This patch will upgrade Sudo version 1.8.21 patchlevel 1 to Sudo version 1.8.21 patchlevel 2. To apply: $ cd sudo-1.8.21p1 $ patch -p1 < sudo-1.8.21p2.patch
diff -urNa sudo-1.8.21p1/ChangeLog sudo-1.8.21p2/ChangeLog
--- sudo-1.8.21p1/ChangeLog Fri Sep 1 14:15:24 2017
+++ sudo-1.8.21p2/ChangeLog Wed Sep 6 21:05:29 2017
@@ -1,3 +1,34 @@
+2017-09-06 Todd C. Miller
+
+ * NEWS, configure, configure.ac:
+ sudo 1.8.21p2
+ [94d18888e7c4]
+
+ * src/exec.c:
+ sudo_terminated() should not return true when SIGCHLD is pending.
+ Bug #801
+ [57f636b6489f]
+
+ * src/tgetpass.c:
+ Set SIGCHLD handler to SIG_DFL before forking the askpass command
+ and restore after. Otherwise, SIGCHLD will end up in the list of
+ pending signals and sudo_execute() will not execute the command.
+ [c171eeabdc72]
+
+ * lib/util/event.c:
+ The read and write sides of signal_pipe[] were swapped, resulting in
+ EBADF reading from and writing to the signal pipe on Linux and
+ probably others. On systems with bidirectional pipes this was not an
+ issue.
+ [7668f93e6544]
+
+2017-09-05 Todd C. Miller
+
+ * plugins/sudoers/auth/pam.c:
+ Fix a logic error in 96651906de42 which prevented sudo from using
+ the PAM-supplied prompt. Bug #799
+ [6ee5cc13af69]
+
 2017-09-01 Todd C. Miller
 * NEWS, configure, configure.ac:
diff -urNa sudo-1.8.21p1/NEWS sudo-1.8.21p2/NEWS
--- sudo-1.8.21p1/NEWS Fri Sep 1 14:13:13 2017
+++ sudo-1.8.21p2/NEWS Wed Sep 6 21:04:33 2017
@@ -1,3 +1,15 @@ +What's new in Sudo 1.8.21p2 + + * Fixed a bug introduced in version 1.8.21 which prevented sudo + from using the PAM-supplied prompt. Bug #799 + + * Fixed a bug introduced in version 1.8.21 which could result in + sudo hanging when running commands that exit quickly. Bug #800 + + * Fixed a bug introduced in version 1.8.21 which prevented the + command from being run when the password was read via an external + program using the askpass interface. Bug #801 + What's new in Sudo 1.8.21p1 * On systems that support both PAM and SIGINFO, the main sudo diff -urNa sudo-1.8.21p1/configure sudo-1.8.21p2/configure --- sudo-1.8.21p1/configure Fri Sep 1 14:13:13 2017 +++ sudo-1.8.21p2/configure Wed Sep 6 21:04:33 2017 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for sudo 1.8.21p1. +# Generated by GNU Autoconf 2.69 for sudo 1.8.21p2. # # Report bugs to . # @@ -590,8 +590,8 @@ # Identity of this package. PACKAGE_NAME='sudo' PACKAGE_TARNAME='sudo' -PACKAGE_VERSION='1.8.21p1' -PACKAGE_STRING='sudo 1.8.21p1' +PACKAGE_VERSION='1.8.21p2' +PACKAGE_STRING='sudo 1.8.21p2' PACKAGE_BUGREPORT='https://bugzilla.sudo.ws/' PACKAGE_URL='' @@ -1538,7 +1538,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures sudo 1.8.21p1 to adapt to many kinds of systems. +\`configure' configures sudo 1.8.21p2 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1603,7 +1603,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of sudo 1.8.21p1:";; + short | recursive ) echo "Configuration of sudo 1.8.21p2:";; esac cat <<\_ACEOF 
@@ -1861,7 +1861,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -sudo configure 1.8.21p1 +sudo configure 1.8.21p2 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2570,7 +2570,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by sudo $as_me 1.8.21p1, which was +It was created by sudo $as_me 1.8.21p2, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -27005,7 +27005,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by sudo $as_me 1.8.21p1, which was +This file was extended by sudo $as_me 1.8.21p2, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -27071,7 +27071,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -sudo config.status 1.8.21p1 +sudo config.status 1.8.21p2 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -urNa sudo-1.8.21p1/configure.ac sudo-1.8.21p2/configure.ac --- sudo-1.8.21p1/configure.ac Fri Sep 1 14:13:13 2017 +++ sudo-1.8.21p2/configure.ac Wed Sep 6 21:04:33 2017 @@ -4,7 +4,7 @@ dnl Copyright (c) 1994-1996,1998-2017 Todd C. Miller dnl AC_PREREQ([2.59]) -AC_INIT([sudo], [1.8.21p1], [https://bugzilla.sudo.ws/], [sudo]) +AC_INIT([sudo], [1.8.21p2], [https://bugzilla.sudo.ws/], [sudo]) AC_CONFIG_HEADER([config.h pathnames.h]) AC_CONFIG_SRCDIR([src/sudo.c]) dnl diff -urNa sudo-1.8.21p1/lib/util/event.c sudo-1.8.21p2/lib/util/event.c --- sudo-1.8.21p1/lib/util/event.c Wed Aug 23 12:07:29 2017 +++ sudo-1.8.21p2/lib/util/event.c Wed Sep 6 21:04:33 2017 
@@ -153,7 +153,7 @@
 }
 if (nread == -1 && errno != EAGAIN) {
 sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO|SUDO_DEBUG_ERRNO,
- "%s: error reading from signal pipe", __func__);
+ "%s: error reading from signal pipe fd %d", __func__, fd);
 }
 /* Activate signal events. */
@@ -182,7 +182,7 @@
 "%s: unable to create signal pipe", __func__);
 goto bad;
 }
- sudo_ev_init(&base->signal_event, base->signal_pipe[1],
+ sudo_ev_init(&base->signal_event, base->signal_pipe[0],
 SUDO_EV_READ|SUDO_EV_PERSIST, signal_pipe_cb, base);
 debug_return_int(0);
@@ -341,7 +341,7 @@
 signal_base->signal_caught = 1;
 /* Wake up the other end of the pipe. */
- ignore_result(write(signal_base->signal_pipe[0], &ch, 1));
+ ignore_result(write(signal_base->signal_pipe[1], &ch, 1));
 }
 }
@@ -622,7 +622,7 @@
 if (errno == EINTR) {
 /* Interrupted by signal, check for sigevents. */
 if (base->signal_caught) {
- signal_pipe_cb(base->signal_pipe[1], SUDO_EV_READ, base);
+ signal_pipe_cb(base->signal_pipe[0], SUDO_EV_READ, base);
 break;
 }
 continue;
diff -urNa sudo-1.8.21p1/plugins/sudoers/auth/pam.c sudo-1.8.21p2/plugins/sudoers/auth/pam.c
--- sudo-1.8.21p1/plugins/sudoers/auth/pam.c Wed Aug 23 12:07:28 2017
+++ sudo-1.8.21p2/plugins/sudoers/auth/pam.c Wed Sep 6 21:04:33 2017
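Review bot: The pipe ends are still picked by bare `[0]` and `[1]` in the `sudo_ev_init()` call of the @@ -182 hunk, which is how the swap fixed here stayed hidden on systems with bidirectional pipes. Named indices would make the direction checkable at a glance, for example `enum { SIGNAL_PIPE_RD = 0, SIGNAL_PIPE_WR = 1 };` and `base->signal_pipe[SIGNAL_PIPE_RD]` in this call. The same applies to the `write()` in the @@ -341 hunk and the `signal_pipe_cb()` call in the @@ -622 hunk. The enclosing function starts and ends outside the hunk.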
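Review bot: The `write()` to `signal_pipe[1]` in the @@ -341 hunk can overwrite `errno`, and if this code runs in signal-handler context (inferred from the `signal_caught` flag and the "Wake up the other end of the pipe" comment, since the function header is outside the hunk) the interrupted code may then read a wrong value, including the `errno == EINTR` test visible in the @@ -622 hunk. Saving and restoring it around the call would close that gap: `const int saved_errno = errno;` before the write and `errno = saved_errno;` after it. Discarding the result through `ignore_result()` looks deliberate if the pipe is non-blocking, but a one-line comment saying so would help the next reader.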
@@ -435,28 +435,32 @@
 size_t user_len;
 debug_decl(use_pam_prompt, SUDOERS_DEBUG_AUTH)
- if (!def_passprompt_override) {
- /* If sudo prompt matches "^Password: ?$", use PAM prompt. */
- if (PROMPT_IS_PASSWORD(def_prompt))
- debug_return_bool(true);
+ /* Always use sudo prompt if passprompt_override is set. */
+ if (def_passprompt_override)
+ debug_return_bool(false);
- /* If PAM prompt matches "^Password: ?$", use sudo prompt. */
- if (PAM_PROMPT_IS_PASSWORD(pam_prompt))
- debug_return_bool(false);
+ /* If sudo prompt matches "^Password: ?$", use PAM prompt. */
+ if (PROMPT_IS_PASSWORD(def_prompt))
+ debug_return_bool(true);
- /*
- * Some PAM modules use "^username's Password: ?$" instead of
- * "^Password: ?" so check for that too.
- */
- user_len = strlen(user_name);
- if (strncmp(pam_prompt, user_name, user_len) == 0) {
- const char *cp = pam_prompt + user_len;
- if (strncmp(cp, "'s Password:", 12) == 0 &&
- (cp[12] == '\0' || (cp[12] == ' ' && cp[13] == '\0')))
- debug_return_bool(false);
- }
+ /* If PAM prompt matches "^Password: ?$", use sudo prompt. */
+ if (PAM_PROMPT_IS_PASSWORD(pam_prompt))
+ debug_return_bool(false);
+
+ /*
+ * Some PAM modules use "^username's Password: ?$" instead of
+ * "^Password: ?" so check for that too.
+ */
+ user_len = strlen(user_name);
+ if (strncmp(pam_prompt, user_name, user_len) == 0) {
+ const char *cp = pam_prompt + user_len;
+ if (strncmp(cp, "'s Password:", 12) == 0 &&
+ (cp[12] == '\0' || (cp[12] == ' ' && cp[13] == '\0')))
+ debug_return_bool(false);
 }
- debug_return_bool(false);
+
+ /* Otherwise, use the PAM prompt. */
+ debug_return_bool(true);
 }
 /*
diff -urNa sudo-1.8.21p1/src/exec.c sudo-1.8.21p2/src/exec.c
--- sudo-1.8.21p1/src/exec.c Wed Aug 23 12:07:28 2017
+++ sudo-1.8.21p2/src/exec.c Wed Sep 6 21:04:33 2017
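Review bot: The new fall-through `debug_return_bool(true)` makes the PAM module's text the default, so any prompt that matches neither password pattern is shown to the user exactly as the PAM stack supplied it, and the comment above it should record that this is intended. Something like `/* Otherwise show the PAM-supplied prompt; passprompt_override forces sudo's own. */` would tie the default to the setting checked at the top. Separately, the literal `12` in `strncmp(cp, "'s Password:", 12)` and the `cp[12]`/`cp[13]` indexing repeat the string length by hand; a local holding `sizeof("'s Password:") - 1` would keep them in step. The function signature is outside the hunk, so whether `pam_prompt` or `user_name` can be NULL before `strlen()`/`strncmp()` cannot be confirmed from here.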
@@ -311,6 +311,9 @@
 for (signo = 0; signo < NSIG; signo++) {
 if (signal_pending(signo)) {
 switch (signo) {
+ case SIGCHLD:
+ /* Ignore. */
+ break;
 case SIGTSTP:
 /* Suspend below if not terminated. */
 sigtstp = true;
diff -urNa sudo-1.8.21p1/src/tgetpass.c sudo-1.8.21p2/src/tgetpass.c
--- sudo-1.8.21p1/src/tgetpass.c Wed Aug 23 12:07:28 2017
+++ sudo-1.8.21p2/src/tgetpass.c Wed Sep 6 21:04:33 2017
@@ -238,10 +238,18 @@
 sudo_askpass(const char *askpass, const char *prompt)
 {
 static char buf[SUDO_CONV_REPL_MAX + 1], *pass;
+ struct sigaction sa, savechld;
 int pfd[2], status;
 pid_t child;
 debug_decl(sudo_askpass, SUDO_DEBUG_CONV)
+ /* Set SIGCHLD handler to default since we call waitpid() below. */
+ memset(&sa, 0, sizeof(sa));
+ sigemptyset(&sa.sa_mask);
+ sa.sa_flags = SA_RESTART;
+ sa.sa_handler = SIG_DFL;
+ (void) sigaction(SIGCHLD, &sa, &savechld);
+
 if (pipe(pfd) == -1)
 sudo_fatal(U_("unable to create pipe"));
@@ -287,6 +295,9 @@
 if (pass == NULL)
 errno = EINTR; /* make cancel button simulate ^C */
+
+ /* Restore saved SIGCHLD handler. */
+ (void) sigaction(SIGCHLD, &savechld, NULL);
 debug_return_str_masked(pass);
 }
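Review bot: The comment `/* Ignore. */` on the new `case SIGCHLD:` does not say why a pending SIGCHLD must not count as termination, which is the whole reason for the change. A comment such as `/* A pending SIGCHLD (e.g. from the askpass helper) is not a request to terminate. */` would keep a later edit from folding the case back into whatever the default path does. The `switch` and its enclosing function continue outside the hunk, so the handling of other signals is not visible here.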
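Review bot: The result of `sigaction(SIGCHLD, &sa, &savechld)` in the @@ -238 hunk of src/tgetpass.c is discarded, so if that call fails `savechld` is left indeterminate and the restore added in the @@ -287 hunk installs whatever it happens to contain. Recording the outcome fixes that: `const bool saved = sigaction(SIGCHLD, &sa, &savechld) == 0;` and later `if (saved) (void) sigaction(SIGCHLD, &savechld, NULL);`. The code between the two hunks is not shown, so any return path there that skips the restore would leave SIGCHLD at `SIG_DFL` for the rest of the process and should be checked. `SA_RESTART` has no effect together with `SIG_DFL` and could be dropped.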