app-admin/sudo: Sync latest version from Gentoo

Fixes CVE-2019-14287.
2025-08-19 05:21:23 +02:00 · 2019-10-14 13:52:57 -04:00 · 2019-10-14 13:52:57 -04:00 · edb72c51ff
commit edb72c51ff
parent f55193d9dc
3 changed files with 51 additions and 33 deletions
--- a/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/Manifest
@ -1 +1 @@
-DIST sudo-1.8.25p1.tar.gz 3189951 BLAKE2B ebfedaad62e60f625db8c46a5c8f19977a5ec0a86bab3b34d91096c08e8b8ece056ba312f9fecd4cdd704fc17d49a36681b41cd40269df7c67cd66d80c0d8efb SHA512 b1445be688d3c1dd7efbdfab68977a7a9b6fd6887191dc99ca717117eec0a550492642556cd55ca5873d054ddc5ccc2b87b2c34602e1ffc729ab6fbc4e523a72
+DIST sudo-1.8.28.tar.gz 3309744 BLAKE2B 191a1f4239bdd2c1889b2a9c372a6fc949975e54cb510d25602798ee2e6e7b253a18fef290bc324acd4abb3049bcab909fdaa512bb24c400a95cc0901b50ab37 SHA512 09e589cdfd18d7c43b0859a0e11c008b3cb995ae4f8c89c717c5242db9e5696361eb574ebe74a0b5316afffb3a8037f7a7f3c249176e8ed9caffeb4cd860ddc7
--- a/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/metadata.xml
+++ b/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/metadata.xml
@ -12,11 +12,16 @@
 		arguments.
 	</longdescription>
 	<use>
-		<flag name="gcrypt">Use SHA2 from <pkg>dev-libs/libgcrypt</pkg> instead of sudo's internal SHA2</flag>
+		<flag name="gcrypt">Use message digest functions from <pkg>dev-libs/libgcrypt</pkg> instead of sudo's</flag>
 		<flag name="libressl">Use message digest functions from <pkg>dev-libs/libressl</pkg> instead of sudo's</flag>
 		<flag name="offensive">Let sudo print insults when the user types the wrong password</flag>
 		<flag name="openssl">Use SHA2 from <pkg>dev-libs/openssl</pkg> instead of sudo's internal SHA2</flag>
 		<flag name="sendmail">Allow sudo to send emails with sendmail</flag>
 		<flag name="sssd">Add System Security Services Daemon support</flag>
 		<flag name="secure-path">Replace PATH variable with compile time secure paths</flag>
 		<flag name="system-digest">
 			Use message digest functions from <pkg>dev-libs/libgcrypt</pkg>, <pkg>dev-libs/libressl</pkg>
 			or <pkg>dev-libs/openssl</pkg> instead of sudo's internal SHA2 implementation
 		</flag>
 	</use>
 	<upstream>
 		<remote-id type="cpe">cpe:/a:todd_miller:sudo</remote-id>
--- a/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/sudo-1.8.25_p1-r1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/sudo-1.8.25_p1-r1.ebuild
@ -1,29 +1,28 @@
-# Copyright 1999-2018 Gentoo Authors
+# Copyright 1999-2019 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
-EAPI=6
+EAPI=7
-inherit eutils pam multilib libtool tmpfiles
+inherit pam multilib libtool tmpfiles
 if [[ ${PV} == "9999" ]] ; then
 	EHG_REPO_URI="https://www.sudo.ws/repos/sudo"
 	inherit mercurial
 fi
-MY_P=${P/_/}
+MY_P="${P/_/}"
-MY_P=${MY_P/beta/b}
+MY_P="${MY_P/beta/b}"
 uri_prefix=
 case ${P} in
 	*_beta*|*_rc*) uri_prefix=beta/ ;;
 esac
 DESCRIPTION="Allows users or groups to run commands as other users"
 HOMEPAGE="https://www.sudo.ws/"
-if [[ ${PV} != "9999" ]] ; then
+if [[ ${PV} == "9999" ]] ; then
 	inherit mercurial
 	EHG_REPO_URI="https://www.sudo.ws/repos/sudo"
 else
 	uri_prefix=
 	case ${P} in
 		*_beta*|*_rc*) uri_prefix=beta/ ;;
 	esac
 	SRC_URI="https://www.sudo.ws/sudo/dist/${uri_prefix}${MY_P}.tar.gz
 		ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz"
 	if [[ ${PV} != *_beta* ]] && [[ ${PV} != *_rc* ]] ; then
-		KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd ~x86-fbsd ~sparc-solaris"
+		KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~sparc-solaris"
 	fi
 fi
@ -31,31 +30,36 @@ fi
 # 3-clause BSD license
 LICENSE="ISC BSD"
 SLOT="0"
-IUSE="gcrypt ldap nls offensive openssl pam sasl selinux +sendmail skey sssd"
+IUSE="gcrypt ldap libressl nls offensive pam sasl +secure-path selinux +sendmail skey sssd system-digest"
-CDEPEND="
+DEPEND="
 	sys-libs/zlib:=
 	gcrypt? ( dev-libs/libgcrypt:= )
 	ldap? (
 		>=net-nds/openldap-2.1.30-r1
 		dev-libs/cyrus-sasl
 	)
-	openssl? ( dev-libs/openssl:0= )
+	pam? ( sys-libs/pam )
 	pam? ( virtual/pam )
 	sasl? ( dev-libs/cyrus-sasl )
 	skey? ( >=sys-auth/skey-1.1.5-r1 )
 	sssd? ( sys-auth/sssd[sudo] )
 	system-digest? (
 		gcrypt? ( dev-libs/libgcrypt:= )
 		!gcrypt? (
 			!libressl? ( dev-libs/openssl:0= )
 			libressl? ( dev-libs/libressl:0= )
 		)
 	)
 "
 RDEPEND="
-	${CDEPEND}
+	${DEPEND}
 	>=app-misc/editor-wrapper-3
 	virtual/editor
 	ldap? ( dev-lang/perl )
 	pam? ( sys-auth/pambase )
 	selinux? ( sec-policy/selinux-sudo )
 	sendmail? ( virtual/mta )
 "
-DEPEND="
+BDEPEND="
 	${CDEPEND}
 	sys-devel/bison
 "
@ -64,7 +68,6 @@ S="${WORKDIR}/${MY_P}"
 REQUIRED_USE="
 	pam? ( !skey )
 	skey? ( !pam )
 	?? ( gcrypt openssl )
 "
 MAKEOPTS+=" SAMPLES="
@ -98,7 +101,7 @@ set_secure_path() {
 		local newpath thisp IFS=:
 		for thisp in $1 ; do
 			if [[ :${newpath}: != *:${thisp}:* ]] ; then
-				newpath+=:$thisp
+				newpath+=:${thisp}
 			else
 				einfo "   Duplicate entry ${thisp} removed..."
 			fi
@ -111,8 +114,8 @@ set_secure_path() {
 	rmpath() {
 		local e newpath thisp IFS=:
 		for thisp in ${SECURE_PATH} ; do
-			for e ; do [[ $thisp == $e ]] && continue 2 ; done
+			for e ; do [[ ${thisp} == ${e} ]] && continue 2 ; done
-			newpath+=:$thisp
+			newpath+=:${thisp}
 		done
 		SECURE_PATH=${newpath#:}
 	}
@ -137,13 +140,13 @@ src_configure() {
 		--with-env-editor
 		--with-plugindir="${EPREFIX}"/usr/$(get_libdir)/sudo
 		--with-rundir="${EPREFIX}"/run/sudo
 		$(use_with secure-path secure-path ${SECURE_PATH})
 		--with-secure-path="${SECURE_PATH}"
 		--with-vardir="${EPREFIX}"/var/db/sudo
 		--without-linux-audit
 		--without-opie
 		$(use_enable gcrypt)
 		$(use_enable nls)
 		$(use_enable openssl)
 		$(use_enable sasl)
 		$(use_with offensive insults)
 		$(use_with offensive all-insults)
@ -155,6 +158,13 @@ src_configure() {
 		$(use_with selinux)
 		$(use_with sendmail)
 	)
 	if use system-digest && ! use gcrypt; then
 		myeconfargs+=("--enable-openssl")
 	else
 		myeconfargs+=("--disable-openssl")
 	fi
 	econf "${myeconfargs[@]}"
 }
@ -176,6 +186,9 @@ src_install() {
 		insinto /etc
 		doins "${T}"/ldap.conf.sudo
 		fperms 0440 /etc/ldap.conf.sudo
 		insinto /etc/openldap/schema
 		newins doc/schema.OpenLDAP sudo.schema
 	fi
 	pamd_mimic system-auth sudo auth account session
@ -186,7 +199,7 @@ src_install() {
 	# Don't install into /run as that is a tmpfs most of the time
 	# (bug #504854)
-	rm -rf "${ED%/}"/run
+	rm -rf "${ED}"/run
 }
 pkg_postinst() {
`@ -1 +1 @@`
	`DIST sudo-1.8.25p1.tar.gz 3189951 BLAKE2B ebfedaad62e60f625db8c46a5c8f19977a5ec0a86bab3b34d91096c08e8b8ece056ba312f9fecd4cdd704fc17d49a36681b41cd40269df7c67cd66d80c0d8efb SHA512 b1445be688d3c1dd7efbdfab68977a7a9b6fd6887191dc99ca717117eec0a550492642556cd55ca5873d054ddc5ccc2b87b2c34602e1ffc729ab6fbc4e523a72`	`DIST sudo-1.8.28.tar.gz 3309744 BLAKE2B 191a1f4239bdd2c1889b2a9c372a6fc949975e54cb510d25602798ee2e6e7b253a18fef290bc324acd4abb3049bcab909fdaa512bb24c400a95cc0901b50ab37 SHA512 09e589cdfd18d7c43b0859a0e11c008b3cb995ae4f8c89c717c5242db9e5696361eb574ebe74a0b5316afffb3a8037f7a7f3c249176e8ed9caffeb4cd860ddc7`