head 1.6; access; symbols pkgsrc-2013Q2:1.6.0.24 pkgsrc-2013Q2-base:1.6 pkgsrc-2012Q4:1.6.0.22 pkgsrc-2012Q4-base:1.6 pkgsrc-2011Q4:1.6.0.20 pkgsrc-2011Q4-base:1.6 pkgsrc-2011Q2:1.6.0.18 pkgsrc-2011Q2-base:1.6 pkgsrc-2009Q4:1.6.0.16 pkgsrc-2009Q4-base:1.6 pkgsrc-2008Q4:1.6.0.14 pkgsrc-2008Q4-base:1.6 pkgsrc-2008Q3:1.6.0.12 pkgsrc-2008Q3-base:1.6 cube-native-xorg:1.6.0.10 cube-native-xorg-base:1.6 pkgsrc-2008Q2:1.6.0.8 pkgsrc-2008Q2-base:1.6 pkgsrc-2008Q1:1.6.0.6 pkgsrc-2008Q1-base:1.6 pkgsrc-2007Q4:1.6.0.4 pkgsrc-2007Q4-base:1.6 pkgsrc-2007Q3:1.6.0.2 pkgsrc-2007Q3-base:1.6 pkgsrc-2007Q2:1.5.0.2 pkgsrc-2007Q2-base:1.5 pkgsrc-2007Q1:1.4.0.10 pkgsrc-2007Q1-base:1.4 pkgsrc-2006Q4:1.4.0.8 pkgsrc-2006Q4-base:1.4 pkgsrc-2006Q3:1.4.0.6 pkgsrc-2006Q3-base:1.4 pkgsrc-2006Q2:1.4.0.4 pkgsrc-2006Q2-base:1.4 pkgsrc-2006Q1:1.4.0.2 pkgsrc-2006Q1-base:1.4 pkgsrc-2005Q4:1.2.0.2 pkgsrc-2005Q4-base:1.2 pkgsrc-2005Q3:1.1.0.2; locks; strict; comment @# @; 1.6 date 2007.07.23.16.38.37; author tls; state dead; branches; next 1.5; 1.5 date 2007.06.25.09.53.42; author tls; state Exp; branches; next 1.4; 1.4 date 2006.01.15.11.32.07; author adrianp; state Exp; branches 1.4.10.1; next 1.3; 1.3 date 2006.01.09.15.53.40; author cube; state dead; branches; next 1.2; 1.2 date 2005.11.12.14.17.46; author adrianp; state Exp; branches 1.2.2.1; next 1.1; 1.1 date 2005.10.25.22.05.55; author cube; state Exp; branches 1.1.2.1; next ; 1.4.10.1 date 2007.06.26.11.59.28; author ghen; state Exp; branches; next ; 1.2.2.1 date 2006.01.15.15.04.48; author salo; state Exp; branches; next ; 1.1.2.1 date 2005.10.25.22.05.55; author snj; state dead; branches; next 1.1.2.2; 1.1.2.2 date 2005.10.26.04.37.23; author snj; state Exp; branches; next 1.1.2.3; 1.1.2.3 date 2005.11.15.12.15.16; author salo; state Exp; branches; next ; desc @@ 1.6 log @Update sudo to 1.6.9. We don't take the new default of PAM and no other authentication; that can be enabled by adding pam to the package options if users desire. 
@ text @$NetBSD: patch-ah,v 1.5 2007/06/25 09:53:42 tls Exp $ --- env.c.orig 2005-11-08 13:21:33.000000000 -0500 +++ env.c 2007-06-25 04:44:24.000000000 -0400 @@@@ -105,14 +105,14 @@@@ #ifdef __APPLE__ "DYLD_*", #endif -#ifdef HAVE_KERB4 +#if defined(HAVE_KERB4) || defined(HAVE_KERB5) "KRB_CONF*", "KRBCONFDIR", "KRBTKFILE", -#endif /* HAVE_KERB4 */ -#ifdef HAVE_KERB5 "KRB5_CONFIG*", -#endif /* HAVE_KERB5 */ + "KRB5_KTNAME", + "KRB5CCNAME", +#endif /* HAVE_KERB4 || HAVE_KERB5 */ #ifdef HAVE_SECURID "VAR_ACE", "USR_ACE", @@@@ -130,6 +130,7 @@@@ "PERLLIB", "PERL5LIB", "PERL5OPT", + "PYTHONINSPECT", NULL }; @ 1.5 log @Fix privilege-escalation vulnerability with PKG_OPTIONS.sudo=kerberos: cleanse environment of variables that alter behavior of Kerberos library so the user can't override the default keytab location, and do *not* ignore missing keytab errors. Prevents root compromise via spoofed KDC on systems with Kerberos libraries but no host key in keytab, no keytab, or keytab overridden via environment. Don't insist that the keytab key be DES -- some Kerberos sites are 3DES/AES only. Somewhat less invasive than the fix Todd incorporated into the 1.6.9 branch of sudo (presently beta) but equivalent (though not as clean).
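Review bot: in the hunk at -105,14 the separate `#ifdef HAVE_KERB4` and `#ifdef HAVE_KERB5` blocks are collapsed into one `#if defined(HAVE_KERB4) || defined(HAVE_KERB5)` block, so a build with only one of the two libraries now also scrubs the other's variables (KRB_CONF*, KRBCONFDIR and KRBTKFILE alongside KRB5_CONFIG*, KRB5_KTNAME and KRB5CCNAME). That is the safe direction for a denylist, since removing a variable nothing reads costs nothing, but the two new entries carry no comment saying why they matter. Given the commit message's point that the user must not be able to override the default keytab location, a one-line comment next to `+ "KRB5_KTNAME",` (keytab location) and `+ "KRB5CCNAME",` (credential cache) would stop a later maintainer from trimming them as noise. Note also that this scrub is only half of the fix the log describes: the part that stops ignoring missing-keytab errors lives in patch-ai (listed in the 1.4.10.1 pullup), so this hunk is not sufficient on its own.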
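Review bot: in the hunk at -130,6 `+ "PYTHONINSPECT",` is inserted after the PERL5OPT entry and before the `NULL` terminator, which keeps the table correctly NULL-terminated, but nothing records why this variable is listed; the 1.4 log ties it to the Secunia 18358 advisory, and PYTHONINSPECT makes the interpreter drop into interactive mode after a script finishes, so a short comment stating that would match the reasoning behind the BASH_ENV and PERL* entries above it. Like those entries this is a per-interpreter denylist addition, which only covers variables someone has already thought of; the 1.5 log's remark that upstream's 1.6.9 branch carries its own fix, and the fact that the 1.6 revision of this file is marked dead when sudo 1.6.9 is imported, both point at the upstream change rather than further additions here as the durable answer.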
@ text @d1 1 a1 1 $NetBSD: patch-ah,v 1.4 2006/01/15 11:32:07 adrianp Exp $ @ 1.4 log @Add PYTHONINSPECT to the list of environment variables to clean Fix for http://secunia.com/advisories/18358/ Bump to nb1 @ text @d1 1 a1 1 $NetBSD$ d3 22 a24 3 --- env.c.orig 2005-11-08 18:21:33.000000000 +0000 +++ env.c @@@@ -130,6 +130,7 @@@@ static const char *initial_badenv_table[ @ 1.4.10.1 log @Pullup ticket 2121, 2122 - requested by tls security fix for sudo - pkgsrc/security/sudo/Makefile 1.90 - pkgsrc/security/sudo/distinfo 1.35 - pkgsrc/security/sudo/patches/patch-ah 1.5 - pkgsrc/security/sudo/patches/patch-ai 1.1 Module Name: pkgsrc Committed By: tls Date: Mon Jun 25 09:53:42 UTC 2007 Modified Files: pkgsrc/security/sudo: Makefile distinfo pkgsrc/security/sudo/patches: patch-ah Log Message: Fix privilege-escalation vulnerability with PKG_OPTIONS.sudo=kerberos: cleanse environment of variables that alter behavior of Kerberos library so the user can't override the default keytab location, and do *not* ignore missing keytab errors. Prevents root compromise via spoofed KDC on systems with Kerberos libraries but no host key in keytab, no keytab, or keytab overridden via environment. Don't insist that the keytab key be DES -- some Kerberos sites are 3DES/AES only. Somewhat less invasive than the fix Todd incorporated into the 1.6.9 branch of sudo (presently beta) but equivalent (though not as clean). --- Module Name: pkgsrc Committed By: tls Date: Mon Jun 25 23:53:28 UTC 2007 Added Files: pkgsrc/security/sudo/patches: patch-ai Log Message: Add file omitted from previous commit.
@ text @d1 1 a1 1 $NetBSD: patch-ah,v 1.4 2006/01/15 11:32:07 adrianp Exp $ d3 3 a5 22 --- env.c.orig 2005-11-08 13:21:33.000000000 -0500 +++ env.c 2007-06-25 04:44:24.000000000 -0400 @@@@ -105,14 +105,14 @@@@ #ifdef __APPLE__ "DYLD_*", #endif -#ifdef HAVE_KERB4 +#if defined(HAVE_KERB4) || defined(HAVE_KERB5) "KRB_CONF*", "KRBCONFDIR", "KRBTKFILE", -#endif /* HAVE_KERB4 */ -#ifdef HAVE_KERB5 "KRB5_CONFIG*", -#endif /* HAVE_KERB5 */ + "KRB5_KTNAME", + "KRB5CCNAME", +#endif /* HAVE_KERB4 || HAVE_KERB5 */ #ifdef HAVE_SECURID "VAR_ACE", "USR_ACE", @@@@ -130,6 +130,7 @@@@ @ 1.3 log @Sync with latest sudo release (1.6.8pl12). The actual diff is one line long. PR#32378 by Stefan Krüger. Changes: Added PS4 and SHELLOPTS to the list of variables to remove from the environment. (Already in pkgsrc) Added JAVA_TOOL_OPTIONS to the list of variables to remove from the environment. Added PERLLIB, PERL5LIB and PERL5OPT to the list of variables to remove from the environment. (Already in pkgsrc) @ text @d1 1 a1 1 $NetBSD: patch-ah,v 1.2 2005/11/12 14:17:46 adrianp Exp $ d3 1 a3 1 --- env.c.orig 2005-02-06 15:37:01.000000000 +0000 d5 5 a9 16 @@@@ -89,6 +89,8 @@@@ static char *format_env __P((char *, .. static const char *initial_badenv_table[] = { "IFS", "CDPATH", + "SHELLOPTS", + "PS4", "LOCALDOMAIN", "RES_OPTIONS", "HOSTALIASES", @@@@ -124,6 +126,9 @@@@ static const char *initial_badenv_table[ "TERMCAP", /* XXX - only if it starts with '/' */ "ENV", "BASH_ENV", + "PERLLIB", + "PERL5LIB", + "PERL5OPT", @ 1.2 log @Update sudo to nb2 to address the recent security issue: - http://www.sudo.ws/sudo/alerts/perl_env.html - Add "PERLLIB", "PERL5LIB" and the "PERL5OPT" to the list of environment variables to be cleaned.
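Review bot: in the hunk at -89,6 `+ "SHELLOPTS",` and `+ "PS4",` are added as a pair and must stay a pair: bash enables the options listed in an inherited SHELLOPTS before reading its startup files and expands PS4 whenever tracing is on, so removing only one of the two would leave the CVE-2005-2959 case named in the 1.1 log open. A short comment tying the two entries to that CVE would make the dependency explicit; the surrounding IFS, CDPATH and LOCALDOMAIN entries have the same shape and no such note, which is exactly how a pair like this gets split during a later cleanup. The 1.3 log records that upstream 1.6.8pl12 already contains these entries, which is why the trunk revision carrying them is marked dead.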
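Review bot: in the hunk at -124,6 the three Perl entries are inserted directly after `"BASH_ENV",`, grouping them with the other interpreter start-up variables, which is the right spot; the thing to add is a comment above `+ "PERLLIB",` pointing at the sudo.ws perl_env alert the 1.2 log cites, so the reason these three travel together survives the next sync with upstream. The preceding context line `"TERMCAP", /* XXX - only if it starts with '/' */` is a pre-existing open TODO that this patch walks past without touching; it is not introduced here, but it is worth a ticket if the package keeps carrying its own copy of this table.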
@ text @d1 1 a1 1 $NetBSD$ @ 1.2.2.1 log @Pullup ticket 1032 - requested by Adrian Portelli security update for sudo Revisions pulled up: - pkgsrc/security/sudo/Makefile 1.86, 1.87 - pkgsrc/security/sudo/distinfo 1.33, 1.34 - pkgsrc/security/sudo/patches/patch-ah 1.4 Module Name: pkgsrc Committed By: cube Date: Mon Jan 9 15:53:40 UTC 2006 Modified Files: pkgsrc/security/sudo: Makefile distinfo Removed Files: pkgsrc/security/sudo/patches: patch-ah Log Message: Sync with latest sudo release (1.6.8pl12). The actual diff is one line long. PR#32378 by Stefan Krüger. Changes: Added PS4 and SHELLOPTS to the list of variables to remove from the environment. (Already in pkgsrc) Added JAVA_TOOL_OPTIONS to the list of variables to remove from the environment. Added PERLLIB, PERL5LIB and PERL5OPT to the list of variables to remove from the environment. (Already in pkgsrc) --- Module Name: pkgsrc Committed By: adrianp Date: Sun Jan 15 11:32:07 UTC 2006 Modified Files: pkgsrc/security/sudo: Makefile distinfo Added Files: pkgsrc/security/sudo/patches: patch-ah Log Message: Add PYTHONINSPECT to the list of environment variables to clean Fix for http://secunia.com/advisories/18358/ Bump to nb1 @ text @d1 1 a1 1 $NetBSD: patch-ah,v 1.4 2006/01/15 11:32:07 adrianp Exp $ d3 1 a3 1 --- env.c.orig 2005-11-08 18:21:33.000000000 +0000 d5 16 a20 5 @@@@ -130,6 +130,7 @@@@ static const char *initial_badenv_table[ "PERLLIB", "PERL5LIB", "PERL5OPT", + "PYTHONINSPECT", @ 1.1 log @Add a patch for CVE-2005-2959: SHELLOPTS and PS4 have to be cleared from the environment before letting the user execute bash scripts. Bump PKGREVISION. From Debian. 
@ text @d3 1 a3 1 --- env.c.orig 2005-02-06 16:37:01.000000000 +0100 d14 10 @ 1.1.2.1 log @file patch-ah was added on branch pkgsrc-2005Q3 on 2005-10-25 22:05:55 +0000 @ text @d1 13 @ 1.1.2.2 log @Pullup ticket 855 - requested by Quentin Garnier security fix for sudo Revisions pulled up: - pkgsrc/security/sudo/Makefile 1.82 - pkgsrc/security/sudo/distinfo 1.31 - pkgsrc/security/sudo/patches/patch-ah 1.1 Module Name: pkgsrc Committed By: cube Date: Tue Oct 25 22:05:55 UTC 2005 Modified Files: pkgsrc/security/sudo: Makefile distinfo Added Files: pkgsrc/security/sudo/patches: patch-ah Log Message: Add a patch for CVE-2005-2959: SHELLOPTS and PS4 have to be cleared from the environment before letting the user execute bash scripts. Bump PKGREVISION. From Debian. @ text @a0 13 $NetBSD: patch-ah,v 1.1.2.1 2005/10/26 04:37:23 snj Exp $ --- env.c.orig 2005-02-06 16:37:01.000000000 +0100 +++ env.c @@@@ -89,6 +89,8 @@@@ static char *format_env __P((char *, .. static const char *initial_badenv_table[] = { "IFS", "CDPATH", + "SHELLOPTS", + "PS4", "LOCALDOMAIN", "RES_OPTIONS", "HOSTALIASES", @ 1.1.2.3 log @Pullup ticket 909 - requested by Adrian Portelli security fix for sudo Revisions pulled up: - pkgsrc/security/sudo/Makefile 1.83 - pkgsrc/security/sudo/distinfo 1.32 - pkgsrc/security/sudo/patches/patch-ah 1.2 Module Name: pkgsrc Committed By: adrianp Date: Sat Nov 12 14:17:46 UTC 2005 Modified Files: pkgsrc/security/sudo: Makefile distinfo pkgsrc/security/sudo/patches: patch-ah Log Message: Update sudo to nb2 to address the recent security issue: - http://www.sudo.ws/sudo/alerts/perl_env.html - Add "PERLLIB", "PERL5LIB" and the "PERL5OPT" to the list of environment variables to be cleaned.
@ text @d1 1 a1 1 $NetBSD: patch-ah,v 1.1.2.2 2005/11/15 12:15:16 salo Exp $ d3 1 a3 1 --- env.c.orig 2005-02-06 15:37:01.000000000 +0000 a13 10 @@@@ -124,6 +126,9 @@@@ static const char *initial_badenv_table[ "TERMCAP", /* XXX - only if it starts with '/' */ "ENV", "BASH_ENV", + "PERLLIB", + "PERL5LIB", + "PERL5OPT", NULL }; @