From ce2f275d3581c97c5cfd765c2e82b0acdb595042 Mon Sep 17 00:00:00 2001
From: Dongsu Park <dongsu@kinvolk.io>
Date: Wed, 5 Feb 2020 10:33:50 +0100
Subject: [PATCH] app-admin/sudo: bump sudo to 1.8.31

Since sudo 1.8.28, every sudo started printing out a warning like
`/etc/environment: No such file or directory`, when `/etc/environment`
does not exist.

Also sudo <= 1.8.30 is affected by a pwfeedback vulnerability,
CVE-2019-18634. https://seclists.org/oss-sec/2020/q1/48

Update sudo to 1.8.31 from upstream Gentoo, to resolve the issues.

See also https://bugs.gentoo.org/698946.
---
 .../coreos-overlay/app-admin/sudo/Manifest    |  2 +-
 ...{sudo-1.8.28.ebuild => sudo-1.8.31.ebuild} | 20 +++++++++++++++----
 .../coreos/arm64/package.accept_keywords      |  2 +-
 3 files changed, 18 insertions(+), 6 deletions(-)
 rename sdk_container/src/third_party/coreos-overlay/app-admin/sudo/{sudo-1.8.28.ebuild => sudo-1.8.31.ebuild} (93%)

diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/Manifest b/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/Manifest
index 5588247e26..d708aa4e31 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/Manifest
@@ -1 +1 @@
-DIST sudo-1.8.28.tar.gz 3309744 BLAKE2B 191a1f4239bdd2c1889b2a9c372a6fc949975e54cb510d25602798ee2e6e7b253a18fef290bc324acd4abb3049bcab909fdaa512bb24c400a95cc0901b50ab37 SHA512 09e589cdfd18d7c43b0859a0e11c008b3cb995ae4f8c89c717c5242db9e5696361eb574ebe74a0b5316afffb3a8037f7a7f3c249176e8ed9caffeb4cd860ddc7
+DIST sudo-1.8.31.tar.gz 3350674 BLAKE2B de5a968732fdd58933b4c513d13c43a08cb50075a00c3e0d338c9892570a416a2b3a8f19940c0893715f4eeab991e804831a87ef656ffd91e7f1ba047c119261 SHA512 b9e408a322938c7a712458e9012d8a5f648fba5b23a5057cf5d8372c7f931262595f1575c32c32b9cb1a04af670ff4611e7df48d197e5c4cc038d6b65439a28a
diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/sudo-1.8.28.ebuild b/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/sudo-1.8.31.ebuild
similarity index 93%
rename from sdk_container/src/third_party/coreos-overlay/app-admin/sudo/sudo-1.8.28.ebuild
rename to sdk_container/src/third_party/coreos-overlay/app-admin/sudo/sudo-1.8.31.ebuild
index c0ce873467..5c6a768ae8 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/sudo-1.8.28.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/sudo-1.8.31.ebuild
@@ -22,7 +22,7 @@ else
 	SRC_URI="https://www.sudo.ws/sudo/dist/${uri_prefix}${MY_P}.tar.gz
 		ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz"
 	if [[ ${PV} != *_beta* ]] && [[ ${PV} != *_rc* ]] ; then
-		KEYWORDS="~alpha amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~sparc-solaris"
+		KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~sparc-solaris"
 	fi
 fi
 
@@ -36,7 +36,10 @@ DEPEND="
 	sys-libs/zlib:=
 	ldap? (
 		>=net-nds/openldap-2.1.30-r1
-		dev-libs/cyrus-sasl
+		sasl? (
+			dev-libs/cyrus-sasl
+			net-nds/openldap[sasl]
+		)
 	)
 	pam? ( sys-libs/pam )
 	sasl? ( dev-libs/cyrus-sasl )
@@ -139,8 +142,7 @@ src_configure() {
 		--with-env-editor
 		--with-plugindir="${EPREFIX}"/usr/$(get_libdir)/sudo
 		--with-rundir="${EPREFIX}"/run/sudo
-		$(use_with secure-path secure-path ${SECURE_PATH})
-		--with-secure-path="${SECURE_PATH}"
+		$(use_with secure-path secure-path "${SECURE_PATH}")
 		--with-vardir="${EPREFIX}"/var/db/sudo
 		--without-linux-audit
 		--without-opie
@@ -182,6 +184,14 @@ src_install() {
 		# tls_{checkpeer,cacertfile,cacertdir,randfile,ciphers,cert,key}
 		EOF
 
+		if use sasl ; then
+			cat <<-EOF >> "${T}"/ldap.conf.sudo
+
+			# SASL directives: use_sasl, sasl_mech, sasl_auth_id
+			# sasl_secprops, rootuse_sasl, rootsasl_auth_id, krb5_ccname
+			EOF
+		fi
+
 		insinto /etc
 		doins "${T}"/ldap.conf.sudo
 		fperms 0440 /etc/ldap.conf.sudo
@@ -196,6 +206,8 @@ src_install() {
 	# Don't install into /run as that is a tmpfs most of the time
 	# (bug #504854)
 	rm -rf "${ED}"/run
+
+	find "${ED}" -type f -name "*.la" -delete || die #697812
 }
 
 pkg_postinst() {
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.accept_keywords
index c7af237e10..32c0460e21 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.accept_keywords
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.accept_keywords
@@ -1,7 +1,7 @@
 # arm64 keywords
 # Keep these in alphabetical order.
 
-=app-admin/sudo-1.8.28 ~arm64
+=app-admin/sudo-1.8.31 ~arm64
 =app-arch/bzip2-1.0.6-r8 ~arm64
 =app-arch/libarchive-3.3.1 ~arm64
 =app-crypt/mit-krb5-1.14.2 ~arm64