Hi, this looks mostly very good! I have some tiny nitpicks: 1) It's good to mention the patches that are being dropped in the changelog entry. 2) There are some whitespace changes in the bottom of the changelog that you could drop if you felt like it.
https://bugs.launchpad.net/bugs/1915307

Title: Please merge sudo 1.9.5p2-2 (main) from Debian unstable (main)

Status in sudo package in Ubuntu: In Progress

Bug description:

This requires a merge because there are changes in the Ubuntu version not present in the Debian version.

------ Justification of patches removed from debian/patches/series ------

* typo-in-classic-insults.diff
  * This exact patch is present in upstream version 1.9.5p2-2
* paths-in-samples.diff
  * This exact patch is present in upstream version 1.9.5p2-2
* Whitelist-DPKG_COLORS-environment-variable.diff
  * This exact patch is present in upstream version 1.9.5p2-2
* CVE-2021-23239.patch
  * This exact patch is NOT present in upstream version 1.9.5p2-2
  * The patch is made to address a vulnerability wherein users were able to gain information about what directories existed that they should not have had access to.
  * Upstream version 1.9.5p2-2 addresses this vulnerability using the function sudo_edit_parent_valid in the file src/sudo_edit.c
  * Since the vulnerability is addressed in upstream version 1.9.5p2-2 it can safely be dropped
* CVE-2021-3156-1.patch
  * The code from this patch already exists in upstream version 1.9.5p2-2
* CVE-2021-3156-2.patch
  * The code from this patch already exists in upstream version 1.9.5p2-2
* CVE-2021-3156-3.patch
  * The code from this patch already exists in upstream version 1.9.5p2-2
* CVE-2021-3156-4.patch
  * The code from this patch already exists in upstream version 1.9.5p2-2
* CVE-2021-3156-5.patch
  * The code from this patch already exists in upstream version 1.9.5p2-2
* ineffective_no_root_mailer.patch
  * This exact patch is present in upstream version 1.9.5p2-2 under the name fix-no-root-mailer.diff

Changes:

  * Merge from Debian unstable. (LP: #1915307) Remaining changes:
    - debian/rules:
      + use dh-autoreconf
    - debian/rules: stop shipping init scripts, as they are no longer necessary.
    - debian/rules:
      + compile with --without-lecture --with-tty-tickets --enable-admin-flag
      + install man/man8/sudo_root.8 in both flavours
      + install apport hooks
    - debian/sudo-ldap.dirs, debian/sudo.dirs:
      + add usr/share/apport/package-hooks
    - debian/sudo.pam:
      + Use pam_env to read /etc/environment and /etc/default/locale environment files. Reading ~/.pam_environment is not permitted due to security reasons.
    - debian/sudoers:
      + also grant admin group sudo access
      + include /snap/bin in the secure_path

sudo (1.9.5p2-2) unstable; urgency=medium

  * patch from upstream repo to fix NO_ROOT_MAILER

sudo (1.9.5p2-1) unstable; urgency=high

  * new upstream version, addresses CVE-2021-3156

sudo (1.9.5p1-1.1) unstable; urgency=high

  * Non-maintainer upload.
  * Heap-based buffer overflow (CVE-2021-3156)
    - Reset valid_flags to MODE_NONINTERACTIVE for sudoedit
    - Add sudoedit flag checks in plugin that are consistent with front-end
    - Fix potential buffer overflow when unescaping backslashes in user_args
    - Fix the memset offset when converting a v1 timestamp to TS_LOCKEXCL
    - Don't assume that argv is allocated as a single flat buffer

sudo (1.9.5p1-1) unstable; urgency=medium

  * new upstream version, closes: #980028

sudo (1.9.5-1) unstable; urgency=medium

  * new upstream version

sudo (1.9.4p2-2ubuntu3) hirsute; urgency=medium

  * SECURITY UPDATE: ineffective NO_ROOT_MAILER hardening option
    - debian/patches/ineffective_no_root_mailer.patch: fix NO_ROOT_MAILER in plugins/sudoers/logging.c, plugins/sudoers/policy.c.
    - No CVE number

sudo (1.9.4p2-2ubuntu2) hirsute; urgency=medium

  * SECURITY UPDATE: dir existence issue via sudoedit race
    - debian/patches/CVE-2021-23239.patch: fix potential directory existing info leak in sudoedit in src/sudo_edit.c.
    - CVE-2021-23239
  * SECURITY UPDATE: heap-based buffer overflow
    - debian/patches/CVE-2021-3156-1.patch: reset valid_flags to MODE_NONINTERACTIVE for sudoedit in src/parse_args.c.
    - debian/patches/CVE-2021-3156-2.patch: add sudoedit flag checks in plugin in plugins/sudoers/policy.c.
    - debian/patches/CVE-2021-3156-3.patch: fix potential buffer overflow when unescaping backslashes in plugins/sudoers/sudoers.c.
    - debian/patches/CVE-2021-3156-4.patch: fix the memset offset when converting a v1 timestamp to TS_LOCKEXCL in plugins/sudoers/timestamp.c.
    - debian/patches/CVE-2021-3156-5.patch: don't assume that argv is allocated as a single flat buffer in src/parse_args.c.
    - CVE-2021-3156
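The justification above rests on checking, patch by patch, whether the change carried in debian/patches is already present in the new upstream tree. As an added example (not part of the bug report or of the sudo packaging), this POSIX shell script does that check for every entry of a series file with GNU patch's dry-run mode: a patch that reverses cleanly is already upstream and can be dropped, one that applies forward is still needed, and one that does neither must be reworked by hand. The tree, patch names and patch contents are constructed for the demo.

```shell
# Added example, not from the bug report: classify each patch listed in a
# debian/patches/series file against an upstream source tree using GNU
# patch's dry-run. A patch that reverses cleanly (-R) is already upstream and
# can be dropped; one that applies forward is still needed; neither means the
# patch needs manual rework. -f stops patch from guessing the direction.
classify_patch() {  # $1 = upstream tree, $2 = patch file
    if patch -R -p1 -s -f --dry-run -d "$1" < "$2" >/dev/null 2>&1; then
        echo applied
    elif patch -p1 -s -f --dry-run -d "$1" < "$2" >/dev/null 2>&1; then
        echo missing
    else
        echo conflict
    fi
}
check_series() {  # $1 = upstream tree, $2 = debian/patches dir
    while IFS= read -r p; do
        case "$p" in ''|'#'*) continue ;; esac   # skip blank and comment lines
        printf '%s %s\n' "$p" "$(classify_patch "$1" "$2/$p")"
    done < "$2/series"
}
# Constructed demo tree: upstream already carries the return-value fix but not
# the comment. Prints the temp dir that holds upstream/ and patches/.
demo_setup() {
    d=$(mktemp -d)
    mkdir -p "$d/upstream" "$d/patches"
    printf 'return 0;\n' > "$d/upstream/hello.c"
    printf 'int helper(void);\n' > "$d/upstream/util.c"
    cat > "$d/patches/fix-return.diff" <<'EOF'
--- a/hello.c
+++ b/hello.c
@@ -1 +1 @@
-return 1;
+return 0;
EOF
    cat > "$d/patches/add-comment.diff" <<'EOF'
--- a/util.c
+++ b/util.c
@@ -1 +1,2 @@
+/* helper */
 int helper(void);
EOF
    printf 'fix-return.diff\nadd-comment.diff\n' > "$d/patches/series"
    echo "$d"
}
dir=$(demo_setup); check_series "$dir/upstream" "$dir/patches"; rm -rf "$dir"
```

Run against a real merge by pointing check_series at the unpacked upstream tarball and the old debian/patches directory; "applied" entries are the ones the justification can drop.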