sudo: security bump to version 1.8.12

Fixes CVE-2014-9680 - A user with sudo access may be able to exploit
bugs in the time zone parsing functions of the system's C library.
The user may also be able to read arbitrary files,
potentially causing changes in system behavior when reading certain
device special files or simply causing the program run via sudo to
block.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Gustavo Zacarias 2015-02-17 09:50:51 -03:00 committed by Thomas Petazzoni
parent b34c63375a
commit 3bd38b4eca
5 changed files with 27 additions and 59 deletions


@ -0,0 +1,20 @@
signame.c uses sudo_compat.h which in turn uses gid_t definitions
that are normally defined in unistd.h.
This doesn't seem to cause issues with (e)glibc systems, but it does break
uClibc-based builds.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
diff -Nura sudo-1.8.12.orig/lib/util/mksigname.c sudo-1.8.12/lib/util/mksigname.c
--- sudo-1.8.12.orig/lib/util/mksigname.c 2015-02-09 15:40:10.000000000 -0300
+++ sudo-1.8.12/lib/util/mksigname.c 2015-02-17 09:20:05.126701093 -0300
@@ -44,6 +44,9 @@
printf("#include <config.h>\n");
printf("#include <signal.h>\n");
+ printf("#ifdef HAVE_UNISTD_H\n");
+ printf("#include <unistd.h>\n");
+ printf("#endif /* HAVE_UNISTD_H */\n");
printf("#include \"sudo_compat.h\"\n\n");
printf("const char *const sudo_sys_signame[NSIG] = {\n");
for (i = 0; i < NSIG; i++) {
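Review bot: The header of this new patch gives no upstream status or bug reference, unlike the two patches this commit removes, which carried `Status: upstream` and a sudo bug URL. sudo is a setuid program, so every local change to its sources should be traceable, and without a status line the next version bump cannot tell whether this uClibc fix can be dropped. I would add a line such as `Status: sent upstream` (or whatever the actual state is) with a link to the report, below the description. The description also names signame.c while the diff edits lib/util/mksigname.c, the generator that prints it; saying so in the header would save a reader the lookup.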


@ -1,29 +0,0 @@
# HG changeset patch
# User Todd C. Miller <Todd.Miller@courtesan.com>
# Date 1406550172 21600
# Node ID 57deb66ef8ffc0f551d460e15a34f7df78f54d2a
# Parent f547bf80c436c07ddb1c7385d22db96862ae7e4f
Fix compilation on systems w/o netgroups.
Status: upstream
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
diff -r f547bf80c436 -r 57deb66ef8ff plugins/sudoers/match.c
--- a/plugins/sudoers/match.c Sat Jul 26 06:07:34 2014 -0600
+++ b/plugins/sudoers/match.c Mon Jul 28 06:22:52 2014 -0600
@@ -972,12 +972,12 @@
rc = true;
else if (lhost != shost && innetgr(netgr, shost, user, domain))
rc = true;
-#endif /* HAVE_INNETGR */
sudo_debug_printf(SUDO_DEBUG_DEBUG|SUDO_DEBUG_LINENO,
"netgroup %s matches (%s|%s, %s, %s): %s", netgr, lhost ? lhost : "",
shost ? shost : "", user ? user : "", domain ? domain : "",
rc ? "true" : "false");
+#endif /* HAVE_INNETGR */
debug_return_bool(rc);
}


@ -1,21 +0,0 @@
Don't use SSP_CFLAGS and PIE_CFLAGS for host tools.
http://www.sudo.ws/bugs/show_bug.cgi?id=662
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
diff -Nura sudo-1.8.10p3.orig/compat/Makefile.in sudo-1.8.10p3/compat/Makefile.in
--- sudo-1.8.10p3.orig/compat/Makefile.in 2014-03-07 18:51:19.000000000 -0300
+++ sudo-1.8.10p3/compat/Makefile.in 2014-09-20 07:29:30.913108029 -0300
@@ -96,10 +96,10 @@
./mksigname > $@
mksiglist: $(srcdir)/mksiglist.c $(srcdir)/mksiglist.h $(incdir)/missing.h $(top_builddir)/config.h
- $(CC) $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/mksiglist.c -o $@
+ $(CC) $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/mksiglist.c -o $@
mksigname: $(srcdir)/mksigname.c $(srcdir)/mksigname.h $(incdir)/missing.h $(top_builddir)/config.h
- $(CC) $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/mksigname.c -o $@
+ $(CC) $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/mksigname.c -o $@
fnm_test: fnm_test.o libreplace.la
$(LIBTOOL) --mode=link $(CC) -o $@ fnm_test.o libreplace.la $(PIE_LDFLAGS) $(SSP_LDFLAGS)


@ -1,3 +1,2 @@
# From announcement http://www.sudo.ws/pipermail/sudo-announce/2014-May/000132.html # From http://www.sudo.ws/pipermail/sudo-announce/2015-February/000136.html
md5 fcd8d0d9f9f0397d076ee901e242ed39 sudo-1.8.10p3.tar.gz sha256 163b51841de8ad19276581a6782d61f5948f1f72a0a843371a1c167d3dc4f3b0 sudo-1.8.12.tar.gz
sha256 6eda135fa68163108f1c24de6975de5ddb09d75730bb62d6390bda7b04345400 sudo-1.8.10p3.tar.gz


@ -4,13 +4,12 @@
# #
################################################################################ ################################################################################
SUDO_VERSION = 1.8.10p3 SUDO_VERSION = 1.8.12
SUDO_SITE = http://www.sudo.ws/sudo/dist SUDO_SITE = http://www.sudo.ws/sudo/dist
SUDO_LICENSE = ISC BSD-3c SUDO_LICENSE = ISC BSD-3c
SUDO_LICENSE_FILES = doc/LICENSE SUDO_LICENSE_FILES = doc/LICENSE
# Ships a beta libtool version hence our patch doesn't apply. # This is to avoid sudo's make install from chown()ing files which fails
# Run autoreconf to regenerate ltmain.sh. SUDO_INSTALL_TARGET_OPTS = INSTALL_OWNER="" DESTDIR="$(TARGET_DIR)" install
SUDO_AUTORECONF = YES
SUDO_CONF_OPTS = \ SUDO_CONF_OPTS = \
--without-lecture \ --without-lecture \
--without-sendmail \ --without-sendmail \
@ -23,8 +22,8 @@ SUDO_CONF_OPTS = \
# mksigname/mksiglist needs to run on build host to generate source files # mksigname/mksiglist needs to run on build host to generate source files
define SUDO_BUILD_MKSIGNAME_MKSIGLIST_HOST define SUDO_BUILD_MKSIGNAME_MKSIGLIST_HOST
$(MAKE) $(HOST_CONFIGURE_OPTS) \ $(MAKE) $(HOST_CONFIGURE_OPTS) \
CPPFLAGS="$(HOST_CPPFLAGS) -I../include -I.." \ CPPFLAGS="$(HOST_CPPFLAGS) -I../../include -I../.." \
-C $(@D)/compat mksigname mksiglist -C $(@D)/lib/util mksigname mksiglist
endef endef
SUDO_POST_CONFIGURE_HOOKS += SUDO_BUILD_MKSIGNAME_MKSIGLIST_HOST SUDO_POST_CONFIGURE_HOOKS += SUDO_BUILD_MKSIGNAME_MKSIGLIST_HOST
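Review bot: With `INSTALL_OWNER=""` on the new `SUDO_INSTALL_TARGET_OPTS` line, the install step no longer sets the owner of the installed files, yet sudo is only safe and functional when its binary ends up root-owned and setuid. Nothing visible in these two hunks shows where ownership and mode are applied for the target image, so the comment should name that mechanism, for example `# Ownership and the setuid bit are applied when the image is built (see SUDO_PERMISSIONS), not by make install`, if such a definition exists further down the file. The added comment also stops at "which fails" without saying why the chown fails, presumably because the build runs unprivileged. After this bump it is worth checking the generated image for a root-owned sudo binary with the setuid bit set.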