From 35988b45d9ee10889d945a4a6045177ad9f81e3a Mon Sep 17 00:00:00 2001
From: Mateusz Malisz <maliszmat@outlook.com>
Date: Wed, 27 Jan 2021 08:38:46 -0800
Subject: [PATCH] Fix sudo CVE-2021-3156 and sudoer config. (#573)

* Fix CVE-2021-3156. Modify prompt.

* Update cgmanifest
---
 SPECS/sudo/sudo.signatures.json |  2 +-
 SPECS/sudo/sudo.spec            | 14 +++++++++-----
 cgmanifest.json                 |  4 ++--
 3 files changed, 12 insertions(+), 8 deletions(-)

diff --git a/SPECS/sudo/sudo.signatures.json b/SPECS/sudo/sudo.signatures.json
index 1a5c9928719..3b85090edcd 100644
--- a/SPECS/sudo/sudo.signatures.json
+++ b/SPECS/sudo/sudo.signatures.json
@@ -1,5 +1,5 @@
 {
  "Signatures": {
-  "sudo-1.9.5p1.tar.gz": "4dddf37c22653defada299e5681e0daef54bb6f5fc950f63997bb8eb966b7882"
+  "sudo-1.9.5p2.tar.gz": "539e2ef43c8a55026697fb0474ab6a925a11206b5aa58710cb42a0e1c81f0978"
  }
 }
diff --git a/SPECS/sudo/sudo.spec b/SPECS/sudo/sudo.spec
index 0337b7b3362..48672c010db 100644
--- a/SPECS/sudo/sudo.spec
+++ b/SPECS/sudo/sudo.spec
@@ -1,6 +1,6 @@
 Summary:        Sudo
 Name:           sudo
-Version:        1.9.5p1
+Version:        1.9.5p2
 Release:        1%{?dist}
 License:        ISC
 URL:            https://www.sudo.ws/
@@ -30,7 +30,7 @@ the ability to run some (or all) commands as root or another user while logging
     --with-all-insults \
     --with-env-editor \
     --with-pam \
-    --with-passprompt="[sudo] password for %p"
+    --with-passprompt="[sudo] password for %p: "
 
 make %{?_smp_mflags}
 
@@ -40,9 +40,9 @@ make install DESTDIR=%{buildroot}
 install -v -dm755 %{buildroot}/%{_docdir}/%{name}-%{version}
 find %{buildroot}/%{_libdir} -name '*.la' -delete
 find %{buildroot}/%{_libdir} -name '*.so~' -delete
-sed -i '/#includedir.*/i \
-%wheel ALL=(ALL) ALL \
-%sudo   ALL=(ALL) ALL' %{buildroot}/etc/sudoers
+# Add default user to sudoers group
+echo '%wheel ALL=(ALL) ALL' >> %{buildroot}/etc/sudoers
+echo '%sudo  ALL=(ALL) ALL' >> %{buildroot}/etc/sudoers
 install -vdm755 %{buildroot}/etc/pam.d
 cat > %{buildroot}/etc/pam.d/sudo << EOF
 #%%PAM-1.0
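Review bot: Appending the `%wheel` and `%sudo` rules with `>>` places them after the include directive that normally closes the shipped sudoers file, and because sudoers applies the last matching entry, these two lines would then take precedence over any drop-in under /etc/sudoers.d that narrows or tags (for example `NOPASSWD:`) what members of those groups may run. The removed sed inserted them ahead of the include; it presumably stopped matching because the 1.9.x sample file spells the directive `@includedir`, so keeping the insert form with an address such as `/^[#@]includedir/` would preserve the old ordering for both spellings. The added comment is also inaccurate, since no user is added to a group here; `# Grant full sudo rights to members of the wheel and sudo groups` describes what the lines do. The %install section continues outside this hunk, so whether the resulting file is syntax-checked later in the build cannot be seen from here.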
@@ -93,6 +93,10 @@ rm -rf %{buildroot}/*
 %exclude  /etc/sudoers.dist
 
 %changelog
+*   Tue Jan 26 2021 Mateusz Malisz <mamalisz@microsoft.com> 1.9.5p2-1
+-   Update to version 1.9.5.p2 to fix CVE-2021-3156.
+-   Change the password prompt to include ": " at the end.
+-   Unconditionally add wheel/sudo groups.
 *   Fri Jan 15 2021 Mateusz Malisz <mamalisz@microsoft.com> 1.9.5p1-1
 -   Update to version 1.9.5.p1 to fix CVE-2021-23240.
 *   Sat May 09 2020 Nick Samson <nisamson@microsoft.com> 1.8.31p1-4
diff --git a/cgmanifest.json b/cgmanifest.json
index adfcf9156cc..3f407ba39ee 100644
--- a/cgmanifest.json
+++ b/cgmanifest.json
@@ -6335,8 +6335,8 @@
         "type": "other",
         "other": {
           "name": "sudo",
-          "version": "1.9.5p1",
-          "downloadUrl": "https://www.sudo.ws/sudo/dist/sudo-1.9.5p1.tar.gz"
+          "version": "1.9.5p2",
+          "downloadUrl": "https://www.sudo.ws/sudo/dist/sudo-1.9.5p2.tar.gz"
         }
       }
     },