From 0e8f2ca6bbfaa008ecdfe807a6121066980a0808 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Tue, 1 Jul 2025 13:38:59 +0200 Subject: [PATCH 1/4] app-admin/sudo: Sync with Gentoo It's from Gentoo commit 45a501b67600b00178fb68ce2bf8b8516eb28cc5. --- .../coreos-overlay/app-admin/sudo/Manifest | 4 +- .../coreos-overlay/app-admin/sudo/README.md | 8 ---- ...1.9.15_p5.ebuild => sudo-1.9.17_p1.ebuild} | 39 ++++++++----------- 3 files changed, 18 insertions(+), 33 deletions(-) delete mode 100644 sdk_container/src/third_party/coreos-overlay/app-admin/sudo/README.md rename sdk_container/src/third_party/coreos-overlay/app-admin/sudo/{sudo-1.9.15_p5.ebuild => sudo-1.9.17_p1.ebuild} (89%) diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/Manifest b/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/Manifest index 90f9f2b10c..67dd2c6a6c 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/Manifest 
@@ -1,2 +1,2 @@
-DIST sudo-1.9.15p5.tar.gz 5306611 BLAKE2B 73ee598c2a2848d5be24f97492b13eba2f326c514799220e43a1aeafc6692224a7555fb7cc0a96a2720751d3e4d98e752804db589ac3c1476f24e71f5b9bc720 SHA512 ebac69719de2fe7bd587924701bdd24149bf376a68b17ec02f69b2b96d4bb6fa5eb8260a073ec5ea046d3ac69bb5b1c0b9d61709fe6a56f1f66e40817a70b15a
-DIST sudo-1.9.15p5.tar.gz.sig 566 BLAKE2B ddd8fed1b3721aafdb32b762834168063c3f0f003ef5d83f1883615320da6fe89b08d72c8e893c8b2bf9fd892a40e47cc77d72672e43b5a24db50e7194d9bc4c SHA512 97480a3d27b546a93e997c3a1e8169904a7625ab8fa6198d0b7e1d2d040f55b2d58462cd08e5cc97c2f1c817b12343e35cdd7db207aee42785f2b95b17c600b0
+DIST sudo-1.9.17p1.tar.gz 5449076 BLAKE2B 21771348a8de392767c366bb938951327dcc64a4cedee716a802435899e5135c218468271833a9e3ab9d90bda29e36c0870e27dd333d3a5c64fb8e3a5ebbff58 SHA512 1a9fb27a117b54adf5c99443b3375f7e0eaaf3a2d5a3d409f7c7b10c43432eb301d721df93fb1a8a2e45bf4a4957288d4f153359fc018af00973be57f62a1ebc
+DIST sudo-1.9.17p1.tar.gz.sig 566 BLAKE2B b6380c84b82740455a28388925d27bdf9296ddef943653c1883af3c7684ab53571053ef333ac9747ee11330b06fd23adf477856f70bd5fcaa6dbda1c9e432675 SHA512 714ce7c613683689e9d166171b04c03220e21d06f2e66d800f2d075927830014447611933d7293d9c763beeea66fc02255d8175c9ac8cba6d62166750aab50a6
diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/README.md b/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/README.md
deleted file mode 100644
index c90febe8b2..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/README.md
+++ /dev/null
@@ -1,8 +0,0 @@
-## Flatcar changes
-- Remove Perl Runtime Dependency
-- Remove OpenLDAP schema files for sudo
-```
-insinto /etc/openldap/schema
-newins doc/schema.OpenLDAP sudo.schema
-```
-- Remove sudo.conf file as it is shipped via baselayout
diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/sudo-1.9.15_p5.ebuild b/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/sudo-1.9.17_p1.ebuild similarity index 89% rename from sdk_container/src/third_party/coreos-overlay/app-admin/sudo/sudo-1.9.15_p5.ebuild rename to sdk_container/src/third_party/coreos-overlay/app-admin/sudo/sudo-1.9.17_p1.ebuild index 376fb5ea52..9d6ed763c8 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/sudo-1.9.15_p5.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/sudo-1.9.17_p1.ebuild @@ -1,9 +1,9 @@ -# Copyright 1999-2024 Gentoo Authors +# Copyright 1999-2025 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=8 -inherit pam libtool tmpfiles toolchain-funcs +inherit pam tmpfiles toolchain-funcs MY_P="${P/_/}" MY_P="${MY_P/beta/b}" @@ -12,11 +12,11 @@ DESCRIPTION="Allows users or groups to run commands as other users" HOMEPAGE="https://www.sudo.ws/" if [[ ${PV} == 9999 ]] ; then - inherit mercurial + inherit autotools mercurial EHG_REPO_URI="https://www.sudo.ws/repos/sudo" else VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/sudo.ws.asc - inherit verify-sig + inherit libtool verify-sig uri_prefix= case ${P} in @@ -25,15 +25,13 @@ else SRC_URI=" https://www.sudo.ws/sudo/dist/${uri_prefix}${MY_P}.tar.gz - ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz verify-sig? ( https://www.sudo.ws/sudo/dist/${uri_prefix}${MY_P}.tar.gz.sig - ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz.sig ) " if [[ ${PV} != *_beta* && ${PV} != *_rc* ]] ; then - KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86" + KEYWORDS="~alpha amd64 arm arm64 hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86" fi BDEPEND="verify-sig? ( sec-keys/openpgp-keys-sudo )" 
@@ -63,14 +61,13 @@ DEPEND=" selinux? ( sys-libs/libselinux ) skey? ( >=sys-auth/skey-1.1.5-r1 ) ssl? ( dev-libs/openssl:= ) - sssd? ( sys-auth/sssd[sudo] ) + sssd? ( sys-auth/sssd[sudo(+)] ) " -#Flatcar: Remove Perl runtime dependency -# ldap? ( dev-lang/perl ) RDEPEND=" ${DEPEND} >=app-misc/editor-wrapper-3 virtual/editor + ldap? ( dev-lang/perl ) pam? ( sys-auth/pambase ) selinux? ( sec-policy/selinux-sudo ) sendmail? ( virtual/mta ) @@ -90,7 +87,11 @@ MAKEOPTS+=" SAMPLES=" src_prepare() { default - elibtoolize + if [[ ${PV} == 9999 ]] ; then + eautoreconf + else + elibtoolize + fi } set_secure_path() { @@ -179,7 +180,8 @@ src_configure() { $(use_with offensive all-insults) $(use_with pam) $(use_with pam pam-login) - $(use_with secure-path secure-path "${SECURE_PATH}") + $(use_with secure-path) + "$(use_with secure-path secure-path-value "${SECURE_PATH}")" $(use_with selinux) $(use_with sendmail) $(use_with skey) @@ -216,8 +218,8 @@ src_install() { doins "${T}"/ldap.conf.sudo fperms 0440 /etc/ldap.conf.sudo - #Flatcar: we don't ship OpenLDAP schemas - + insinto /etc/openldap/schema + newins docs/schema.OpenLDAP sudo.schema fi if use pam ; then @@ -236,15 +238,6 @@ src_install() { # bug #697812 find "${ED}" -type f -name "*.la" -delete || die - - # Flatcar: Remove sudo.conf as it is shipped via baselayout - rm "${ED}/etc/sudo.conf" || die - - # Flatcar: Build system installs /etc/sudoers.d, let's make - # sure we keep having it. - # - # Upstream PR: https://github.com/gentoo/gentoo/pull/37397 - keepdir /etc/sudoers.d } pkg_postinst() { From 6605a25cc834ec3738b4447d216be8fdacaa028c Mon Sep 17 00:00:00 2001 From: Sayan Chowdhury Date: Mon, 20 Jun 2022 21:01:24 +0530 Subject: [PATCH 2/4] app-admin/sudo: Apply Flatcar patches - Remove Perl Runtime Dependency - Remove OpenLDAP schema files for sudo - Remove sudo.conf file as it is shipped via baselayout 
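Review bot: In the src_configure hunk (`@@ -179,7 +180,8 @@`) the secure path is now passed as two options with no comment saying why, and the second one is quoted, so configure always receives it as an argument even when the `secure-path` flag is off (presumably as `--without-secure-path-value`; worth confirming configure accepts that form). Because this value becomes the PATH sudo enforces for the commands it runs, I would add a comment above the two lines such as `# secure-path enables the feature; secure-path-value carries the PATH itself (quoted so it stays one argument)`. `SECURE_PATH` is assigned outside this hunk, so where its value comes from cannot be checked from here. src_configure starts and ends outside the hunk.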
Signed-off-by: Sayan Chowdhury --- .../coreos-overlay/app-admin/sudo/README.md | 8 ++++++++ .../app-admin/sudo/sudo-1.9.17_p1.ebuild | 11 ++++++++--- 2 files changed, 16 insertions(+), 3 deletions(-) create mode 100644 sdk_container/src/third_party/coreos-overlay/app-admin/sudo/README.md diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/README.md b/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/README.md new file mode 100644 index 0000000000..c90febe8b2 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/README.md @@ -0,0 +1,8 @@ +## Flatcar changes +- Remove Perl Runtime Dependency +- Remove OpenLDAP schema files for sudo +``` +insinto /etc/openldap/schema +newins doc/schema.OpenLDAP sudo.schema +``` +- Remove sudo.conf file as it is shipped via baselayout diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/sudo-1.9.17_p1.ebuild b/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/sudo-1.9.17_p1.ebuild index 9d6ed763c8..71a60c624d 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/sudo-1.9.17_p1.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/sudo-1.9.17_p1.ebuild @@ -63,11 +63,12 @@ DEPEND=" ssl? ( dev-libs/openssl:= ) sssd? ( sys-auth/sssd[sudo(+)] ) " +#Flatcar: Remove Perl runtime dependency +# ldap? ( dev-lang/perl ) RDEPEND=" ${DEPEND} >=app-misc/editor-wrapper-3 virtual/editor - ldap? ( dev-lang/perl ) pam? ( sys-auth/pambase ) selinux? ( sec-policy/selinux-sudo ) sendmail? ( virtual/mta ) @@ -218,8 +219,8 @@ src_install() { doins "${T}"/ldap.conf.sudo fperms 0440 /etc/ldap.conf.sudo - insinto /etc/openldap/schema - newins docs/schema.OpenLDAP sudo.schema + #Flatcar: we don't ship OpenLDAP schemas + fi if use pam ; then 
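Review bot: The README added by this same patch records the dropped line as `newins doc/schema.OpenLDAP sudo.schema`, while the line actually removed in the src_install hunk (`@@ -218,8 +219,8 @@`) reads `newins docs/schema.OpenLDAP sudo.schema`, so the written record of the Flatcar delta no longer matches the ebuild it is applied to. The hunk also leaves an added blank line between the marker comment and `fi`, and both this comment and the one in the RDEPEND hunk lack the space after `#` that the later `# Flatcar:` comments use. I would write `# Flatcar: we don't ship OpenLDAP schemas` directly above `fi` and update the README snippet to `docs/`. src_install continues outside the hunk.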
@@ -238,6 +239,10 @@ src_install() { # bug #697812 find "${ED}" -type f -name "*.la" -delete || die + + # Flatcar: Remove sudo.conf as it is shipped via baselayout + rm "${ED}/etc/sudo.conf" || die + } pkg_postinst() { From de19afb90255c5faf0e79a33587fc59d5749f58e Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Mon, 1 Jul 2024 15:21:28 +0200 Subject: [PATCH 3/4] overlay app-admin/sudo: Keep /etc/sudoers.d directory It seems to be randomly kept or removed during installation, and we need the directory when creating the SDK container. --- .../coreos-overlay/app-admin/sudo/sudo-1.9.17_p1.ebuild | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/sudo-1.9.17_p1.ebuild b/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/sudo-1.9.17_p1.ebuild index 71a60c624d..42d0796ff6 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/sudo-1.9.17_p1.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/sudo-1.9.17_p1.ebuild @@ -243,6 +243,11 @@ src_install() { # Flatcar: Remove sudo.conf as it is shipped via baselayout rm "${ED}/etc/sudo.conf" || die + # Flatcar: Build system installs /etc/sudoers.d, let's make + # sure we keep having it. + # + # Upstream PR: https://github.com/gentoo/gentoo/pull/37397 + keepdir /etc/sudoers.d } pkg_postinst() { From b839f633ec8d4ddcaeae01ab56d0ea980cf70b4d Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Tue, 1 Jul 2025 13:10:39 +0200 Subject: [PATCH 4/4] changelog: Add entries --- changelog/security/2025-07-01-sudo.md | 1 + changelog/updates/2025-07-01-sudo.md | 1 + 2 files changed, 2 insertions(+) create mode 100644 changelog/security/2025-07-01-sudo.md create mode 100644 changelog/updates/2025-07-01-sudo.md diff --git a/changelog/security/2025-07-01-sudo.md b/changelog/security/2025-07-01-sudo.md new file mode 100644 index 0000000000..ca7ef802a8 --- /dev/null +++ b/changelog/security/2025-07-01-sudo.md 
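Review bot: The comment on `rm "${ED}/etc/sudo.conf" || die` says the file is shipped via baselayout but not that the baselayout copy has to be kept in step with sudo, and as far as this series shows the bump from 1.9.15p5 to 1.9.17p1 does not touch it. sudo.conf is where plugins and helper paths are selected, so a copy that lags behind the packaged version is a security-relevant drift rather than a cosmetic one. I would extend the comment to something like `# Flatcar: sudo.conf is shipped via baselayout; compare it with upstream's sample on every sudo bump`. The `|| die` is the right choice here, since the build stops if upstream ever stops installing the file; src_install starts outside the hunk.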
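Review bot: `keepdir /etc/sudoers.d` keeps the directory but does not fix its mode, and the commit message says the directory is "randomly kept or removed" during installation, so the installed permissions depend on which step ends up creating it. When keepdir has to create the directory itself it will, as far as I know, use Portage's default directory mode rather than the one sudo's own install step applies. Since sudo reads the drop-ins in this directory as policy, I would pin the mode right after the call, e.g. `fperms 0750 /etc/sudoers.d` (confirm 0750 against what upstream's install sets). src_install starts outside the hunk.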
@@ -0,0 +1 @@
+- sudo ([CVE-2025-32462](https://www.cve.org/CVERecord?id=CVE-2025-32462), [CVE-2025-32463](https://www.cve.org/CVERecord?id=CVE-2025-32463))
diff --git a/changelog/updates/2025-07-01-sudo.md b/changelog/updates/2025-07-01-sudo.md
new file mode 100644
index 0000000000..daaeea7f29
--- /dev/null
+++ b/changelog/updates/2025-07-01-sudo.md
@@ -0,0 +1 @@
+- sudo ([1.9.17p1](https://www.sudo.ws/releases/stable/#1.9.17p1))