2025-07-24  Todd C. Miller  <Todd.Miller@sudo.ws>

	* :
	Merge sudo 1.9.17p2 from branch 'main' into sudo-1.9
	[d1b48c651]

	* configure, configure.ac:
	Fix check for which man page type to use with nroff

	Fixes a bug where configure would use *.man instead of *.mdoc on
	systems without mandoc. Bug #1077.
	[aa2498e46]

	* plugins/sudoers/log_client.c:
	client_msg_cb: make warning match the function that failed
	[f73162df3]

2025-07-23  Todd C. Miller  <Todd.Miller@sudo.ws>

	* NEWS, configure, configure.ac:
	Sudo 1.9.17p2
	[f0e1a5ca3]

	* plugins/sudoers/match_command.c, plugins/sudoers/match_digest.c:
	digest_matches: plug fd leak on snprintf() failure
	[26a1a7529]

2025-07-21  Todd C. Miller  <Todd.Miller@sudo.ws>

	* etc/sudo-logsrvd.pp, etc/sudo-python.pp, etc/sudo.pp,
	scripts/mkpkg:
	Add a way to override pp_rpm_arch when building rpms

	This will be used to build x86_64_v2 packages for Alma Linux.
	[55d3c99c4]

	* configure, configure.ac:
	Fix check for which man page type to use with nroff

	Fixes a bug where configure would use *.man instead of *.mdoc on
	systems without mandoc.
	[2dc10cfbd]

	* plugins/sudoers/timestamp.c:
	ts_write: call lseek after ftruncate on short write

	We need to make sure the file position is reset to the old EOF on
	error.
	[8e7e0e23f]

2025-07-20  Todd C. Miller  <Todd.Miller@sudo.ws>

	* src/exec_ptrace.c:
	ptrace_readv_string: quiet sign-compare warning
	[fac2a49e7]

	* src/exec_ptrace.c:
	ptrace_readv_string: properly handle reads of more than one page

	When the "intercept" and "intercept_verify" options are enabled and
	either argv[] or envp[] contains a string larger than the page size
	(usually 4096), ptrace_readv_string() would fill the buffer with
	multiple copies of the same string. Fixes GitHub issue #453.
	[2e93eabed]

2025-07-14  Todd C. Miller  <Todd.Miller@sudo.ws>

	* src/exec_pty.c:
	revoke_pty: use killpg() not kill() to send HUP to the process group

	Also make sure we never call killpg(-1, SIGHUP), which would send
	SIGHUP to process 1 (init). It is possible for cmnd_pid to be -1 in
	certain error conditions where sudo killed the command itself. This
	may explain GitHub issue #458.
	[fb208d383]

2025-07-08  Todd C. Miller  <Todd.Miller@sudo.ws>

	* etc/sudo-logsrvd.pp, etc/sudo-python.pp, etc/sudo.pp, scripts/pp:
	Don't assume RHEL major version is only a single digit

	Fixes handling of RHEL 10 and higher.
	[e5d953f33]

	* plugins/sudoers/visudo.c:
	visudo: create temporary file as mod 0600 not 0700

	This was due to a typo in the mode field when the temporary file was
	created. Noticed by Bjorn Baron of the sudo-rs project.
	[1c254b330]

2025-06-30  Todd C. Miller  <Todd.Miller@sudo.ws>

	* Makefile.in:
	We now build sudo releases from git, not mercurial
	[cb4e26734]

2025-06-28  Todd C. Miller  <Todd.Miller@sudo.ws>

	* NEWS, configure, configure.ac:
	Sudo 1.9.17p1
	[a377770c6]

	* NEWS, configure, configure.ac:
	Sudo 1.9.17p1
	[23aff2b37]

2025-06-07  Todd C. Miller  <Todd.Miller@sudo.ws>

	* docs/sudo.man.in, docs/sudo.mdoc.in, docs/sudoers.man.in,
	docs/sudoers.mdoc.in, plugins/sudoers/gram.c,
	plugins/sudoers/gram.y,
	plugins/sudoers/regress/sudoers/test24.toke.ok,
	plugins/sudoers/regress/testsudoers/test20.out.ok,
	plugins/sudoers/regress/testsudoers/test26.out.ok,
	plugins/sudoers/visudo_cb.c, src/parse_args.c:
	Deprecate chroot support
	[7a6ee32a9]

2025-04-06  Todd C. Miller  <Todd.Miller@sudo.ws>

	* MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/editor.c,
	plugins/sudoers/find_path.c, plugins/sudoers/goodpath.c,
	plugins/sudoers/match_command.c, plugins/sudoers/match_digest.c,
	plugins/sudoers/parse.h, plugins/sudoers/pivot.c,
	plugins/sudoers/pivot.h,
	plugins/sudoers/regress/editor/check_editor.c,
	plugins/sudoers/regress/fuzz/fuzz_policy.c,
	plugins/sudoers/regress/fuzz/fuzz_stubs.c,
	plugins/sudoers/resolve_cmnd.c, plugins/sudoers/stubs.c,
	plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h,
	plugins/sudoers/testsudoers.c:
	Revert pivot_root and go back to prepending the new root directory.

	We cannot perform passwd/group lookups _after_ changing the root
	directory. This does mean that symbolic links in a path are not
	currently handled properly when matching chroot()ed commands.

	Fixes a local privilege escalation vulnerability where a user could
	craft their own nsswitch.conf file to load a shared library of their
	choosing and run arbitrary code. CVE-2025-32463

	Reported by Rich Mirch @ Stratascale Cyber Research Unit (CRU).
	[fffcc07c5]

2025-04-01  Todd C. Miller  <Todd.Miller@sudo.ws>

	* plugins/sudoers/sudoers.c:
	Only allow a remote host to be specified when listing privileges.

	This fixes a bug where a user with sudoers privileges on a different
	host could execute a command on the local host, even if the sudoers
	file would not otherwise allow this. CVE-2025-32462

	Reported by Rich Mirch @ Stratascale Cyber Research Unit (CRU).
	[f8ff956e1]

2025-06-07  Todd C. Miller  <Todd.Miller@sudo.ws>

	* docs/sudo.man.in, docs/sudo.mdoc.in, docs/sudoers.man.in,
	docs/sudoers.mdoc.in, plugins/sudoers/gram.c,
	plugins/sudoers/gram.y,
	plugins/sudoers/regress/sudoers/test24.toke.ok,
	plugins/sudoers/regress/testsudoers/test20.out.ok,
	plugins/sudoers/regress/testsudoers/test26.out.ok,
	plugins/sudoers/visudo_cb.c, src/parse_args.c:
	Deprecate chroot support
	[bc88e5cbd]

2025-04-06  Todd C. Miller  <Todd.Miller@sudo.ws>

	* MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/editor.c,
	plugins/sudoers/find_path.c, plugins/sudoers/goodpath.c,
	plugins/sudoers/match_command.c, plugins/sudoers/match_digest.c,
	plugins/sudoers/parse.h, plugins/sudoers/pivot.c,
	plugins/sudoers/pivot.h,
	plugins/sudoers/regress/editor/check_editor.c,
	plugins/sudoers/regress/fuzz/fuzz_policy.c,
	plugins/sudoers/regress/fuzz/fuzz_stubs.c,
	plugins/sudoers/resolve_cmnd.c, plugins/sudoers/stubs.c,
	plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h,
	plugins/sudoers/testsudoers.c:
	Revert pivot_root and go back to prepending the new root directory.

	We cannot perform passwd/group lookups _after_ changing the root
	directory. This does mean that symbolic links in a path are not
	currently handled properly when matching chroot()ed commands.

	Fixes a local privilege escalation vulnerability where a user could
	craft their own nsswitch.conf file to load a shared library of their
	choosing and run arbitrary code. CVE-2025-32463

	Reported by Rich Mirch @ Stratascale Cyber Research Unit (CRU).
	[fdafc2ceb]

2025-04-01  Todd C. Miller  <Todd.Miller@sudo.ws>

	* plugins/sudoers/sudoers.c:
	Only allow a remote host to be specified when listing privileges.

	This fixes a bug where a user with sudoers privileges on a different
	host could execute a command on the local host, even if the sudoers
	file would not otherwise allow this. CVE-2025-32462

	Reported by Rich Mirch @ Stratascale Cyber Research Unit (CRU).
	[d53036782]

2025-06-21  Todd C. Miller  <Todd.Miller@sudo.ws>

	* MANIFEST:
	Add missing tests
	[51c348810]

2025-06-17  Todd C. Miller  <Todd.Miller@sudo.ws>

	* :
	Merge sudo 1.9.17 from branch 'main' into sudo-1.9
	[84e7ca675]

2025-06-17  Rose  <gfunni234@gmail.com>

	* lib/iolog/iolog_write.c, plugins/python/regress/iohelpers.c,
	plugins/sudoers/sudo_printf.c, src/conversation.c:
	Properly check against errors against fwrite

	fwrite is not the same as write; you have to explicitly compare
	against the length to detect errors, and sometimes number of items
	is mistaken for length.
	[5fad16bda]

2025-06-12  Todd C. Miller  <Todd.Miller@sudo.ws>

	* docs/CONTRIBUTING.md:
	No more mercurial repo, point to git.sudo.ws instead.
	[e6cf241b0]

2025-06-09  Todd C. Miller  <Todd.Miller@sudo.ws>

	* NEWS:
	fix typo
	[fd6aa4932]

2025-06-08  Todd C. Miller  <Todd.Miller@sudo.ws>

	* plugins/sudoers/po/ca.mo, plugins/sudoers/po/ca.po,
	plugins/sudoers/po/fur.mo, plugins/sudoers/po/fur.po,
	plugins/sudoers/po/hr.mo, plugins/sudoers/po/hr.po,
	plugins/sudoers/po/it.mo, plugins/sudoers/po/it.po,
	plugins/sudoers/po/pt.mo, plugins/sudoers/po/pt.po,
	plugins/sudoers/po/pt_BR.mo, plugins/sudoers/po/pt_BR.po,
	plugins/sudoers/po/sr.mo, plugins/sudoers/po/sr.po,
	plugins/sudoers/po/zh_TW.mo, plugins/sudoers/po/zh_TW.po, po/ca.mo,
	po/ca.po, po/fur.mo, po/fur.po, po/hr.mo, po/hr.po, po/it.mo,
	po/it.po, po/pt.mo, po/pt.po, po/pt_BR.mo, po/pt_BR.po, po/sr.mo,
	po/sr.po, po/yue.mo, po/zh_TW.mo, po/zh_TW.po:
	Updated translations from translationproject.org
	[04a811750]

	* plugins/sudoers/po/sudoers.pot, po/sudo.pot:
	Update .pot files for 1.9.17
	[d861a00a6]

	* NEWS, configure, configure.ac:
	Sudo 1.9.17
	[cb3355e9d]

	* MANIFEST:
	Add Cantonese translation from GitHub
	[60fff3a3d]

	* scripts/check_man.in:
	Fix typo
	[57f67f67f]

2025-03-13  cantonese-sra  <cantonese.sra@proton.me>

	* po/yue.mo, po/yue.po:
	yue translation
	[666d8c175]

2025-06-08  Todd C. Miller  <Todd.Miller@sudo.ws>

	* plugins/sudoers/env.c:
	Fix typo
	[ee1383e31]

2025-06-07  Todd C. Miller  <Todd.Miller@sudo.ws>

	* docs/sudo.man.in, docs/sudo.mdoc.in, plugins/sudoers/env.c:
	Add SUDO_TTY environment variable if the user has a tty

	This can be used to find the user's original tty device when sudo
	runs the command in its own pty. GitHub issue #447.
	[afd01d856]

2025-06-04  Rose  <gfunni234@gmail.com>

	* lib/iolog/regress/iolog_path/check_iolog_path.c,
	logsrvd/iolog_writer.c:
	Restrict-qualify a few methods that are listed as such
	[a925829e6]

2025-05-22  Todd C. Miller  <Todd.Miller@sudo.ws>

	* include/sudo_util.h, lib/util/term.c, lib/util/util.exp.in,
	src/tgetpass.c:
	Use TCSAFLUSH not TCSADRAIN when disabling echo

	A long time ago this was changed from TCSAFLUSH to TCSADRAIN due to
	some systems having problems with TCSAFLUSH. That should no longer
	be a concern. Using TCSAFLUSH ensures that password input that has
	been received by the kernel, but not yet read by sudo, will be
	discarded and not echoed.
	[77fe6ae51]

2025-04-30  Todd C. Miller  <Todd.Miller@sudo.ws>

	* plugins/sudoers/logging.c:
	log_failure: only display "command not found" if running a command

	If the user is not allowed to run a command, we try to give them a
	more useful message than "Sorry, user foo may not run sudo on bar."
	However, this should only be done when running, not listing, a
	command. Otherwise, it would be possible for a user with no sudo
	privileges to use "sudo -l /path/to/some/command" to determine
	whether an executable exists in a directory that they do not have
	search access to.
	[82ebb1eaa]

2025-03-30  Todd C. Miller  <Todd.Miller@sudo.ws>

	* plugins/sudoers/auth/passwd.c:
	Use constant-time string compare for plain text password check.

	Avoid potential password guessing based on timing attacks on the
	strcmp() function. Reported by Quarkslab.
	[111fd83fb]

2025-04-30  Todd C. Miller  <Todd.Miller@sudo.ws>

	* plugins/sudoers/check.c:
	check_user: refactor the "running as self" check into its own
	function
	[a294a8be0]

	* plugins/sudoers/check.c:
	check_user: restrict the special case for running as the invoking
	user

	The intent is to allow the user to run a command or edit a file as
	themself without entering a password. It should not apply to listing
	a command via "sudo -l command".
	[28837b2af]

2025-04-28  Todd C. Miller  <Todd.Miller@sudo.ws>

	* docs/cvtsudoers.man.in, docs/sudo.conf.man.in, docs/sudo.man.in,
	docs/sudo_logsrv.proto.man.in, docs/sudo_logsrvd.conf.man.in,
	docs/sudo_logsrvd.man.in, docs/sudo_plugin.man.in,
	docs/sudo_plugin_python.man.in, docs/sudo_sendlog.man.in,
	docs/sudoers.ldap.man.in, docs/sudoers.man.in,
	docs/sudoers_timestamp.man.in, docs/sudoreplay.man.in,
	docs/visudo.man.in:
	Regenerate man format manuals
	[9c98d0f4a]

	* docs/sudo.conf.mdoc.in, examples/sudo.conf.in:
	Sync "Path intercept" comment with default sudo.conf and man page
	[b876e3bbf]

2025-04-28  peppapig450  <peppapig450@pm.me>

	* docs/sudo_logsrv.proto.mdoc.in:
	Fix typo and update Protocol Buffers URL in sudo_logsrv.proto man
	page

	- Remove duplicate "The" in description of log_id field.
	- Update outdated Protocol Buffers link from
	  https://developers.google.com/protocol-buffers/ to
	  https://protobuf.dev, the new canonical URL.

	Signed-off-by: peppapig450 <peppapig450@pm.me>
	[d173674c2]

	* docs/sudoers.ldap.mdoc.in:
	Fix minor grammar errors in sudoers.ldap man page

	Signed-off-by: peppapig450 <peppapig450@pm.me>
	[334e23183]

	* docs/cvtsudoers.mdoc.in, docs/sudo.mdoc.in,
	docs/sudo_logsrv.proto.mdoc.in, docs/sudo_logsrvd.conf.mdoc.in,
	docs/sudo_logsrvd.mdoc.in, docs/sudo_plugin.mdoc.in,
	docs/sudo_plugin_python.mdoc.in, docs/sudo_sendlog.mdoc.in,
	docs/sudoers.ldap.mdoc.in, docs/sudoers.mdoc.in,
	docs/sudoers_timestamp.mdoc.in, docs/sudoreplay.mdoc.in,
	docs/visudo.mdoc.in:
	Fix typo: 'Please not report' → 'Please do not report' in
	documentation

	Signed-off-by: peppapig450 <peppapig450@pm.me>
	[aa5d4b2b4]

	* docs/sudo.conf.mdoc.in:
	Fix minor grammar and spelling issues in sudo.conf man page

	Signed-off-by: peppapig450 <peppapig450@pm.me>
	[2f4d6bfe2]

2025-03-31  Todd C. Miller  <Todd.Miller@sudo.ws>

	* logsrvd/iolog_writer.c, logsrvd/logsrvd_local.c,
	plugins/audit_json/audit_json.c:
	Free existing contents of struct eventlog before overwriting.

	In the unlikely event that there are duplicate keys in info_msgs,
	free the old string before overwriting with the new one.
	[ce0ec8ddc]

	* src/tgetpass.c:
	Use a pointer to end of buffer instead of tracking space left.

	Fixes a problem in feedback mode where an initial backspace would
	reduce the effective buffer size. GitHub issue #439
	[e8695d536]

2025-03-09  Todd C. Miller  <Todd.Miller@sudo.ws>

	* .gitignore, .hgignore:
	Ignore scripts/check_man
	[627ae4b09]

2025-03-08  Todd C. Miller  <Todd.Miller@sudo.ws>

	* INSTALL.md, config.h.in, configure, configure.ac,
	plugins/sudoers/defaults.c:
	Make ignore_dot the default

	Add --disable-ignore-dot to disable it and deprecate
	--with-ignore-dot.
	[fce45b276]

2025-02-27  Todd C. Miller  <Todd.Miller@sudo.ws>

	* docs/sudo_logsrv.proto.man.in, docs/sudo_logsrv.proto.mdoc.in,
	docs/sudo_logsrvd.conf.man.in, docs/sudo_logsrvd.conf.mdoc.in,
	docs/sudoers.man.in, docs/sudoers.mdoc.in, docs/sudoreplay.man.in,
	docs/sudoreplay.mdoc.in:
	Dash/hyphen related style fixes from check_man.
	[ff3c2185f]

	* scripts/check_man.in:
	Add hyphen/dash checks
	[eae70b05c]

2025-02-24  Todd C. Miller  <Todd.Miller@sudo.ws>

	* MANIFEST, configure, configure.ac, docs/Makefile.in,
	scripts/check_man.in:
	Add check_man script to check for man page warnings.
	[c2e77b713]

2025-02-26  Todd C. Miller  <Todd.Miller@sudo.ws>

	* docs/sudo_plugin_python.man.in, docs/sudo_plugin_python.mdoc.in:
	Sync sudo.DEBUG descriptions with comments in sudo_debug.h.
	[38c0bdd7a]

2025-02-23  Todd C. Miller  <Todd.Miller@sudo.ws>

	* docs/sudo.conf.man.in, docs/sudo.conf.man.in.sed,
	docs/sudo.man.in, docs/sudo.man.in.sed, docs/sudoers.man.in,
	docs/sudoers.man.in.sed:
	Sync sed scripts that add back troff conditionals.

	The sudo manuals contain conditionals to avoid describing
	system-specific behavior on systems that don't support it. When we
	convert from mdoc to man format we lose those conditionals; these
	sed scripts add them back. Changes to the mdoc files can prevent the
	regexps from matching so they need to be updated periodically.
	[cf1b87c71]

2025-02-22  Todd C. Miller  <Todd.Miller@sudo.ws>

	* docs/cvtsudoers.man.in, docs/cvtsudoers.mdoc.in,
	docs/sudo_plugin_python.man.in, docs/sudo_plugin_python.mdoc.in:
	Fix some style warnings from "mandoc -Tlint"
	[4d331e602]

	* docs/sudoers.man.in, docs/sudoers.mdoc.in:
	Style fixes from Bjarni Ingi Gislason.
	[3ba525a34]

2025-02-14  Todd C. Miller  <Todd.Miller@sudo.ws>

	* docs/sudoers.man.in, docs/sudoers.mdoc.in:
	Most Defaults entries are applied in order.

	The exceptions are command-specific Defaults (which cannot be
	applied until the command's path is resolved) and a small number of
	"early" defaults that affect other entries.
	[b04386f63]

2025-02-11  Todd C. Miller  <Todd.Miller@sudo.ws>

	* lib/util/Makefile.in, lib/util/mksiglist.c, lib/util/mksigname.c:
	Only use system includes for mksiglist and mksigname.

	These are standalone programs that run on the host system (which may
	differ from the target system) so we should not include config.h and
	sudo_compat.h.
	[1bdead1bb]

	* Makefile.in, lib/eventlog/Makefile.in, lib/fuzzstub/Makefile.in,
	lib/iolog/Makefile.in, lib/logsrv/Makefile.in,
	lib/protobuf-c/Makefile.in, lib/ssl_compat/Makefile.in,
	lib/util/Makefile.in, logsrvd/Makefile.in,
	plugins/audit_json/Makefile.in, plugins/group_file/Makefile.in,
	plugins/python/Makefile.in, plugins/sample/Makefile.in,
	plugins/sample_approval/Makefile.in, plugins/sudoers/Makefile.in,
	plugins/system_group/Makefile.in, src/Makefile.in:
	No longer need to define NSIG for cppcheck.

	There is now a configure check that defines it as needed.
	[b0d94331c]

2025-02-08  Todd C. Miller  <Todd.Miller@sudo.ws>

	* src/exec_monitor.c, src/exec_nopty.c, src/exec_pty.c:
	Split the code to fill an exec closure into two functions.

	This lets us initialize the exec closure early and fill in the
	events later. It also makes things consistent with the exec_pty
	version.
	[1032030f8]

2025-02-10  Todd C. Miller  <Todd.Miller@sudo.ws>

	* configure, configure.ac, docs/Makefile.in:
	Run groff with warnings enabled for "make lint".
	[a4a999b5e]

	* lib/util/getentropy.c, src/sudo.c:
	Prefer POSIX getpgrp() to getpgid(0).

	We use getpgrp() in most places so prefer it for consistency with the
	rest of the code base.
	[257a078a8]

	* docs/sudo.man.in, docs/sudo_logsrv.proto.man.in,
	docs/sudoers.man.in, docs/visudo.man.in:
	regen
	[8feff96d3]

	* docs/visudo.mdoc.in:
	Make DIAGNOSTICS descriptions indent consistent with sudo.mdoc.in.
	[d3293c528]

2025-02-09  Todd C. Miller  <Todd.Miller@sudo.ws>

	* docs/sudo.mdoc.in, docs/visudo.mdoc.in:
	Avoid using ".It Li foo ..." in sudo manuals.

	The .Li macro is deprecated and makes no difference on terminal
	devices. Also avoid using items greater than 80 characters which
	will wrap incorrectly. Bug #1075.
	[dc0f16dbc]

	* docs/sudo.mdoc.in, docs/sudo_logsrv.proto.mdoc.in,
	docs/sudoers.mdoc.in:
	Fix warnings from groff -mandoc -t -K utf8 -rF0 -rHY=0 -ww -b -z

	Specify list offset and width in ens where applicable. Shorten the
	ttyname description in sudo_logsrv.proto.mdoc.in. Bug #1075.
	[aad69105d]

2025-02-08  Todd C. Miller  <Todd.Miller@sudo.ws>

	* etc/sudo-logsrvd.pp, etc/sudo-python.pp, etc/sudo.pp:
	Only package parent directories that match a non-default prefix

	For example, if sudo is installed into /opt/sudo we only want to
	package directories under /opt and not /var.
	[a9e112079]

	* plugins/sudoers/Makefile.in:
	regen
	[43f16c1d2]

	* MANIFEST:
	Add lib/util/login_max.c
	[4bb4c6a15]

2025-01-21  Todd C. Miller  <Todd.Miller@sudo.ws>

	* src/exec_pty.c:
	Initialize exec closure before calling
	sudo_fatal_callback_register()

	The pty_cleanup() function, which may be called via
	fatal()/fatalx(), expects that ec->details is set. If there is a
	fatal error after the cleanup hook is registered but before the exec
	closure is filled in, pty_cleanup() would dereference a NULL
	pointer. Reported by Bjorn Baron.
	[0be9f0f94]

2025-01-17  Mateusz Piotrowski  <0mp@FreeBSD.org>

	* src/exec_pty.c:
	Fix a typo in the description of exec_pty()
	[6fc816d90]

2025-01-16  Todd C. Miller  <Todd.Miller@sudo.ws>

	* lib/util/ttyname_dev.c:
	Quiet a -Wconversion warning.
	[a5bca1b94]

2025-01-14  Todd C. Miller  <Todd.Miller@sudo.ws>

	* lib/fuzzstub/fuzzstub.c, lib/iolog/iolog_nextid.c,
	lib/iolog/regress/iolog_filter/check_iolog_filter.c,
	lib/util/event.c, lib/util/regress/fuzz/fuzz_sudo_conf.c,
	logsrvd/logsrvd.c, logsrvd/logsrvd_local.c, logsrvd/logsrvd_relay.c,
	logsrvd/regress/fuzz/fuzz_logsrvd_conf.c, logsrvd/sendlog.c,
	plugins/sudoers/ldap.c, plugins/sudoers/log_client.c,
	plugins/sudoers/timestamp.c, plugins/sudoers/tsdump.c,
	plugins/sudoers/visudo.c, src/conversation.c, src/copy_file.c,
	src/exec_monitor.c, src/exec_ptrace.c, src/sudo_intercept_common.c,
	src/tgetpass.c, src/ttyname.c:
	Check for negative return value of read, write and lseek instead of
	-1

	The return values are used in ways that assume they are positive. In
	practice, it is not possible to have a negative return value other
	than -1 due to the size of the buffers being read from or written
	to. Also add overflow checks when updating the buffer len. Quiets
	several coverity warnings.
	[a27b989c9]

2025-01-16  Todd C. Miller  <Todd.Miller@sudo.ws>

	* .github/workflows/main.yml:
	Switch to upload-sarif v3
	[6df96785f]

	* .github/workflows/codeql-analysis.yml:
	Update codeql GitHub actions to a non-deprecated version.
	[7cc0a0cc4]

	* .github/workflows/main.yml:
	Use upload-artifact@v4, v3 is deprecated.
	[c5b86f06e]

2025-01-15  Todd C. Miller  <Todd.Miller@sudo.ws>

	* src/exec.c, src/exec_nopty.c, src/exec_pty.c, src/sudo_exec.h:
	Check the controlling tty to determine if a tty belongs to the user.

	Previously, we compared the terminal device number returned by
	get_process_ttyname() with that of stdin, stdout and stderr. This
	causes problems on Linux if the user is logged in on the console,
	which is a virtual device that may correspond to one of several
	different terminal devices. In this specific case, there is a
	mismatch between the controlling terminal listed in /proc/self/stat
	(which corresponds to the underlying terminal device) and the device
	number of stdin, stdout and stderr (which is that of /dev/console).
	[fd3ff3a0b]

	* lib/util/login_max.c, plugins/sudoers/cvtsudoers_pwutil.c,
	plugins/sudoers/pwutil_impl.c:
	Move LOGIN_NAME_MAX compat define to login_max.c
	[a3cd820d2]

2025-01-14  Todd C. Miller  <Todd.Miller@sudo.ws>

	* plugins/sudoers/toke_util.c:
	copy_string: use an end pointer to quiet a coverity warning

	Instead of modifying the len parameter and using it for bounds
	checking, compute the end of the source string and bound check on
	that instead. Also simplify the code slightly and enable debugging.
	[e3753309f]

	* plugins/sudoers/toke.c, plugins/sudoers/toke.l:
	expand_include: initialize dst_size to 1 to quiet coverity warning

	This could only be an issue if the sudoers file was an empty string,
	which is not possible.
	[af4634a1c]

	* plugins/sudoers/match_digest.c:
	digest_matches: don't initialize digest_len to -1

	This was done to quiet a coverity warning but newer coverity now
	warns about this instead.
	[34a3c84de]

	* lib/util/setgroups.c:
	Check for sysconf() negative return value instead of -1

	Quiets a coverity warning.
	[0fdbb6e2e]

	* include/sudo_util.h, lib/util/Makefile.in, lib/util/gethostname.c,
	lib/util/login_max.c, lib/util/util.exp.in,
	plugins/sudoers/cvtsudoers_pwutil.c, plugins/sudoers/match.c,
	plugins/sudoers/pwutil_impl.c:
	Add sudo_login_name_max() and sudo_host_name_max()

	These convenience functions cache the value and handle any potential
	errors from sysconf().
	[405070d48]

	* config.h.in, configure, configure.ac, include/sudo_util.h:
	Add an OFF_T_MAX define

	This will be used for integer overflow checks when copying files.
	[7c075c100]

2025-01-15  Todd C. Miller  <Todd.Miller@sudo.ws>

	* LICENSE.md:
	Update copyright year
	[30729312c]

2025-01-15  Ignacy Gawędzki  <ignacy.gawedzki@green-communications.fr>

	* src/ttyname.c:
	Fix getting ppid in get_process_ttyname for Linux.

	The ppid field in /proc/self/stat is the fourth and not the third.
	The latter is the process state (S, R, etc.).

	Signed-off-by: Ignacy Gawędzki
	<ignacy.gawedzki@green-communications.fr>
	[5794e511d]

2025-01-05  Todd C. Miller  <Todd.Miller@sudo.ws>

	* plugins/sudoers/def_data.c, plugins/sudoers/def_data.in,
	plugins/sudoers/defaults.c:
	Format T_TIMESPEC as "%d.%d" instead of "%.1f"

	This fixes the display of the timeout values in the "sudo -V" output
	on systems without a C99-compliant snprintf(). The snprintf()
	replacement sudo ships with does not support floating point.
	[01b1410d6]

2024-12-22  vayers  <violetlastname@gmail.com>

	* plugins/sudoers/sudoers.in:
	Replace tab with space

	A line in the sudoers file contains a tab where a space seems to be
	more appropriate.
	[7c121ff83]

2025-01-04  Todd C. Miller  <Todd.Miller@sudo.ws>

	* configure, configure.ac:
	Newer macOS deprecates -force_flat_namespace for -flat_namespace

	The linker warns about -force_flat_namespace and uses
	-flat_namespace instead. Check for -flat_namespace if
	-force_flat_namespace is not found.
	[103af8cb2]

	* scripts/build_pkgs:
	build_pkgs: adapt to work with a git repo
	[46831d6ef]

	* scripts/log2cl.pl:
	Remove unused -b option
	[b52ef1fbb]

2025-01-03  Todd C. Miller  <Todd.Miller@sudo.ws>

	* aclocal.m4, configure, m4/libtool.m4, m4/ltoptions.m4,
	m4/ltsugar.m4, m4/ltversion.m4, m4/lt~obsolete.m4,
	scripts/ltmain.sh:
	Update to libtool 2.5.3
	[355c82a1d]

2025-01-01  Todd C. Miller  <Todd.Miller@sudo.ws>

	* scripts/log2cl.pl:
	Add markdown mode for use with the sudo web site.
	[e13163ce0]

2024-12-27  Todd C. Miller  <Todd.Miller@sudo.ws>

	* scripts/log2cl.pl:
	Use Text::Wrap::fill() for ChangeLog body, not wrap().
	[a3c1cbd88]

2024-12-20  Todd C. Miller  <Todd.Miller@sudo.ws>

	* docs/sudo_sendlog.man.in, docs/sudo_sendlog.mdoc.in:
	Sort entries in the "SEE ALSO" section.
	[e670d2a85]

	* docs/sudo.man.in, docs/sudo.mdoc.in, src/tgetpass.c:
	If sudo is run without a tty via ssh, suggest using "ssh -t"

	The current warning message mentions using sudo's -S option but this
	will cause the password to be echoed without a terminal. In most
	cases, the user just needs to run ssh with the -t option.
	[516f72960]

	* plugins/sudoers/gram.c, plugins/sudoers/gram.h,
	plugins/sudoers/gram.y:
	The "ALL" command should not override a previous NOSETENV tag in a
	rule.

	Command tags are inherited from previous Cmnds in a Cmnd_Spec_List.
	There is a special case of the SETENV tag for the "ALL" command,
	where SETENV is implied if no explicit SETENV or NOSETENV tag is
	specified. The code to inherit the SETENV tag didn't take into
	account that an implied value for SETENV should also be overridden
	by an explicit SETENV or NOSETENV tag in the previous Cmnd in the
	Cmnd_Spec_List.
	[4dbb07c19]

2024-12-01  Todd C. Miller  <Todd.Miller@sudo.ws>

	* Makefile.in, lib/eventlog/Makefile.in, lib/fuzzstub/Makefile.in,
	lib/iolog/Makefile.in, lib/logsrv/Makefile.in,
	lib/protobuf-c/Makefile.in, lib/ssl_compat/Makefile.in,
	lib/util/Makefile.in, logsrvd/Makefile.in,
	plugins/audit_json/Makefile.in, plugins/group_file/Makefile.in,
	plugins/python/Makefile.in, plugins/sample/Makefile.in,
	plugins/sample_approval/Makefile.in, plugins/sudoers/Makefile.in,
	plugins/system_group/Makefile.in, src/Makefile.in:
	Don't need to undef _POSIX_HOST_NAME_MAX, it is not used.
	[de3b179a0]

2024-11-29  Todd C. Miller  <Todd.Miller@sudo.ws>

	* etc/codespell.ignore, src/exec_ptrace.h:
	Quiet codespell 2.3.0 complaints.
	[3226c60e6]

2024-11-28  Todd C. Miller  <Todd.Miller@sudo.ws>

	* include/sudo_compat.h, lib/util/ttyname_dev.c,
	plugins/sudoers/policy.c, plugins/sudoers/timestamp.c,
	src/regress/ttyname/check_ttyname.c, src/sudo.c, src/ttyname.c:
	Use NODEV macro instead of explicit (dev_t)-1.

	Also fix an assignment of dev_t to -1 that should be NODEV. Bug
	#1074.
	[d5028a00c]

2024-11-25  Todd C. Miller  <Todd.Miller@sudo.ws>

	* .hgtags:
	Added tag SUDO_1_9_16p2 for changeset 3c721fa0ff0c
	[015a0d717]

	* :
	Merge sudo 1.9.16p2 from tip.
	[172cbd968]

	* NEWS, configure, configure.ac:
	Sudo 1.9.16p2
	[73cbe4e7e]

2024-11-18  Todd C. Miller  <Todd.Miller@sudo.ws>

	* plugins/sudoers/sudoreplay.c:
	Work around a bug in UBSan that is causing CI failures.

	https://gcc.gnu.org/bugzilla/show_bug.cgi?id=116834
	[f8987fc0b]

2024-11-17  Todd C. Miller  <Todd.Miller@sudo.ws>

	* plugins/sudoers/cvtsudoers_pwutil.c,
	plugins/sudoers/pwutil_impl.c:
	Avoid multiple calls to sysconf() via the MAX macro.

	The expansion of MAX would result in multiple calls to sysconf(). It
	is less error-prone to store the result of sysconf() in a long.
	[da20ccec0]

	* lib/util/setgroups.c, plugins/sudoers/sudo_printf.c,
	src/conversation.c:
	Add some casts to quiet -Wconversion
	[3d85f2e98]

2024-11-16  Todd C. Miller  <Todd.Miller@sudo.ws>

	* include/sudo_plugin.h, plugins/sudoers/policy.c, src/hooks.c:
	Cast hook functions to sudo_hook_fn_t to fix C23 compile error.

	The sudo plugin API defines sudo_hook_fn_t as a function with
	unspecified arguments. This is no longer supported in C23 so use a
	variadic function for sudo_hook_fn_t instead. Moving to a union may
	be a better long-term fix. GitHub issue #420.
	[9613ef944]

	* lib/util/regress/parse_gids/parse_gids_test.c:
	Use NULL, not false, in the terminating entry of test_data[].
	[4c99e29bb]

	* plugins/sudoers/cvtsudoers_ldif.c:
	Pass NULL, not false, to sudoers_format_default_line().
	[9c63ff0e1]

	* lib/util/ttyname_dev.c:
	sudo_ttyname_dev: On Linux try to use /proc/self/fd/{0,1,2} if
	possible.

	If one of std{in,out,err} matches the specified device, try to
	resolve it to a path by using /proc/self/fd/{0,1,2}. This avoids
	searching all of /dev and works in a chroot where /proc is mounted
	but /dev/pts is not. GitHub issue #421.
	[b7efb8ab5]

2024-11-15  Todd C. Miller  <Todd.Miller@sudo.ws>

	* src/sudo.c, src/ttyname.c:
	get_process_ttyname: always return the terminal device if we find
	one.

	If sudo cannot map the device number to a device file, set name to
	the empty string. The caller now checks for an empty name and only
	passes the tty path to the plugin if it is non-empty. This allows
	sudo to run without warnings in a chroot() jail where the terminal
	device files are not present. GitHub issue #421.
	[7e8f00688]

2024-11-12  Todd C. Miller  <Todd.Miller@sudo.ws>

	* .hgtags:
	Added tag SUDO_1_9_16p1 for changeset d6059bdf2a76
	[1fbc14667]

	* :
	Merge sudo 1.9.16p1 from tip.
	[7b41190db]

	* NEWS, configure, configure.ac:
	Sudo 1.9.16p1
	[abc0baffc]

2024-11-11  Todd C. Miller  <Todd.Miller@sudo.ws>

	* plugins/sudoers/auth/pam.c:
	pam_get_item() takes a void ** arg, not const void **, on Solaris
	[0f41cd717]

	* docs/sudoers.man.in, docs/sudoers.mdoc.in:
	Shell-style substitution is not supported in env_file.

	Also document that comments are supported.
	[8b5375716]

2024-10-29  Todd C. Miller  <Todd.Miller@sudo.ws>

	* plugins/sudoers/logging.c:
	Do not send mail for "sudo -nv" or "sudo -nl"

	This avoids sending mail for users running "sudo -nv" or "sudo -nl"
	even when mail_badpass or mail_always are enabled. We already avoid
	logging in that case but mailing was not disabled when that change
	was made. Bug #1072.
	[116115229]

2024-10-28  Todd C. Miller  <Todd.Miller@sudo.ws>

	* NEWS, README.LDAP.md, docs/Makefile.in, docs/SECURITY.md,
	docs/TROUBLESHOOTING.md, docs/UPGRADE.md:
	Run igor on other docs too, not just man pages
	[9d49f861c]

	* INSTALL.md, LICENSE.md, docs/CONTRIBUTING.md, docs/UPGRADE.md:
	Remove trailing whitespace
	[5180dd802]

2024-10-28  Ikko Eltociear Ashimine  <eltociear@gmail.com>

	* NEWS:
	docs: update NEWS

	minor fix
	[28df79a24]

2024-10-05  Todd C. Miller  <Todd.Miller@sudo.ws>

	* plugins/sudoers/auth/pam.c:
	sudo_pam_verify: move PAM_USER after getpass_error check

	Move it into the PAM_SUCCESS case of the switch *pam_status switch.
	[17aa7688c]

	* plugins/sudoers/auth/pam.c:
	Fix indentation
	[52c73b8f5]
