From 8f27a8f156265d6b89eb4d77ebedf776681899b2 Mon Sep 17 00:00:00 2001 From: Praveen Kumar Date: Wed, 9 Jul 2025 11:36:34 +0530 Subject: sudo: upgrade 1.9.17 -> 1.9.17p1 Changelog: =========== * Fixed CVE-2025-32462. Sudo's -h (--host) option could be specified when running a command or editing a file. This could enable a local privilege escalation attack if the sudoers file allows the user to run commands on a different host. * Fixed CVE-2025-32463. An attacker can leverage sudo's -R (--chroot) option to run arbitrary commands as root, even if they are not listed in the sudoers file. The chroot support has been deprecated an will be removed entirely in a future release. (From OE-Core rev: 4ac42eefe6c1b5895a3334d7f90004fdc8a3267f) Signed-off-by: Praveen Kumar Signed-off-by: Richard Purdie --- meta/recipes-extended/sudo/sudo_1.9.17.bb | 61 ----------------------------- meta/recipes-extended/sudo/sudo_1.9.17p1.bb | 61 +++++++++++++++++++++++++++++ 2 files changed, 61 insertions(+), 61 deletions(-) delete mode 100644 meta/recipes-extended/sudo/sudo_1.9.17.bb create mode 100644 meta/recipes-extended/sudo/sudo_1.9.17p1.bb diff --git a/meta/recipes-extended/sudo/sudo_1.9.17.bb b/meta/recipes-extended/sudo/sudo_1.9.17.bb deleted file mode 100644 index 71d48f448d..0000000000 --- a/meta/recipes-extended/sudo/sudo_1.9.17.bb +++ /dev/null @@ -1,61 +0,0 @@ -require sudo.inc - -SRC_URI = "https://www.sudo.ws/dist/sudo-${PV}.tar.gz \ - ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \ - file://0001-sudo.conf.in-fix-conflict-with-multilib.patch \ - " - -PAM_SRC_URI = "file://sudo.pam" - -SRC_URI[sha256sum] = "3f212c69d534d5822b492d099abb02a593f91ca99f5afde5cb9bd3e1dcdad069" - -DEPENDS += " virtual/crypt ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}" -RDEPENDS:${PN} += " ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-plugin-limits pam-plugin-keyinit', '', d)}" - -CACHED_CONFIGUREVARS = " \ - ac_cv_type_rsize_t=no \ - ac_cv_path_MVPROG=${base_bindir}/mv \ - ac_cv_path_BSHELLPROG=${base_bindir}/sh \ - ac_cv_path_SENDMAILPROG=${sbindir}/sendmail \ - ac_cv_path_VIPROG=${base_bindir}/vi \ - " - -EXTRA_OECONF += " \ - ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '--with-pam', '--without-pam', d)} \ - ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '--enable-tmpfiles.d=${nonarch_libdir}/tmpfiles.d', '--disable-tmpfiles.d', d)} \ - --with-rundir=/run/sudo \ - --with-vardir=/var/lib/sudo \ - --libexecdir=${libdir} \ - " - -do_install:append () { - if [ "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" ]; then - install -D -m 644 ${UNPACKDIR}/sudo.pam ${D}/${sysconfdir}/pam.d/sudo - if ${@bb.utils.contains('PACKAGECONFIG', 'pam-wheel', 'true', 'false', d)} ; then - echo 'auth required pam_wheel.so use_uid' >>${D}${sysconfdir}/pam.d/sudo - sed -i 's/# \(%wheel ALL=(ALL) ALL\)/\1/' ${D}${sysconfdir}/sudoers - fi - fi - - chmod 4111 ${D}${bindir}/sudo - chmod 0440 ${D}${sysconfdir}/sudoers - - # Explicitly remove the /sudo directory to avoid QA error - rmdir -p --ignore-fail-on-non-empty ${D}/run/sudo -} - -FILES:${PN}-dev += "${libdir}/${BPN}/lib*${SOLIBSDEV} ${libdir}/${BPN}/*.la \ - ${libdir}/lib*${SOLIBSDEV} ${libdir}/*.la" - -CONFFILES:${PN}-lib = "${sysconfdir}/sudoers" - -SUDO_PACKAGES = "${PN}-sudo\ - ${PN}-lib" - -PACKAGE_BEFORE_PN = "${SUDO_PACKAGES}" - -RDEPENDS:${PN}-sudo = "${PN}-lib" -RDEPENDS:${PN} += "${SUDO_PACKAGES}" - -FILES:${PN}-sudo = "${bindir}/sudo ${bindir}/sudoedit" -FILES:${PN}-lib = "${localstatedir} ${libexecdir} ${sysconfdir} ${libdir} ${nonarch_libdir}" diff --git a/meta/recipes-extended/sudo/sudo_1.9.17p1.bb b/meta/recipes-extended/sudo/sudo_1.9.17p1.bb new file mode 100644 index 0000000000..83bfc0621c --- /dev/null +++ b/meta/recipes-extended/sudo/sudo_1.9.17p1.bb @@ -0,0 +1,61 @@ +require sudo.inc + +SRC_URI = "https://www.sudo.ws/dist/sudo-${PV}.tar.gz \ + ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \ + file://0001-sudo.conf.in-fix-conflict-with-multilib.patch \ + " + +PAM_SRC_URI = "file://sudo.pam" + +SRC_URI[sha256sum] = "ff607ea717072197738a78f778692cd6df9a7e3e404565f51de063ca27455d32" + +DEPENDS += " virtual/crypt ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}" +RDEPENDS:${PN} += " ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-plugin-limits pam-plugin-keyinit', '', d)}" + +CACHED_CONFIGUREVARS = " \ + ac_cv_type_rsize_t=no \ + ac_cv_path_MVPROG=${base_bindir}/mv \ + ac_cv_path_BSHELLPROG=${base_bindir}/sh \ + ac_cv_path_SENDMAILPROG=${sbindir}/sendmail \ + ac_cv_path_VIPROG=${base_bindir}/vi \ + " + +EXTRA_OECONF += " \ + ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '--with-pam', '--without-pam', d)} \ + ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '--enable-tmpfiles.d=${nonarch_libdir}/tmpfiles.d', '--disable-tmpfiles.d', d)} \ + --with-rundir=/run/sudo \ + --with-vardir=/var/lib/sudo \ + --libexecdir=${libdir} \ + " + +do_install:append () { + if [ "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" ]; then + install -D -m 644 ${UNPACKDIR}/sudo.pam ${D}/${sysconfdir}/pam.d/sudo + if ${@bb.utils.contains('PACKAGECONFIG', 'pam-wheel', 'true', 'false', d)} ; then + echo 'auth required pam_wheel.so use_uid' >>${D}${sysconfdir}/pam.d/sudo + sed -i 's/# \(%wheel ALL=(ALL) ALL\)/\1/' ${D}${sysconfdir}/sudoers + fi + fi + + chmod 4111 ${D}${bindir}/sudo + chmod 0440 ${D}${sysconfdir}/sudoers + + # Explicitly remove the /sudo directory to avoid QA error + rmdir -p --ignore-fail-on-non-empty ${D}/run/sudo +} + +FILES:${PN}-dev += "${libdir}/${BPN}/lib*${SOLIBSDEV} ${libdir}/${BPN}/*.la \ + ${libdir}/lib*${SOLIBSDEV} ${libdir}/*.la" + +CONFFILES:${PN}-lib = "${sysconfdir}/sudoers" + +SUDO_PACKAGES = "${PN}-sudo\ + ${PN}-lib" + +PACKAGE_BEFORE_PN = "${SUDO_PACKAGES}" + +RDEPENDS:${PN}-sudo = "${PN}-lib" +RDEPENDS:${PN} += "${SUDO_PACKAGES}" + +FILES:${PN}-sudo = "${bindir}/sudo ${bindir}/sudoedit" +FILES:${PN}-lib = "${localstatedir} ${libexecdir} ${sysconfdir} ${libdir} ${nonarch_libdir}" -- cgit v1.2.3-54-g00ecf