   linux.debian.bugs.dist      Ohh some weird Debian bug report thing      28,835 messages   


   Message 27,278 of 28,835   
   Marc Haber to All   
   Bug#1127697: trixie-pu: package sudo/1.9   
   11 Feb 26 23:10:01   
   
   XPost: linux.debian.devel.release   
   From: mh+debian-packages@zugschlus.de   
      
   This is a multi-part MIME message sent by reportbug.   
      
      
   Package: release.debian.org   
   Severity: normal   
   Tags: trixie   
   X-Debbugs-Cc: sudo@packages.debian.org   
   Control: affects -1 + src:sudo   
   User: release.debian.org@packages.debian.org   
   Usertags: pu   
      
   Hi,   
      
   I am hereby submitting sudo 1.9.16p2-3+deb13u1 for pre-approval for   
   trixie-updates and the next point release.   
      
   [ Reason ]   
   #1124399 makes sudo segfault on some i386 hosts such as AMD Geode   
   #1126085 makes sudo fail on some DSA systems due to : in sudoers.d file   
   names   
      
   [ Impact ]   
   AMD Geode users will still be unable to use sudo on amd64   
   DSA will have to change their file names   
      
   [ Tests ]   
   A small Autopkgtest suite. Both fixes are in unstable and testing.   
      
   The complete testsuite was pulled from unstable. The testsuite we   
   released in trixie didn't work too well in the unshare backend of   
   autopkgtest.   
      
   [ Risks ]   
   Not sure. It's sudo.   
      
   [ Checklist ]   
     [X] *all* changes are documented in the d/changelog
     [X] I reviewed all changes and I approve them
     [X] attach debdiff against the package in (old)stable
     [X] the issue is verified as fixed in unstable
      
   [ Changes ]   
   An upstream patch was included to address #1126085   
   A patch submitted by Marcos Del Sol Vives fixes the Geode problem by
   turning off unneeded hardening on i386. That patch is already in
   bookworm and it has passed a TC discussion.
   The testsuite was updated from unstable. This is the majority of the   
   attached debdiff.   
      
   diff -Nru sudo-1.9.16p2/debian/changelog sudo-1.9.16p2/debian/changelog   
   --- sudo-1.9.16p2/debian/changelog	2025-06-30 07:55:33.000000000 +0200   
   +++ sudo-1.9.16p2/debian/changelog	2026-02-11 20:22:01.000000000 +0100   
   @@ -1,3 +1,14 @@   
   +sudo (1.9.16p2-3+deb13u1) trixie; urgency=medium   
   +   
   +  [ Marc Haber ]   
   +  * add upstream patch: Do not perform path expansion   
   +    Thanks to Adam D. Barratt"  (Closes: #1126085)   
   +  * Enable Intel CET on amd64 only.   
   +    Thanks to Marcos Del Sol Vives (Closes: #1124339)   
   +  * Pull more robust test suite from unstable   
   +   
   + -- Marc Haber   Wed, 11 Feb 2026 20:22:01   
   +0100   
   +   
    sudo (1.9.16p2-3) unstable; urgency=high   
      
      * backport upstream patch for CVE-2025-32463   
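
Review bot: the changelog's `Closes: #1124339` does not match the bug number given in the [ Reason ] section of the report (#1124399); one of the two is a transposition, and if the changelog one is wrong the upload will close the wrong bug (or none), so check both against the BTS before uploading. The stray closing quote in `Thanks to Adam D. Barratt"` should also go. Since the first entry is an upstream fix for a regression introduced in 1.9.14, naming the upstream reference that the patch header carries (`Bug #1085`) in the changelog entry would make the provenance visible without opening the patch.
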
   diff -Nru sudo-1.9.16p2/debian/patches/0008-open_sudoers-Do-not-   
   erform-path-expansion-on-files-.patch sudo-1.9.16p2/debian/patch   
   s/0008-open_sudoers-Do-not-perform-path-expansion-on-files-.patch   
   --- sudo-1.9.16p2/debian/patches/0008-open_sudoers-Do-not-perfor   
   -path-expansion-on-files-.patch	1970-01-01 01:00:00.000000000 +0100   
   +++ sudo-1.9.16p2/debian/patches/0008-open_sudoers-Do-not-perfor   
   -path-expansion-on-files-.patch	2026-02-11 20:22:01.000000000 +0100   
   @@ -0,0 +1,34 @@   
   +From: "Todd C. Miller"    
   +Date: Sat, 24 Jan 2026 11:30:06 -0700   
   +Subject: open_sudoers: Do not perform path expansion on files in an   
   + includedir   
   +   
   +A file in an includedir containing one or more colons (':') in the   
   +name we was being expanded as a colon-separated path instead of   
   +being opened as-is.  This fixes a regression introduced in   
   +sudo 1.9.14.  Bug #1085   
   +---   
   + plugins/sudoers/sudoers.c | 10 +++++++++-   
   + 1 file changed, 9 insertions(+), 1 deletion(-)   
   +   
   +diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c   
   +index 0f75c96..fecd279 100644   
   +--- a/plugins/sudoers/sudoers.c   
   ++++ b/plugins/sudoers/sudoers.c   
   +@@ -1286,7 +1286,15 @@ open_sudoers(const char *path, char **outfile, bool   
   doedit, bool *keepopen)   
   +     int error, fd;   
   +     debug_decl(open_sudoers, SUDOERS_DEBUG_PLUGIN);   
   +   
   +-    fd = sudo_open_conf_path(path, fname, sizeof(fname), open_file);   
   ++    if (outfile == NULL) {   
   ++	/* Single file, do not treat as a path. */   
   ++	fd = open_file(path, O_RDONLY|O_NONBLOCK);   
   ++        if (fd != -1)   
   ++            (void)fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK);   
   ++    } else {   
   ++	/* Could be a colon-separated path of file names. */   
   ++	fd = sudo_open_conf_path(path, fname, sizeof(fname), open_file);   
   ++    }   
   +     if (sudoers_ctx.parser_conf.ignore_perms) {   
   + 	/* Skip sudoers security checks when ignore_perms is set. */   
   + 	if (fd == -1 || fstat(fd, &sb) == -1)   
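
Review bot: in the new `outfile == NULL` branch `fname` is no longer populated by `sudo_open_conf_path()`, so any code after this hunk that reads `fname` when `outfile` is NULL (the `ignore_perms`/`fstat` security-check path starts on the very next context line) would now see whatever was in that buffer before; confirm that nothing below still uses it in the single-file case. The line `(void)fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK);` also ignores a `-1` from `F_GETFL`, which would ask `F_SETFL` to set every flag bit except `O_NONBLOCK`; storing the `F_GETFL` result and skipping the `F_SETFL` on error is a one-line change. Two smaller points: the added lines mix a leading tab (`++\t/* Single file, do not treat as a path. */`) with eight-space indentation (`++        if (fd != -1)`), unlike the surrounding code, and the patch header is git-format only, so a DEP-3 `Bug-Debian:` line pointing at #1126085 (and an `Origin:` with the upstream commit, if known) would help whoever rebases this onto the next upstream release.
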
   diff -Nru sudo-1.9.16p2/debian/patches/amd64-ibt.diff sudo-1.9.1   
   p2/debian/patches/amd64-ibt.diff   
   --- sudo-1.9.16p2/debian/patches/amd64-ibt.diff	1970-01-01 01:00:00.000000000   
   +0100   
   +++ sudo-1.9.16p2/debian/patches/amd64-ibt.diff	2026-02-11 20:22:01.000000000   
   +0100   
   @@ -0,0 +1,28 @@   
   +From: Marcos Del Sol Vives    
   +Date: Tue, 2 Sep 2025 00:00:35 +0200   
   +Subject: Enable Intel CET on amd64 only   
   +   
   +---   
   + m4/hardening.m4 | 2 ++   
   + 1 file changed, 2 insertions(+)   
   +   
   +diff --git a/m4/hardening.m4 b/m4/hardening.m4   
   +index f7d2a8c..cc7ee01 100644   
   +--- a/m4/hardening.m4   
   ++++ b/m4/hardening.m4   
   +@@ -105,6 +105,7 @@ AC_DEFUN([SUDO_CHECK_HARDENING], [   
   + 		])   
   + 	    fi   
   +   
   ++	    if test "$host_cpu" = "x86_64"; then   
   + 	    # Check for control-flow transfer instrumentation (Intel CET).   
   + 	    AX_CHECK_COMPILE_FLAG([-fcf-protection], [   
   + 		AX_CHECK_LINK_FLAG([-fcf-protection], [   
   +@@ -112,6 +113,7 @@ AC_DEFUN([SUDO_CHECK_HARDENING], [   
   + 		    AX_APPEND_FLAG([-Wc,-fcf-protection], [HARDENING_LDFLAGS])   
   + 		])   
   + 	    ])   
   ++	    fi   
   + 	fi   
   +   
   + 	# Linker-specific hardening flags.   
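
Review bot: the guard `test "$host_cpu" = "x86_64"` turns off `-fcf-protection` for every host that is not x86_64, so the whole Debian i386 baseline loses it, not only Geode; that is the trade-off the report body describes as unneeded hardening on i386, but the patch itself has an empty description, so a future maintainer diffing `m4/hardening.m4` against upstream has no record of why. Add a DEP-3 `Description:` with the Geode segfault and the TC outcome, plus `Bug-Debian:` for the Geode bug. The added `if`/`fi` wrap the `AX_CHECK_COMPILE_FLAG([-fcf-protection], [` block without re-indenting it, which m4 accepts but which makes the nesting easy to misread; and the file is named `amd64-ibt.diff` while `-fcf-protection` covers both the indirect-branch (IBT) and the return-tracking (shadow stack) halves of CET, so a name matching the Subject line (`amd64-cet.diff`) would be less misleading.
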
   diff -Nru sudo-1.9.16p2/debian/patches/series sudo-1.9.16p2/debi   
   n/patches/series   
   --- sudo-1.9.16p2/debian/patches/series	2025-06-30 07:55:33.000000000 +0200   
   +++ sudo-1.9.16p2/debian/patches/series	2026-02-11 20:22:01.000000000 +0100   
   @@ -5,3 +5,5 @@   
    X11R6.patch   
    0007-upstream-patch-for-CVE-2025-32463.patch   
    0008-upstream-patch-for-CVE-2025-32462.patch   
   +0008-open_sudoers-Do-not-perform-path-expansion-on-files-.patch   
   +amd64-ibt.diff   
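
Review bot: `series` now contains two entries with the `0008-` prefix (`0008-upstream-patch-for-CVE-2025-32462.patch` and the new `0008-open_sudoers-Do-not-perform-path-expansion-on-files-.patch`); quilt does not care about the number, but the changelog and future debdiffs refer to patches by it, so renaming the new one to `0009-` avoids ambiguity. Since quilt applies in series order, also confirm that `quilt push -a` is clean with the two new entries appended after the CVE patches in the trixie tree; the [ Tests ] section only says the fixes are in unstable, where the series may differ.
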
      
   [continued in next message]   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
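The second bug in the report (sudoers.d file names containing ':' being treated as a colon-separated search path on sudo 1.9.14 through 1.9.16p2) is something an administrator can audit for before and after the update. The script below is an added example, not part of the bug report or of the sudo package: it lists the entries in a sudoers include directory that contain a colon and that sudo would actually parse, skipping the names sudoers(5) documents as ignored (containing '.' or ending in '~'). The function names and the optional `visudo` wrapper are this example's own; the wrapper needs read access to the directory and may need root.

```shell
#!/bin/sh
# Added example (not from the bug report or the sudo package).
# Find sudoers include-directory entries whose names contain ':'.
# Per the upstream patch quoted in the report, sudo 1.9.14..1.9.16p2 split
# such a name on ':' as a search path instead of opening the file as-is.
# Names sudo never parses anyway (containing '.' or ending in '~', per
# sudoers(5)) are skipped so the report lists only entries that matter.

# Print the names in directory $1 that contain a colon and would be parsed.
find_colon_includes() {
    dir=$1
    [ -d "$dir" ] || return 0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        case $name in
            *.*|*~) continue ;;              # ignored by sudo, never opened
            *:*)    printf '%s\n' "$name" ;; # affected on buggy versions
        esac
    done
    return 0
}

# Count such entries (handy for an exit code in a pre-upgrade check).
count_colon_includes() {
    find_colon_includes "$1" | wc -l | tr -d ' '
}

# Optional: if visudo is installed, parse a throw-away sudoers that only
# includes $1, which exercises the code path the report describes.
# Prints visudo's verdict and returns its exit status; skips cleanly otherwise.
check_with_visudo() {
    dir=$1
    command -v visudo >/dev/null 2>&1 || { echo "visudo not installed; skipped"; return 0; }
    tmp=$(mktemp) || return 2
    printf '@includedir %s\n' "$dir" > "$tmp"
    visudo -cf "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage: find_colon_includes /etc/sudoers.d
#        [ "$(count_colon_includes /etc/sudoers.d)" = 0 ] || echo "affected entries present"
```

On an affected version, an entry printed by `find_colon_includes` is the one `visudo -cf` will report as unreadable; after the update both agree that the file parses. The `*.*|*~` skip is taken from the sudoers(5) includedir rules and is deliberately applied before the colon test, so a name like `pkg.conf:x` is not reported as a problem.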
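The CET change can likewise be verified on the installed binaries rather than trusted from the changelog: a binary built with `-fcf-protection` carries a `.note.gnu.property` note that `readelf -n` renders as `x86 feature: IBT, SHSTK`, so after this update the amd64 `sudo` should still show it and the i386 build should not. The following is an added example, not code from the report or from sudo; the function names are this example's own, and the readelf output it is tested against is constructed to match binutils' format.

```shell
#!/bin/sh
# Added example (not from the bug report or the sudo package).
# Report whether an x86 ELF binary was linked with Intel CET enabled by
# reading the GNU property note that the toolchain emits for -fcf-protection.

# Extract the x86 feature list from `readelf --notes` text on stdin.
# Prints e.g. "IBT, SHSTK"; prints "none" when no such property is present.
cet_features_from_notes() {
    feat=$(sed -n 's/.*x86 feature:[[:space:]]*//p' | head -n 1)
    if [ -n "$feat" ]; then
        printf '%s\n' "$feat"
    else
        echo none
    fi
}

# Run readelf on binary $1 and print its x86 feature property.
# Returns 2 when readelf (binutils) is not available.
cet_features() {
    bin=$1
    command -v readelf >/dev/null 2>&1 || { echo "readelf not installed" >&2; return 2; }
    readelf -n "$bin" 2>/dev/null | cet_features_from_notes
}

# Exit 0 when binary $1 carries the IBT property (built with CET), 1 otherwise.
has_ibt() {
    case $(cet_features "$1") in
        *IBT*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Usage: cet_features /usr/bin/sudo
#        has_ibt /usr/bin/sudo && echo "CET enabled" || echo "CET absent"
```

Run it against the amd64 and i386 packages of 1.9.16p2-3+deb13u1 (for example on the `.deb` contents unpacked with `dpkg-deb -x`) to confirm the patch did what its subject says: the property present on amd64, absent on i386.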



(c) 1994,  bbs@darkrealms.ca