pkgsrc-Changes archive


CVS commit: pkgsrc/security/sudo



Module Name:    pkgsrc
Committed By:   kim
Date:           Tue Jul  1 05:09:11 UTC 2025

Modified Files:
        pkgsrc/security/sudo: Makefile distinfo

Log Message:
sudo: Upgrade to 1.9.17p1

What's new in Sudo 1.9.17p1

 * Fixed CVE-2025-32462.  Sudo's -h (--host) option could be specified
   when running a command or editing a file.  This could enable a
   local privilege escalation attack if the sudoers file allows the
   user to run commands on a different host.

 * Fixed CVE-2025-32463.  An attacker can leverage sudo's -R
   (--chroot) option to run arbitrary commands as root, even if
   they are not listed in the sudoers file.  The chroot support has
   been deprecated and will be removed entirely in a future release.

What's new in Sudo 1.9.17

 * Sudo now uses the NODEV macro consistently. Bug #1074.

 * Fixed a bug where the "ALL" command in a sudoers rule would
   override a previous NOSETENV tag.  Command tags are inherited
   from previous Cmnds in a Cmnd_Spec_List.  There is a special
   case for the SETENV tag with the "ALL" command, where SETENV is
   implied if no explicit SETENV or NOSETENV tag is specified.  This
   special case did not take into account that a NOSETENV tag that
   was inherited should override this behavior.

 * If sudo is run via ssh without a terminal and a password is
   required, it now suggests using ssh's "-t" option.

 * Fixed the display of timeout values in the "sudo -V" output
   on systems without a C99-compliant snprintf() function.

 * Quieted a number of minor Coverity warnings.

 * Fixed a problem running sudo from a serial console on Linux when
   the command is run in a pseudo-terminal (the default).

 * Fixed a crash in sudo which could occur if there was a fatal
   error after the user was validated but before the command was
   actually run.

 * Fixed a number of man page style warnings.  The "lint" make target
   in the docs directory will now run groff with warnings enabled
   if it is available.  Bug #1075.

 * The "ignore_dot" sudoers setting is now on by default.  There
   is now a "--disable-ignore-dot" configure option to disable it.
   The "--with-ignore-dot" configure option has been deprecated.

 * Fixed a problem with the "pwfeedback" option where an initial
   backspace would reduce the maximum length allowed for the password.
   GitHub issue #439.

 * Fixed minor grammar and spelling problems in the man pages.

 * Fixed a bug where a user could avoid entering a password for
   "sudo -l command" if they specified their own user or group name
   via the "-u" or "-g" options.

 * Avoid potential password guessing based on timing attacks on
   the strcmp() function on systems without PAM or a crypt() function
   where plaintext passwords are stored in the shadow password file.

 * Fixed a potential information leak where "sudo -l command" could
   be used to determine whether an executable exists in a directory
   that they do not have search access to.

 * Sudo uses TCSAFLUSH, not TCSADRAIN, when disabling echo once
   again.  A long time ago sudo changed from using TCSAFLUSH to
   TCSADRAIN due to some systems having bugs related to TCSAFLUSH.
   That should no longer be a concern.  Using TCSAFLUSH ensures
   that password input that has been received by the kernel, but
   not yet read by sudo, will be discarded and not echoed.

 * Added the SUDO_TTY environment variable if the user has a terminal.
   This can be used to find the user's original tty device when sudo
   runs the command in its own pseudo-terminal.  GitHub issue #447.

 * New Cantonese translation for sudo.


To generate a diff of this commit:
cvs rdiff -u -r1.208 -r1.209 pkgsrc/security/sudo/Makefile
cvs rdiff -u -r1.137 -r1.138 pkgsrc/security/sudo/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/security/sudo/Makefile
diff -u pkgsrc/security/sudo/Makefile:1.208 pkgsrc/security/sudo/Makefile:1.209
--- pkgsrc/security/sudo/Makefile:1.208 Sat Apr 19 07:58:23 2025
+++ pkgsrc/security/sudo/Makefile       Tue Jul  1 05:09:11 2025
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.208 2025/04/19 07:58:23 wiz Exp $
+# $NetBSD: Makefile,v 1.209 2025/07/01 05:09:11 kim Exp $
 
-DISTNAME=      sudo-1.9.16p2
-PKGREVISION=   2
+DISTNAME=      sudo-1.9.17p1
 CATEGORIES=    security
 MASTER_SITES=  https://www.sudo.ws/dist/
 MASTER_SITES+= ftp://ftp.sudo.ws/pub/sudo/
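
Review bot: The context line "MASTER_SITES+= ftp://ftp.sudo.ws/pub/sudo/" leaves a plaintext FTP fallback in place for a release whose purpose is two CVE fixes, so any fetch that falls through to it depends entirely on the distinfo checksums for integrity. Consider dropping the FTP entry or replacing it with an HTTPS mirror while this file is being touched. Removing "PKGREVISION= 2" together with the DISTNAME bump is right, since the revision restarts with the new upstream version.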

Index: pkgsrc/security/sudo/distinfo
diff -u pkgsrc/security/sudo/distinfo:1.137 pkgsrc/security/sudo/distinfo:1.138
--- pkgsrc/security/sudo/distinfo:1.137 Mon Mar  3 21:51:40 2025
+++ pkgsrc/security/sudo/distinfo       Tue Jul  1 05:09:11 2025
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.137 2025/03/03 21:51:40 nia Exp $
+$NetBSD: distinfo,v 1.138 2025/07/01 05:09:11 kim Exp $
 
-BLAKE2s (sudo-1.9.16p2.tar.gz) = 6e772f5372473d112e122f125cdf7da8db636de3c8c973f18232942fd98a51b1
-SHA512 (sudo-1.9.16p2.tar.gz) = 1e2ea762671890a03b0ea4b95b3849f2d3a4c301432db8767433e9d80c517efd8b7a68e0bbce1b178aff5857907600f1f5e0d889779cb27e38c2f602395f6f06
-Size (sudo-1.9.16p2.tar.gz) = 5398419 bytes
+BLAKE2s (sudo-1.9.17p1.tar.gz) = ff973b090b311fc0397a51f261243671594ac3e0ce14a707eca82b8fb07997c9
+SHA512 (sudo-1.9.17p1.tar.gz) = 1a9fb27a117b54adf5c99443b3375f7e0eaaf3a2d5a3d409f7c7b10c43432eb301d721df93fb1a8a2e45bf4a4957288d4f153359fc018af00973be57f62a1ebc
+Size (sudo-1.9.17p1.tar.gz) = 5449076 bytes
 SHA1 (patch-Makefile.in) = 1a83c55d27829013e2e23073046c5c39b020fafe
 SHA1 (patch-configure) = 1e8eff2a823b0f687ef563a5050f43fb4bb9d72c
 SHA1 (patch-examples_Makefile.in) = a20967ecd88eb5e4a8b47e6a3b80bc18be713409
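
Review bot: The three SHA1 (patch-*) context lines are unchanged, so patch-Makefile.in, patch-configure and patch-examples_Makefile.in are carried over as-is across the 1.9.16p2 to 1.9.17p1 bump, while the log message says upstream added a --disable-ignore-dot configure option and deprecated --with-ignore-dot. Confirm that patch-configure still applies without fuzz or offsets against the new configure script, and regenerate it if not. It would also help to state in the log message that the new BLAKE2s and SHA512 values were checked against upstream's published signature or digest rather than only computed from the fetched tarball.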


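The CVE-2025-32462 entry in the log message above depends on sudoers rules that name a host other than the local one. The following is an added example (not part of the commit, pkgsrc, or sudo) that checks whether an upstream version string predates 1.9.17p1 and lists the rules in a sudoers text that need review. The function names, the sample file and the host names are assumptions, and the parser is deliberately simplified: it does not follow includes, handle ":"-chained specs, or handle quoted names.

```python
import re

FIXED = (1, 9, 17, 1)  # sudo 1.9.17p1, the version this commit upgrades to

def parse_version(s):
    """'1.9.16p2' -> (1, 9, 16, 2); a missing patch level counts as 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", s.strip())
    if not m:
        raise ValueError(f"unrecognised sudo version: {s!r}")
    return tuple(int(g or 0) for g in m.groups())

def predates_fix(version):
    """Upstream version numbers only; vendor builds may backport fixes."""
    return parse_version(version) < FIXED

def foreign_host_rules(sudoers_text, local_names):
    """Return (users, hosts) for rules naming hosts other than ALL or this machine."""
    local = {n.lower() for n in local_names}
    aliases, specs = {}, []
    for line in sudoers_text.replace("\\\n", " ").splitlines():  # join continuations
        line = re.sub(r"(^|\s)#(?!\d).*$", "", line)  # drop comments, keep #uid
        if "=" not in line:
            continue
        lhs, rhs = line.split("=", 1)
        parts = re.sub(r"\s*,\s*", ",", lhs).split()  # [user list, host list]
        if len(parts) != 2 or parts[0].startswith(("Defaults", "@include")):
            continue  # settings, or a shape this simplified parser does not cover
        if parts[0] == "Host_Alias":
            aliases[parts[1]] = [h.strip() for h in rhs.split(",")]
        elif not parts[0].endswith("_Alias"):
            specs.append((parts[0], parts[1].split(",")))
    findings = []
    for users, hosts in specs:  # aliases are resolved after the whole file is read
        expanded = [h for name in hosts for h in aliases.get(name, [name])]
        foreign = [h for h in expanded if h != "ALL" and h.lower() not in local]
        if foreign:
            findings.append((users, foreign))
    return findings

# Constructed sample input, not a real sudoers file.
SAMPLE = """\
# constructed sample
Defaults env_reset
Host_Alias BUILD = build01, build02
root    ALL = (ALL) ALL
alice   web01 = (root) /usr/sbin/service
bob     BUILD = (root) \\
        /usr/bin/make
%ops,carol  db01, web01 = NOPASSWD: /usr/bin/systemctl
"""
```

Any host entry the parser does not recognise as ALL or a local name is reported, so negated hosts, netgroups and addresses show up for manual review rather than being silently accepted.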
