Non-maintainer commit: Revision bump to fix CVE-2010-2956 (bug 335381). Removing vulnerable versions.

(Portage version: 2.2_rc67/cvs/Linux x86_64, RepoMan options: --force)
author: Alex Legler <a3li@gentoo.org> 2010-09-07 12:00:59 +0000
committer: Alex Legler <a3li@gentoo.org> 2010-09-07 12:00:59 +0000
commit: 479c8139afcfa60adcb39d1697657cbf15738646 (patch)
tree: a5d81903c708ddc802bf1b134c8ec0d95760eb10
parent: Revision bump to fix bug #299362 following upstream indications and applying ... (diff)
download: gentoo-2-479c8139afcfa60adcb39d1697657cbf15738646.tar.gz
gentoo-2-479c8139afcfa60adcb39d1697657cbf15738646.tar.bz2
gentoo-2-479c8139afcfa60adcb39d1697657cbf15738646.zip
5 files changed, 115 insertions, 448 deletions
diff --git a/app-admin/sudo/ChangeLog b/app-admin/sudo/ChangeLog
index 90f96f416d9d..8f8f359fc580 100644
--- a/app-admin/sudo/ChangeLog
+++ b/app-admin/sudo/ChangeLog
@@ -1,6 +1,14 @@
 # ChangeLog for app-admin/sudo
 # Copyright 1999-2010 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/app-admin/sudo/ChangeLog,v 1.242 2010/09/06 20:46:37 ranger Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-admin/sudo/ChangeLog,v 1.243 2010/09/07 12:00:58 a3li Exp $
+
+*sudo-1.7.4_p3-r1 (07 Sep 2010)
+
+  07 Sep 2010; Alex Legler <a3li@gentoo.org> -sudo-1.7.2_p7.ebuild,
+  -sudo-1.7.3.ebuild, -sudo-1.7.4_p3.ebuild, +sudo-1.7.4_p3-r1.ebuild,
+  +files/sudo-CVE-2010-2956.patch:
+  Non-maintainer commit: Revision bump to fix CVE-2010-2956 (bug 335381).
+  Removing vulnerable versions.
 
   06 Sep 2010; Brent Baude <ranger@gentoo.org> sudo-1.7.3.ebuild:
   Marking sudo-1.7.3 ppc64 for bug 330827
diff --git a/app-admin/sudo/files/sudo-CVE-2010-2956.patch b/app-admin/sudo/files/sudo-CVE-2010-2956.patch
new file mode 100644
index 000000000000..1fda2fb790fa
--- /dev/null
+++ b/app-admin/sudo/files/sudo-CVE-2010-2956.patch
@@ -0,0 +1,102 @@
+diff -r 24a695707b67 match.c
+--- a/match.c	Thu Aug 26 11:36:47 2010 -0400
++++ b/match.c	Mon Aug 30 07:22:49 2010 -0400
+@@ -170,15 +170,9 @@
+ {
+     struct member *m;
+     struct alias *a;
+-    int rval, matched = UNSPEC;
+-
+-    if (runas_gr != NULL) {
+-	if (tq_empty(group_list))
+-	    return(DENY); /* group was specified but none in sudoers */
+-	if (runas_pw != NULL && strcmp(runas_pw->pw_name, user_name) &&
+-	    tq_empty(user_list))
+-	    return(DENY); /* user was specified but none in sudoers */
+-    }
++    int rval;
++    int user_matched = UNSPEC;
++    int group_matched = UNSPEC;
+ 
+     if (tq_empty(user_list) && tq_empty(group_list))
+ 	return(userpw_matches(def_runas_default, runas_pw->pw_name, runas_pw));
+@@ -187,59 +181,67 @@
+ 	tq_foreach_rev(user_list, m) {
+ 	    switch (m->type) {
+ 		case ALL:
+-		    matched = !m->negated;
++		    user_matched = !m->negated;
+ 		    break;
+ 		case NETGROUP:
+ 		    if (netgr_matches(m->name, NULL, NULL, runas_pw->pw_name))
+-			matched = !m->negated;
++			user_matched = !m->negated;
+ 		    break;
+ 		case USERGROUP:
+ 		    if (usergr_matches(m->name, runas_pw->pw_name, runas_pw))
+-			matched = !m->negated;
++			user_matched = !m->negated;
+ 		    break;
+ 		case ALIAS:
+ 		    if ((a = alias_find(m->name, RUNASALIAS)) != NULL) {
+ 			rval = _runaslist_matches(&a->members, &empty);
+ 			if (rval != UNSPEC)
+-			    matched = m->negated ? !rval : rval;
++			    user_matched = m->negated ? !rval : rval;
+ 			break;
+ 		    }
+ 		    /* FALLTHROUGH */
+ 		case WORD:
+ 		    if (userpw_matches(m->name, runas_pw->pw_name, runas_pw))
+-			matched = !m->negated;
++			user_matched = !m->negated;
+ 		    break;
+ 	    }
+-	    if (matched != UNSPEC)
++	    if (user_matched != UNSPEC)
+ 		break;
+ 	}
+     }
+ 
+     if (runas_gr != NULL) {
++	if (user_matched == UNSPEC) {
++	    if (runas_pw == NULL || strcmp(runas_pw->pw_name, user_name) == 0)
++		user_matched = ALLOW;	/* only changing group */
++	}
+ 	tq_foreach_rev(group_list, m) {
+ 	    switch (m->type) {
+ 		case ALL:
+-		    matched = !m->negated;
++		    group_matched = !m->negated;
+ 		    break;
+ 		case ALIAS:
+ 		    if ((a = alias_find(m->name, RUNASALIAS)) != NULL) {
+ 			rval = _runaslist_matches(&a->members, &empty);
+ 			if (rval != UNSPEC)
+-			    matched = m->negated ? !rval : rval;
++			    group_matched = m->negated ? !rval : rval;
+ 			break;
+ 		    }
+ 		    /* FALLTHROUGH */
+ 		case WORD:
+ 		    if (group_matches(m->name, runas_gr))
+-			matched = !m->negated;
++			group_matched = !m->negated;
+ 		    break;
+ 	    }
+-	    if (matched != UNSPEC)
++	    if (group_matched != UNSPEC)
+ 		break;
+ 	}
+     }
+ 
+-    return(matched);
++    if (user_matched == DENY || group_matched == DENY)
++	return(DENY);
++    if (user_matched == group_matched || runas_gr == NULL)
++	return(user_matched);
++    return(UNSPEC);
+ }
+ 
+ int
+
diff --git a/app-admin/sudo/sudo-1.7.2_p7.ebuild b/app-admin/sudo/sudo-1.7.2_p7.ebuild
deleted file mode 100644
index 407e0d8bdcc8..000000000000
--- a/app-admin/sudo/sudo-1.7.2_p7.ebuild
+++ /dev/null
@@ -1,221 +0,0 @@
-# Copyright 1999-2010 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/app-admin/sudo/sudo-1.7.2_p7.ebuild,v 1.8 2010/06/25 09:25:27 pva Exp $
-
-inherit eutils pam confutils
-
-MY_P=${P/_/}
-MY_P=${MY_P/beta/b}
-
-case "${P}" in
-	*_beta* | *_rc*)
-		uri_prefix=beta/
-		;;
-	*)
-		uri_prefix=""
-		;;
-esac
-
-DESCRIPTION="Allows users or groups to run commands as other users"
-HOMEPAGE="http://www.sudo.ws/"
-SRC_URI="ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz"
-# Basic license is ISC-style as-is, some files are released under
-# 3-clause BSD license
-LICENSE="as-is BSD"
-SLOT="0"
-KEYWORDS="alpha amd64 arm hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~sparc-fbsd ~x86-fbsd"
-IUSE="pam skey offensive ldap selinux"
-
-DEPEND="pam? ( virtual/pam )
-	ldap? (
-		>=net-nds/openldap-2.1.30-r1
-		dev-libs/cyrus-sasl
-	)
-	skey? ( >=sys-auth/skey-1.1.5-r1 )
-	app-editors/gentoo-editor
-	virtual/editor
-	virtual/mta"
-RDEPEND="selinux? ( sec-policy/selinux-sudo )
-	ldap? ( dev-lang/perl )
-	pam? ( sys-auth/pambase )
-	${DEPEND}"
-DEPEND="${DEPEND} sys-devel/bison"
-
-S=${WORKDIR}/${MY_P}
-
-pkg_setup() {
-	confutils_use_conflict skey pam
-}
-
-src_unpack() {
-	unpack ${A}; cd "${S}"
-
-	# compatability fix.
-	epatch "${FILESDIR}"/${PN}-skeychallengeargs.diff
-
-	# additional variables to disallow, should user disable env_reset.
-
-	# NOTE: this is not a supported mode of operation, these variables
-	#       are added to the blacklist as a convenience to administrators
-	#       who fail to heed the warnings of allowing untrusted users
-	#       to access sudo.
-	#
-	#       there is *no possible way* to foresee all attack vectors in
-	#       all possible applications that could potentially be used via
-	#       sudo, these settings will just delay the inevitable.
-	#
-	#       that said, I will accept suggestions for variables that can
-	#       be misused in _common_ interpreters or libraries, such as
-	#       perl, bash, python, ruby, etc., in the hope of dissuading
-	#       a casual attacker.
-
-	# XXX: perl should be using suid_perl.
-	# XXX: users can remove/add more via env_delete and env_check.
-	# XXX: <?> = probably safe enough for most circumstances.
-
-	einfo "Blacklisting common variables (env_delete)..."
-		sudo_bad_var() {
-			local target='env.c' marker='\*initial_badenv_table\[\]'
-
-			ebegin "	$1"
-			sed -i 's#\(^.*'${marker}'.*$\)#\1\n\t"'${1}'",#' "${S}"/${target}
-			eend $?
-		}
-
-		sudo_bad_var 'PERLIO_DEBUG'   # perl, write debug to file.
-		sudo_bad_var 'FPATH'          # ksh, search path for functions.
-		sudo_bad_var 'NULLCMD'        # zsh, command on null-redir. <?>
-		sudo_bad_var 'READNULLCMD'    # zsh, command on null-redir. <?>
-		sudo_bad_var 'GLOBIGNORE'     # bash, glob paterns to ignore. <?>
-		sudo_bad_var 'PYTHONHOME'     # python, module search path.
-		sudo_bad_var 'PYTHONPATH'     # python, search path.
-		sudo_bad_var 'PYTHONINSPECT'  # python, allow inspection.
-		sudo_bad_var 'RUBYLIB'        # ruby, lib load path.
-		sudo_bad_var 'RUBYOPT'        # ruby, cl options.
-		sudo_bad_var 'ZDOTDIR'        # zsh, path to search for dotfiles.
-	einfo "...done."
-
-	# prevent binaries from being stripped.
-	sed -i 's/\($(INSTALL).*\) -s \(.*[(sudo|visudo)]\)/\1 \2/g' Makefile.in
-}
-
-src_compile() {
-	local line ROOTPATH
-
-	# FIXME: secure_path is a compile time setting. using ROOTPATH
-	# is not perfect, env-update may invalidate this, but until it
-	# is available as a sudoers setting this will have to do.
-	einfo "Setting secure_path..."
-
-		# why not use grep? variable might be expanded from other variables
-		# declared in that file. cannot just source the file, would override
-		# any variables already set.
-		eval `PS4= bash -x /etc/profile.env 2>&1 | \
-			while read line; do
-				case $line in
-					ROOTPATH=*) echo $line; break;;
-					*) continue;;
-				esac
-			done`  && einfo "	Found ROOTPATH..." || \
-				ewarn "	Failed to find ROOTPATH, please report this."
-
-		# remove duplicate path entries from $1
-		cleanpath() {
-			local i=1 x n IFS=:
-			local -a paths;	paths=($1)
-
-			for ((n=${#paths[*]}-1;i<=n;i++)); do
-				for ((x=0;x<i;x++)); do
-					test "${paths[i]}" == "${paths[x]}" && {
-						einfo "	Duplicate entry ${paths[i]} removed..." 1>&2
-						unset paths[i]; continue 2; }
-				done; # einfo "	Adding ${paths[i]}..." 1>&2
-			done; echo "${paths[*]}"
-		}
-
-		ROOTPATH=$(cleanpath /bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/opt/bin${ROOTPATH:+:${ROOTPATH}})
-
-		# strip gcc path (bug #136027)
-		rmpath() {
-			declare e newpath oldpath=${!1} PATHvar=$1 thisp IFS=:
-			shift
-			for thisp in $oldpath; do
-				for e; do [[ $thisp == $e ]] && continue 2; done
-				newpath=$newpath:$thisp
-			done
-			eval $PATHvar='${newpath#:}'
-		}
-
-		rmpath ROOTPATH '*/gcc-bin/*'
-
-	einfo "...done."
-
-	# XXX: --disable-path-info closes an info leak, but may be confusing.
-	econf --with-secure-path="${ROOTPATH}" \
-		--with-editor=/usr/libexec/gentoo-editor \
-		--with-env-editor \
-		$(use_with offensive insults) \
-		$(use_with offensive all-insults) \
-		$(use_with pam) \
-		$(use_with skey) \
-		$(use_with ldap ldap_conf_file /etc/ldap.conf.sudo) \
-		$(use_with ldap) || die
-
-	emake || die
-}
-
-src_install() {
-	emake DESTDIR="${D}" install || die
-	dodoc ChangeLog HISTORY PORTING README TROUBLESHOOTING \
-		UPGRADE WHATSNEW sample.sudoers sample.syslog.conf
-
-	if use ldap; then
-		dodoc README.LDAP schema.OpenLDAP
-		dosbin sudoers2ldif
-
-		cat - > "${T}"/ldap.conf.sudo <<EOF
-# See ldap.conf(5) and README.LDAP for details\n"
-# This file should only be readable by root\n\n"
-# supported directives: host, port, ssl, ldap_version\n"
-# uri, binddn, bindpw, sudoers_base, sudoers_debug\n"
-# tls_{checkpeer,cacertfile,cacertdir,randfile,ciphers,cert,key
-EOF
-
-		insinto /etc
-		doins "${T}"/ldap.conf.sudo
-		fperms 0440 /etc/ldap.conf.sudo
-	fi
-
-	pamd_mimic system-auth sudo auth account password session
-
-	insinto /etc
-	doins "${S}"/sudoers
-	fperms 0440 /etc/sudoers
-}
-
-pkg_postinst() {
-	if use ldap; then
-		ewarn
-		ewarn "sudo uses the /etc/ldap.conf.sudo file for ldap configuration."
-		ewarn
-		if egrep -q '^[[:space:]]*sudoers:' "${ROOT}"/etc/nsswitch.conf; then
-			ewarn "In 1.7 series, LDAP is no more consulted, unless explicitly"
-			ewarn "configured in /etc/nsswitch.conf."
-			ewarn
-			ewarn "To make use of LDAP, add this line to your /etc/nsswitch.conf:"
-			ewarn "  sudoers: ldap files"
-			ewarn
-		fi
-	fi
-
-	elog "To use the -A (askpass) option, you need to install a compatible"
-	elog "password program from the following list. Starred packages will"
-	elog "automatically register for the use with sudo (but will not force"
-	elog "the -A option):"
-	elog ""
-	elog " [*] net-misc/ssh-askpass-fullscreen"
-	elog "     net-misc/x11-ssh-askpass"
-	elog ""
-	elog "You can override the choice by setting the SUDO_ASKPASS environmnent"
-	elog "variable to the program you want to use."
-}
diff --git a/app-admin/sudo/sudo-1.7.3.ebuild b/app-admin/sudo/sudo-1.7.3.ebuild
deleted file mode 100644
index 08c0fcea1ff7..000000000000
--- a/app-admin/sudo/sudo-1.7.3.ebuild
+++ /dev/null
@@ -1,224 +0,0 @@
-# Copyright 1999-2010 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/app-admin/sudo/sudo-1.7.3.ebuild,v 1.8 2010/09/06 20:46:37 ranger Exp $
-
-inherit eutils pam confutils
-
-MY_P=${P/_/}
-MY_P=${MY_P/beta/b}
-
-case "${P}" in
-	*_beta* | *_rc*)
-		uri_prefix=beta/
-		;;
-	*)
-		uri_prefix=""
-		;;
-esac
-
-DESCRIPTION="Allows users or groups to run commands as other users"
-HOMEPAGE="http://www.sudo.ws/"
-SRC_URI="ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz"
-# Basic license is ISC-style as-is, some files are released under
-# 3-clause BSD license
-LICENSE="as-is BSD"
-SLOT="0"
-KEYWORDS="alpha amd64 arm hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~sparc-fbsd ~x86-fbsd"
-IUSE="pam skey offensive ldap selinux"
-
-DEPEND="pam? ( virtual/pam )
-	ldap? (
-		>=net-nds/openldap-2.1.30-r1
-		dev-libs/cyrus-sasl
-	)
-	skey? ( >=sys-auth/skey-1.1.5-r1 )
-	app-editors/gentoo-editor
-	virtual/editor
-	virtual/mta"
-RDEPEND="selinux? ( sec-policy/selinux-sudo )
-	ldap? ( dev-lang/perl )
-	pam? ( sys-auth/pambase )
-	${DEPEND}"
-DEPEND="${DEPEND} sys-devel/bison"
-
-S=${WORKDIR}/${MY_P}
-
-pkg_setup() {
-	confutils_use_conflict skey pam
-}
-
-src_unpack() {
-	unpack ${A}; cd "${S}"
-
-	# compatability fix.
-	epatch "${FILESDIR}"/${PN}-skeychallengeargs.diff
-
-	# additional variables to disallow, should user disable env_reset.
-
-	# NOTE: this is not a supported mode of operation, these variables
-	#       are added to the blacklist as a convenience to administrators
-	#       who fail to heed the warnings of allowing untrusted users
-	#       to access sudo.
-	#
-	#       there is *no possible way* to foresee all attack vectors in
-	#       all possible applications that could potentially be used via
-	#       sudo, these settings will just delay the inevitable.
-	#
-	#       that said, I will accept suggestions for variables that can
-	#       be misused in _common_ interpreters or libraries, such as
-	#       perl, bash, python, ruby, etc., in the hope of dissuading
-	#       a casual attacker.
-
-	# XXX: perl should be using suid_perl.
-	# XXX: users can remove/add more via env_delete and env_check.
-	# XXX: <?> = probably safe enough for most circumstances.
-
-	einfo "Blacklisting common variables (env_delete)..."
-		sudo_bad_var() {
-			local target='env.c' marker='\*initial_badenv_table\[\]'
-
-			ebegin "	$1"
-			sed -i 's#\(^.*'${marker}'.*$\)#\1\n\t"'${1}'",#' "${S}"/${target}
-			eend $?
-		}
-
-		sudo_bad_var 'PERLIO_DEBUG'   # perl, write debug to file.
-		sudo_bad_var 'FPATH'          # ksh, search path for functions.
-		sudo_bad_var 'NULLCMD'        # zsh, command on null-redir. <?>
-		sudo_bad_var 'READNULLCMD'    # zsh, command on null-redir. <?>
-		sudo_bad_var 'GLOBIGNORE'     # bash, glob paterns to ignore. <?>
-		sudo_bad_var 'PYTHONHOME'     # python, module search path.
-		sudo_bad_var 'PYTHONPATH'     # python, search path.
-		sudo_bad_var 'PYTHONINSPECT'  # python, allow inspection.
-		sudo_bad_var 'RUBYLIB'        # ruby, lib load path.
-		sudo_bad_var 'RUBYOPT'        # ruby, cl options.
-		sudo_bad_var 'ZDOTDIR'        # zsh, path to search for dotfiles.
-	einfo "...done."
-
-	# prevent binaries from being stripped.
-	sed -i 's/\($(INSTALL).*\) -s \(.*[(sudo|visudo)]\)/\1 \2/g' Makefile.in
-}
-
-src_compile() {
-	local line ROOTPATH
-
-	# FIXME: secure_path is a compile time setting. using ROOTPATH
-	# is not perfect, env-update may invalidate this, but until it
-	# is available as a sudoers setting this will have to do.
-	einfo "Setting secure_path..."
-
-		# why not use grep? variable might be expanded from other variables
-		# declared in that file. cannot just source the file, would override
-		# any variables already set.
-		eval `PS4= bash -x /etc/profile.env 2>&1 | \
-			while read line; do
-				case $line in
-					ROOTPATH=*) echo $line; break;;
-					*) continue;;
-				esac
-			done`  && einfo "	Found ROOTPATH..." || \
-				ewarn "	Failed to find ROOTPATH, please report this."
-
-		# remove duplicate path entries from $1
-		cleanpath() {
-			local i=1 x n IFS=:
-			local -a paths;	paths=($1)
-
-			for ((n=${#paths[*]}-1;i<=n;i++)); do
-				for ((x=0;x<i;x++)); do
-					test "${paths[i]}" == "${paths[x]}" && {
-						einfo "	Duplicate entry ${paths[i]} removed..." 1>&2
-						unset paths[i]; continue 2; }
-				done; # einfo "	Adding ${paths[i]}..." 1>&2
-			done; echo "${paths[*]}"
-		}
-
-		ROOTPATH=$(cleanpath /bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/opt/bin${ROOTPATH:+:${ROOTPATH}})
-
-		# strip gcc path (bug #136027)
-		rmpath() {
-			declare e newpath oldpath=${!1} PATHvar=$1 thisp IFS=:
-			shift
-			for thisp in $oldpath; do
-				for e; do [[ $thisp == $e ]] && continue 2; done
-				newpath=$newpath:$thisp
-			done
-			eval $PATHvar='${newpath#:}'
-		}
-
-		rmpath ROOTPATH '*/gcc-bin/*'
-
-	einfo "...done."
-
-	# XXX: --disable-path-info closes an info leak, but may be confusing.
-	# audit: somebody got to explain me how I can test this before I
-	# enable it.. — Diego
-	econf --with-secure-path="${ROOTPATH}" \
-		--with-editor=/usr/libexec/gentoo-editor \
-		--with-env-editor \
-		$(use_with offensive insults) \
-		$(use_with offensive all-insults) \
-		$(use_with pam) \
-		$(use_with skey) \
-		$(use_with ldap ldap_conf_file /etc/ldap.conf.sudo) \
-		$(use_with ldap) \
-		--without-linux-audit
-
-	emake || die
-}
-
-src_install() {
-	emake DESTDIR="${D}" install || die
-	dodoc ChangeLog HISTORY PORTING README TROUBLESHOOTING \
-		UPGRADE WHATSNEW sample.sudoers sample.syslog.conf
-
-	if use ldap; then
-		dodoc README.LDAP schema.OpenLDAP
-		dosbin sudoers2ldif
-
-		cat - > "${T}"/ldap.conf.sudo <<EOF
-# See ldap.conf(5) and README.LDAP for details\n"
-# This file should only be readable by root\n\n"
-# supported directives: host, port, ssl, ldap_version\n"
-# uri, binddn, bindpw, sudoers_base, sudoers_debug\n"
-# tls_{checkpeer,cacertfile,cacertdir,randfile,ciphers,cert,key
-EOF
-
-		insinto /etc
-		doins "${T}"/ldap.conf.sudo
-		fperms 0440 /etc/ldap.conf.sudo
-	fi
-
-	pamd_mimic system-auth sudo auth account password session
-
-	insinto /etc
-	doins "${S}"/sudoers
-	fperms 0440 /etc/sudoers
-}
-
-pkg_postinst() {
-	if use ldap; then
-		ewarn
-		ewarn "sudo uses the /etc/ldap.conf.sudo file for ldap configuration."
-		ewarn
-		if egrep -q '^[[:space:]]*sudoers:' "${ROOT}"/etc/nsswitch.conf; then
-			ewarn "In 1.7 series, LDAP is no more consulted, unless explicitly"
-			ewarn "configured in /etc/nsswitch.conf."
-			ewarn
-			ewarn "To make use of LDAP, add this line to your /etc/nsswitch.conf:"
-			ewarn "  sudoers: ldap files"
-			ewarn
-		fi
-	fi
-
-	elog "To use the -A (askpass) option, you need to install a compatible"
-	elog "password program from the following list. Starred packages will"
-	elog "automatically register for the use with sudo (but will not force"
-	elog "the -A option):"
-	elog ""
-	elog " [*] net-misc/ssh-askpass-fullscreen"
-	elog "     net-misc/x11-ssh-askpass"
-	elog ""
-	elog "You can override the choice by setting the SUDO_ASKPASS environmnent"
-	elog "variable to the program you want to use."
-}
diff --git a/app-admin/sudo/sudo-1.7.4_p3.ebuild b/app-admin/sudo/sudo-1.7.4_p3-r1.ebuild
index 3b3bd1b89bc5..af0ae6c65016 100644
--- a/app-admin/sudo/sudo-1.7.4_p3.ebuild
+++ b/app-admin/sudo/sudo-1.7.4_p3-r1.ebuild
@@ -1,6 +1,6 @@
 # Copyright 1999-2010 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/app-admin/sudo/sudo-1.7.4_p3.ebuild,v 1.1 2010/08/19 12:03:59 flameeyes Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-admin/sudo/sudo-1.7.4_p3-r1.ebuild,v 1.1 2010/09/07 12:00:58 a3li Exp $
 
 inherit eutils pam
 
@@ -26,7 +26,7 @@ SRC_URI="http://www.sudo.ws/sudo/dist/${uri_prefix}${MY_P}.tar.gz
 LICENSE="as-is BSD"
 
 SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~sparc-fbsd ~x86-fbsd"
+KEYWORDS="alpha amd64 arm hppa ia64 ~m68k ~mips ppc ppc64 s390 sh sparc x86 ~sparc-fbsd ~x86-fbsd"
 IUSE="pam skey offensive ldap selinux"
 
 DEPEND="pam? ( virtual/pam )
@@ -60,6 +60,8 @@ src_unpack() {
 	# compatability fix.
 	epatch "${FILESDIR}"/${PN}-skeychallengeargs.diff
 
+	epatch "${FILESDIR}"/${PN}-CVE-2010-2956.patch
+
 	# additional variables to disallow, should user disable env_reset.
 
 	# NOTE: this is not a supported mode of operation, these variables
author	Alex Legler <a3li@gentoo.org>	2010-09-07 12:00:59 +0000
committer	Alex Legler <a3li@gentoo.org>	2010-09-07 12:00:59 +0000
commit	479c8139afcfa60adcb39d1697657cbf15738646 (patch)
tree	a5d81903c708ddc802bf1b134c8ec0d95760eb10
parent	Revision bump to fix bug #299362 following upstream indications and applying ... (diff)
download	gentoo-2-479c8139afcfa60adcb39d1697657cbf15738646.tar.gz gentoo-2-479c8139afcfa60adcb39d1697657cbf15738646.tar.bz2 gentoo-2-479c8139afcfa60adcb39d1697657cbf15738646.zip