From 6916b3b15a46d5ec4ef8effc9280357628b9b4d6 Mon Sep 17 00:00:00 2001 From: Bdale Garbee Date: Sat, 26 Mar 2005 22:18:34 -0700 Subject: [PATCH] Imported Debian patch 1.6.8p7-1 --- config.guess | 16 ++++------------ config.sub | 10 +++++----- debian/README.Debian | 19 ------------------- debian/changelog | 40 ---------------------------------------- debian/rules | 4 +--- env.c | 11 ----------- sudo.c | 2 -- sudoers.man.in | 2 -- sudoers.pod | 9 +-------- 9 files changed, 11 insertions(+), 102 deletions(-) delete mode 100644 debian/README.Debian diff --git a/config.guess b/config.guess index 9c292ea..8229471 100644 --- a/config.guess +++ b/config.guess @@ -1,9 +1,9 @@ #! /bin/sh # Attempt to guess a canonical system name. # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, -# 2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation, Inc. +# 2000, 2001, 2002, 2003, 2004 Free Software Foundation, Inc. -timestamp='2005-03-24' +timestamp='2004-11-12' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by @@ -53,7 +53,7 @@ version="\ GNU config.guess ($timestamp) Originally written by Per Bothner. -Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005 +Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO @@ -804,9 +804,6 @@ EOF i*:UWIN*:*) echo ${UNAME_MACHINE}-pc-uwin exit 0 ;; - amd64:CYGWIN*:*:*) - echo x86_64-unknown-cygwin - exit 0 ;; p*:CYGWIN*:*) echo powerpcle-unknown-cygwin exit 0 ;; @@ -1200,9 +1197,6 @@ EOF *:QNX:*:4*) echo i386-pc-qnx exit 0 ;; - NSE-?:NONSTOP_KERNEL:*:*) - echo nse-tandem-nsk${UNAME_RELEASE} - exit 0 ;; NSR-?:NONSTOP_KERNEL:*:*) echo nsr-tandem-nsk${UNAME_RELEASE} exit 0 ;; 
@@ -1419,9 +1413,7 @@ This script, last modified $timestamp, has failed to recognize the operating system you are using. It is advised that you download the most up to date version of the config scripts from - http://savannah.gnu.org/cgi-bin/viewcvs/*checkout*/config/config/config.guess -and - http://savannah.gnu.org/cgi-bin/viewcvs/*checkout*/config/config/config.sub + ftp://ftp.gnu.org/pub/gnu/config/ If the version you run ($0) is already up to date, please send the following data and any information you think might be diff --git a/config.sub b/config.sub index d8fd2f8..0f84ac2 100755 --- a/config.sub +++ b/config.sub @@ -1,9 +1,9 @@ #! /bin/sh # Configuration validation subroutine script. # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, -# 2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation, Inc. +# 2000, 2001, 2002, 2003, 2004 Free Software Foundation, Inc. -timestamp='2005-02-10' +timestamp='2004-11-30' # This file is (in principle) common to ALL GNU software. # The presence of a machine in this file suggests that SOME GNU software @@ -70,7 +70,7 @@ Report bugs and patches to ." version="\ GNU config.sub ($timestamp) -Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005 +Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO @@ -237,7 +237,7 @@ case $basic_machine in | h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \ | i370 | i860 | i960 | ia64 \ | ip2k | iq2000 \ - | m32r | m32rle | m68000 | m68k | m88k | maxq | mcore \ + | m32r | m32rle | m68000 | m68k | m88k | mcore \ | mips | mipsbe | mipseb | mipsel | mipsle \ | mips16 \ | mips64 | mips64el \ 
@@ -310,7 +310,7 @@ case $basic_machine in | ip2k-* | iq2000-* \ | m32r-* | m32rle-* \ | m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \ - | m88110-* | m88k-* | maxq-* | mcore-* \ + | m88110-* | m88k-* | mcore-* \ | mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \ | mips16-* \ | mips64-* | mips64el-* \ diff --git a/debian/README.Debian b/debian/README.Debian deleted file mode 100644 index 8da7c94..0000000 --- a/debian/README.Debian +++ /dev/null @@ -1,19 +0,0 @@ -The version of sudo that ships with Debian by default resets the -environment, as described by the "env_reset" flag in the sudoers file. - -This implies that all environment variables are removed, except for -HOME, LOGNAME, PATH, SHELL, TERM, DISPLAY, XAUTHORITY, XAUTHORIZATION, -LANG, LANGUAGE, LC_*, and USER. - -In case you want sudo to preserve more environment variables, you must -specify the env_keep variable in the sudoers file. You should edit the -sudoers file using the visudo tool. - -Examples: -Preserve the default variables plus the EDITOR variable: - - Defaults env_keep+="EDITOR" - -Preserve the default variables plus all variables starting with LC_: - - Defaults env_keep+="LC_*" diff --git a/debian/changelog b/debian/changelog index 751c8d1..dc30fbe 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,43 +1,3 @@ -sudo (1.6.8p7-1.4) stable-security; urgency=medium - - * Non-maintainer upload by the Security Team - * Reworked the former patch to limit environment variables from being - passed through, set env_reset as default instead [sudo.c, env.c, - sudoers.pod, Bug#342948, CVE-2005-4158] - * env_reset is now set by default - * env_reset will preserve only HOME, LOGNAME, PATH, SHELL, TERM, - DISPLAY, XAUTHORITY, XAUTHORIZATION, LANG, LANGUAGE, LC_*, and USER - (in addition to the SUDO_* variables) - * Rebuild sudoers.man.in from the POD file - * Added README.Debian - - -- Martin Schulze Mon, 20 Mar 2006 22:56:30 +0100 - -sudo (1.6.8p7-1.3) stable-security; urgency=high - - * Non-maintainer upload by the Security Team - * Reverse the environment semantic by forcing users to maintain a - whitelist [env.c, Bug#342948, CVE-2005-4158] - - -- Martin Schulze Mon, 12 Dec 2005 18:57:03 +0100 - -sudo (1.6.8p7-1.2) stable-security; urgency=high - - * Non-maintainer upload by the Security Team - * Clean SHELLOPTS and PS4 from the environment before executing programs - with sudo permissions [env.c, CAN-2005-2959] - - -- Martin Schulze Thu, 22 Sep 2005 23:32:53 +0200 - -sudo (1.6.8p7-1.1) unstable; urgency=high - - * Non-maintainer upload. - * High-urgency upload for sarge-targetted RC bugfix. - * Fix up a broken symlink pointing to debian/sudo/usr/bin/sudo, so - that sudoedit is usable again. Closes: #305735. - - -- Steve Langasek Tue, 26 Apr 2005 22:59:06 -0700 - sudo (1.6.8p7-1) unstable; urgency=low * new upstream version, closes: #299585 diff --git a/debian/rules b/debian/rules index f211075..6e6e939 100755 --- a/debian/rules +++ b/debian/rules @@ -26,8 +26,6 @@ build-stamp: --with-sendmail=/usr/sbin/sendmail \ --with-secure-path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin" - -rm -f sudoers.man.in sudoers.man - make sudoers.man.in sudoers.man -$(MAKE) touch build-stamp 
@@ -53,7 +51,7 @@ install: build dh_installdirs install -o root -g root -m 4755 -s sudo debian/sudo/usr/bin/sudo - ln -sf sudo debian/sudo/usr/bin/sudoedit + ln -sf debian/sudo/usr/bin/sudo debian/sudo/usr/bin/sudoedit install -o root -g root -m 0755 -s visudo debian/sudo/usr/sbin/visudo install -o root -g root -m 0644 sudo.man \ debian/sudo/usr/share/man/man8/sudo.8 diff --git a/env.c b/env.c index b30b843..9d3a765 100644 --- a/env.c +++ b/env.c @@ -89,8 +89,6 @@ static char *format_env __P((char *, ...)); static const char *initial_badenv_table[] = { "IFS", "CDPATH", - "SHELLOPTS", - "PS4", "LOCALDOMAIN", "RES_OPTIONS", "HOSTALIASES", @@ -136,7 +134,6 @@ static const char *initial_checkenv_table[] = { "LC_*", "LANG", "LANGUAGE", - "TERM", NULL }; @@ -363,14 +360,6 @@ rebuild_env(envp, sudo_mode, noexec) } } - if (!strncmp (*ep, "DISPLAY=",8) - || !strncmp (*ep, "XAUTHORITY=", 11) - || !strncmp (*ep, "XAUTHORIZATION=", 15) - || !strncmp (*ep, "LANG=", 5) - || !strncmp (*ep, "LANGUAGE=", 9) - || !strncmp (*ep, "LC_", 3)) - keepit = 1; - /* For SUDO_PS1 -> PS1 conversion. */ if (strncmp(*ep, "SUDO_PS1=", 8) == 0) ps1 = *ep + 5; diff --git a/sudo.c b/sudo.c index 01f3310..31edb65 100644 --- a/sudo.c +++ b/sudo.c @@ -697,8 +697,6 @@ parse_args(argc, argv) return(rval); } - /* New default: reset the environment */ - def_env_reset = TRUE; while (NewArgc > 0 && NewArgv[0][0] == '-') { if (NewArgv[0][1] != '\0' && NewArgv[0][2] != '\0') warnx("please use single character options"); diff --git a/sudoers.man.in b/sudoers.man.in index 63946db..294ff67 100644 --- a/sudoers.man.in +++ b/sudoers.man.in @@ -1413,5 +1413,3 @@ including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0 file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html for complete details. -.PP -Test diff --git a/sudoers.pod b/sudoers.pod index 372d8e9..563ab15 100644 --- a/sudoers.pod +++ b/sudoers.pod 
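Review bot: The new `ln -sf debian/sudo/usr/bin/sudo debian/sudo/usr/bin/sudoedit` in the install target produces a dangling link, because a relative symlink target is resolved from the directory that holds the link, not from the build directory. The debian/changelog entry this same patch deletes (1.6.8p7-1.1, Closes: #305735) describes this broken link as leaving sudoedit unusable. The target should be the sibling name, `ln -sf sudo debian/sudo/usr/bin/sudoedit`, and a `test -e debian/sudo/usr/bin/sudoedit` after the install step would catch a regression. The install target continues outside the hunk.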
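Review bot: `initial_badenv_table` on the new side of env.c (@@ -89,8 +89,6) no longer lists `"SHELLOPTS"` and `"PS4"`, so, going by the table's name, these two variables are no longer stripped from the environment handed to commands run through sudo. The debian/changelog entry removed by this same patch (1.6.8p7-1.2) records their addition as the fix for CAN-2005-2959, so the import reads as a rollback of that fix; keep `"SHELLOPTS",` and `"PS4",` after `"CDPATH",`. The next hunk (@@ -136,7 +134,6) likewise drops `"TERM",` from `initial_checkenv_table`, which presumably means its value is no longer checked before being passed on, and that entry should stay as well. Both tables begin outside their hunks.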
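Review bot: With the `keepit = 1` block gone from `rebuild_env()` in env.c (@@ -363,14 +360,6) and `def_env_reset = TRUE;` removed from `parse_args()` in sudo.c (@@ -697,8 +697,6), env_reset is no longer enabled by default, so the caller's environment is presumably filtered only by the remaining tables instead of being reduced to a short keep list. The deleted changelog entries (1.6.8p7-1.3 and 1.6.8p7-1.4) tie that default to CVE-2005-4158, and the deleted README.Debian documented it for administrators. If this commit is a history import that places an older package revision after a newer one, the description should say so; otherwise keep `def_env_reset = TRUE;` together with the DISPLAY/XAUTHORITY/XAUTHORIZATION/LANG/LANGUAGE/LC_ keep list. Both functions extend beyond their hunks.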
@@ -437,19 +437,12 @@ signals and setuid processes. If set, B will reset the environment to only contain the following variables: C, C, C, C, C, -C, C, C, -C, C, C, and C (in addition to the C variables). - -Of these, only C, C, C, C, -C, C, and C are copied unaltered from the old environment. +Of these, only C is copied unaltered from the old environment. The other variables are set to default values (possibly modified by the value of the I option). If B was compiled with the C option, its value will be used for the C environment variable. - -This option is enabled by default. - Other variables may be preserved with the I option. =item use_loginclass -- 2.39.5