This patch will upgrade Sudo version 1.8.10 to Sudo version 1.8.10 patchlevel 1. To apply: $ cd sudo-1.8.10 $ patch -p1 < sudo-1.8.10p1.patch diff -urNa sudo-1.8.10/ChangeLog sudo-1.8.10p1/ChangeLog --- sudo-1.8.10/ChangeLog Mon Mar 10 06:35:21 2014 +++ sudo-1.8.10p1/ChangeLog Thu Mar 13 15:20:38 2014 @@ -1,3 +1,40 @@ +2014-03-13 Todd C. Miller + + * NEWS, configure, configure.ac: + Sudo 1.8.10p1 + [33828a3385ad] + + * plugins/sudoers/timestamp.c: + Fix typo/thinko that prevented "Defaults !tty_tickets" from working. + [f65cc29dbcc7] + + * plugins/sudoers/parse.c: + Fix "sudo -l command" output when the matching command is negated. + Bug #636 + [b4a92803f733] + +2014-03-11 Todd C. Miller + + * MANIFEST, common/Makefile.in, common/regress/atofoo/atofoo_test.c, + common/regress/sudo_conf/test5.err.ok, + common/regress/tailq/hltq_test.c: + The atofoo_test and hltq_test tests now display their own test error + rate. Display pass/fail count separately for sudo_conf and + sudo_parseln tests. Check stderr output for the sudo_conf test. + [5c814709ac70] + + * src/Makefile.in: + Don't run the check_ttyname test if cross compiling. + [874ecc1c3db0] + + * plugins/sudoers/Makefile.in: + CWD no longer used. + [13b2f3c4269b] + + * plugins/sudoers/Makefile.in: + Fix diff of toke and err output files in "make check" + [485cdf3c75e7] + 2014-03-07 Todd C. Miller * src/po/de.mo, src/po/de.po: diff -urNa sudo-1.8.10/MANIFEST sudo-1.8.10p1/MANIFEST --- sudo-1.8.10/MANIFEST Fri Mar 7 14:51:19 2014 +++ sudo-1.8.10p1/MANIFEST Thu Mar 13 15:18:40 2014 @@ -33,6 +33,7 @@ common/regress/sudo_conf/test3.out.ok common/regress/sudo_conf/test4.in common/regress/sudo_conf/test4.out.ok +common/regress/sudo_conf/test5.err.ok common/regress/sudo_conf/test5.in common/regress/sudo_conf/test5.out.ok common/regress/sudo_conf/test6.in diff -urNa sudo-1.8.10/NEWS sudo-1.8.10p1/NEWS --- sudo-1.8.10/NEWS Fri Mar 7 14:51:44 2014 +++ sudo-1.8.10p1/NEWS Thu Mar 13 15:18:40 2014 
@@ -1,3 +1,13 @@ +What's new in Sudo 1.8.10p1? + + * Fixed a bug introduced in sudo 1.8.10 that prevented the disabling + of tty-based tickets. + + * Fixed a bug with netgated commands in "sudo -l command" that + could cause the command to be listed even when it was explicitly + denied. This only affected list mode when a command was specified. + Bug #636 + What's new in Sudo 1.8.10? * It is now possible to disable network interface probing in diff -urNa sudo-1.8.10/common/Makefile.in sudo-1.8.10p1/common/Makefile.in --- sudo-1.8.10/common/Makefile.in Fri Mar 7 14:51:20 2014 +++ sudo-1.8.10p1/common/Makefile.in Thu Mar 13 15:18:40 2014 
@@ -126,43 +126,59 @@ cppcheck: cppcheck $(CPPCHECK_OPTS) -I$(incdir) -I$(top_builddir) -I$(top_srcdir) $(srcdir)/*.c +# Note: some regress checks are run from srcdir for consistent error messages check: $(TEST_PROGS) @if test X"$(cross_compiling)" != X"yes"; then \ - passed=0; failed=0; total=0; \ - total=1; \ - if ./atofoo_test; then \ - passed=`expr $$passed + 1`; \ - else \ - failed=`expr $$failed + 1`; \ - fi; \ - if ./hltq_test; then \ - passed=`expr $$passed + 1`; \ - else \ - failed=`expr $$failed + 1`; \ - fi; \ + rval=0; \ + ./atofoo_test || rval=`expr $$rval + $$?`; \ + ./hltq_test || rval=`expr $$rval + $$?`; \ + build_dir=`pwd`; \ + cd $(srcdir); \ for dir in sudo_conf sudo_parseln; do \ - mkdir -p regress/$$dir; \ - for t in $(srcdir)/regress/$$dir/*.in; do \ + passed=0; failed=0; total=0; \ + mkdir -p $$build_dir/regress/$$dir; \ + for t in regress/$$dir/*.in; do \ base=`basename $$t .in`; \ - out="regress/$$dir/$$base.out"; \ + out="$$build_dir/regress/$$dir/$${base}.out"; \ + out_ok="regress/$$dir/$${base}.out.ok"; \ + err="$$build_dir/regress/$$dir/$${base}.err"; \ + err_ok="regress/$$dir/$${base}.err.ok"; \ if test "$$dir" = "sudo_conf"; then \ - ./conf_test $$t >$$out; \ + $$build_dir/conf_test $$t >$$out 2>$$err; \ else \ - ./parseln_test <$$t >$$out; \ + $$build_dir/parseln_test <$$t >$$out 2>$$err; \ fi; \ - if cmp $$out $(srcdir)/$$out.ok >/dev/null; then \ + if cmp $$out $$out_ok >/dev/null; then \ passed=`expr $$passed + 1`; \ echo "$$dir/$$base: OK"; \ else \ failed=`expr $$failed + 1`; \ echo "$$dir/$$base: FAIL"; \ - diff $$out $(srcdir)/$$out.ok; \ + diff $$out $$out_ok || true; \ fi; \ total=`expr $$total + 1`; \ + if test -s $$err_ok; then \ + if cmp $$err $$err_ok >/dev/null; then \ + passed=`expr $$passed + 1`; \ + echo "$$dir/$$base (stderr): OK"; \ + else \ + failed=`expr $$failed + 1`; \ + echo "$$dir/$$base (stderr): FAIL"; \ + diff $$err $$err_ok || true; \ + fi; \ + total=`expr $$total + 1`; \ + elif test -s $$err; then \ + 
failed=`expr $$failed + 1`; \ + echo "$$dir/$$base (stderr): FAIL"; \ + cat $$err 1>&2; \ + fi; \ done; \ + if test $$failed -ne 0; then \ + rval=`expr $$rval + $$failed`; \ + fi; \ + echo "$$dir: $$passed/$$total tests passed; $$failed/$$total tests failed"; \ done; \ - echo "$$dir: $$passed/$$total tests passed; $$failed/$$total tests failed"; \ - exit $$failed; \ + exit $$rval; \ fi clean: diff -urNa sudo-1.8.10/common/regress/atofoo/atofoo_test.c sudo-1.8.10p1/common/regress/atofoo/atofoo_test.c --- sudo-1.8.10/common/regress/atofoo/atofoo_test.c Fri Mar 7 14:51:19 2014 +++ sudo-1.8.10p1/common/regress/atofoo/atofoo_test.c Thu Mar 13 15:18:40 2014 @@ -61,13 +61,14 @@ }; static int -test_atobool(void) +test_atobool(int *ntests) { struct atobool_data *d; int errors = 0; int value; for (d = atobool_data; d->bool_str != NULL; d++) { + (*ntests)++; value = atobool(d->bool_str); if (value != d->value) { warningx_nodebug("FAIL: %s != %d", d->bool_str, d->value); @@ -94,7 +95,7 @@ }; static int -test_atoid(void) +test_atoid(int *ntests) { struct atoid_data *d; const char *errstr; @@ -103,6 +104,7 @@ id_t value; for (d = atoid_data; d->idstr != NULL; d++) { + (*ntests)++; errstr = "some error"; value = atoid(d->idstr, d->sep, &ep, &errstr); if (errstr != NULL) { @@ -136,7 +138,7 @@ }; static int -test_atomode(void) +test_atomode(int *ntests) { struct atomode_data *d; const char *errstr; @@ -144,6 +146,7 @@ mode_t mode; for (d = atomode_data; d->mode_str != NULL; d++) { + (*ntests)++; errstr = "some error"; mode = atomode(d->mode_str, &errstr); if (errstr != NULL) { 
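Review bot: In the new `elif test -s $$err` branch of the `check` recipe in common/Makefile.in, `failed` is incremented but `total` is not, so a test that writes unexpected stderr can leave passed plus failed larger than total in the per-directory summary line; that branch should carry the same `total` increment the other branches use. The added `cd $(srcdir);` is also unchecked, so `cd $(srcdir) || exit 1; \` would stop the run instead of globbing `regress/$$dir/*.in` from the wrong directory. Finally, `exit $$rval` now returns a sum of exit statuses and failure counts, which the shell truncates to 8 bits, so a sum that is a multiple of 256 would be reported as success; `test $$rval -eq 0 || exit 1; \` avoids that.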
@@ -167,12 +170,16 @@ main(int argc, char *argv[]) { int errors = 0; + int ntests = 0; initprogname(argc > 0 ? argv[0] : "atofoo"); - errors += test_atobool(); - errors += test_atoid(); - errors += test_atomode(); + errors += test_atobool(&ntests); + errors += test_atoid(&ntests); + errors += test_atomode(&ntests); + + printf("%s: %d tests run, %d errors, %d%% success rate\n", getprogname(), + ntests, errors, (ntests - errors) * 100 / ntests); exit(errors); } diff -urNa sudo-1.8.10/common/regress/sudo_conf/test5.err.ok sudo-1.8.10p1/common/regress/sudo_conf/test5.err.ok --- sudo-1.8.10/common/regress/sudo_conf/test5.err.ok Wed Dec 31 17:00:00 1969 +++ sudo-1.8.10p1/common/regress/sudo_conf/test5.err.ok Thu Mar 13 15:18:40 2014 @@ -0,0 +1 @@ +conf_test: invalid max groups `0' in regress/sudo_conf/test5.in, line 1 diff -urNa sudo-1.8.10/common/regress/tailq/hltq_test.c sudo-1.8.10p1/common/regress/tailq/hltq_test.c --- sudo-1.8.10/common/regress/tailq/hltq_test.c Fri Mar 7 14:51:19 2014 +++ sudo-1.8.10p1/common/regress/tailq/hltq_test.c Thu Mar 13 15:18:40 2014 @@ -70,6 +70,7 @@ struct test_data *hltq; struct test_data_list tq; int errors = 0; + int ntests = 0; initprogname(argc > 0 ? argv[0] : "hltq_test"); @@ -83,14 +84,17 @@ warningx_nodebug("FAIL: HLTQ_FIRST(1 entry) doesn't return first element: got %p, expected %p", HLTQ_FIRST(&d1), &d1); errors++; } + ntests++; if (HLTQ_LAST(&d1, test_data, entries) != &d1) { warningx_nodebug("FAIL: HLTQ_LAST(1 entry) doesn't return first element: got %p, expected %p", HLTQ_LAST(&d1, test_data, entries), &d1); errors++; } + ntests++; if (HLTQ_PREV(&d1, test_data, entries) != NULL) { warningx_nodebug("FAIL: HLTQ_PREV(1 entry) doesn't return NULL: got %p", HLTQ_PREV(&d1, test_data, entries)); errors++; } + ntests++; HLTQ_INIT(&d2, entries); d2.a = 2; 
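Review bot: The summary `printf` added to `main()` in atofoo_test.c divides by `ntests` without checking it, so a run in which no test case executed would fault on an integer division by zero instead of printing a result. The same expression is added at the end of `main()` in common/regress/tailq/hltq_test.c (last hunk of that file), although there `ntests` is incremented unconditionally; in atofoo_test.c the count depends on the test tables being non-empty, which the hunks do not show. Writing the last argument as `ntests ? (ntests - errors) * 100 / ntests : 0` in both places removes that dependency. Only the return-type line of `main()` lies outside this hunk.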
@@ -112,36 +116,44 @@ warningx_nodebug("FAIL: HLTQ_FIRST(3 entries) doesn't return first element: got %p, expected %p", HLTQ_FIRST(hltq), &d1); errors++; } + ntests++; if (HLTQ_LAST(hltq, test_data, entries) != &d3) { warningx_nodebug("FAIL: HLTQ_LAST(3 entries) doesn't return third element: got %p, expected %p", HLTQ_LAST(hltq, test_data, entries), &d3); errors++; } + ntests++; if (HLTQ_NEXT(&d1, entries) != &d2) { warningx_nodebug("FAIL: HLTQ_NEXT(&d1) doesn't return &d2: got %p, expected %p", HLTQ_NEXT(&d1, entries), &d2); errors++; } + ntests++; if (HLTQ_NEXT(&d2, entries) != &d3) { warningx_nodebug("FAIL: HLTQ_NEXT(&d2) doesn't return &d3: got %p, expected %p", HLTQ_NEXT(&d2, entries), &d3); errors++; } + ntests++; if (HLTQ_NEXT(&d3, entries) != NULL) { warningx_nodebug("FAIL: HLTQ_NEXT(&d3) doesn't return NULL: got %p", HLTQ_NEXT(&d3, entries)); errors++; } + ntests++; if (HLTQ_PREV(&d1, test_data, entries) != NULL) { warningx_nodebug("FAIL: HLTQ_PREV(&d1) doesn't return NULL: got %p", HLTQ_PREV(&d1, test_data, entries)); errors++; } + ntests++; if (HLTQ_PREV(&d2, test_data, entries) != &d1) { warningx_nodebug("FAIL: HLTQ_PREV(&d2) doesn't return &d1: got %p, expected %p", HLTQ_PREV(&d2, test_data, entries), &d1); errors++; } + ntests++; if (HLTQ_PREV(&d3, test_data, entries) != &d2) { warningx_nodebug("FAIL: HLTQ_PREV(&d3) doesn't return &d2: got %p, expected %p", HLTQ_PREV(&d3, test_data, entries), &d2); errors++; } + ntests++; /* Test conversion to TAILQ. */ HLTQ_TO_TAILQ(&tq, hltq, entries); 
@@ -150,36 +162,47 @@ warningx_nodebug("FAIL: TAILQ_FIRST(&tq) doesn't return first element: got %p, expected %p", TAILQ_FIRST(&tq), &d1); errors++; } + ntests++; if (TAILQ_LAST(&tq, test_data_list) != &d3) { warningx_nodebug("FAIL: TAILQ_LAST(&tq) doesn't return third element: got %p, expected %p", TAILQ_LAST(&tq, test_data_list), &d3); errors++; } + ntests++; if (TAILQ_NEXT(&d1, entries) != &d2) { warningx_nodebug("FAIL: TAILQ_NEXT(&d1) doesn't return &d2: got %p, expected %p", TAILQ_NEXT(&d1, entries), &d2); errors++; } + ntests++; if (TAILQ_NEXT(&d2, entries) != &d3) { warningx_nodebug("FAIL: TAILQ_NEXT(&d2) doesn't return &d3: got %p, expected %p", TAILQ_NEXT(&d2, entries), &d3); errors++; } + ntests++; if (TAILQ_NEXT(&d3, entries) != NULL) { warningx_nodebug("FAIL: TAILQ_NEXT(&d3) doesn't return NULL: got %p", TAILQ_NEXT(&d3, entries)); errors++; } + ntests++; if (TAILQ_PREV(&d1, test_data_list, entries) != NULL) { warningx_nodebug("FAIL: TAILQ_PREV(&d1) doesn't return NULL: got %p", TAILQ_PREV(&d1, test_data_list, entries)); errors++; } + ntests++; if (TAILQ_PREV(&d2, test_data_list, entries) != &d1) { warningx_nodebug("FAIL: TAILQ_PREV(&d2) doesn't return &d1: got %p, expected %p", TAILQ_PREV(&d2, test_data_list, entries), &d1); errors++; } + ntests++; if (TAILQ_PREV(&d3, test_data_list, entries) != &d2) { warningx_nodebug("FAIL: TAILQ_PREV(&d3) doesn't return &d2: got %p, expected %p", TAILQ_PREV(&d3, test_data_list, entries), &d2); errors++; } + ntests++; + + printf("%s: %d tests run, %d errors, %d%% success rate\n", getprogname(), + ntests, errors, (ntests - errors) * 100 / ntests); exit(errors); } diff -urNa sudo-1.8.10/configure sudo-1.8.10p1/configure --- sudo-1.8.10/configure Fri Mar 7 14:51:47 2014 +++ sudo-1.8.10p1/configure Thu Mar 13 15:18:40 2014 
@@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for sudo 1.8.10. +# Generated by GNU Autoconf 2.69 for sudo 1.8.10p1. # # Report bugs to . # @@ -590,8 +590,8 @@ # Identity of this package. PACKAGE_NAME='sudo' PACKAGE_TARNAME='sudo' -PACKAGE_VERSION='1.8.10' -PACKAGE_STRING='sudo 1.8.10' +PACKAGE_VERSION='1.8.10p1' +PACKAGE_STRING='sudo 1.8.10p1' PACKAGE_BUGREPORT='http://www.sudo.ws/bugs/' PACKAGE_URL='' @@ -1505,7 +1505,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures sudo 1.8.10 to adapt to many kinds of systems. +\`configure' configures sudo 1.8.10p1 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1570,7 +1570,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of sudo 1.8.10:";; + short | recursive ) echo "Configuration of sudo 1.8.10p1:";; esac cat <<\_ACEOF @@ -1802,7 +1802,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -sudo configure 1.8.10 +sudo configure 1.8.10p1 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2511,7 +2511,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by sudo $as_me 1.8.10, which was +It was created by sudo $as_me 1.8.10p1, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -22958,7 +22958,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by sudo $as_me 1.8.10, which was +This file was extended by sudo $as_me 1.8.10p1, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES 
@@ -23024,7 +23024,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -sudo config.status 1.8.10 +sudo config.status 1.8.10p1 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -urNa sudo-1.8.10/configure.ac sudo-1.8.10p1/configure.ac --- sudo-1.8.10/configure.ac Fri Mar 7 14:51:48 2014 +++ sudo-1.8.10p1/configure.ac Thu Mar 13 15:18:40 2014 @@ -4,7 +4,7 @@ dnl Copyright (c) 1994-1996,1998-2014 Todd C. Miller dnl AC_PREREQ([2.59]) -AC_INIT([sudo], [1.8.10], [http://www.sudo.ws/bugs/], [sudo]) +AC_INIT([sudo], [1.8.10p1], [http://www.sudo.ws/bugs/], [sudo]) AC_CONFIG_HEADER([config.h pathnames.h]) AC_CONFIG_SRCDIR([src/sudo.c]) dnl diff -urNa sudo-1.8.10/plugins/sudoers/Makefile.in sudo-1.8.10p1/plugins/sudoers/Makefile.in --- sudo-1.8.10/plugins/sudoers/Makefile.in Fri Mar 7 14:51:21 2014 +++ sudo-1.8.10p1/plugins/sudoers/Makefile.in Thu Mar 13 15:18:40 2014 @@ -330,7 +330,6 @@ check: $(TEST_PROGS) visudo testsudoers @if test X"$(cross_compiling)" != X"yes"; then \ rval=0; \ - CWD=`pwd`; \ mkdir -p regress/parser; \ ./check_addr $(srcdir)/regress/parser/check_addr.in || rval=`expr $$rval + $$?`; \ ./check_base64 || rval=`expr $$rval + $$?`; \ @@ -367,7 +366,7 @@ else \ failed=`expr $$failed + 1`; \ echo "$$dir/$$base (toke): FAIL"; \ - diff $$out $(srcdir)/$$out.ok || true; \ + diff $$toke $(srcdir)/$$toke.ok || true; \ fi; \ total=`expr $$total + 1`; \ done; \ @@ -400,7 +399,7 @@ else \ failed=`expr $$failed + 1`; \ echo "$$dir/$$base (stderr): FAIL"; \ - diff $$out $(srcdir)/$$out.ok || true; \ + diff $$err $(srcdir)/$$err.ok || true; \ fi; \ total=`expr $$total + 1`; \ elif test -s $$err; then \ diff -urNa sudo-1.8.10/plugins/sudoers/parse.c sudo-1.8.10p1/plugins/sudoers/parse.c --- sudo-1.8.10/plugins/sudoers/parse.c Fri Mar 7 14:50:57 2014 +++ sudo-1.8.10p1/plugins/sudoers/parse.c Thu Mar 13 15:18:40 2014 
@@ -697,7 +697,8 @@ if (runas_match == ALLOW) { cmnd_match = cmnd_matches(cs->cmnd); if (cmnd_match != UNSPEC) { - match = host_match && runas_match ? cs->cmnd : NULL; + if (cmnd_match == ALLOW) + match = cs->cmnd; goto matched; } } diff -urNa sudo-1.8.10/plugins/sudoers/timestamp.c sudo-1.8.10p1/plugins/sudoers/timestamp.c --- sudo-1.8.10/plugins/sudoers/timestamp.c Fri Mar 7 14:51:20 2014 +++ sudo-1.8.10p1/plugins/sudoers/timestamp.c Thu Mar 13 15:18:40 2014 @@ -403,7 +403,7 @@ timestamp_key.flags = TS_ANYUID; } timestamp_key.sid = user_sid; - if (def_timestampdir) { + if (def_tty_tickets) { if (user_ttypath != NULL && stat(user_ttypath, &sb) == 0) { /* tty-based time stamp */ timestamp_key.type = TS_TTY; @@ -537,7 +537,7 @@ timestamp_key.size = sizeof(timestamp_key); timestamp_key.type = TS_GLOBAL; /* may be overriden below */ timestamp_key.flags = TS_ANYUID; - if (def_timestampdir) { + if (def_tty_tickets) { struct stat sb; if (user_ttypath != NULL && stat(user_ttypath, &sb) == 0) { /* tty-based time stamp */ diff -urNa sudo-1.8.10/src/Makefile.in sudo-1.8.10p1/src/Makefile.in --- sudo-1.8.10/src/Makefile.in Fri Mar 7 14:51:21 2014 +++ sudo-1.8.10p1/src/Makefile.in Thu Mar 13 15:18:40 2014 @@ -184,7 +184,9 @@ cppcheck $(CPPCHECK_OPTS) -I$(incdir) -I$(top_builddir) -I. -I$(srcdir) -I$(top_srcdir) $(srcdir)/*.c check: $(TEST_PROGS) - ./check_ttyname + @if test X"$(cross_compiling)" != X"yes"; then \ + ./check_ttyname; \ + fi clean: -$(LIBTOOL) --mode=clean rm -f $(PROGS) $(TEST_PROGS) *.lo *.o *.la *.a stamp-* core *.core core.*
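Review bot: In the parse.c hunk the deny outcome now depends on `match` still being NULL when control reaches `matched`, and that initialisation is outside the hunk, so the guarantee is not visible at the decision point. A comment on the new test such as `/* DENY: stop searching and leave match NULL so the command is not listed */` would record it, and bracing the body as `if (cmnd_match == ALLOW) { match = cs->cmnd; }` keeps the `goto matched;` that follows clearly outside the conditional. The patch also appears to add no regression case for a negated command in `sudo -l command` (Bug #636); the only new test file listed in MANIFEST is for sudo_conf. The enclosing function starts and ends outside the hunk.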
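Review bot: Both timestamp.c hunks (at lines 403 and 537) change the test to `def_tty_tickets` without a comment, and the one-identifier slip being fixed compiled cleanly under either name; a comment above each test, for example `/* Only key the time stamp record on the tty when tty_tickets is enabled. */`, would state the intent. What happens when `stat(user_ttypath, &sb)` fails lies outside both hunks, so the fallback key type at the first location cannot be confirmed from here. The patch also appears to add no regression case for `Defaults !tty_tickets`, so the setting that selects the ticket scope stays untested. Both enclosing functions start and end outside the hunks.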