sudo: Update to 1.8.15, CVE-2015-5602

[neverpanic (Clemens Lang)]

Hi,

sudo has version 1.8.15 available. It attempts to fix CVE-2015-5602, but the problem is actually still present after that [1,2,3]. Please update sudo to 1.8.15 and consider backporting the change that fixes the CVE and has been committed for sudo 1.8.16 [4].

Here's a patch that does the gruntwork, I haven't looked into backporting the patch, though.

Portfile

@@ -5 +5 @@
 
 name                sudo
 epoch               1
-version             1.8.14p3
-revision            1
+version             1.8.15
 categories          sysutils security
 license             ISC
 maintainers         gmail.com:youvegotmoxie
@@ -24 +23 @@
 master_sites        ${homepage}dist/ \
                     ${homepage}dist/OLD/
 
-checksums           rmd160  209554c44467da8ebeeecc2134edbf42fce2244e \
-                    sha256  a8a697cbb113859058944850d098464618254804cf97961dee926429f00a1237
+checksums           rmd160  676ee3249c2ddacd64de54d6555b820912b56f6f \
+                    sha256  4316381708324da8b6cb151f655c1a11855207c7c02244d8ffdea5104d7cc308
 
 patchfiles          patch-sudoers.in.diff
 

I'm leaving this at normal priority, since the CVE doesn't affect our default installation.

[1] ​https://www.debian.org/security/2016/dsa-3440
[2] ​https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=804149
[3] ​https://bugzilla.sudo.ws/show_bug.cgi?id=707
[4] ​https://www.sudo.ws/repos/sudo/rev/c2e36a80a279

[youvegotmoxie@…]

Thank you, please do push this patch through as I am on holiday.

[youvegotmoxie@…]

I will work on the backport from .16 to .15 when I get back.

[neverpanic (Clemens Lang)]

Committed this patch in 145046, I'll leave the ticket open for the backport (or your decision not to).

[neverpanic (Clemens Lang)]

This has long been solved.