From nobody Mon Nov 07 14:22:51 2022 X-Original-To: ports-bugs@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4N5YNX4Dh3z4h657 for ; Mon, 7 Nov 2022 14:22:52 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4N5YNX13Z1z3YlY for ; Mon, 7 Nov 2022 14:22:52 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2610:1c1:1:606c::50:1d]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4N5YNX07gJz1436 for ; Mon, 7 Nov 2022 14:22:52 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org ([127.0.1.5]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id 2A7EMpYa080932 for ; Mon, 7 Nov 2022 14:22:51 GMT (envelope-from bugzilla-noreply@freebsd.org) Received: (from www@localhost) by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id 2A7EMpso080931 for ports-bugs@FreeBSD.org; Mon, 7 Nov 2022 14:22:51 GMT (envelope-from bugzilla-noreply@freebsd.org) X-Authentication-Warning: kenobi.freebsd.org: www set sender to bugzilla-noreply@freebsd.org using -f From: bugzilla-noreply@freebsd.org To: ports-bugs@FreeBSD.org Subject: [Bug 267617] [PATCH] security/sudo: Update to 1.9.12p1 Date: Mon, 07 Nov 2022 14:22:51 +0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: new X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Ports & Packages X-Bugzilla-Component: Individual Port(s) X-Bugzilla-Version: Latest X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Only Me X-Bugzilla-Who: cy@FreeBSD.org X-Bugzilla-Status: New X-Bugzilla-Resolution: X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: garga@FreeBSD.org X-Bugzilla-Flags: maintainer-feedback? maintainer-feedback? merge-quarterly? X-Bugzilla-Changed-Fields: bug_id short_desc product version rep_platform op_sys bug_status bug_severity priority component assigned_to reporter cc flagtypes.name attachments.created Message-ID: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated List-Id: Ports bug reports List-Archive: https://lists.freebsd.org/archives/freebsd-ports-bugs List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-ports-bugs@freebsd.org X-BeenThere: freebsd-ports-bugs@freebsd.org MIME-Version: 1.0 ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1667830972; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=jjMe0X5SccfVD+wyQC22fuW0eFHXPjiWg+QX5CY2xfY=; b=hGpsH82NFbUmeWkvxed3pTx1HUtzIPJWoFOea9eTfz430YX1bkRbVY3lw7pTLtLmI+IDLW cg9cTb74ueE2V6rbZPMfvT//l2MaZVYh6jHXSQT8rbkegSCmljFDv37faAQGrdYXqtSLT/ tFBqWo36gCJYCKde69EsX+yRbW7ZzjcNzoV4Hcb2D94F51VF+6HBe5Kv7yafpvjxkwYpXH ab9T6H/pCKEZxsv/Cc2dA5eqUSJq97N0pC0WTF17A5x7HxmfJwChn3Yn59BY/mI4e69jSm +iMRR7tHLY4ZzXvESourtOTGtXHW4ObxyCNrIEvtbEbgmJZYmA6AAMCIZ68zgg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1667830972; a=rsa-sha256; cv=none; b=TqV0Ri60ld2amA1yePpiuRo+CqxGotzKtdBCmZTFnVc6DVmBk0rJw/cvVP/wfghQ0Upci9 M9nLcuweCiqZBLfzU873k5ljevWldrTN72Ie/ZWELeedktK1Z4fC7wyDj9ylQWURg+C7PG RBbuyxpXze9gHOLPicSo6LRehek5Q4vjP8sqzYobJJHzHh75ChOhtrYS4XFahTfA2AzRGq zgDwvSi1tWWbI+Uh12uxc7rmGHpJ7OmI7OPXSFme6B3+2EKP/o68lIlUaJ3bHZ4YJ/jbDV YQASa4fTFFjrtbC7b1E5Selr3nx5gIJLhi4CRtYw0Lx8KnfYeqCPwKRUYSy7gQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D267617 Bug ID: 267617 Summary: [PATCH] security/sudo: Update to 1.9.12p1 Product: Ports & Packages Version: Latest Hardware: Any OS: Any Status: New Severity: Affects Only Me Priority: --- Component: Individual Port(s) Assignee: garga@FreeBSD.org Reporter: cy@FreeBSD.org CC: ports-bugs@FreeBSD.org Flags: maintainer-feedback?(garga@FreeBSD.org) Flags: maintainer-feedback?, merge-quarterly? Created attachment 237918 --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=3D237918&action= =3Dedit Update sudo to 1.9.12p1 Sudo version 1.9.12p1 is now available which fixes several minor bugs in sudo 1.9.12. It includes a fix for CVE-2022-43995, a non-exploitable potential out-of-bounds write on systems that do not use PAM, AIX authentication or BSD authentication. Source: https://www.sudo.ws/dist/sudo-1.9.12p1.tar.gz ftp://ftp.sudo.ws/pub/sudo/sudo-1.9.12p1.tar.gz SHA256 checksum: 475a18a8eb3da8b2917ceab063a6baf51ea09128c3c47e3e0e33ab7497bab7d8 MD5 checksum: 486ebd8ff62a8671f609d9067b0dd79b Binary packages: https://www.sudo.ws/getting/packages/ https://github.com/sudo-project/sudo/releases/tag/SUDO_1_9_12p1 For a list of download mirror sites, see: https://www.sudo.ws/getting/download_mirrors/ Sudo web site: https://www.sudo.ws/ Major changes between sudo 1.9.12p1 and 1.9.12: * Sudo's configure script now does a better job of detecting when the -fstack-clash-protection compiler option does not work. GitHub issue #191. * Fixed CVE-2022-43995, a potential out-of-bounds write for passwords smaller than 8 characters when passwd authentication is enabled. This does not affect configurations that use other authentication methods such as PAM, AIX authentication or BSD authentication. * Fixed a build error with some configurations compiling host_port.c. Major changes between sudo 1.9.12 and 1.9.11p3: * Fixed a bug in the ptrace-based intercept mode where the current working directory could include garbage at the end. * Fixed a compilation error on systems that lack the stdint.h header. Bug #1035 * Fixed a bug when logging the command's exit status in intercept mode. The wrong command could be logged with the exit status. * For ptrace-based intercept mode, sudo will now attempt to verify that the command path name, arguments and environment have not changed from the time when they were authorized by the security policy. The new "intercept_verify" sudoers setting can be used to control this behavior. * Fixed running commands with a relative path (e.g. ./foo) in intercept mode. Previously, this would fail if sudo's current working directory was different from that of the command. * Sudo now supports passing the execve(2) system call the NULL pointer for the `argv` and/or `envp` arguments when in intercept mode. Linux treats a NULL pointer like an empty array. * The sudoers LDAP schema now allows sudoUser, sudoRunasUser and sudoRunasGroup to include UTF-8 characters, not just 7-bit ASCII. * Fixed a problem with "sudo -i" on SELinux when the target user's home directory is not searchable by sudo. GitHub issue #160. * Neovim has been added to the list of visudo editors that support passing the line number on the command line. * Fixed a bug in sudo's SHA384 and SHA512 message digest padding. * Added a new "-N" (--no-update) command line option to sudo which can be used to prevent sudo from updating the user's cached credentials. It is now possible to determine whether or not a user's cached credentials are currently valid by running: $ sudo -Nnv and checking the exit value. One use case for this is to indicate in a shell prompt that sudo is "active" for the user. * PAM approval modules are no longer invoked when running sub-commands in intercept mode unless the "intercept_authenticate" option is set. There is a substantial performance penalty for calling into PAM for each command run. PAM approval modules are still called for the initial command. * Intercept mode on Linux now uses process_vm_readv(2) and process_vm_writev(2) if available. * The XDG_CURRENT_DESKTOP environment variable is now preserved by default. This makes it possible for graphical applications to choose the correct theme when run via sudo. * On 64-bit systems, if sudo fails to load a sudoers group plugin, it will use system-specific heuristics to try to locate a 64-bit version of the plugin. * The cvtsudoers manual now documents the JSON and CSV output formats. GitHub issue #172. * Fixed a bug where sub-commands were not being logged to a remote log server when log_subcmds was enabled. GitHub issue #174. * The new log_stdin, log_stdout, log_stderr, log_ttyin, and log_ttyout sudoers settings can be used to support more fine-grained I/O logging. The sudo front-end no longer allocates a pseudo-terminal when running a command if the I/O logging plugin requests logging of stdin, stdout, or stderr but not terminal input/output. * Quieted a libgcrypt run-time initialization warning. This fixes Debian bug #1019428 and Ubuntu bug #1397663. * Fixed a bug in visudo that caused literal backslashes to be removed from the EDITOR environment variable. GitHub issue #179. * The sudo Python plugin now implements the "find_spec" method instead of the the deprecated "find_module". This fixes a test failure when a newer version of setuptools that doesn't include "find_module" is found on the system. * Fixed a bug introduced in sudo 1.9.9 where sudo_logsrvd created the process ID file, usually /var/run/sudo/sudo_logsrvd.pid, as a directory instead of a plain file. The same bug could result in I/O log directories that end in six or more X's being created literally in addition to the name being used as a template for the mkdtemp(3) function. * Fixed a long-standing bug where a sudoers rule with a command line argument of "", which indicates the command may be run with no arguments, would also match a literal "" on the command line. GitHub issue #182. * Added the -I option to visudo which only edits the main sudoers file. Include files are not edited unless a syntax error is found. * Fixed "sudo -l -U otheruser" output when the runas list is empty. Previously, sudo would list the invoking user instead of the list user. GitHub issue #183. * Fixed the display of command tags and options in "sudo -l" output when the RunAs user or group changes. A new line is started for RunAs changes which means we need to display the command tags and options again. GitHub issue #184. * The sesh helper program now uses getopt_long(3) to parse the command line options. * The embedded copy of zlib has been updated to version 1.2.13. * Fixed a bug that prevented event log data from being sent to the log server when I/O logging was not enabled. This only affected systems without PAM or configurations where the pam_session and pam_setcred options were disabled in the sudoers file. * Fixed a bug where "sudo -l" output included a carriage return after the newline. This is only needed when displaying to a terminal in raw mode. Bug #1042. --=20 You are receiving this mail because: You are on the CC list for the bug.=