From f30cb74fef4b97721010ca9bc6a6b6dde03c4add Mon Sep 17 00:00:00 2001
From: Robin Lu
Date: Fri, 22 Nov 2019 11:01:27 +0800
Subject: [PATCH] Update sudo srpm patch for CVE bug

To fix below CVE, we will use sudo-1.8.23-4.el7_7.1.src.rpm And we have to update some patches according to new srpm. https://lists.centos.org/pipermail/centos-announce/2019-October/023499.html CVE bug: CVE-2019-14287: sudo: can bypass certain policy blacklists
Closes-Bug: 1852825
Depends-On: https://review.opendev.org/#/c/695637/
Change-Id: Ifc0a3423464fafce06cd504d9b427fc3433fb756
Signed-off-by: Robin Lu
---
 .../0001-Update-package-versioning-for-TIS-format.patch | 4 ++--
 .../centos/meta_patches/0002-spec-include-TiS-changes.patch | 6 +++---
 base/sudo/centos/meta_patches/0003-remove-make-check.patch | 2 +-
 base/sudo/centos/srpm_path | 2 +-
 centos_srpms_centos.lst | 2 +-
 5 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/base/sudo/centos/meta_patches/0001-Update-package-versioning-for-TIS-format.patch b/base/sudo/centos/meta_patches/0001-Update-package-versioning-for-TIS-format.patch
index 794d66d2a..5b475e427 100644
--- a/base/sudo/centos/meta_patches/0001-Update-package-versioning-for-TIS-format.patch
+++ b/base/sudo/centos/meta_patches/0001-Update-package-versioning-for-TIS-format.patch
@@ -15,8 +15,8 @@ index c8d2f64..b6402bb 100644
 Summary: Allows restricted root access for specified users
 Name: sudo
 Version: 1.8.23
--Release: 3%{?dist}
-+Release: 3.el7%{?_tis_dist}.%{tis_patch_ver}
+-Release: 4%{?dist}.1
++Release: 4.el7_7.1%{?_tis_dist}.%{tis_patch_ver}
 License: ISC
 Group: Applications/System
 URL: http://www.courtesan.com/sudo/
diff --git a/base/sudo/centos/meta_patches/0002-spec-include-TiS-changes.patch b/base/sudo/centos/meta_patches/0002-spec-include-TiS-changes.patch
index 1c5083b5d..0ee52261f 100644
--- a/base/sudo/centos/meta_patches/0002-spec-include-TiS-changes.patch
+++ b/base/sudo/centos/meta_patches/0002-spec-include-TiS-changes.patch
@@ -11,7 +11,7 @@
diff --git a/SPECS/sudo.spec b/SPECS/sudo.spec index b6402bb..acbcb26 100644 --- a/SPECS/sudo.spec +++ b/SPECS/sudo.spec -@@ -111,7 +111,7 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" SHL +@@ -126,7 +126,7 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" SHL --with-ignore-dot \ --with-tty-tickets \ --with-ldap \ @@ -20,7 +20,7 @@ index b6402bb..acbcb26 100644 --with-selinux \ --with-passprompt="[sudo] password for %p: " \ --with-linux-audit \ -@@ -138,6 +138,9 @@ install -p -c -m 0440 %{SOURCE1} %{buildroot}%{_sysconfdir}/sudoers +@@ -153,6 +153,9 @@ install -p -c -m 0440 %{SOURCE1} %{buildroot}%{_sysconfdir}/sudoers install -p -c -m 0640 %{SOURCE3} %{buildroot}%{_sysconfdir}/sudo.conf install -p -c -m 0640 %{SOURCE2} %{buildroot}%{_sysconfdir}/sudo-ldap.conf @@ -30,7 +30,7 @@ index b6402bb..acbcb26 100644 # Remove upstream sudoers file rm -f %{buildroot}%{_sysconfdir}/sudoers.dist -@@ -210,6 +213,7 @@ rm -rf %{buildroot} +@@ -225,6 +228,7 @@ rm -rf %{buildroot} %{_mandir}/man5/sudoers_timestamp.5.gz %dir %{_docdir}/sudo-%{version} %{_docdir}/sudo-%{version}/* diff --git a/base/sudo/centos/meta_patches/0003-remove-make-check.patch b/base/sudo/centos/meta_patches/0003-remove-make-check.patch index f6ab0c2a0..ded83eaf1 100644 --- a/base/sudo/centos/meta_patches/0003-remove-make-check.patch +++ b/base/sudo/centos/meta_patches/0003-remove-make-check.patch @@ -2,7 +2,7 @@ diff --git a/SPECS/sudo.spec b/SPECS/sudo.spec index 8c3f395..17531f7 100644 --- a/SPECS/sudo.spec +++ b/SPECS/sudo.spec -@@ -120,7 +120,8 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" SHL +@@ -135,7 +135,8 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" SHL make %check diff --git a/base/sudo/centos/srpm_path b/base/sudo/centos/srpm_path index 227d96962..469d2e4e3 100644 --- a/base/sudo/centos/srpm_path +++ b/base/sudo/centos/srpm_path 
@@ -1 +1 @@
-mirror:Source/sudo-1.8.23-3.el7.src.rpm
+mirror:Source/sudo-1.8.23-4.el7_7.1.src.rpm
diff --git a/centos_srpms_centos.lst b/centos_srpms_centos.lst
index f1b4c5a24..1c848759d 100644
--- a/centos_srpms_centos.lst
+++ b/centos_srpms_centos.lst
@@ -40,7 +40,7 @@ resource-agents-4.1.1-12.el7_6.7.src.rpm
 setup-2.8.71-10.el7.src.rpm
 shim-15-1.el7.centos.src.rpm
 shim-signed-15-1.el7.centos.src.rpm
-sudo-1.8.23-3.el7.src.rpm
+sudo-1.8.23-4.el7_7.1.src.rpm
 systemd-219-62.el7_6.5.src.rpm
 tboot-1.9.6-3.el7.src.rpm
 tpm2-tools-3.0.4-2.el7.src.rpm
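Review bot: The new `srpm_path` value, and the matching line in `centos_srpms_centos.lst`, identify the fixed package by file name only (`sudo-1.8.23-4.el7_7.1.src.rpm`); no digest or signature reference is visible in this change. Whether the build really carries the CVE-2019-14287 fix therefore rests on the mirror download step verifying what it fetches, which this diff does not show. If that tooling does not already check the SRPM's GPG signature, this security update is a good reason to confirm it. The same version string is also repeated by hand in the `Release:` line of meta patch 0001, so all three places have to stay in step on the next bump.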