** Description changed: This requires a merge because there are changes in the Ubuntu version not present in the Debian version. + + ------ Justification of patches removed from debian/patches/series ------ + * typo-in-classic-insults.diff + * This exact patch is present in upstream version 1.9.5p2-2 + * paths-in-samples.diff + * This exact patch is present in upstream version 1.9.5p2-2 + * Whitelist-DPKG_COLORS-environment-variable.diff + * This exact patch is present in upstream version 1.9.5p2-2 + * CVE-2021-23239.patch + * This exact patch is NOT present in upstream version 1.9.5p2-2 + * The patch is made to address a vulnerability wherein users + were able to gain information about what directories existed + that they should not have had access to. + * Upstream version 1.9.5p2-2 addresses this vulnerability using + the function sudo_edit_parent_valid in the file src/sudo_edit.c + * Since the vulnerability is addressed in upstream version + 1.9.5p2-2 it can safely be dropped + * CVE-2021-3156-1.patch + * The code from this patch already exitsts in upstream + version 1.9.5p2-2 + * CVE-2021-3156-2.patch + * The code from this patch already exitsts in upstream + version 1.9.5p2-2 + * CVE-2021-3156-3.patch + * The code from this patch already exitsts in upstream + version 1.9.5p2-2 + * CVE-2021-3156-4.patch + * The code from this patch already exitsts in upstream + version 1.9.5p2-2 + * CVE-2021-3156-5.patch + * The code from this patch already exitsts in upstream + version 1.9.5p2-2 + * ineffective_no_root_mailer.patch + * This exact patch is present in upstream version 1.9.5p2-2 + under the name fix-no-root-mailer.diff + + Changes: + * Merge from Debian unstable. (LP: #1915307) + Remaining changes: + - debian/rules: + + use dh-autoreconf + - debian/rules: stop shipping init scripts, as they are no longer + necessary. + - debian/rules: + + compile with --without-lecture --with-tty-tickets --enable-admin-flag + + install man/man8/sudo_root.8 in both flavours + + install apport hooks + - debian/sudo-ldap.dirs, debian/sudo.dirs: + + add usr/share/apport/package-hooks + - debian/sudo.pam: + + Use pam_env to read /etc/environment and /etc/default/locale + environment files. Reading ~/.pam_environment is not permitted due + to security reasons. + - debian/sudoers: + + also grant admin group sudo access + + include /snap/bin in the secure_path + + sudo (1.9.5p2-2) unstable; urgency=medium + + * patch from upstream repo to fix NO_ROOT_MAILER + + sudo (1.9.5p2-1) unstable; urgency=high + + * new upstream version, addresses CVE-2021-3156 + + sudo (1.9.5p1-1.1) unstable; urgency=high + + * Non-maintainer upload. + * Heap-based buffer overflow (CVE-2021-3156) + - Reset valid_flags to MODE_NONINTERACTIVE for sudoedit + - Add sudoedit flag checks in plugin that are consistent with front-end + - Fix potential buffer overflow when unescaping backslashes in user_args + - Fix the memset offset when converting a v1 timestamp to TS_LOCKEXCL + - Don't assume that argv is allocated as a single flat buffer + + sudo (1.9.5p1-1) unstable; urgency=medium + + * new upstream version, closes: #980028 + + sudo (1.9.5-1) unstable; urgency=medium + + * new upstream version + + sudo (1.9.4p2-2ubuntu3) hirsute; urgency=medium + + * SECURITY UPDATE: ineffective NO_ROOT_MAILER hardening option + - debian/patches/ineffective_no_root_mailer.patch: fix NO_ROOT_MAILER + in plugins/sudoers/logging.c, plugins/sudoers/policy.c. + - No CVE number + + sudo (1.9.4p2-2ubuntu2) hirsute; urgency=medium + + * SECURITY UPDATE: dir existence issue via sudoedit race + - debian/patches/CVE-2021-23239.patch: fix potential directory existing + info leak in sudoedit in src/sudo_edit.c. + - CVE-2021-23239 + * SECURITY UPDATE: heap-based buffer overflow + - debian/patches/CVE-2021-3156-1.patch: reset valid_flags to + MODE_NONINTERACTIVE for sudoedit in src/parse_args.c. + - debian/patches/CVE-2021-3156-2.patch: add sudoedit flag checks in + plugin in plugins/sudoers/policy.c. + - debian/patches/CVE-2021-3156-3.patch: fix potential buffer overflow + when unescaping backslashes in plugins/sudoers/sudoers.c. + - debian/patches/CVE-2021-3156-4.patch: fix the memset offset when + converting a v1 timestamp to TS_LOCKEXCL in + plugins/sudoers/timestamp.c. + - debian/patches/CVE-2021-3156-5.patch: don't assume that argv is + allocated as a single flat buffer in src/parse_args.c. + - CVE-2021-3156
-- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to sudo in Ubuntu. https://bugs.launchpad.net/bugs/1915307 Title: Please merge sudo 1.9.5p2-2 (main) from Debian unstable (main) Status in sudo package in Ubuntu: In Progress Bug description: This requires a merge because there are changes in the Ubuntu version not present in the Debian version. ------ Justification of patches removed from debian/patches/series ------ * typo-in-classic-insults.diff * This exact patch is present in upstream version 1.9.5p2-2 * paths-in-samples.diff * This exact patch is present in upstream version 1.9.5p2-2 * Whitelist-DPKG_COLORS-environment-variable.diff * This exact patch is present in upstream version 1.9.5p2-2 * CVE-2021-23239.patch * This exact patch is NOT present in upstream version 1.9.5p2-2 * The patch is made to address a vulnerability wherein users were able to gain information about what directories existed that they should not have had access to. * Upstream version 1.9.5p2-2 addresses this vulnerability using the function sudo_edit_parent_valid in the file src/sudo_edit.c * Since the vulnerability is addressed in upstream version 1.9.5p2-2 it can safely be dropped * CVE-2021-3156-1.patch * The code from this patch already exitsts in upstream version 1.9.5p2-2 * CVE-2021-3156-2.patch * The code from this patch already exitsts in upstream version 1.9.5p2-2 * CVE-2021-3156-3.patch * The code from this patch already exitsts in upstream version 1.9.5p2-2 * CVE-2021-3156-4.patch * The code from this patch already exitsts in upstream version 1.9.5p2-2 * CVE-2021-3156-5.patch * The code from this patch already exitsts in upstream version 1.9.5p2-2 * ineffective_no_root_mailer.patch * This exact patch is present in upstream version 1.9.5p2-2 under the name fix-no-root-mailer.diff Changes: * Merge from Debian unstable. (LP: #1915307) Remaining changes: - debian/rules: + use dh-autoreconf - debian/rules: stop shipping init scripts, as they are no longer necessary. - debian/rules: + compile with --without-lecture --with-tty-tickets --enable-admin-flag + install man/man8/sudo_root.8 in both flavours + install apport hooks - debian/sudo-ldap.dirs, debian/sudo.dirs: + add usr/share/apport/package-hooks - debian/sudo.pam: + Use pam_env to read /etc/environment and /etc/default/locale environment files. Reading ~/.pam_environment is not permitted due to security reasons. - debian/sudoers: + also grant admin group sudo access + include /snap/bin in the secure_path sudo (1.9.5p2-2) unstable; urgency=medium * patch from upstream repo to fix NO_ROOT_MAILER sudo (1.9.5p2-1) unstable; urgency=high * new upstream version, addresses CVE-2021-3156 sudo (1.9.5p1-1.1) unstable; urgency=high * Non-maintainer upload. * Heap-based buffer overflow (CVE-2021-3156) - Reset valid_flags to MODE_NONINTERACTIVE for sudoedit - Add sudoedit flag checks in plugin that are consistent with front-end - Fix potential buffer overflow when unescaping backslashes in user_args - Fix the memset offset when converting a v1 timestamp to TS_LOCKEXCL - Don't assume that argv is allocated as a single flat buffer sudo (1.9.5p1-1) unstable; urgency=medium * new upstream version, closes: #980028 sudo (1.9.5-1) unstable; urgency=medium * new upstream version sudo (1.9.4p2-2ubuntu3) hirsute; urgency=medium * SECURITY UPDATE: ineffective NO_ROOT_MAILER hardening option - debian/patches/ineffective_no_root_mailer.patch: fix NO_ROOT_MAILER in plugins/sudoers/logging.c, plugins/sudoers/policy.c. - No CVE number sudo (1.9.4p2-2ubuntu2) hirsute; urgency=medium * SECURITY UPDATE: dir existence issue via sudoedit race - debian/patches/CVE-2021-23239.patch: fix potential directory existing info leak in sudoedit in src/sudo_edit.c. - CVE-2021-23239 * SECURITY UPDATE: heap-based buffer overflow - debian/patches/CVE-2021-3156-1.patch: reset valid_flags to MODE_NONINTERACTIVE for sudoedit in src/parse_args.c. - debian/patches/CVE-2021-3156-2.patch: add sudoedit flag checks in plugin in plugins/sudoers/policy.c. - debian/patches/CVE-2021-3156-3.patch: fix potential buffer overflow when unescaping backslashes in plugins/sudoers/sudoers.c. - debian/patches/CVE-2021-3156-4.patch: fix the memset offset when converting a v1 timestamp to TS_LOCKEXCL in plugins/sudoers/timestamp.c. - debian/patches/CVE-2021-3156-5.patch: don't assume that argv is allocated as a single flat buffer in src/parse_args.c. - CVE-2021-3156 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1915307/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
