Merge sudo 1.9.13 from tip.

--HG--
branch : 1.9

.gitignore

@@ -3,7 +3,6 @@
 **/*.l[ao]
 **/*.lai
 **/*.map
-**/*.mo
 **/*.o
 **/*.plog
 
@@ -24,6 +23,7 @@ libtool
 pathnames.h
 ChangeLog
 PVS-Studio.cfg
+stamp-*
 uncrustify.files
 
 docs/*.man

.hgignore

@@ -3,7 +3,6 @@
 \.l[ao]$
 \.lai$
 \.map$
-\.mo$
 \.o$
 \.plog$
 
@@ -21,6 +20,7 @@ Makefile$
 
 ^ChangeLog$
 ^PVS-Studio\.cfg$
+^stamp-
 ^uncrustify\.files$
 ^docs/.*\.man$
 ^docs/.*\.mdoc$

INSTALL.md

@@ -138,9 +138,9 @@ Defaults are listed in brackets after the description.
         The directory to be used for sudo-specific files that do
         not survive a system reboot.  This is typically where the
         time stamp directory is located.  By default, configure
-        will choose from the following list:
-            /run/sudo /var/run/sudo, /var/db/sudo, /var/lib/sudo,
-            /var/adm/sudo, /usr/adm/sudo
+        will choose from the following list: /run/sudo /var/run/sudo,
+        /var/db/sudo, /var/lib/sudo, /var/adm/sudo, /usr/adm/sudo.
+
         This directory should be cleared when the system reboots.
         On systems that lack /run or /var/run, the default rundir and
         vardir may be the same.  In this case, only the ts directory
@@ -150,8 +150,9 @@ Defaults are listed in brackets after the description.
         The directory to be used for sudo-specific files that survive
         a system reboot.  This is typically where the lecture status
         directory is stored.  By default, configure will choose
-        from the following list:
-            /var/db/sudo, /var/lib/sudo, /var/adm/sudo, /usr/adm/sudo
+        from the following list: /var/db/sudo, /var/lib/sudo,
+        /var/adm/sudo, /usr/adm/sudo.
+
         This directory should **not** be cleared when the system boots.
 
     --with-relaydir=DIR
@@ -165,8 +166,9 @@ Defaults are listed in brackets after the description.
         is only used when sanitizing the TZ environment variable
         to allow for fully-qualified paths in TZ.  By default,
         configure will look for an existing "zoneinfo" directory
-        in the following locations:
-            /usr/share /usr/share/lib /usr/lib /etc
+        in the following locations: /usr/share, /usr/share/lib,
+        /usr/lib, /etc.
+
         If no zoneinfo directory is found, the TZ variable may not
         contain a fully-qualified path.
 
@@ -332,6 +334,17 @@ Defaults are listed in brackets after the description.
         via the user's PATH) and the default libtool that comes
         with sudo.
 
+    --with-aix-soname=svr4
+        Starting with version 1.9.13, sudo will build AIX-style
+        shared libraries and dynamic shared objects by default
+        instead of svr4-style..  This means that the default sudo
+        plugins are now .a (archive) files that contain a .so shared
+        object file instead of bare .so files.  This was done to
+        improve compatibility with the AIX Freeware ecosystem,
+        specifically, the AIX Freeware build of OpenSSL.  To restore
+        the old, pre-1.9.13 behavior, run configure using the
+        --with-aix-soname=svr4 option.
+
 ### Optional features:
 
     --disable-root-mailer
@@ -753,7 +766,7 @@ Defaults are listed in brackets after the description.
         the standard output.  This value may overridden at run-time
         in the sudo.conf file.
 
-    --with-badpass-message="BAD PASSWORD MESSAGE"
+    --with-badpass-message="MESSAGE"
         Message that is displayed if a user enters an incorrect password.
         The default is "Sorry, try again." unless insults are turned on.  
         Sudoers option: badpass_message
@@ -910,7 +923,7 @@ Defaults are listed in brackets after the description.
         the command they are trying is not listed in their sudoers file entry.  
         Sudoers option: mail_no_perms
 
-    --with-mailsubject="SUBJECT OF MAIL"
+    --with-mailsubject="SUBJECT"
         Subject of the mail sent to the "mailto" user. The token "%h"
         will expand to the hostname of the machine.
         The default value is "*** SECURITY information for %h ***".  
@@ -921,7 +934,7 @@ Defaults are listed in brackets after the description.
         This should go to a sysadmin at your site.  The default value is "root".  
         Sudoers option: mailto
 
-    --with-passprompt="PASSWORD PROMPT"
+    --with-passprompt="PROMPT"
         Default prompt to use when asking for a password; can be overridden
         via the -p option and the SUDO_PROMPT environment variable. Supports
         the "%H", "%h", "%U", and "%u" escapes as documented in the sudo

LICENSE.md

@@ -1,6 +1,6 @@
 Sudo is distributed under the following license:
 
-    Copyright (c) 1994-1996, 1998-2022
+    Copyright (c) 1994-1996, 1998-2023
         Todd C. Miller <Todd.Miller@sudo.ws>
 
     Permission to use, copy, modify, and distribute this software for any
@@ -148,14 +148,15 @@ following license:
     Redistribution and use in source and binary forms, with or without
     modification, are permitted provided that the following conditions
     are met:
-    1. Redistributions of source code must retain the above copyright
-       notice, this list of conditions and the following disclaimer.
-    2. Redistributions in binary form must reproduce the above copyright
-       notice, this list of conditions and the following disclaimer in the
-       documentation and/or other materials provided with the distribution.
-    3. Neither the name of the University nor the names of its contributors
-       may be used to endorse or promote products derived from this software
-       without specific prior written permission.
+
+        1. Redistributions of source code must retain the above copyright
+           notice, this list of conditions and the following disclaimer.
+        2. Redistributions in binary form must reproduce the above copyright
+           notice, this list of conditions and the following disclaimer in the
+           documentation and/or other materials provided with the distribution.
+        3. Neither the name of the University nor the names of its contributors
+           may be used to endorse or promote products derived from this software
+           without specific prior written permission.
 
     THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
     ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@@ -176,6 +177,7 @@ The file fnmatch.c bears the following license:
 
     Redistribution and use in source and binary forms, with or without
     modification, are permitted provided that the following conditions are met:
+
         * Redistributions of source code must retain the above copyright
           notice, this list of conditions and the following disclaimer.
         * Redistributions in binary form must reproduce the above copyright
@@ -207,11 +209,12 @@ The file getopt_long.c bears the following license:
     Redistribution and use in source and binary forms, with or without
     modification, are permitted provided that the following conditions
     are met:
-    1. Redistributions of source code must retain the above copyright
-       notice, this list of conditions and the following disclaimer.
-    2. Redistributions in binary form must reproduce the above copyright
-       notice, this list of conditions and the following disclaimer in the
-       documentation and/or other materials provided with the distribution.
+
+        1. Redistributions of source code must retain the above copyright
+           notice, this list of conditions and the following disclaimer.
+        2. Redistributions in binary form must reproduce the above copyright
+           notice, this list of conditions and the following disclaimer in the
+           documentation and/or other materials provided with the distribution.
 
     THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
     ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
@@ -244,9 +247,9 @@ The file inet_pton.c bears the following license:
 
 The file arc4random.c bears the following license:
 
-    Copyright (c) 1996, David Mazieres <dm@uun.org>
-    Copyright (c) 2008, Damien Miller <djm@openbsd.org>
-    Copyright (c) 2013, Markus Friedl <markus@openbsd.org>
+    Copyright (c) 1996, David Mazieres <dm@uun.org>  
+    Copyright (c) 2008, Damien Miller <djm@openbsd.org>  
+    Copyright (c) 2013, Markus Friedl <markus@openbsd.org>  
     Copyright (c) 2014, Theo de Raadt <deraadt@openbsd.org>
 
     Permission to use, copy, modify, and distribute this software for any
@@ -279,7 +282,7 @@ The file arc4random_uniform.c bears the following license:
 
 The file getentropy.c bears the following license:
 
-    Copyright (c) 2014 Theo de Raadt <deraadt@openbsd.org>
+    Copyright (c) 2014 Theo de Raadt <deraadt@openbsd.org>  
     Copyright (c) 2014 Bob Beck <beck@obtuse.com>
 
     Permission to use, copy, modify, and distribute this software for any
@@ -306,13 +309,14 @@ The embedded copy of zlib bears the following license:
     including commercial applications, and to alter it and redistribute it
     freely, subject to the following restrictions:
 
-    1. The origin of this software must not be misrepresented; you must not
-       claim that you wrote the original software. If you use this software
-       in a product, an acknowledgment in the product documentation would be
-       appreciated but is not required.
-    2. Altered source versions must be plainly marked as such, and must not be
-       misrepresented as being the original software.
-    3. This notice may not be removed or altered from any source distribution.
+        1. The origin of this software must not be misrepresented; you must not
+           claim that you wrote the original software. If you use this software
+           in a product, an acknowledgment in the product documentation would be
+           appreciated but is not required.
+        2. Altered source versions must be plainly marked as such, and must not
+           be misrepresented as being the original software.
+        3. This notice may not be removed or altered from any source
+           distribution.
 
     Jean-loup Gailly        Mark Adler
     jloup@gzip.org          madler@alumni.caltech.edu

MANIFEST

@@ -156,20 +156,30 @@ lib/iolog/regress/corpus/seed/log_json/pkg_add.json
 lib/iolog/regress/corpus/seed/log_json/pkg_delete.json
 lib/iolog/regress/corpus/seed/log_json/printenv.json
 lib/iolog/regress/corpus/seed/log_legacy/id.log
+lib/iolog/regress/corpus/seed/log_legacy/less.log
 lib/iolog/regress/corpus/seed/log_legacy/ls.log
 lib/iolog/regress/corpus/seed/log_legacy/mailq.log
 lib/iolog/regress/corpus/seed/log_legacy/make.log
 lib/iolog/regress/corpus/seed/log_legacy/pkg_add.log
 lib/iolog/regress/corpus/seed/log_legacy/pkg_delete.log
 lib/iolog/regress/corpus/seed/log_legacy/printenv.log
+lib/iolog/regress/corpus/seed/log_legacy/smtpctl.log
+lib/iolog/regress/corpus/seed/log_legacy/vi.log
 lib/iolog/regress/corpus/seed/timing/timing.1
 lib/iolog/regress/corpus/seed/timing/timing.2
 lib/iolog/regress/corpus/seed/timing/timing.3
 lib/iolog/regress/corpus/seed/timing/timing.4
+lib/iolog/regress/corpus/seed/timing/timing.5
+lib/iolog/regress/corpus/seed/timing/timing.6
+lib/iolog/regress/corpus/seed/timing/timing.7
+lib/iolog/regress/corpus/seed/timing/timing.8
+lib/iolog/regress/corpus/seed/timing/timing.9
 lib/iolog/regress/fuzz/fuzz_iolog_json.c
 lib/iolog/regress/fuzz/fuzz_iolog_json.dict
 lib/iolog/regress/fuzz/fuzz_iolog_legacy.c
+lib/iolog/regress/fuzz/fuzz_iolog_legacy.dict
 lib/iolog/regress/fuzz/fuzz_iolog_timing.c
+lib/iolog/regress/fuzz/fuzz_iolog_timing.dict
 lib/iolog/regress/host_port/host_port_test.c
 lib/iolog/regress/iolog_filter/check_iolog_filter.c
 lib/iolog/regress/iolog_filter/test1/log
@@ -192,6 +202,7 @@ lib/iolog/regress/iolog_json/test1.in
 lib/iolog/regress/iolog_json/test2.in
 lib/iolog/regress/iolog_json/test2.out.ok
 lib/iolog/regress/iolog_json/test3.in
+lib/iolog/regress/iolog_json/test3.out.ok
 lib/iolog/regress/iolog_mkpath/check_iolog_mkpath.c
 lib/iolog/regress/iolog_path/check_iolog_path.c
 lib/iolog/regress/iolog_path/data
@@ -236,6 +247,7 @@ lib/util/getusershell.c
 lib/util/gidlist.c
 lib/util/glob.c
 lib/util/gmtime_r.c
+lib/util/hexchar.c
 lib/util/inet_ntop.c
 lib/util/inet_pton.c
 lib/util/isblank.c
@@ -280,11 +292,14 @@ lib/util/regress/glob/files
 lib/util/regress/glob/globtest.c
 lib/util/regress/glob/globtest.in
 lib/util/regress/harness.in
+lib/util/regress/hexchar/hexchar_test.c
+lib/util/regress/json/json_test.c
 lib/util/regress/mktemp/mktemp_test.c
 lib/util/regress/multiarch/multiarch_test.c
 lib/util/regress/open_parent_dir/open_parent_dir_test.c
 lib/util/regress/parse_gids/parse_gids_test.c
 lib/util/regress/progname/progname_test.c
+lib/util/regress/regex/regex_test.c
 lib/util/regress/strsig/strsig_test.c
 lib/util/regress/strsplit/strsplit_test.c
 lib/util/regress/strtofoo/strtobool_test.c
@@ -308,9 +323,6 @@ lib/util/regress/sudo_conf/test6.in
 lib/util/regress/sudo_conf/test6.out.ok
 lib/util/regress/sudo_conf/test7.in
 lib/util/regress/sudo_conf/test7.out.ok
-lib/util/regress/sudo_conf/test8.err.ok
-lib/util/regress/sudo_conf/test8.in
-lib/util/regress/sudo_conf/test8.out.ok
 lib/util/regress/sudo_parseln/parseln_test.c
 lib/util/regress/sudo_parseln/test1.in
 lib/util/regress/sudo_parseln/test1.out.ok
@@ -425,14 +437,21 @@ m4/ax_check_link_flag.m4
 m4/ax_func_getaddrinfo.m4
 m4/ax_func_snprintf.m4
 m4/ax_prog_cc_for_build.m4
+m4/gettext.m4
+m4/hardening.m4
+m4/ldap.m4
 m4/libtool.m4
 m4/ltoptions.m4
 m4/ltsugar.m4
 m4/ltversion.m4
 m4/lt~obsolete.m4
+m4/openssl.m4
+m4/pie.m4
 m4/python.m4
 m4/runlog.m4
+m4/sanitizer.m4
 m4/sudo.m4
+m4/visibility.m4
 pathnames.h.in
 plugins/audit_json/Makefile.in
 plugins/audit_json/audit_json.c
@@ -456,7 +475,6 @@ plugins/python/pyhelpers.h
 plugins/python/pyhelpers_cpychecker.h
 plugins/python/python_baseplugin.c
 plugins/python/python_convmessage.c
-plugins/python/python_importblocker.c
 plugins/python/python_loghandler.c
 plugins/python/python_plugin.exp
 plugins/python/python_plugin_approval.c
@@ -544,8 +562,6 @@ plugins/python/regress/testdata/check_loading_succeeds_with_missing_classname.st
 plugins/python/regress/testdata/check_multiple_approval_plugin_and_arguments.stderr
 plugins/python/regress/testdata/check_multiple_approval_plugin_and_arguments.stdout
 plugins/python/regress/testdata/check_python_plugins_do_not_affect_each_other.stdout
-plugins/python/regress/testdata/sudo.conf.developer_mode
-plugins/python/regress/testdata/sudo.conf.normal_mode
 plugins/python/regress/testhelpers.c
 plugins/python/regress/testhelpers.h
 plugins/python/sudo_python_debug.c
@@ -617,7 +633,6 @@ plugins/sudoers/gram.c
 plugins/sudoers/gram.h
 plugins/sudoers/gram.y
 plugins/sudoers/group_plugin.c
-plugins/sudoers/hexchar.c
 plugins/sudoers/ins_2001.h
 plugins/sudoers/ins_classic.h
 plugins/sudoers/ins_csops.h
@@ -679,6 +694,8 @@ plugins/sudoers/po/it.mo
 plugins/sudoers/po/it.po
 plugins/sudoers/po/ja.mo
 plugins/sudoers/po/ja.po
+plugins/sudoers/po/ka.mo
+plugins/sudoers/po/ka.po
 plugins/sudoers/po/ko.mo
 plugins/sudoers/po/ko.po
 plugins/sudoers/po/lt.mo
@@ -724,6 +741,10 @@ plugins/sudoers/pwutil_impl.c
 plugins/sudoers/redblack.c
 plugins/sudoers/redblack.h
 plugins/sudoers/regress/check_symbols/check_symbols.c
+plugins/sudoers/regress/corpus/seed/ldif/invalid_b64.ldif
+plugins/sudoers/regress/corpus/seed/ldif/pr196.ldif
+plugins/sudoers/regress/corpus/seed/ldif/sample.ldif
+plugins/sudoers/regress/corpus/seed/ldif/valid_b64.ldif
 plugins/sudoers/regress/corpus/seed/policy/policy.1
 plugins/sudoers/regress/corpus/seed/policy/policy.2
 plugins/sudoers/regress/corpus/seed/policy/policy.3
@@ -804,8 +825,12 @@ plugins/sudoers/regress/cvtsudoers/test37.out.ok
 plugins/sudoers/regress/cvtsudoers/test37.sh
 plugins/sudoers/regress/cvtsudoers/test38.out.ok
 plugins/sudoers/regress/cvtsudoers/test38.sh
+plugins/sudoers/regress/cvtsudoers/test39.out.ok
+plugins/sudoers/regress/cvtsudoers/test39.sh
 plugins/sudoers/regress/cvtsudoers/test4.out.ok
 plugins/sudoers/regress/cvtsudoers/test4.sh
+plugins/sudoers/regress/cvtsudoers/test40.out.ok
+plugins/sudoers/regress/cvtsudoers/test40.sh
 plugins/sudoers/regress/cvtsudoers/test5.out.ok
 plugins/sudoers/regress/cvtsudoers/test5.sh
 plugins/sudoers/regress/cvtsudoers/test6.out.ok
@@ -837,7 +862,6 @@ plugins/sudoers/regress/parser/check_digest.c
 plugins/sudoers/regress/parser/check_digest.out.ok
 plugins/sudoers/regress/parser/check_fill.c
 plugins/sudoers/regress/parser/check_gentime.c
-plugins/sudoers/regress/parser/check_hexchar.c
 plugins/sudoers/regress/serialize_list/check_serialize_list.c
 plugins/sudoers/regress/starttime/check_starttime.c
 plugins/sudoers/regress/sudoers/test1.in
@@ -1167,6 +1191,8 @@ po/sk.mo
 po/sk.po
 po/sl.mo
 po/sl.po
+po/sq.mo
+po/sq.po
 po/sr.mo
 po/sr.po
 po/sudo.pot