Pullup ticket #4337 - requested by kim

security/sudo: security update

Revisions pulled up:
- security/sudo/Makefile                                        1.142
- security/sudo/distinfo                                        1.81
- security/sudo/patches/patch-af                                1.31
- security/sudo/patches/patch-ag                                1.22
- security/sudo/patches/patch-logging.c                         1.4

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   kim
   Date:           Sat Mar  8 11:51:56 UTC 2014

   Modified Files:
           pkgsrc/security/sudo: Makefile distinfo
           pkgsrc/security/sudo/patches: patch-af patch-ag patch-logging.c

   Log Message:
   Upgrade to address CVE-2014-0106

   http://www.sudo.ws/sudo/alerts/env_add.html

   What's new in Sudo 1.7.10p8?

   * Sudo's exit code now indicates a failure if the user does not
     successfully authenticate.

   * On HP-UX systems, sudo will now use the pstat() function to
     determine the tty instead of ttyname().

   * Fixed compilation when --without-iologdir configure option is
     specified.

   * On systems with BSD login classes, if the user specified a group
     (not a user) to run the command as, it was possible to specify
     a different login class even when the command was not run as the
     super user.

   * The closefrom() emulation on Mac OS X now uses /dev/fd if possible.
     It also now sets the close on exec flag instead of actually
     closing the descriptors to avoid a crash in libdispatch.

   * The sudoers plugin will now ignore invalid domain names when
     checking netgroup membership.  Most Linux systems use the string
     "(none)" for the NIS-style domain name instead of an empty string.

   * Fixed the logic when checking environment variables on the
     command line against the env_check and env_delete blacklists.
     This is only a problem when env_reset is disabled in sudoers.

   To generate a diff of this commit:
   cvs rdiff -u -r1.141 -r1.142 pkgsrc/security/sudo/Makefile
   cvs rdiff -u -r1.80 -r1.81 pkgsrc/security/sudo/distinfo
   cvs rdiff -u -r1.30 -r1.31 pkgsrc/security/sudo/patches/patch-af
   cvs rdiff -u -r1.21 -r1.22 pkgsrc/security/sudo/patches/patch-ag
   cvs rdiff -u -r1.3 -r1.4 pkgsrc/security/sudo/patches/patch-logging.c

security/sudo/Makefile

@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.140 2013/03/01 14:24:57 kim Exp $
+# $NetBSD: Makefile,v 1.140.8.1 2014/03/08 20:33:47 spz Exp $
 #
 
-DISTNAME=		sudo-1.7.10p7
+DISTNAME=		sudo-1.7.10p8
+#PKGREVISION=		0
 CATEGORIES=		security
 MASTER_SITES=		http://www.sudo.ws/dist/ \
 			ftp://ftp.sudo.ws/pub/sudo/ \

security/sudo/distinfo

@@ -1,9 +1,9 @@
-$NetBSD: distinfo,v 1.80 2013/07/26 10:48:22 ryoon Exp $
+$NetBSD: distinfo,v 1.80.4.1 2014/03/08 20:33:47 spz Exp $
 
-SHA1 (sudo-1.7.10p7.tar.gz) = b5beb1a470d1f03b3940aff612f5089244dd773a
-RMD160 (sudo-1.7.10p7.tar.gz) = 171e54506c30a85fa642070332db012aba4a6203
-Size (sudo-1.7.10p7.tar.gz) = 1217508 bytes
+SHA1 (sudo-1.7.10p8.tar.gz) = deb83d8ba8f15f70c134c3f3a74e750925aa9f59
+RMD160 (sudo-1.7.10p8.tar.gz) = de3594843c006f7d5d3b21c79dd4115b4823b19d
+Size (sudo-1.7.10p8.tar.gz) = 1220987 bytes
 SHA1 (patch-aa) = 0c9c173a26ea72dd06a7d3947a0b3ba6dc00cf40
-SHA1 (patch-af) = 463b1653f3015d08cd4c03b7f29d206d96aa1cc0
-SHA1 (patch-ag) = e0d9efd8afeda339d9cd186ffd6f644b15e8b213
-SHA1 (patch-logging.c) = 26608d7423b77f71f17b37cc87f4b2e75978d7cb
+SHA1 (patch-af) = 3462525bd0863ec5f957173a10839aed2b7cbb69
+SHA1 (patch-ag) = 86f9838045f2bed7eb8e4271553c510be31b7d6b
+SHA1 (patch-logging.c) = a16a9c6020a79cc378c3cfd1c6a1abd2326c8e6d

security/sudo/patches/patch-af

@@ -1,4 +1,4 @@
-$NetBSD: patch-af,v 1.30 2013/07/26 10:48:22 ryoon Exp $
+$NetBSD: patch-af,v 1.30.4.1 2014/03/08 20:33:47 spz Exp $
 
 * Add "--with-nbsdops" option, NetBSD standard options.
 * Link with util(3) in the case of DragonFly, too.
@@ -7,9 +7,9 @@ $NetBSD: patch-af,v 1.30 2013/07/26 10:48:22 ryoon Exp $
   functions (HAVE_KRB5_*).
 * Remove setting sysconfdir to "/etc".
 
---- configure.in.orig	2013-02-21 15:43:17.000000000 +0000
-+++ configure.in
-@@ -330,6 +330,18 @@ AC_ARG_WITH(csops, [AS_HELP_STRING([--wi
+--- configure.in.orig	2014-03-05 08:08:53.000000000 -0500
++++ configure.in	2014-03-08 06:35:19.000000000 -0500
+@@ -330,6 +330,18 @@
  		;;
  esac])
 
@@ -28,7 +28,7 @@ $NetBSD: patch-af,v 1.30 2013/07/26 10:48:22 ryoon Exp $
  AC_ARG_WITH(passwd, [AS_HELP_STRING([--without-passwd], [don't use passwd/shadow file for authentication])],
  [case $with_passwd in
      yes|no)	AC_MSG_CHECKING(whether to use shadow/passwd file authentication)
-@@ -1725,7 +1737,7 @@ case "$host" in
+@@ -1726,7 +1738,7 @@
  		: ${mansectsu='1m'}
  		: ${mansectform='4'}
  		;;
@@ -37,7 +37,7 @@ $NetBSD: patch-af,v 1.30 2013/07/26 10:48:22 ryoon Exp $
  		OSDEFS="${OSDEFS} -D_GNU_SOURCE"
  		# Some Linux versions need to link with -lshadow
  		shadow_funcs="getspnam"
-@@ -2015,7 +2027,7 @@ SUDO_MAILDIR
+@@ -2016,7 +2028,7 @@
  if test ${with_logincap-'no'} != "no"; then
      AC_CHECK_HEADERS(login_cap.h, [LOGINCAP_USAGE='[[-c class|-]] '; LCMAN=1
  	case "$OS" in
@@ -46,7 +46,7 @@ $NetBSD: patch-af,v 1.30 2013/07/26 10:48:22 ryoon Exp $
  	    ;;
  	esac
      ])
-@@ -2634,6 +2646,8 @@ if test ${with_kerb5-'no'} != "no"; then
+@@ -2635,6 +2647,8 @@
  	])
  	AUTH_OBJS="$AUTH_OBJS kerb5.o"
      fi
@@ -55,7 +55,7 @@ $NetBSD: patch-af,v 1.30 2013/07/26 10:48:22 ryoon Exp $
      _LIBS="$LIBS"
      LIBS="${LIBS} ${SUDO_LIBS}"
      AC_CHECK_FUNCS(krb5_verify_user krb5_init_secure_context)
-@@ -3167,7 +3181,6 @@ test "$datarootdir" = '${prefix}/share' 
+@@ -3168,7 +3182,6 @@
  test "$docdir" = '${datarootdir}/doc/${PACKAGE_TARNAME}' && docdir='$(datarootdir)/doc/$(PACKAGE_TARNAME)'
  test "$localedir" = '${datarootdir}/locale' && localedir='$(datarootdir)/locale'
  test "$localstatedir" = '${prefix}/var' && localstatedir='$(prefix)/var'

security/sudo/patches/patch-ag

@@ -1,4 +1,4 @@
-$NetBSD: patch-ag,v 1.21 2013/07/26 10:48:22 ryoon Exp $
+$NetBSD: patch-ag,v 1.21.4.1 2014/03/08 20:33:47 spz Exp $
 
 * Add "--with-nbsdops" option, NetBSD standard options.
 * Link with util(3) in the case of DragonFly, too.
@@ -7,9 +7,9 @@ $NetBSD: patch-ag,v 1.21 2013/07/26 10:48:22 ryoon Exp $
   functions (HAVE_KRB5_*).
 * Remove setting sysconfdir to "/etc".
 
---- configure.orig	2013-02-21 15:43:29.000000000 +0000
-+++ configure
-@@ -1484,7 +1484,7 @@ Fine tuning of the installation director
+--- configure.orig	2014-03-05 08:09:14.000000000 -0500
++++ configure	2014-03-08 06:35:19.000000000 -0500
+@@ -1484,7 +1484,7 @@
    --bindir=DIR            user executables [EPREFIX/bin]
    --sbindir=DIR           system admin executables [EPREFIX/sbin]
    --libexecdir=DIR        program executables [EPREFIX/libexec]
@@ -18,15 +18,15 @@ $NetBSD: patch-ag,v 1.21 2013/07/26 10:48:22 ryoon Exp $
    --sharedstatedir=DIR    modifiable architecture-independent data [PREFIX/com]
    --localstatedir=DIR     modifiable single-machine data [PREFIX/var]
    --libdir=DIR            object code libraries [EPREFIX/lib]
-@@ -1569,6 +1569,7 @@ Optional Packages:
+@@ -1569,6 +1569,7 @@
    --with-libraries        additional libraries to link with
    --with-efence           link with -lefence for malloc() debugging
    --with-csops            add CSOps standard options
 +  --with-nbsdops          add NetBSD standard options
    --without-passwd        don't use passwd/shadow file for authentication
    --with-skey=DIR         enable S/Key support
    --with-opie=DIR         enable OPIE support
-@@ -3959,6 +3960,22 @@ $as_echo "$as_me: WARNING: Ignoring unkn
+@@ -3959,6 +3960,22 @@
  esac
  fi
 
@@ -49,7 +49,7 @@ $NetBSD: patch-ag,v 1.21 2013/07/26 10:48:22 ryoon Exp $
 
 
  # Check whether --with-passwd was given.
-@@ -14233,7 +14250,7 @@ fi
+@@ -14244,7 +14261,7 @@
  		: ${mansectsu='1m'}
  		: ${mansectform='4'}
  		;;
@@ -58,7 +58,7 @@ $NetBSD: patch-ag,v 1.21 2013/07/26 10:48:22 ryoon Exp $
  		OSDEFS="${OSDEFS} -D_GNU_SOURCE"
  		# Some Linux versions need to link with -lshadow
  		shadow_funcs="getspnam"
-@@ -15632,7 +15649,7 @@ if test "x$ac_cv_header_login_cap_h" = x
+@@ -15643,7 +15660,7 @@
  _ACEOF
   LOGINCAP_USAGE='[-c class|-] '; LCMAN=1
  	case "$OS" in
@@ -67,7 +67,7 @@ $NetBSD: patch-ag,v 1.21 2013/07/26 10:48:22 ryoon Exp $
  	    ;;
  	esac
 
-@@ -18569,6 +18586,8 @@ fi
+@@ -18580,6 +18597,8 @@
  rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
  	AUTH_OBJS="$AUTH_OBJS kerb5.o"
      fi
@@ -76,7 +76,7 @@ $NetBSD: patch-ag,v 1.21 2013/07/26 10:48:22 ryoon Exp $
      _LIBS="$LIBS"
      LIBS="${LIBS} ${SUDO_LIBS}"
      for ac_func in krb5_verify_user krb5_init_secure_context
-@@ -20313,7 +20332,6 @@ test "$datarootdir" = '${prefix}/share' 
+@@ -20324,7 +20343,6 @@
  test "$docdir" = '${datarootdir}/doc/${PACKAGE_TARNAME}' && docdir='$(datarootdir)/doc/$(PACKAGE_TARNAME)'
  test "$localedir" = '${datarootdir}/locale' && localedir='$(datarootdir)/locale'
  test "$localstatedir" = '${prefix}/var' && localstatedir='$(prefix)/var'

security/sudo/patches/patch-logging.c

@@ -1,11 +1,11 @@
-$NetBSD: patch-logging.c,v 1.3 2011/09/18 14:18:25 ryoon Exp $
+$NetBSD: patch-logging.c,v 1.3.20.1 2014/03/08 20:33:47 spz Exp $
 
 Make sure CODESET is actually defined, for the sake of
 old NetBSD versions
 
---- logging.c.orig	2011-08-13 17:32:04 +0000
-+++ logging.c
-@@ -573,7 +573,7 @@ send_mail(fmt, va_alist)
+--- logging.c.orig	2013-03-01 11:08:30.000000000 -0500
++++ logging.c	2014-03-08 06:35:19.000000000 -0500
+@@ -691,7 +691,7 @@
  	    (void) fputc(*p, mail);
      }