package/sudo: security bump to version 1.9.15p5

- Drop patch (already included in this version) and therefore also drop autoreconf
- The sudoers plugin has been modified to make it more resilient to
  ROWHAMMER attacks on authentication and policy matching. This
  addresses CVE-2023-42465.

https://www.sudo.ws/releases/stable/#1.9.15p5

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fabrice Fontaine 2024-01-07 18:46:55 +01:00 committed by Yann E. MORIN
parent 358a379f47
commit c87746afef
4 changed files with 3 additions and 53 deletions


@ -1284,7 +1284,6 @@ package/start-stop-daemon/0001-add-uclibc-alias-and-musl.patch Upstream
package/start-stop-daemon/0002-just-warn-on-missing-arch.patch Upstream package/start-stop-daemon/0002-just-warn-on-missing-arch.patch Upstream
package/statserial/0001-ncurses-link.patch Upstream package/statserial/0001-ncurses-link.patch Upstream
package/stunnel/S50stunnel Indent Shellcheck Variables package/stunnel/S50stunnel Indent Shellcheck Variables
package/sudo/0001-configure.ac-fix-openssl-static-build.patch Upstream
package/supervisor/S99supervisord Variables package/supervisor/S99supervisord Variables
package/suricata/0001-configure.ac-allow-the-user-to-override-RUST_TARGET.patch Upstream package/suricata/0001-configure.ac-allow-the-user-to-override-RUST_TARGET.patch Upstream
package/suricata/S99suricata Shellcheck package/suricata/S99suricata Shellcheck


@ -1,47 +0,0 @@
From 1fed5adc166d5f2190a6b6ad048ec2d803316327 Mon Sep 17 00:00:00 2001
From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Date: Wed, 22 Feb 2023 10:13:30 +0100
Subject: [PATCH] configure.ac: fix openssl static build
Do not use AX_APPEND_FLAG as it will break static builds by removing
duplicates such as -lz or -latomic which are needed by -lssl and
-lcrypto. This will fix the following build failure with sparc which
needs -latomic:
Checking for X509_STORE_CTX_get0_cert
configure:21215: /home/thomas/autobuild/instance-3/output-1/host/bin/sparc-buildroot-linux-uclibc-gcc -o conftest -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -Os -g0 -static -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -DZLIB_CONST -static conftest.c -L/home/thomas/autobuild/instance-3/output-1/host/bin/../sparc-buildroot-linux-uclibc/sysroot/usr/lib -lssl -lz -pthread -latomic -lcrypto >&5
/home/thomas/autobuild/instance-3/output-1/host/lib/gcc/sparc-buildroot-linux-uclibc/10.4.0/../../../../sparc-buildroot-linux-uclibc/bin/ld: /home/thomas/autobuild/instance-3/output-1/host/bin/../sparc-buildroot-linux-uclibc/sysroot/usr/lib/libcrypto.a(x509cset.o): in function `X509_CRL_up_ref':
x509cset.c:(.text+0x108): undefined reference to `__atomic_fetch_add_4'
[...]
In file included from ./hostcheck.c:38:
../../include/sudo_compat.h:342:41: error: conflicting types for 'ASN1_STRING_data'
342 | # define ASN1_STRING_get0_data(x) ASN1_STRING_data(x)
| ^~~~~~~~~~~~~~~~
Fixes:
- http://autobuild.buildroot.org/results/8be59dd94e4916f9457cb435104e36e62a28373b
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[Retrieved from:
https://github.com/sudo-project/sudo/commit/1fed5adc166d5f2190a6b6ad048ec2d803316327]
---
m4/openssl.m4 | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/m4/openssl.m4 b/m4/openssl.m4
index a2e4941ae8..b4cbd821db 100644
--- a/m4/openssl.m4
+++ b/m4/openssl.m4
@@ -44,7 +44,9 @@ AC_DEFUN([SUDO_CHECK_OPENSSL], [
SUDO_APPEND_LIBPATH([LIBTLS], [$f])
;;
*)
- AX_APPEND_FLAG([$f], [LIBTLS])
+ # Do not use AX_APPEND_FLAG as it will break static builds by removing
+ # duplicates such as -lz or -latomic which are needed by -lssl and -lcrypto
+ LIBTLS="$LIBTLS $f"
;;
esac
done


@ -1,4 +1,4 @@
# From: https://www.sudo.ws/getting/download/ # From: https://www.sudo.ws/getting/download/
sha256 92334a12bb93e0c056b09f53e255ccb7d6f67c6350e2813cd9593ceeca78560b sudo-1.9.13p3.tar.gz sha256 558d10b9a1991fb3b9fa7fa7b07ec4405b7aefb5b3cb0b0871dbc81e3a88e558 sudo-1.9.15p5.tar.gz
# Locally calculated # Locally calculated
sha256 ea33b3971e8e4d9657cd6794a952aaa71b22bd16745f1645455b6ead010e0a28 LICENSE.md sha256 ea33b3971e8e4d9657cd6794a952aaa71b22bd16745f1645455b6ead010e0a28 LICENSE.md


@ -4,8 +4,8 @@
# #
################################################################################ ################################################################################
SUDO_VERSION_MAJOR = 1.9.13 SUDO_VERSION_MAJOR = 1.9.15
SUDO_VERSION_MINOR = p3 SUDO_VERSION_MINOR = p5
SUDO_VERSION = $(SUDO_VERSION_MAJOR)$(SUDO_VERSION_MINOR) SUDO_VERSION = $(SUDO_VERSION_MAJOR)$(SUDO_VERSION_MINOR)
SUDO_SITE = https://www.sudo.ws/sudo/dist SUDO_SITE = https://www.sudo.ws/sudo/dist
SUDO_LICENSE = ISC, BSD-3-Clause SUDO_LICENSE = ISC, BSD-3-Clause
@ -13,8 +13,6 @@ SUDO_LICENSE_FILES = LICENSE.md
SUDO_CPE_ID_VERSION = $(SUDO_VERSION_MAJOR) SUDO_CPE_ID_VERSION = $(SUDO_VERSION_MAJOR)
SUDO_CPE_ID_UPDATE = $(SUDO_VERSION_MINOR) SUDO_CPE_ID_UPDATE = $(SUDO_VERSION_MINOR)
SUDO_SELINUX_MODULES = sudo SUDO_SELINUX_MODULES = sudo
# We're patching m4/openssl.m4
SUDO_AUTORECONF = YES
# This is to avoid sudo's make install from chown()ing files which fails # This is to avoid sudo's make install from chown()ing files which fails
SUDO_INSTALL_TARGET_OPTS = INSTALL_OWNER="" DESTDIR="$(TARGET_DIR)" install SUDO_INSTALL_TARGET_OPTS = INSTALL_OWNER="" DESTDIR="$(TARGET_DIR)" install
SUDO_CONF_OPTS = \ SUDO_CONF_OPTS = \