[Bug 1915307] Re: Please merge sudo 1.9.5p2-2 (main) from Debian unstable (main)

Fri Feb 12 01:24:22 UTC 2021

Hi, this looks mostly very good! I have some tiny nitpicks:

1) It's good to mention the patches that are being dropped in the changelog entry.
2) There are some whitespace changes in the bottom of the changelog that you could drop if you felt like it.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to sudo in Ubuntu.
https://bugs.launchpad.net/bugs/1915307

Title:
  Please merge sudo 1.9.5p2-2 (main) from Debian unstable (main)

Status in sudo package in Ubuntu:
  In Progress

Bug description:
  This requires a merge because there are changes in the Ubuntu version
  not present in the Debian version.

  ------ Justification of patches removed from debian/patches/series ------
  * typo-in-classic-insults.diff
    * This exact patch is present in upstream version 1.9.5p2-2
  * paths-in-samples.diff
    * This exact patch is present in upstream version 1.9.5p2-2
  * Whitelist-DPKG_COLORS-environment-variable.diff
    * This exact patch is present in upstream version 1.9.5p2-2
  * CVE-2021-23239.patch
    * This exact patch is NOT present in upstream version 1.9.5p2-2
      * The patch is made to address a vulnerability wherein users
        were able to gain information about what directories existed
        that they should not have had access to.
      * Upstream version 1.9.5p2-2 addresses this vulnerability using
        the function sudo_edit_parent_valid in the file src/sudo_edit.c
      * Since the vulnerability is addressed in upstream version
        1.9.5p2-2 it can safely be dropped
  * CVE-2021-3156-1.patch
    * The code from this patch already exitsts in upstream
      version 1.9.5p2-2
  * CVE-2021-3156-2.patch
    * The code from this patch already exitsts in upstream
      version 1.9.5p2-2
  * CVE-2021-3156-3.patch
    * The code from this patch already exitsts in upstream
      version 1.9.5p2-2
  * CVE-2021-3156-4.patch
    * The code from this patch already exitsts in upstream
      version 1.9.5p2-2
  * CVE-2021-3156-5.patch
    * The code from this patch already exitsts in upstream
      version 1.9.5p2-2
  * ineffective_no_root_mailer.patch
    * This exact patch is present in upstream version 1.9.5p2-2
      under the name fix-no-root-mailer.diff

  Changes:
    * Merge from Debian unstable. (LP: #1915307)
      Remaining changes:
      - debian/rules:
        + use dh-autoreconf
      - debian/rules: stop shipping init scripts, as they are no longer
        necessary.
      - debian/rules:
        + compile with --without-lecture --with-tty-tickets --enable-admin-flag
        + install man/man8/sudo_root.8 in both flavours
        + install apport hooks
      - debian/sudo-ldap.dirs, debian/sudo.dirs:
        + add usr/share/apport/package-hooks
      - debian/sudo.pam:
        + Use pam_env to read /etc/environment and /etc/default/locale
          environment files. Reading ~/.pam_environment is not permitted due
          to security reasons.
      - debian/sudoers:
        + also grant admin group sudo access
        + include /snap/bin in the secure_path

  sudo (1.9.5p2-2) unstable; urgency=medium

    * patch from upstream repo to fix NO_ROOT_MAILER

  sudo (1.9.5p2-1) unstable; urgency=high

    * new upstream version, addresses CVE-2021-3156

  sudo (1.9.5p1-1.1) unstable; urgency=high

    * Non-maintainer upload.
    * Heap-based buffer overflow (CVE-2021-3156)
      - Reset valid_flags to MODE_NONINTERACTIVE for sudoedit
      - Add sudoedit flag checks in plugin that are consistent with front-end
      - Fix potential buffer overflow when unescaping backslashes in user_args
      - Fix the memset offset when converting a v1 timestamp to TS_LOCKEXCL
      - Don't assume that argv is allocated as a single flat buffer

  sudo (1.9.5p1-1) unstable; urgency=medium

    * new upstream version, closes: #980028

  sudo (1.9.5-1) unstable; urgency=medium

    * new upstream version

  sudo (1.9.4p2-2ubuntu3) hirsute; urgency=medium

    * SECURITY UPDATE: ineffective NO_ROOT_MAILER hardening option
      - debian/patches/ineffective_no_root_mailer.patch: fix NO_ROOT_MAILER
        in plugins/sudoers/logging.c, plugins/sudoers/policy.c.
      - No CVE number

  sudo (1.9.4p2-2ubuntu2) hirsute; urgency=medium

    * SECURITY UPDATE: dir existence issue via sudoedit race
      - debian/patches/CVE-2021-23239.patch: fix potential directory existing
        info leak in sudoedit in src/sudo_edit.c.
      - CVE-2021-23239
    * SECURITY UPDATE: heap-based buffer overflow
      - debian/patches/CVE-2021-3156-1.patch: reset valid_flags to
        MODE_NONINTERACTIVE for sudoedit in src/parse_args.c.
      - debian/patches/CVE-2021-3156-2.patch: add sudoedit flag checks in
        plugin in plugins/sudoers/policy.c.
      - debian/patches/CVE-2021-3156-3.patch: fix potential buffer overflow
        when unescaping backslashes in plugins/sudoers/sudoers.c.
      - debian/patches/CVE-2021-3156-4.patch: fix the memset offset when
        converting a v1 timestamp to TS_LOCKEXCL in
        plugins/sudoers/timestamp.c.
      - debian/patches/CVE-2021-3156-5.patch: don't assume that argv is
        allocated as a single flat buffer in src/parse_args.c.
      - CVE-2021-3156

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1915307/+subscriptions