2023-03-04  Todd C. Miller  <Todd.Miller@sudo.ws>

	* .hgtags:
	Added tag SUDO_1_9_13p3 for changeset 0bdd0b8469e3
	[fc4e872d6d89] [tip] <1.9>

	* NEWS, configure, configure.ac:
	Sudo 1.9.13p3
	[0bdd0b8469e3] [SUDO_1_9_13p3] <1.9>

2023-03-03  Todd C. Miller  <Todd.Miller@sudo.ws>

	* plugins/sudoers/match.c, plugins/sudoers/parse.c,
	plugins/sudoers/parse.h:
	A user with "list" privs for root may not list all users. A user
	with "sudo ALL" for root _is_ allowed to list any user.
	[a3f7301ba4d3] <1.9>

	* plugins/sudoers/policy.c:
	sudoers_policy_list: do not set runas_pw to list_pw when listing.
	This change introduced in sudo 1.9.13 is not actually needed. The
	"list" pseudo-command checks are performed via runas_matches_pw()
	which does not use runas_pw. GitHub issue #248
	[84effa5ffaa1] <1.9>

	* plugins/sudoers/logging.c, plugins/sudoers/parse.c,
	plugins/sudoers/sudoers.c:
	Fix "sudo -l command args", broken in sudo 1.9.13. The value of
	user_args should not contain the command to be run in "sudo -l
	command args", only the arguments of the command being checked. This
	restores the pre-1.9.13 behavior. GitHub issue #249
	[3e1225e7bf33] <1.9>

2023-03-01  Todd C. Miller  <Todd.Miller@sudo.ws>

	* src/exec_nopty.c, src/exec_pty.c:
	write_callback: only enable /dev/tty reader if the command is
	running. This fixes a hang when there is /dev/tty data in a buffer to
	be flushed by the final call to del_io_events(). We do not want to
	re-enable the reader when flushing the buffers as part of
	pty_finish(). See PR #247 for analysis of the problem and how to
	reproduce it.
	[b7ea5b5e6a88] <1.9>

2023-02-28  Todd C. Miller  <Todd.Miller@sudo.ws>

	* plugins/sudoers/regress/testsudoers/test12.out.ok,
	plugins/sudoers/regress/testsudoers/test12.sh:
	Test non-fully qualified path name.
	[0a9e6e83fe15] <1.9>

	* plugins/sudoers/Makefile.in:
	Fix removal of y.tab.[ch] when generating gram.[ch].
	[f69c86ecae66] <1.9>

	* MANIFEST, plugins/sudoers/regress/sudoers/test30.in,
	plugins/sudoers/regress/sudoers/test30.json.ok,
	plugins/sudoers/regress/sudoers/test30.ldif.ok,
	plugins/sudoers/regress/sudoers/test30.ldif2sudo.ok,
	plugins/sudoers/regress/sudoers/test30.out.ok,
	plugins/sudoers/regress/sudoers/test30.sudo.ok,
	plugins/sudoers/regress/sudoers/test30.toke.ok:
	Add test for using "list" as user, runas and host.
	[ae2c84c73371] <1.9>

	* plugins/sudoers/gram.c, plugins/sudoers/gram.y,
	plugins/sudoers/toke.c, plugins/sudoers/toke.l:
	Move handling of the "list" pseudo-command from lexer to parser. The
	special handling of "list" in the lexer meant it could not be used
	as a user, group or host, which was unintentional. GitHub issue
	#246.
	[efb3a4dea1da] <1.9>

2023-02-27  Todd C. Miller  <Todd.Miller@sudo.ws>

	* include/sudo_compat.h:
	Make the check for HAVE_DECL_NSIG consistent with other decl checks.
	[616c42c4adce] <1.9>

2023-02-25  Todd C. Miller  <Todd.Miller@sudo.ws>

	* .hgtags:
	Added tag SUDO_1_9_13p2 for changeset 2db7cee1cb77
	[b0af73801130] <1.9>

	* NEWS, configure, configure.ac:
	Sudo 1.9.13p2.
	[2db7cee1cb77] [SUDO_1_9_13p2] <1.9>

2023-02-23  Todd C. Miller  <Todd.Miller@sudo.ws>

	* lib/util/lbuf.c:
	Add missing include of errno.h.
	[65ddd70d0c18] <1.9>

	* lib/util/lbuf.c:
	sudo_lbuf_expand: check for overflow when rounding to the nearest
	power of 2. Problem detected by oss-fuzz using the fuzz_sudoers
	fuzzer.
	[9357396fdaa0] <1.9>

	* src/load_plugins.c:
	Fix --enable-static-sudoers, broken in sudo 1.9.13.
	sudo_qualify_plugin() should not try to fully-qualify the path to a
	statically-compiled plugin. GitHub issue #245
	[eca5f1f6555e] <1.9>

2023-02-21  Todd C. Miller  <Todd.Miller@sudo.ws>

	* MANIFEST, plugins/sudoers/match_command.c,
	plugins/sudoers/regress/fuzz/fuzz_sudoers.c,
	plugins/sudoers/regress/testsudoers/test20.out.ok,
	plugins/sudoers/regress/testsudoers/test20.sh,
	plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c:
	Fix potential double free for rules that include a CHROOT= option.
	If a rule with a CHROOT= option matches the user, host and runas,
	the user_cmnd variable could be freed twice.
	[2c1477233f48] <1.9>

2023-02-16  Todd C. Miller  <Todd.Miller@sudo.ws>

	* .hgtags:
	Added tag SUDO_1_9_13p1 for changeset 49e64402924f
	[97ae12488007] <1.9>

	* NEWS, configure, configure.ac:
	Merge sudo 1.9.13p1 from tip.
	[49e64402924f] [SUDO_1_9_13p1] <1.9>

	* NEWS, configure, configure.ac:
	Sudo 1.9.13p1
	[0a9817096e03]

	* configure.ac:
	Use m4_bmatch, m4_case does not support shell-style globbing.
	[b7a743baf22e]

	* configure, configure.ac:
	Allow configure.ac to be processed by autoconf 2.69. AC_PROG_CC_STDC
	is deprecated in autoconf 2.70 and above but it is necessary for
	autoconf 2.69.
	[324ba83acd63]

	* configure.ac:
	Only use AC_SYS_YEAR2038 if it is defined. Otherwise, use the method
	from 1.9.12. GitHub issue #242
	[16fcec5264cc]

2023-02-15  Todd C. Miller  <Todd.Miller@sudo.ws>

	* scripts/mkpkg:
	Sudo-specific executables moved to /usr/libexec/sudo starting in
	Debian 12 (Bookworm) and Ubuntu 22.04 (Jammy Jellyfish). Previously,
	they were stored in /usr/lib/sudo.
	[a2aa15b72312]

	* lib/eventlog/Makefile.in, lib/iolog/Makefile.in,
	lib/util/Makefile.in, logsrvd/Makefile.in,
	plugins/python/Makefile.in, plugins/sudoers/Makefile.in,
	src/Makefile.in:
	Handle "locale -a" returning both C.UTF-8 and C.utf8. It is possible
	to have multiple matches from the output of "locale -a". Just take
	the first one. Fixes GitHub issue #241.
	[aeba71610439]

	* lib/util/Makefile.in, logsrvd/Makefile.in,
	plugins/sudoers/Makefile.in, src/Makefile.in:
	Add some missing files to the clean and distclean targets.
	[5dedbe519db1]

	* Merge pull request #240 from thesamesam/c23

	sudo_fatal: Fix build where compiler recognises [[noreturn]]
	attribut…
	[22ae0d4402ac]

2023-02-15  Sam James  <sam@gentoo.org>

	* include/sudo_fatal.h:
	sudo_fatal: Fix build where compiler recognises [[noreturn]]
	attribute (C23)

	If the compiler supports [[noreturn]] as an attribute as in C23, then
	we define sudo_noreturn to be it. When that's the case, we must
	place it at the beginning of the declaration, before any other
	*extension* attributes (__attribute(...)).

	A bug has been filed with GCC regarding rejecting/accepting mixed
	attribute styles.

	sudo_dso_public is always an extension attribute, while
	sudo_noreturn only might be, so put it first.

	This only shows up with GCC 13 so far (see the linked GCC bug for a
	bit more exploration). Clang 16 does support the attribute but
	doesn't let you use it for earlier language versions (need to pass
	explicit -std=c2x, unlike with GCC here).

	This is essentially a followup to
	e707ffe58b3ccfe5c72f54c38eac1d7069d5021e.

	Tested with GCC 13.0.1 20230212 (unreleased), GCC 12.2.1 20230211,
	Clang 16.0.0_rc2, and Clang 15.0.7.

	Bug: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108796
	Closes: https://github.com/sudo-project/sudo/issues/239
	Fixes: e707ffe58b3ccfe5c72f54c38eac1d7069d5021e
	Fixes: 16ae61dcd7d3cd8bf6eb10a22fa742d4505da4e9
	[806b5f3a6485]

2023-02-14  Todd C. Miller  <Todd.Miller@sudo.ws>

	* configure, configure.ac:
	Add missing '[' to AS_IF() call. Fixes GitHub issue #238.
	[48372d73d4bb]

	* .hgtags:
	Added tag SUDO_1_9_13 for changeset 813f6addf7cf
	[8df54fde3b7a] <1.9>

	* NEWS, config.h.in, configure, configure.ac, include/sudo_compat.h,
	lib/util/hexchar.c, lib/util/regress/hexchar/hexchar_test.c,
	plugins/sudoers/parse.c, plugins/sudoers/regress/fuzz/fuzz_policy.c,
	plugins/sudoers/sudoers.c, plugins/sudoers/visudo.c:
	Merge sudo 1.9.13 from tip.
	[813f6addf7cf] [SUDO_1_9_13] <1.9>

	* MANIFEST, plugins/sudoers/po/ka.mo:
	Add compiled version of the sudoers Georgian translation.
	[35007cc1c867]

	* .gitignore, .hgignore:
	Do not ignore .mo files. Otherwise we are likely to miss uncommitted
	changes in them.
	[d76a98baaf15]

	* plugins/sudoers/po/ru.mo, plugins/sudoers/po/zh_CN.mo, po/zh_CN.mo:
	Regenerate .mo files.
	[a7a708d8bf34]

2023-02-09  Todd C. Miller  <Todd.Miller@sudo.ws>

	* plugins/sudoers/regress/fuzz/fuzz_sudoers.c:
	No longer need to define sudoers_recovery here.
	[11a365a8a218]

	* NEWS:
	Mention that a missing include file is no longer fatal.
	[ba0bd554435e]

	* plugins/sudoers/gram.c, plugins/sudoers/gram.h,
	plugins/sudoers/gram.y, plugins/sudoers/policy.c:
	Recover from missing include file unless error_recovery is disabled.
	It is still treated as an error from a logging perspective, and mail
	is still sent.
	[e1cac68917cc]

	* include/sudo_eventlog.h, lib/eventlog/eventlog.c,
	plugins/sudoers/logging.c:
	Add eventlog_mail() to send a log message via mail. This is used by
	mail_parse_errors() to send multi-line messages. Previously, the
	newlines would be escaped as control characters.
	[97e516576212]

	* lib/eventlog/eventlog.c:
	send_mail: pass a single string instead of using varargs. These days
	we only ever pass in a const string.
	[700e72ca42c0]

2023-02-05  Todd C. Miller  <Todd.Miller@sudo.ws>

	* configure, configure.ac:
	Use AS_IF instead of if; then where possible.
	[56946f4ac23a]

2023-02-03  Todd C. Miller  <Todd.Miller@sudo.ws>

	* NEWS:
	Mention the fix for GitHub #237.
	[70aafdaced09]

	* plugins/sudoers/po/ja.mo, plugins/sudoers/po/ja.po,
	plugins/sudoers/po/zh_TW.mo, plugins/sudoers/po/zh_TW.po, po/fur.mo,
	po/fur.po, po/ja.mo, po/ja.po, po/zh_TW.mo, po/zh_TW.po:
	Updated translations from translationproject.org
	[c3be19c34043]

	* src/exec_pty.c, src/tgetpass.c:
	Display error in error message if we can't restore the terminal.
	[aa2c60802b33]

2023-02-02  Todd C. Miller  <Todd.Miller@sudo.ws>

	* src/exec_pty.c, src/tgetpass.c:
	Display an error message if unable to restore terminal settings.
	[a1efb1dca169]

	* Makefile.in, etc/sudo.pp, plugins/sudoers/Makefile.in:
	Get rid of sudoersdir and just use sysconfdir. There is no need for
	sudoersdir when it is always just set to sysconfdir.
	[690b44edcec2]

	* src/exec_pty.c:
	pty_finish: only restore the terminal if sudo is the foreground
	process
	[357d90f11750]

	* src/exec_pty.c:
	Better background job detection when running a command in a pty. If
	sudo is not the process group leader and stdin is not a tty, we may
	be running as a background job via a shell script. Start the command
	in the background to avoid changing the terminal mode from a
	background process. GitHub issue #237
	[6c74910ea869]

	* src/exec_pty.c:
	suspend_sudo_pty: stop the process group even if sudo is not the
	leader. When sudo is not the process group leader, we still need to
	stop sudo's process group and not just the sudo process itself. If
	we only send the signal to sudo itself, the shell will not notice if
	it is not in monitor mode. This can happen when sudo is run from a
	shell script, for example. In this case we need to signal the shell
	itself. If the process group leader is no longer present, we must
	kill the command since there will be no one to resume us.
	[44bb3267a55e]

	* lib/util/term.c:
	Add debug tracing to tcsetattr_nobg().
	[b7a17174f1cf]

2023-01-31  Todd C. Miller  <Todd.Miller@sudo.ws>

	* plugins/sudoers/regress/fuzz/fuzz_policy.c:
	Avoid compilation errors if getaddrinfo() or freeaddrinfo() are
	macros. If this is the case we probably can't stub out the functions
	but at least the fuzzer will compile.
	[2482db79d3b9]

	* src/net_ifs.c:
	Initialize the integer result parameter passed to SIOCGIFANUM. It
	appears that passing in a non-zero value causes the ioctl() to fail.
	From Tim Rice.
	[071633f9929c]

	* logsrvd/logsrvd.c, logsrvd/logsrvd_relay.c,
	plugins/sudoers/log_client.c:
	Protect use of AF_INET6 with HAVE_STRUCT_IN6_ADDR guards. From Tim
	Rice.
	[661c26064544]

	* config.h.in, configure, configure.ac, include/sudo_compat.h:
	Add configure test for NSIG, _NSIG or __NSIG. This is better than
	just defining NSIG in sudo_compat.h if it is not defined since
	signal.h may not have been included.
	[f1c94c5f825b]

	* logsrvd/logsrvd_conf.c:
	Avoid DNS lookups when fuzzing.
	[384ffdead655]

2023-01-30  Todd C. Miller  <Todd.Miller@sudo.ws>

	* etc/sudo-logsrvd.pp, etc/sudo-python.pp, etc/sudo.pp, scripts/mkpkg,
	scripts/pp:
	No longer need to treat Rocky or Alma Linux specially. We now treat
	them the same as RHEL.
	[190afa102ca6]

2023-01-29  Todd C. Miller  <Todd.Miller@sudo.ws>

	* Merge pull request #230 from trackers-lover/main

	Return value does not match
	[1dc4317beaf7]

2023-01-29  bianguangze@uniontech.com  <bianguangze@uniontech.com>

	* lib/util/sudo_conf.c:
	Modify return value parameter
	[eb1e78bb2f91]

2023-01-27  Todd C. Miller  <Todd.Miller@sudo.ws>

	* scripts/build_pkgs:
	Store conf hash in vm_servers instead of vmid. Add a shutdown
	command fallback to the conf file.
	[2f7eeb5c3f04]

	* plugins/sudoers/po/cs.mo, plugins/sudoers/po/cs.po,
	plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po,
	plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po,
	plugins/sudoers/po/fr.mo, plugins/sudoers/po/fr.po,
	plugins/sudoers/po/hr.mo, plugins/sudoers/po/hr.po,
	plugins/sudoers/po/ko.mo, plugins/sudoers/po/ko.po,
	plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po,
	plugins/sudoers/po/ro.mo, plugins/sudoers/po/ro.po,
	plugins/sudoers/po/ru.po, plugins/sudoers/po/sv.mo,
	plugins/sudoers/po/sv.po, plugins/sudoers/po/uk.mo,
	plugins/sudoers/po/uk.po, plugins/sudoers/po/zh_CN.po,
	plugins/sudoers/po/zh_TW.po, po/cs.mo, po/cs.po, po/de.mo, po/de.po,
	po/eo.mo, po/eo.po, po/fr.mo, po/fr.po, po/hr.mo, po/hr.po,
	po/ko.mo, po/ko.po, po/pl.mo, po/pl.po, po/ro.mo, po/ro.po,
	po/sv.mo, po/sv.po, po/uk.mo, po/uk.po, po/zh_CN.po, po/zh_TW.po:
	Updated translations from translationproject.org
	[fa9569203e16]

	* configure, m4/hardening.m4:
	Fix a typo.
	[ebf4c16e0079]

	* config.h.in, configure, scripts/config.guess, scripts/config.sub:
	Regen with latest autoconf git.
	[9a0bbbb682fc]

	* etc/sudo-logsrvd.pp, etc/sudo-python.pp, etc/sudo.pp, scripts/mkpkg,
	scripts/pp:
	Recognize Alma Linux and Rocky Linux (Open Source RHEL clones)
	[b1dbb7b75824]

	* NEWS:
	Mention the recent intercept/log_subcmds fix.
	[cbd60701de52]

	* scripts/mkpkg:
	Fix determination of the number of CPU cores on Linux.
	[6ac6a9b074bf]

2023-01-26  Todd C. Miller  <Todd.Miller@sudo.ws>

	* MANIFEST, plugins/sudoers/po/ka.po:
	New Georgian translation from translationproject.org
	[17681b870666]

	* Merge pull request #235 from kernelmethod/apparmor_dependencies

	Replace the Debian libselinux1 dependency with libapparmor1
	[ca29638c5c34]

2023-01-26  kernelmethod  <17100608+kernelmethod@users.noreply.github.com>

	* etc/sudo.pp:
	Replace the Debian libselinux1 dependency with libapparmor1

	Debian >= 10 uses AppArmor by default instead of SELinux, so
	SELinux-related sudo features are typically going to be unusable in
	Debian installs. This changes the dependency on libselinux1 to be a
	dependency on libapparmor1 for .deb packages built with `make
	package`.
	[5779ce23a161]

2023-01-25  Todd C. Miller  <Todd.Miller@sudo.ws>

	* src/exec_ptrace.c:
	get_execve_info: defer setting pathname until argbuf is finalized. If
	we reallocate the buffer (via growbuf()) in ptrace_read_vec(), the
	address of argbuf may change. If so, the value stored in pathname
	will no longer be valid. GitHub issue #194.
	[f75aa1eb5d95]

	* src/exec_intercept.c, src/exec_ptrace.c:
	Correct error message when command doesn't exist in intercept mode.
	Previously, we would always use EACCES, even when ENOENT was
	appropriate. This also affected log_subcmds.
	[5bc0ecd5d4e6]

2023-01-24  Todd C. Miller  <Todd.Miller@sudo.ws>

	* plugins/sudoers/po/sudoers.pot, po/sudo.pot:
	Update .pot files for 1.9.13
	[c6a247e05a91]

2023-01-23  Todd C. Miller  <Todd.Miller@sudo.ws>

	* NEWS:
	Update for 1.9.13.
	[c9c5b6af5ea5]

	* src/exec_ptrace.h:
	Include elf.h, not linux/elf.h but define NT_ARM_SYSTEM_CALL if
	missing. Older kernel headers are missing the definition of EM_ARM
	in linux/elf.h. GitHub issue #232
	[8bed5e7f8857]

	* lib/util/regress/regex/regex_test.c:
	Add tests for escaped digits.
	[7e5b7e5e2409]

	* lib/util/regex.c:
	check_pattern: handle escaped digits since GNU libc accepts them.
	[a20d5a047963]

2023-01-22  Todd C. Miller  <Todd.Miller@sudo.ws>

	* include/sudo_eventlog.h, lib/eventlog/eventlog.c,
	plugins/sudoers/sudoreplay.c:
	Add eventlog_store_sudo() and use it in sudoreplay. This replaces
	the custom log formatting used by "sudoreplay -l".
	[26dd2367fbdd]

2023-01-21  Todd C. Miller  <Todd.Miller@sudo.ws>

	* scripts/build_pkgs, scripts/mkpkg:
	Add --build-only flag to skip building packages.
	[46c0213b2668]

2023-01-20  Todd C. Miller  <Todd.Miller@sudo.ws>

	* scripts/mkpkg, scripts/pp:
	Support building packages on DragonFly BSD.
	[65920923add2]

	* configure, configure.ac, m4/visibility.m4:
	Try to link a simple shared object with -Wl,--no-undefined. This
	only works for gcc-style compilers, which should not be a problem.
	The source uses environ (FreeBSD) and errno (OpenBSD).
	[1c2d9f90bc6d]

	* scripts/build_pkgs:
	Pass the name to the config.cache file to the build script. If
	--cache-file is not specified, no config.cache file will be used.
	Add an "omit_artifacts" setting for platforms where we don't publish
	artifacts.
	[c87221f36bf4]

2023-01-19  Todd C. Miller  <Todd.Miller@sudo.ws>

	* lib/util/regex.c:
	check_pattern: accept a backslash before the numeric bound like
	glibc. This helps avoid out-of-memory conditions when fuzzing on
	Linux.
	[07f14dba22ed]

	* configure, configure.ac:
	Don't use -Wl,--no-undefined with the sanitizers/fuzzers. It breaks
	linking when using -fsanitize with clang at least.
	[a6331135bd73]

	* docs/SECURITY.md:
	Add a link to the sudo security advisories archive.
	[7137d1d214e5]

	* config.h.in, configure, configure.ac:
	Eliminate usage of obsolete 2-argument AC_CHECK_TYPE macro.
	[96b37c574fc2]

	* config.h.in, configure, configure.ac, plugins/sudoers/starttime.c,
	src/regress/ttyname/check_ttyname.c, src/ttyname.c:
	Add support for the struct kinfo_proc on Dragonfly BSD.
	[4c1a7d223d66]

	* configure, configure.ac:
	Need to link sudo and sudoers with -lutil on Dragonfly BSD. It is
	safer to just search for setusercontext() in libc and libutil
	instead of matching on the operating system.
	[b91a288c9968]

	* configure, configure.ac:
	Eliminate the $OS variable, we can just use $host_os instead.
	[0293bf9d4dd4]

	* plugins/sudoers/editor.c:
	Restore the line that set errno to ENOENT when find_path() fails.
	This was inadvertently removed when the "goto bad" was added.
	[b957909a1a75]

	* configure, configure.ac, m4/ldap.m4:
	Add -Wl,--no-undefined to LDFLAGS if it is supported. This will find
	missing symbols at build-time instead of run-time. Don't use it on
	FreeBSD where environ is filled in by the dynamic loader. We also
	need to pull in -llber with -lldap where possible (instead of
	relying on DT_NEEDED) to avoid undefined symbol errors when building
	with LDAP support.
	[c88bd9fd05c9]

	* plugins/sample/README:
	The sample plugin is now built by default to avoid bit rot. GitHub
	issue #234.
	[aac2a29136e1]

	* plugins/sample/sample_plugin.c:
	The change from sudo_printf -> sudo_plugin_printf was incomplete.
	Fixes GitHub issue #234.
	[4f8333e3f7b8]

2023-01-18  Todd C. Miller  <Todd.Miller@sudo.ws>

	* configure, m4/pie.m4:
	Solaris: use lt_prog_compiler_pic instead of assuming -KPIC
	[36b94699ad63]

	* configure, m4/hardening.m4, m4/pie.m4:
	Solaris: the aslr, nxheap and nxstack link options are only for
	executables. Move them back to PIE_LDFLAGS, which is only used when
	linking a binary.
	[970d533cd9b2]

	* configure, m4/hardening.m4, m4/pie.m4:
	Solaris: move aslr linker option to hardening and try to build real
	PIEs. These flags are specific to the Solaris linker.
	[c5439fec5cb3]

	* configure, m4/hardening.m4, m4/pie.m4:
	Enable non-executable heap and stack options for Solaris ld.
	[5be638b9bd79]

	* configure, configure.ac, m4/hardening.m4:
	Limit some of the hardening tests to compilers that define __GNUC__.
	This should avoid false positives on other compilers.
	[1b3b36a2ff2b]

	* plugins/python/regress/testdata/check_multiple_approval_plugin_and_arguments.stdout:
	Update expected plugin version.
	[19b2963008a2]

	* docs/sudo_plugin.man.in, docs/sudo_plugin.mdoc.in,
	include/sudo_plugin.h, plugins/sudoers/policy.c,
	plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h, src/sudo.c,
	src/sudo.h, src/sudo_edit.c:
	Pass back the number of files to edit when using sudoedit. The sudo
	front-end can use this to determine where the list of files to edit
	begins.
	[c9c1e6e81438]

	* docs/sudoers.man.in, docs/sudoers.mdoc.in, docs/sudoreplay.man.in,
	docs/sudoreplay.mdoc.in, include/sudo_lbuf.h,
	lib/eventlog/eventlog.c, lib/iolog/iolog_json.c, lib/util/lbuf.c,
	lib/util/util.exp.in, plugins/sudoers/sudoreplay.c:
	Escape control characters in log messages and "sudoreplay -l"
	output. The log message contains user-controlled strings that could
	include things like terminal control characters. Space characters in
	the command path are now also escaped.

	Command line arguments that contain spaces are surrounded with
	single quotes and any literal single quote or backslash characters
	are escaped with a backslash. This makes it possible to distinguish
	multiple command line arguments from a single argument that contains
	spaces.

	Issue found by Matthieu Barjole and Victor Cutillas of Synacktiv
	(https://synacktiv.com).
	[1cd37144190c]

	* NEWS:
	Merge in sudo 1.9.12p2 changes.
	[d5a2cd780f27]

	* .hgtags:
	Added tag SUDO_1_9_12p2 for changeset 05149e3ee7db
	[8763a9e70ddd] <1.9>

2023-01-17  Todd C. Miller  <Todd.Miller@sudo.ws>

	* configure, configure.ac:
	Add back the linker check for -fstack-clash-protection. This is
	expected to fix GitHub issue #231.
	[40bda374ae08] <1.9>

	* configure, m4/hardening.m4:
	Add back the linker check for -fstack-clash-protection. This is
	expected to fix GitHub issue #231.
	[c08c0a7c8613]

2023-01-17  trackers-love  <bianguangze@uniontech.com>

	* lib/util/sudo_conf.c:
	Return value does not match
	[2c7c350c3d97]

2023-01-16  Todd C. Miller  <Todd.Miller@sudo.ws>

	* docs/cvtsudoers.man.in, docs/cvtsudoers.mdoc.in,
	docs/sudo.conf.man.in, docs/sudo.conf.mdoc.in,
	docs/sudo_logsrvd.conf.man.in, docs/sudo_logsrvd.conf.mdoc.in,
	docs/sudoers.ldap.man.in, docs/sudoers.ldap.mdoc.in,
	docs/sudoers.man.in, docs/sudoers.mdoc.in, docs/visudo.man.in,
	docs/visudo.mdoc.in:
	Stop using 8n width in tagged lists. Use either 4n, when the body is
	expected to wrap or the width of the longest tag when no wrapping is
	expected.
	[2b1bc5d31250]

	* docs/cvtsudoers.man.in, docs/cvtsudoers.mdoc.in, docs/sudo.man.in,
	docs/sudo.mdoc.in, docs/sudo_logsrvd.man.in,
	docs/sudo_logsrvd.mdoc.in, docs/sudo_sendlog.man.in,
	docs/sudo_sendlog.mdoc.in, docs/sudoreplay.man.in,
	docs/sudoreplay.mdoc.in, docs/visudo.man.in, docs/visudo.mdoc.in:
	Use -width Ds for the options list, not -width Fl.
	[598dbf3d2fea]

	* docs/sudo.man.in, docs/sudo.mdoc.in, docs/sudo_logsrvd.conf.man.in,
	docs/sudo_logsrvd.conf.mdoc.in, docs/sudo_plugin_python.man.in,
	docs/sudo_plugin_python.mdoc.in:
	Reduce the offset of bullet lists to 1n.
	[893b6fd25564]

	* INSTALL.md:
	Shorten --with-passprompt and --with-mailsubject arguments to a
	single word. The script that generates the web version of this file
	doesn't expect options to include whitespace.
	[063dc2c168aa]

2023-01-15  Todd C. Miller  <Todd.Miller@sudo.ws>

	* INSTALL.md:
	Shorten --with-badpass-message argument to a single word. The
	fix_install script can't deal with whitespace in options.
	[17761c19a4b8]

	* LICENSE.md:
	Make numbered lists more markdown-friendly. Also add line breaks
	when there are multiple authors.
	[d22146e06e27]

	* INSTALL.md:
	Make lists of directories more markdown-friendly.
	[b3295e422b33]

2023-01-12  Todd C. Miller  <Todd.Miller@sudo.ws>

	* lib/iolog/regress/iolog_mkpath/check_iolog_mkpath.c:
	Check for errors when removing the temp directory. If we cannot
	remove the directory tree that may indicate a file or directory mode
	problem.
	[4a162644b61f]

	* lib/iolog/iolog_mkdtemp.c:
	iolog_mkdtemp: fix pasto in last commit. Set mode to iolog_dirmode,
	not iolog_filemode.
	[9926f1c92729] <1.9>

	* lib/iolog/iolog_mkdtemp.c:
	iolog_mkdtemp: fix pasto in last commit. Set mode to iolog_dirmode,
	not iolog_filemode.
	[713773e23472]

	* NEWS, configure, configure.ac:
	Sudo 1.9.2p2
	[05149e3ee7db] [SUDO_1_9_12p2] <1.9>

	* plugins/sudoers/editor.c, plugins/sudoers/sudoers.c,
	plugins/sudoers/visudo.c:
	sudoedit: do not permit editor arguments to include "--"
	(CVE-2023-22809). We use "--" to separate the editor and arguments
	from the files to edit. If the editor arguments include "--", sudo
	can be tricked into allowing the user to edit a file not permitted
	by the security policy. Thanks to Matthieu Barjole and Victor
	Cutillas of Synacktiv (https://synacktiv.com) for finding this bug.
	[eb7f573a4a92] <1.9>

	* plugins/sudoers/editor.c, plugins/sudoers/sudoers.c,
	plugins/sudoers/visudo.c:
	sudoedit: do not permit editor arguments to include "--"
	(CVE-2023-22809). We use "--" to separate the editor and arguments
	from the files to edit. If the editor arguments include "--", sudo
	can be tricked into allowing the user to edit a file not permitted
	by the security policy. Thanks to Matthieu Barjole and Victor
	Cutillas of Synacktiv (https://synacktiv.com) for finding this bug.
	[2ca90805f471]

2023-01-09  Todd C. Miller  <Todd.Miller@sudo.ws>

	* lib/util/sha2.c:
	In SHA256Pad and SHA512Pad use 511 and 1023 respectively for bitwise
	AND. Previously we were using 504 and 1016 which still produces the
	correct result since padding is done in 8-bit bytes. However, using
	size-1 for the bitwise AND makes the intent clearer and likely would
	have prevented the previous bug in SHA512Pad. From Matthieu Barjole
	and Victor Cutillas of Synacktiv (https://synacktiv.com)
	[4b6a50800ecd]

	* plugins/sudoers/env.c:
	env_file_next_local: change the order of the val_len check. It makes
	more sense to verify that val_len > 1 before using it. This is not a
	problem in practice because val[val_len - 1] is guaranteed not to
	underflow but it can confuse reviewers and static analyzers.
	[9d6bed4e3fd0]

	* plugins/sudoers/env.c:
	Fix typo in check for environment variables that start with '='.
	[6dc466c8bf82]

	* lib/util/lbuf.c:
	sudo_lbuf_print: no longer need to check for lbuf->len > 0. Now that
	lbuf length is unsigned the earlier check for len == 0 is
	sufficient.
	[bdfc863f5b5c]

	* lib/util/lbuf.c:
	Increase minimum allocation size from 256 to 1024 bytes.
	[0f49c8728151]

	* plugins/sudoers/sudoreplay.c:
	Fix IS_IDLOG macro, it was testing the wrong byte for the NUL. This
	causes the macro to evaluate to false even for valid TSIDs.
	[77686e4508d3]

2023-01-04  Todd C. Miller  <Todd.Miller@sudo.ws>

	* plugins/sudoers/toke.c, plugins/sudoers/toke.l:
	sudoers_trace_print: this is a no-op if not debugging
	[df34de2e60f4]

	* lib/util/lbuf.c:
	sudo_lbuf_expand: don't allocate less than 256 bytes at a time.
	[a747682156e6]

2023-01-03  Todd C. Miller  <Todd.Miller@sudo.ws>

	* lib/util/lbuf.c:
	sudo_lbuf_expand: round nearest power of two instead of multiple of
	256.
	[840855b501de]

	* LICENSE.md:
	Update copyright year.
	[5ff97b5e6bcd]

	* include/sudo_lbuf.h, lib/util/lbuf.c:
	sudo_lbuf_expand: check for possible integer overflow. The numeric
	fields in struct sudo_lbuf are now unsigned so that wraparound is
	defined, this makes the overflow checks simpler. Problem detected by
	oss-fuzz using the fuzz_sudoers fuzzer.
	[6dc670d15276]

	* MANIFEST, lib/iolog/iolog_json.c,
	lib/iolog/regress/iolog_json/test3.in,
	lib/iolog/regress/iolog_json/test3.out.ok:
	Decode \u00XX in a JSON string now that we escape control chars. We
	don't write Unicode to the log.json file, only 8-bit ASCII.
	[83dcacb35309]

	* MANIFEST, include/sudo_util.h, lib/util/Makefile.in,
	lib/util/hexchar.c, lib/util/regress/hexchar/hexchar_test.c,
	lib/util/util.exp.in, plugins/sudoers/Makefile.in,
	plugins/sudoers/hexchar.c, plugins/sudoers/match_digest.c,
	plugins/sudoers/parse.h,
	plugins/sudoers/regress/parser/check_hexchar.c,
	plugins/sudoers/toke_util.c:
	Move hexchar() from the sudoers plugin to lib/util.
	[4a6c57c1b66a]

	* lib/util/mkdir_parents.c:
	sudo_open_parent_dir: adjust loop terminating condition. Checking for
	ep < pathend should be a bit clearer than ep != '\0' and has the
	advantage of working when pathend doesn't point to a NUL byte. No
	intended change in behavior.
	[cee4e0c71070]

	* lib/iolog/iolog_mkdtemp.c:
	iolog_mkdtemp: fix failure when the specified path contains
	subdirectories. This fixes a bug introduced in sudo 1.9.12.
	[ac86f3b0d94b] <1.9>

	* lib/iolog/iolog_mkdtemp.c:
	iolog_mkdtemp: fix failure when the specified path contains
	subdirectories. This fixes a bug introduced in sudo 1.9.12.
	[3a1d5b01b446]

	* lib/iolog/regress/iolog_mkpath/check_iolog_mkpath.c:
	check_iolog_mkpath: fix exit value
	[9ac13d6657f6]

2023-01-02  Todd C. Miller  <Todd.Miller@sudo.ws>

	* Merge pull request #227 from sohomdatta1/integer_underflow

	Prevent integer underflow due to environment variable
	[c6c716352077]

2023-01-02  Sohom  <sohomdatta1+git@gmail.com>

	* plugins/sudoers/env.c:
	Prevent integer underflow due to environment variable

	Guard against replacing quotes when the environment variable val_len
	is 1.
	[1b926824dcf8]

2023-01-01  Todd C. Miller  <Todd.Miller@sudo.ws>

	* lib/util/regex.c:
	glibc allows the ',' in {low,high} to be escaped with a backslash.
	Adjust bound parsing to match this.
	[b2bbac2bab6a]

2022-12-31  Todd C. Miller  <Todd.Miller@sudo.ws>

	* configure, configure.ac:
	Fix logic goof in 05781ba6f1f3, disable replacements when fuzzing.
	Not the other way around.
	[abcf2deb9d0e]

2022-12-30  Todd C. Miller  <Todd.Miller@sudo.ws>

	* configure, configure.ac, docs/sudo_plugin_python.man.in,
	docs/sudo_plugin_python.mdoc.in, docs/sudoers.man.in,
	docs/sudoers.mdoc.in:
	Substitute python plugin file name in sudo_plugin_python
	documentation. Also use prefix for group plugin fallback path
	section in sudoers manual.
	[e245808fbe74]

	* lib/iolog/Makefile.in,
	lib/iolog/regress/fuzz/fuzz_iolog_legacy.dict,
	lib/iolog/regress/fuzz/fuzz_iolog_timing.dict:
	Use correct dictionary file format. Also use the new dictionaries in
	the Makefile fuzz target.
	[c39e699cb9b6]

	* MANIFEST, lib/iolog/regress/corpus/seed/log_legacy/less.log,
	lib/iolog/regress/corpus/seed/log_legacy/smtpctl.log,
	lib/iolog/regress/corpus/seed/log_legacy/vi.log,
	lib/iolog/regress/corpus/seed/timing/timing.5,
	lib/iolog/regress/corpus/seed/timing/timing.6,
	lib/iolog/regress/corpus/seed/timing/timing.7,
	lib/iolog/regress/corpus/seed/timing/timing.8,
	lib/iolog/regress/corpus/seed/timing/timing.9:
	Add some additional entries for the I/O log fuzzer seed corpus.
	[51d4bf5f014c]

	* MANIFEST, lib/iolog/regress/fuzz/fuzz_iolog_legacy.dict,
	lib/iolog/regress/fuzz/fuzz_iolog_timing.dict:
	Add dictionaries for fuzz_iolog_legacy and fuzz_iolog_timing.
	[84d1e53ea8eb]

	* include/sudo_fatal.h:
	Don't send warn/fatal output to the debug file when fuzzing.
	[968fedf79f23]

	* lib/util/getentropy.c:
	Back out the getentropy.c portion of c648cfe9ff0f. We don't need to
	special-case FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION now that we
	use the glibc arc4random() where available.
	[7d69e44e3e9b]

2022-12-29  Todd C. Miller  <Todd.Miller@sudo.ws>

	* lib/iolog/regress/fuzz/fuzz_iolog_json.c,
	lib/iolog/regress/fuzz/fuzz_iolog_legacy.c,
	lib/iolog/regress/fuzz/fuzz_iolog_timing.c,
	lib/util/regress/fuzz/fuzz_sudo_conf.c,
	logsrvd/regress/fuzz/fuzz_logsrvd_conf.c,
	plugins/sudoers/regress/fuzz/fuzz_policy.c,
	plugins/sudoers/regress/fuzz/fuzz_sudoers.c,
	plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c:
	Use initprogname(), not setprogname() in the fuzzers. This results
	in better coverage for progname.c.
	[dede53f4b0db]

	* lib/util/regress/sudo_conf/conf_test.c,
	lib/util/regress/sudo_conf/test1.out.ok,
	lib/util/regress/sudo_conf/test2.out.ok,
	lib/util/regress/sudo_conf/test3.out.ok,
	lib/util/regress/sudo_conf/test4.out.ok,
	lib/util/regress/sudo_conf/test5.out.ok,
	lib/util/regress/sudo_conf/test6.out.ok,
	lib/util/regress/sudo_conf/test7.out.ok:
	Add probe_interfaces and intercept_path.
	[f00ecf67a5e1]

	* lib/util/regress/fuzz/fuzz_sudo_conf.c:
	Exercise getter functions.
	[3208a9508724]

	* configure, configure.ac:
	Avoid using our function replacements when fuzzing (where possible).
	We don't want to fuzz the function replacements themselves as this
	can skew the coverage reports.
	[05781ba6f1f3]

	* plugins/python/regress/check_python_examples.c:
	Disable sudo_debug tests when fuzzing. The debug code is disabled
	when fuzzing is enabled to avoid coverage issues.
	[2c90549a0918]

	* lib/util/fatal.c, lib/util/getentropy.c, lib/util/sudo_conf.c:
	Avoid compiling some code paths that are unreachable when fuzzing.
	[c648cfe9ff0f]

	* plugins/sudoers/regress/serialize_list/check_serialize_list.c:
	Plug memory leak.
	[6189ff1db193]

2022-12-28  Todd C. Miller  <Todd.Miller@sudo.ws>

	* plugins/sudoers/regress/fuzz/fuzz_policy.dict:
	Update fuzz_policy keywords to match current policy settings.
	[0db960f83cf1]

	* plugins/sudoers/regress/fuzz/fuzz_sudoers.dict:
	Add example users and groups to the dictionary.
	[6fd8ad758aed]

	* plugins/sudoers/env.c, plugins/sudoers/sudoers.c, src/parse_args.c:
	parse_args: an environment variable may not start with '='. Also
	check VAR=val format in validate_env_vars() and add an error message
	if insert_env_vars() fails.
	[b9b9acae1671]
[--snip--]
