Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Hi release team,

With the maintainer's permission [1], I'd like to ask for your opinion on how to proceed with #731583.

<simple>
Based on a patch provided by upstream, I created a debdiff (attached) for 1.8.10p3 in testing with the following changelog entry:

  * Backport upstream's fix for host specifications using a FQDN. These were
    no longer working since 1.8.8. Closes: #731583

Considering that the severity of #731583 is serious, I assume an upload to t-p-u should be OK?
</simple>

<controversial>
Furthermore, I was wondering though whether you'd consider allowing sudo/1.8.11p2 from unstable to migrate.

The diff between testing and unstable is huge (MBs), so this would be very difficult to review and of course totally against freeze policy. However, I am under the impression that

(a) it would be highly preferable to support 1.8.11p2 in Jessie, especially from a security POV

(b) According to [2,3,4], most of the changes are bugfixes. In fact, I only count 7 non-fix changes and non-translation changes, and most of the fix changes appear to be highly desirable.

Furthermore, the largest part of this code base, [3], has been in unstable since 2014-10-10, and its migration to testing was only interrupted by the upload of revision -2 of [3] on 2014-10-20, so apparently juuust not enough for the full 10-day period. This upload merely added two patches.

Then again, on 2014-10-30, [4] was uploaded. This new upstream release contained only a single (apparently urgent) bugfix. However, this upload reset the 10-day clock again, so 1.8.11p* did not enter testing again.

So there really isn't anything that new to Debian in the version in unstable.

Looking back, the easiest solution would probably have been to ask for an unblock of [4] (the one-change fix) just after its upload on 2014-10-30, but that's water under the bridge now.
</controversial>

If allowing 1.8.11p2 to migrate is something you'd consider discussing, please let me know how I can help in your deliberations.

If this change is simply too big, please let me know if you are OK with the t-p-u upload of the attached debdiff for 1.8.10p3, and I will then contact the maintainer / look for NMU sponsorship.

Regards,
Christian

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=731583#104
[2] http://www.sudo.ws/sudo/stable.html#1.8.11
[3] http://www.sudo.ws/sudo/stable.html#1.8.11p1
[4] http://www.sudo.ws/sudo/stable.html#1.8.11p2

diff -Nru sudo-1.8.10p3/debian/changelog sudo-1.8.10p3/debian/changelog --- sudo-1.8.10p3/debian/changelog 2014-09-14 18:26:06.000000000 +0200 +++ sudo-1.8.10p3/debian/changelog 2014-12-05 15:12:47.000000000 +0100 @@ -1,3 +1,11 @@ +sudo (1.8.10p3-1.1) unstable; urgency=medium + + * Non-maintainer upload. + * Backport upstream's fix for host specifications using a FQDN. These were + no longer working since 1.8.8. Closes: #731583 + + -- Christian Kastner <deb...@kvr.at> Fri, 05 Dec 2014 15:10:30 +0100 + sudo (1.8.10p3-1) unstable; urgency=low * new upstream release diff -Nru sudo-1.8.10p3/debian/patches/Fix-for-broken-FQDN-host-specifications.diff sudo-1.8.10p3/debian/patches/Fix-for-broken-FQDN-host-specifications.diff --- sudo-1.8.10p3/debian/patches/Fix-for-broken-FQDN-host-specifications.diff 1970-01-01 01:00:00.000000000 +0100 +++ sudo-1.8.10p3/debian/patches/Fix-for-broken-FQDN-host-specifications.diff 2014-12-05 15:20:43.000000000 +0100 
@@ -0,0 +1,92 @@ +From: Christian Kastner <deb...@kvr.at> +Date: Fri, 05 Dec 2014 14:58:50 +0100 +Subject: Fix for broken FQDN host specifications + +A bug was introduced in sudo 1.8.8 which broke host specifications using a +FQDN, eg Host_Alias = host.example.com. Upstream has fixed this in 1.8.12. + +This patch contains the fix backported to 1.8.10p3. + +Origin: http://www.sudo.ws/repos/sudo/rev/4f75b01d4884 +Bug: http://www.sudo.ws/bugs/show_bug.cgi?id=678 +Bug-Debian: https://bugs.debian.org/731583 +Last-Update: 2014-05-12 + +Index: sudo-1.8.10p3/plugins/sudoers/sudoers.c +=================================================================== +--- sudo-1.8.10p3.orig/plugins/sudoers/sudoers.c ++++ sudo-1.8.10p3/plugins/sudoers/sudoers.c +@@ -799,32 +799,69 @@ set_loginclass(struct passwd *pw) + #endif + + /* +- * Look up the fully qualified domain name and set user_host and user_shost. ++ * Look up the fully qualified domain name of user_host and user_runhost. ++ * Sets user_host, user_shost, user_runhost and user_srunhost. + * Use AI_FQDN if available since "canonical" is not always the same as fqdn. + */ + static void + set_fqdn(void) + { + struct addrinfo *res0, hint; ++ bool remote; + char *p; + debug_decl(set_fqdn, SUDO_DEBUG_PLUGIN) + ++ /* If the -h flag was given we need to resolve both host and runhost. */ ++ remote = strcmp(user_runhost, user_host) != 0; ++ + memset(&hint, 0, sizeof(hint)); + hint.ai_family = PF_UNSPEC; + hint.ai_flags = AI_FQDN; ++ ++ /* First resolve user_host, sets user_host and user_shost. 
*/ + if (getaddrinfo(user_host, NULL, &hint, &res0) != 0) { + log_warning(MSG_ONLY, N_("unable to resolve host %s"), user_host); + } else { + if (user_shost != user_host) + efree(user_shost); + efree(user_host); +- user_host = estrdup(res0->ai_canonname); ++ user_host = user_shost = estrdup(res0->ai_canonname); + freeaddrinfo(res0); + if ((p = strchr(user_host, '.')) != NULL) + user_shost = estrndup(user_host, (size_t)(p - user_host)); +- else +- user_shost = user_host; + } ++ ++ /* Next resolve user_runhost, sets user_runhost and user_srunhost. */ ++ if (remote) { ++ if (getaddrinfo(user_runhost, NULL, &hint, &res0) != 0) { ++ log_warning(MSG_ONLY, ++ N_("unable to resolve host %s"), user_runhost); ++ } else { ++ if (user_srunhost != user_runhost) ++ efree(user_srunhost); ++ efree(user_runhost); ++ user_runhost = user_srunhost = estrdup(res0->ai_canonname); ++ freeaddrinfo(res0); ++ if ((p = strchr(user_runhost, '.'))) { ++ user_srunhost = ++ estrndup(user_runhost, (size_t)(p - user_runhost)); ++ } ++ } ++ } else { ++ /* Not remote, just use user_host. */ ++ if (user_srunhost != user_runhost) ++ efree(user_srunhost); ++ efree(user_runhost); ++ user_runhost = user_srunhost = estrdup(user_host); ++ if ((p = strchr(user_runhost, '.'))) { ++ user_srunhost = ++ estrndup(user_runhost, (size_t)(p - user_runhost)); ++ } ++ } ++ ++ sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO, ++ "host %s, shost %s, runhost %s, srunhost %s", ++ user_host, user_shost, user_runhost, user_srunhost); + debug_return; + } + diff -Nru sudo-1.8.10p3/debian/patches/series sudo-1.8.10p3/debian/patches/series --- sudo-1.8.10p3/debian/patches/series 2014-09-14 18:26:06.000000000 +0200 +++ sudo-1.8.10p3/debian/patches/series 2014-12-05 15:09:41.000000000 +0100 @@ -1,2 +1,3 @@ typo-in-classic-insults.diff paths-in-samples.diff +Fix-for-broken-FQDN-host-specifications.diff
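
Review bot: In the debian/changelog hunk, the new 1.8.10p3-1.1 entry names `unstable` as its distribution, which does not match the stated plan of a t-p-u upload. The mail also says unstable already carries 1.8.11p2, so this version would be older than what is there. The distribution field should name the testing-proposed-updates target so that the upload lands where the request says it should.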
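
Review bot: In the header of the new debian/patches/Fix-for-broken-FQDN-host-specifications.diff, `Last-Update: 2014-05-12` disagrees with `Date: Fri, 05 Dec 2014`. DEP-3 expects YYYY-MM-DD, so it should read 2014-12-05. In the set_fqdn() body, both the user_host and the new user_runhost branches pass `res0->ai_canonname` to estrdup() and then search the copy with strchr() without first checking that the resolver actually filled in a canonical name. A guard that treats a missing ai_canonname like the existing "unable to resolve host" case would keep the host values used for sudoers matching well defined. The split-at-first-dot sequence now appears three times with slightly different spellings of the strchr() test (`!= NULL` in one, bare truth test in the others). If the backport is allowed to drift from the upstream revision at all, a small helper would keep the free-and-alias handling of the short names from diverging. Otherwise a header comment stating that the body is taken verbatim from the Origin revision would help reviewers.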