Merge sudo 1.9.17 from branch 'main' into sudo-1.9

Author: millert

.github/workflows/codeql-analysis.yml

@@ -9,7 +9,7 @@
 # the `language` matrix defined below to confirm you have the correct set of
 # supported CodeQL languages.
 #
-name: "CodeQL"
+name: "CodeQL Advanced"
 
 on:
   push:
@@ -22,51 +22,69 @@ on:
 
 jobs:
   analyze:
-    name: Analyze
-    runs-on: ubuntu-latest
+    name: Analyze (${{ matrix.language }})
+    runs-on: 'ubuntu-latest'
     permissions:
+      # required for all workflows
+      security-events: write
+
+      # required to fetch internal or private CodeQL packs
+      packages: read
+
+      # only required for workflows in private repositories
       actions: read
       contents: read
-      security-events: write
 
     strategy:
       fail-fast: false
       matrix:
-        language: [ 'cpp', 'python' ]
-        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
-        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
-
+        include:
+        - language: c-cpp
+          build-mode: autobuild
+        - language: python
+          build-mode: none
+        # CodeQL supports the following values keywords for 'language': 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift'
+        # Use `c-cpp` to analyze code written in C, C++ or both
+        # Use 'java-kotlin' to analyze code written in Java, Kotlin or both
+        # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
+        # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
+        # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
+        # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
+        # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@v3
       with:
         languages: ${{ matrix.language }}
+        build-mode: ${{ matrix.build-mode }}
         # If you wish to specify custom queries, you can do so here or in a config file.
         # By default, queries listed here will override any specified in a config file.
         # Prefix the list here with "+" to use these queries and those in the config file.
-        
-        # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
-        # queries: security-extended,security-and-quality
 
-        
-    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
-    # If this step fails, then you should remove it and run the build manually (see below)
-    - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
+        # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+        # queries: security-extended,security-and-quality
 
+    # If the analyze step fails for one of the languages you are analyzing with
+    # "We were unable to automatically build your code", modify the matrix above
+    # to set the build mode to "manual" for that language. Then modify this step
+    # to build your code.
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
-
-    #   If the Autobuild fails above, remove it and uncomment the following three lines. 
-    #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
-
-    # - run: |
-    #   echo "Run, Build Application using script"
-    #   ./location_of_script_within_repo/buildscript.sh
+    - if: matrix.build-mode == 'manual'
+      shell: bash
+      run: |
+        echo 'If you are using a "manual" build mode for one or more of the' \
+          'languages you are analyzing, replace this with the commands to build' \
+          'your code, for example:'
+        echo '  make bootstrap'
+        echo '  make release'
+        exit 1
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@v3
+      with:
+        category: "/language:${{matrix.language}}"

.github/workflows/main.yml

@@ -37,14 +37,14 @@ jobs:
         fuzz-seconds: 600
         output-sarif: true
     - name: Upload Crash
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       if: failure() && steps.build.outcome == 'success'
       with:
         name: artifacts
         path: ./out/artifacts
     - name: Upload Sarif
       if: always() && steps.build.outcome == 'success'
-      uses: github/codeql-action/upload-sarif@v2
+      uses: github/codeql-action/upload-sarif@v3
       with:
         # Path to SARIF file relative to the root of the repository
         sarif_file: cifuzz-sarif/results.sarif

.gitignore

@@ -98,3 +98,5 @@ plugins/sudoers/regress/testsudoers/test3.d/root
 plugins/python/__pycache__
 plugins/python/regress/__pycache__
 plugins/python/check_python_examples
+
+scripts/check_man

.hgignore

@@ -77,3 +77,5 @@ Makefile$
 ^plugins/python/__pycache__
 ^plugins/python/regress/__pycache__
 ^plugins/python/check_python_examples$
+
+^scripts/check_man$

INSTALL.md

@@ -736,6 +736,14 @@ Defaults are listed in brackets after the description.
         of the "env_reset" Defaults option in sudoers to false.
         Sudoers option: !env_reset
 
+    --disable-ignore-dot
+        By default, sudo will not search for a command in the current
+        working directory, even if "." or "" in present in the PATH
+        environment variable.  If this option is disabled, sudo
+        will check the current directory last if it appears anywhere
+        in PATH.  The PATH variable itself is not modified.
+        Sudoers option: ignore_dot
+
     --disable-path-info
         Normally, sudo will tell the user when a command could not be found
         in their $PATH.  Some sites may wish to disable this as it could
@@ -876,11 +884,6 @@ Defaults are listed in brackets after the description.
         You must either specify --with-insults or enable insults in the
         sudoers file for this to have any effect.
 
-    --with-ignore-dot
-        If set, sudo will ignore "." or "" (current dir) in $PATH.
-        The $PATH itself is not modified.
-        Sudoers option: ignore_dot
-
     --with-insults
         Define this if you want to be insulted by default for typing
         an incorrect password just like the original sudo(8).

LICENSE.md

@@ -1,6 +1,6 @@
 Sudo is distributed under the following license:
 
-    Copyright (c) 1994-1996, 1998-2024
+    Copyright (c) 1994-1996, 1998-2025
         Todd C. Miller <[email protected]>
 
     Permission to use, copy, modify, and distribute this software for any

MANIFEST

@@ -275,6 +275,7 @@ lib/util/lbuf.c
 lib/util/localtime_r.c
 lib/util/locking.c
 lib/util/logfac.c
+lib/util/login_max.c
 lib/util/logpri.c
 lib/util/memrchr.c
 lib/util/mkdir_parents.c
@@ -1274,10 +1275,13 @@ po/uk.mo
 po/uk.po
 po/vi.mo
 po/vi.po
+po/yue.mo
+po/yue.po
 po/zh_CN.mo
 po/zh_CN.po
 po/zh_TW.mo
 po/zh_TW.po
+scripts/check_man.in
 scripts/config.guess
 scripts/config.sub
 scripts/generate_test_coverage.sh

Makefile.in

@@ -96,7 +96,7 @@ XGETTEXT_OPTS = -F -k_ -kN_ -kU_ --copyright-holder="Todd C. Miller" \
 		--flag sudo_lbuf_append_quoted:3:c-format --foreign-user
 
 # Default cppcheck options when run from the top-level Makefile
-CPPCHECK_OPTS = -q --enable=warning,performance,portability --suppress=constStatement --suppress=compareBoolExpressionWithInt --error-exitcode=1 --inline-suppr -Dva_copy=va_copy -U__cplusplus -UQUAD_MAX -UQUAD_MIN -UUQUAD_MAX -U_POSIX_HOST_NAME_MAX -U_POSIX_PATH_MAX -U__NBBY -DNSIG=64
+CPPCHECK_OPTS = -q --enable=warning,performance,portability --suppress=constStatement --suppress=compareBoolExpressionWithInt --error-exitcode=1 --inline-suppr -Dva_copy=va_copy -U__cplusplus -UQUAD_MAX -UQUAD_MIN -UUQUAD_MAX -U_POSIX_PATH_MAX -U__NBBY
 
 # Default splint options when run from the top-level Makefile
 SPLINT_OPTS = -D__restrict= -checks

NEWS

@@ -1,3 +1,69 @@
+What's new in Sudo 1.9.17
+
+ * Sudo now uses the NODEV macro consistently. Bug #1074.
+
+ * Fixed a bug where the "ALL" command in a sudoers rule would
+   override a previous NOSETENV tag.  Command tags are inherited
+   from previous Cmnds in a Cmnd_Spec_List.  There is a special
+   case for the SETENV tag with the "ALL" command, where SETENV is
+   implied if no explicit SETENV or NOSETENV tag is specified.  This
+   special case did not take into account that a NOSETENV tag that
+   was inherited should override this behavior.
+
+ * If sudo is run via ssh without a terminal and a password is
+   required, it now suggest using ssh's "-t" option.
+
+ * Fixed the display of timeout values in the "sudo -V" output
+   on systems without a C99-compliant snprintf() function.
+
+ * Quieted a number of minor Coverity warnings.
+
+ * Fixed a problem running sudo from a serial console on Linux when
+   the command is run in a pseudo-terminal (the default).
+
+ * Fixed a crash in sudo which could occur if there was a fatal
+   error after the user was validated but before the command was
+   actually run.
+
+ * Fixed a number of man page style warnings.  The "lint" make target
+   in the docs directory will now run groff with warnings enabled
+   if it is available.  Bug #1075.
+
+ * The "ignore_dot" sudoers setting is now on by default.  There
+   is now a "--disable-ignore-dot" configure option to disable it.
+   The "--with-ignore-dot" configure option has been deprecated.
+
+ * Fixed a problem with the "pwfeedback" option where an initial
+   backspace would reduce the maximum length allowed for the password.
+   GitHub issue #439.
+
+ * Fixed minor grammar and spelling problems in the man pages.
+
+ * Fixed a bug where a user could avoid entering a password for
+   "sudo -l command" if they specified their own user or group name
+   via the "-u" or "-g" options.
+
+ * Avoid potential password guessing based on timing attacks on
+   the strcmp() function on systems without PAM or a crypt() function
+   where plaintext passwords are stored in the shadow password file.
+
+ * Fixed a potential information leak where "sudo -l command" could
+   be used to determine whether an executable exists in a directory
+   that they do not have search access to.
+
+ * Sudo uses TCSAFLUSH, not TCSADRAIN, when disabling echo once
+   again.  A long time ago sudo changed from using TCSAFLUSH to
+   TCSADRAIN due to some systems having bugs related to TCSAFLUSH.
+   That should no longer be a concern.  Using TCSAFLUSH ensures
+   that password input that has been received by the kernel, but
+   not yet read by sudo, will be discarded and not echoed.
+
+ * Added the SUDO_TTY environment variable if the user has a terminal.
+   This can be used to find the user's original tty device when sudo
+   runs the command in its own pseudo-terminal.  GitHub issue #447.
+
+ * New Cantonese translation for sudo.
+
 What's new in Sudo 1.9.16p2
 
  * Sudo now passes the terminal device number to the policy plugin
@@ -2285,7 +2351,7 @@ What's new in Sudo 1.8.22
    of the session leader.  When the "timestamp_type" option is set
    to "ppid" or when no terminal is available, the start time of
    the parent process is used instead.  This significantly reduces
-   the likelihood of a time stamp record being re-used when a user
+   the likelihood of a time stamp record being reused when a user
    logs out and back in again.  Bug #818.
 
  * The sudoers time stamp file format is now documented in the new

aclocal.m4

@@ -1,6 +1,6 @@
-# generated automatically by aclocal 1.16.5 -*- Autoconf -*-
+# generated automatically by aclocal 1.17 -*- Autoconf -*-
 
-# Copyright (C) 1996-2021 Free Software Foundation, Inc.
+# Copyright (C) 1996-2024 Free Software Foundation, Inc.
 
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,