ws/dist/ \
                        ftp://ftp.sudo.ws/pub/sudo/ \
diff -r 99defd7408dd -r 45780edbe404 security/sudo/distinfo
--- a/security/sudo/distinfo    Sat Mar 08 11:46:14 2014 +0000
+++ b/security/sudo/distinfo    Sat Mar 08 11:51:56 2014 +0000
@@ -1,9 +1,9 @@
-$NetBSD: distinfo,v 1.80 2013/07/26 10:48:22 ryoon Exp $
+$NetBSD: distinfo,v 1.81 2014/03/08 11:51:56 kim Exp $
 
-SHA1 (sudo-1.7.10p7.tar.gz) = b5beb1a470d1f03b3940aff612f5089244dd773a
-RMD160 (sudo-1.7.10p7.tar.gz) = 171e54506c30a85fa642070332db012aba4a6203
-Size (sudo-1.7.10p7.tar.gz) = 1217508 bytes
+SHA1 (sudo-1.7.10p8.tar.gz) = deb83d8ba8f15f70c134c3f3a74e750925aa9f59
+RMD160 (sudo-1.7.10p8.tar.gz) = de3594843c006f7d5d3b21c79dd4115b4823b19d
+Size (sudo-1.7.10p8.tar.gz) = 1220987 bytes
 SHA1 (patch-aa) = 0c9c173a26ea72dd06a7d3947a0b3ba6dc00cf40
-SHA1 (patch-af) = 463b1653f3015d08cd4c03b7f29d206d96aa1cc0
-SHA1 (patch-ag) = e0d9efd8afeda339d9cd186ffd6f644b15e8b213
-SHA1 (patch-logging.c) = 26608d7423b77f71f17b37cc87f4b2e75978d7cb
+SHA1 (patch-af) = 3462525bd0863ec5f957173a10839aed2b7cbb69
+SHA1 (patch-ag) = 86f9838045f2bed7eb8e4271553c510be31b7d6b
+SHA1 (patch-logging.c) = a16a9c6020a79cc378c3cfd1c6a1abd2326c8e6d
diff -r 99defd7408dd -r 45780edbe404 security/sudo/patches/patch-af
--- a/security/sudo/patches/patch-af    Sat Mar 08 11:46:14 2014 +0000
+++ b/security/sudo/patches/patch-af    Sat Mar 08 11:51:56 2014 +0000
@@ -1,4 +1,4 @@
-$NetBSD: patch-af,v 1.30 2013/07/26 10:48:22 ryoon Exp $
+$NetBSD: patch-af,v 1.31 2014/03/08 11:51:56 kim Exp $
 
 * Add "--with-nbsdops" option, NetBSD standard options.
 * Link with util(3) in the case of DragonFly, too.
@@ -7,9 +7,9 @@
   functions (HAVE_KRB5_*).
 * Remove setting sysconfdir to "/etc".
 
---- configure.in.orig  2013-02-21 15:43:17.000000000 +0000
-+++ configure.in
-@@ -330,6 +330,18 @@ AC_ARG_WITH(csops, [AS_HELP_STRING([--wi
+--- configure.in.orig  2014-03-05 08:08:53.000000000 -0500
++++ configure.in       2014-03-08 06:35:19.000000000 -0500
+@@ -330,6 +330,18 @@
                ;;
  esac])
  
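Review bot: The regenerated patch header `+++ configure.in       2014-03-08 06:35:19.000000000 -0500` now carries a local timestamp, and the inner `@@` lines have lost their section context (`@@ -330,6 +330,18 @@ AC_ARG_WITH(csops, ...` became a bare `@@ -330,6 +330,18 @@`). As a result, most of the changed lines in this security update are header noise rather than content, which makes the real differences, such as the offset shift from 1725 to 1726, harder to audit. The later hunks of patch-af and the hunks in patch-ag and patch-logging.c show the same pattern. It looks as if the patches were produced with a plain `diff -u` rather than the tool that generated the previous revisions (presumably pkgsrc's mkpatches). Regenerating them that way should restore the timestamp-free `+++ configure.in` line and the context after each `@@`.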
@@ -28,7 +28,7 @@
  AC_ARG_WITH(passwd, [AS_HELP_STRING([--without-passwd], [don't use passwd/shadow file for authentication])],
  [case $with_passwd in
      yes|no)   AC_MSG_CHECKING(whether to use shadow/passwd file authentication)
-@@ -1725,7 +1737,7 @@ case "$host" in
+@@ -1726,7 +1738,7 @@
                : ${mansectsu='1m'}
                : ${mansectform='4'}
                ;;
@@ -37,7 +37,7 @@
                OSDEFS="${OSDEFS} -D_GNU_SOURCE"
                # Some Linux versions need to link with -lshadow
                shadow_funcs="getspnam"
-@@ -2015,7 +2027,7 @@ SUDO_MAILDIR
+@@ -2016,7 +2028,7 @@
  if test ${with_logincap-'no'} != "no"; then
      AC_CHECK_HEADERS(login_cap.h, [LOGINCAP_USAGE='[[-c class|-]] '; LCMAN=1
        case "$OS" in
@@ -46,7 +46,7 @@
            ;;
        esac
      ])
-@@ -2634,6 +2646,8 @@ if test ${with_kerb5-'no'} != "no"; then
+@@ -2635,6 +2647,8 @@
        ])
        AUTH_OBJS="$AUTH_OBJS kerb5.o"
      fi
@@ -55,7 +55,7 @@
      _LIBS="$LIBS"
      LIBS="${LIBS} ${SUDO_LIBS}"
      AC_CHECK_FUNCS(krb5_verify_user krb5_init_secure_context)
-@@ -3167,7 +3181,6 @@ test "$datarootdir" = '${prefix}/share' 
+@@ -3168,7 +3182,6 @@
  test "$docdir" = '${datarootdir}/doc/${PACKAGE_TARNAME}' && docdir='$(datarootdir)/doc/$(PACKAGE_TARNAME)'
  test "$localedir" = '${datarootdir}/locale' && localedir='$(datarootdir)/locale'
  test "$localstatedir" = '${prefix}/var' && localstatedir='$(prefix)/var'
diff -r 99defd7408dd -r 45780edbe404 security/sudo/patches/patch-ag
--- a/security/sudo/patches/patch-ag    Sat Mar 08 11:46:14 2014 +0000
+++ b/security/sudo/patches/patch-ag    Sat Mar 08 11:51:56 2014 +0000
@@ -1,4 +1,4 @@
-$NetBSD: patch-ag,v 1.21 2013/07/26 10:48:22 ryoon Exp $
+$NetBSD: patch-ag,v 1.22 2014/03/08 11:51:56 kim Exp $
 
 * Add "--with-nbsdops" option, NetBSD standard options.
 * Link with util(3) in the case of DragonFly, too.
@@ -7,9 +7,9 @@
   functions (HAVE_KRB5_*).
 * Remove setting sysconfdir to "/etc".
 
---- configure.orig     2013-02-21 15:43:29.000000000 +0000
-+++ configure
-@@ -1484,7 +1484,7 @@ Fine tuning of the installation director
+--- configure.orig     2014-03-05 08:09:14.000000000 -0500
++++ configure  2014-03-08 06:35:19.000000000 -0500
+@@ -1484,7 +1484,7 @@
    --bindir=DIR            user executables [EPREFIX/bin]
    --sbindir=DIR           system admin executables [EPREFIX/sbin]
    --libexecdir=DIR        program executables [EPREFIX/libexec]
@@ -18,7 +18,7 @@
    --sharedstatedir=DIR    modifiable architecture-independent data [PREFIX/com]
    --localstatedir=DIR     modifiable single-machine data [PREFIX/var]
    --libdir=DIR            object code libraries [EPREFIX/lib]
-@@ -1569,6 +1569,7 @@ Optional Packages:
+@@ -1569,6 +1569,7 @@
    --with-libraries        additional libraries to link with
    --with-efence           link with -lefence for malloc() debugging
    --with-csops            add CSOps standard options
@@ -26,7 +26,7 @@
    --without-passwd        don't use passwd/shadow file for authentication
    --with-skey=DIR         enable S/Key support
    --with-opie=DIR         enable OPIE support
-@@ -3959,6 +3960,22 @@ $as_echo "$as_me: WARNING: Ignoring unkn
+@@ -3959,6 +3960,22 @@
  esac
  fi
  
@@ -49,7 +49,7 @@
  
  
  # Check whether --with-passwd was given.
-@@ -14233,7 +14250,7 @@ fi
+@@ -14244,7 +14261,7 @@
                : ${mansectsu='1m'}
                : ${mansectform='4'}
                ;;
@@ -58,7 +58,7 @@
                OSDEFS="${OSDEFS} -D_GNU_SOURCE"
                # Some Linux versions need to link with -lshadow
                shadow_funcs="getspnam"
-@@ -15632,7 +15649,7 @@ if test "x$ac_cv_header_login_cap_h" = x
+@@ -15643,7 +15660,7 @@
  _ACEOF
   LOGINCAP_USAGE='[-c class|-] '; LCMAN=1
        case "$OS" in
@@ -67,7 +67,7 @@
            ;;
        esac
  
-@@ -18569,6 +18586,8 @@ fi
+@@ -18580,6 +18597,8 @@
  rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
        AUTH_OBJS="$AUTH_OBJS kerb5.o"
      fi
@@ -76,7 +76,7 @@
      _LIBS="$LIBS"
      LIBS="${LIBS} ${SUDO_LIBS}"
      for ac_func in krb5_verify_user krb5_init_secure_context
-@@ -20313,7 +20332,6 @@ test "$datarootdir" = '${prefix}/share' 
+@@ -20324,7 +20343,6 @@
  test "$docdir" = '${datarootdir}/doc/${PACKAGE_TARNAME}' && docdir='$(datarootdir)/doc/$(PACKAGE_TARNAME)'
  test "$localedir" = '${datarootdir}/locale' && localedir='$(datarootdir)/locale'
  test "$localstatedir" = '${prefix}/var' && localstatedir='$(prefix)/var'
diff -r 99defd7408dd -r 45780edbe404 security/sudo/patches/patch-logging.c
--- a/security/sudo/patches/patch-logging.c     Sat Mar 08 11:46:14 2014 +0000
+++ b/security/sudo/patches/patch-logging.c     Sat Mar 08 11:51:56 2014 +0000
@@ -1,11 +1,11 @@
-$NetBSD: patch-logging.c,v 1.3 2011/09/18 14:18:25 ryoon Exp $
+$NetBSD: patch-logging.c,v 1.4 2014/03/08 11:51:56 kim Exp $
 
 Make sure CODESET is actually defined, for the sake of
 old NetBSD versions
 
---- logging.c.orig     2011-08-13 17:32:04 +0000
-+++ logging.c
-@@ -573,7 +573,7 @@ send_mail(fmt, va_alist)
+--- logging.c.orig     2013-03-01 11:08:30.000000000 -0500
++++ logging.c  2014-03-08 06:35:19.000000000 -0500
+@@ -691,7 +691,7 @@
            (void) fputc(*p, mail);
      }
  


