This patch will upgrade Sudo version 1.8.4 patchlevel 1 to Sudo
version 1.8.4 patchlevel 2.  To apply:

    $ cd sudo-1.8.4p1
    $ patch -p1 < sudo-1.8.4p2.patch

diff -urNa sudo-1.8.4p1/ChangeLog sudo-1.8.4p2/ChangeLog
--- sudo-1.8.4p1/ChangeLog	Tue Feb 21 05:25:58 2012
+++ sudo-1.8.4p2/ChangeLog	Mon Feb 27 14:59:37 2012
@@ -1,8 +1,42 @@
+2012-02-27  Todd C. Miller  <Todd.Miller@courtesan.com>
+
+	* NEWS, configure, configure.in:
+	bump version to 1.8.4p2
+	[db564e1c02cf] [tip] <1.8>
+
+	* src/exec_pty.c:
+	Fix typo in safe_close() made while converting to debug framework
+	that prevented it from actually closing anything.
+	[833a8ce346d2] <1.8>
+
+	* common/Makefile.in, compat/Makefile.in, doc/Makefile.in,
+	include/Makefile.in:
+	We need sysconfdir in compat/Makfile to get the proper sudo.conf
+	path. Add standard prefix and foodir expansion in all Makefiles to
+	avoid this problem in the future.
+	[ce1caa89c24d] <1.8>
+
+2012-02-24  Todd C. Miller  <Todd.Miller@courtesan.com>
+
+	* plugins/sudoers/ldap.c:
+	When adding gids to the LDAP filter, only add the primary gid once.
+	This is consistent with the space computation/allocation. From Eric
+	Lakin
+	[229db740f035] <1.8>
+
+	* doc/TROUBLESHOOTING:
+	Add entry for AIX enhanced RBAC config.
+	[24f1e176e398] <1.8>
+
+	* mkpkg:
+	Target Mac OS X 10.5 when building packages.
+	[7b296251013d] <1.8>
+
 2012-02-21  Todd C. Miller  <Todd.Miller@courtesan.com>
 
 	* .hgtags:
 	Added tag SUDO_1_8_4p1 for changeset aeb6b9701150
-	[26bc7af7c304] [tip] <1.8>
+	[26bc7af7c304] <1.8>
 
 	* NEWS:
 	List 1.8.4p1
diff -urNa sudo-1.8.4p1/NEWS sudo-1.8.4p2/NEWS
--- sudo-1.8.4p1/NEWS	Tue Feb 21 05:25:10 2012
+++ sudo-1.8.4p2/NEWS	Mon Feb 27 14:57:34 2012
@@ -1,3 +1,14 @@
+What's new in Sudo 1.8.4p2?
+
+ * Fixed a bug introduced in Sudo 1.8.4 where insufficient space
+   was allocated for group IDs in the LDAP filter.
+
+ * Fixed a bug introduced in Sudo 1.8.4 where the path to sudo.conf
+   was "/sudo.conf" instead of "/etc/sudo.conf".
+
+ * Fixed a bug introduced in Sudo 1.8.4 which could cause a hang
+   when I/O logging is enabled and input is from a pipe or file.
+
 What's new in Sudo 1.8.4p1?
 
  * Fixed a bug introduced in sudo 1.8.4 that broke adding to or
diff -urNa sudo-1.8.4p1/common/Makefile.in sudo-1.8.4p2/common/Makefile.in
--- sudo-1.8.4p1/common/Makefile.in	Mon Feb  6 16:01:58 2012
+++ sudo-1.8.4p2/common/Makefile.in	Mon Feb 27 14:45:08 2012
@@ -25,6 +25,16 @@
 top_srcdir = @top_srcdir@
 incdir = $(top_srcdir)/include
 
+# Where to install things...
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+bindir = @bindir@
+sbindir = @sbindir@
+sysconfdir = @sysconfdir@
+libexecdir = @libexecdir@
+datarootdir = @datarootdir@
+localstatedir = @localstatedir@
+
 # Compiler & tools to use
 CC = @CC@
 LIBTOOL = @LIBTOOL@
diff -urNa sudo-1.8.4p1/compat/Makefile.in sudo-1.8.4p2/compat/Makefile.in
--- sudo-1.8.4p1/compat/Makefile.in	Tue Jan 17 10:28:14 2012
+++ sudo-1.8.4p2/compat/Makefile.in	Mon Feb 27 14:45:08 2012
@@ -25,6 +25,16 @@
 top_srcdir = @top_srcdir@
 incdir = $(top_srcdir)/include
 
+# Where to install things...
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+bindir = @bindir@
+sbindir = @sbindir@
+sysconfdir = @sysconfdir@
+libexecdir = @libexecdir@
+datarootdir = @datarootdir@
+localstatedir = @localstatedir@
+
 # Compiler & tools to use
 CC = @CC@
 LIBTOOL = @LIBTOOL@
diff -urNa sudo-1.8.4p1/configure sudo-1.8.4p2/configure
--- sudo-1.8.4p1/configure	Tue Feb 21 05:17:59 2012
+++ sudo-1.8.4p2/configure	Mon Feb 27 14:46:52 2012
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.68 for sudo 1.8.4p1.
+# Generated by GNU Autoconf 2.68 for sudo 1.8.4p2.
 #
 # Report bugs to <http://www.sudo.ws/bugs/>.
 #
@@ -570,8 +570,8 @@
 # Identity of this package.
 PACKAGE_NAME='sudo'
 PACKAGE_TARNAME='sudo'
-PACKAGE_VERSION='1.8.4p1'
-PACKAGE_STRING='sudo 1.8.4p1'
+PACKAGE_VERSION='1.8.4p2'
+PACKAGE_STRING='sudo 1.8.4p2'
 PACKAGE_BUGREPORT='http://www.sudo.ws/bugs/'
 PACKAGE_URL=''
 
@@ -1447,7 +1447,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures sudo 1.8.4p1 to adapt to many kinds of systems.
+\`configure' configures sudo 1.8.4p2 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1512,7 +1512,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of sudo 1.8.4p1:";;
+     short | recursive ) echo "Configuration of sudo 1.8.4p2:";;
    esac
   cat <<\_ACEOF
 
@@ -1730,7 +1730,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-sudo configure 1.8.4p1
+sudo configure 1.8.4p2
 generated by GNU Autoconf 2.68
 
 Copyright (C) 2010 Free Software Foundation, Inc.
@@ -2434,7 +2434,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by sudo $as_me 1.8.4p1, which was
+It was created by sudo $as_me 1.8.4p2, which was
 generated by GNU Autoconf 2.68.  Invocation command line was
 
   $ $0 $@
@@ -20506,7 +20506,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by sudo $as_me 1.8.4p1, which was
+This file was extended by sudo $as_me 1.8.4p2, which was
 generated by GNU Autoconf 2.68.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -20572,7 +20572,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-sudo config.status 1.8.4p1
+sudo config.status 1.8.4p2
 configured by $0, generated by GNU Autoconf 2.68,
   with options \\"\$ac_cs_config\\"
 
diff -urNa sudo-1.8.4p1/configure.in sudo-1.8.4p2/configure.in
--- sudo-1.8.4p1/configure.in	Tue Feb 21 05:17:48 2012
+++ sudo-1.8.4p2/configure.in	Mon Feb 27 14:46:46 2012
@@ -3,7 +3,7 @@
 dnl
 dnl Copyright (c) 1994-1996,1998-2012 Todd C. Miller <Todd.Miller@courtesan.com>
 dnl
-AC_INIT([sudo], [1.8.4p1], [http://www.sudo.ws/bugs/], [sudo])
+AC_INIT([sudo], [1.8.4p2], [http://www.sudo.ws/bugs/], [sudo])
 AC_CONFIG_HEADER([config.h pathnames.h])
 dnl
 dnl Note: this must come after AC_INIT
diff -urNa sudo-1.8.4p1/doc/Makefile.in sudo-1.8.4p2/doc/Makefile.in
--- sudo-1.8.4p1/doc/Makefile.in	Thu Feb  9 11:20:22 2012
+++ sudo-1.8.4p2/doc/Makefile.in	Mon Feb 27 14:45:08 2012
@@ -32,6 +32,11 @@
 
 # Where to install things...
 prefix = @prefix@
+exec_prefix = @exec_prefix@
+bindir = @bindir@
+sbindir = @sbindir@
+sysconfdir = @sysconfdir@
+libexecdir = @libexecdir@
 datarootdir = @datarootdir@
 localstatedir = @localstatedir@
 mandir = @mandir@
diff -urNa sudo-1.8.4p1/doc/TROUBLESHOOTING sudo-1.8.4p2/doc/TROUBLESHOOTING
--- sudo-1.8.4p1/doc/TROUBLESHOOTING	Wed Jan  4 12:47:41 2012
+++ sudo-1.8.4p2/doc/TROUBLESHOOTING	Fri Feb 24 17:31:05 2012
@@ -202,6 +202,17 @@
    Alternately, if you do not mind your password being echoed to the
    screen, you can use the "visiblepw" sudoers option to allow this.
 
+Q) When I run sudo on AIX I get the following error:
+    setuidx(ID_EFFECTIVE|ID_REAL|ID_SAVED, ROOT_UID): Operation not permitted.
+A) AIX's Enhanced RBAC is preventing sudo from running.  To fix
+   this, add the following entry to /etc/security/privcmds (adjust
+   the path to sudo as needed) and run the setkst command as root:
+
+    /usr/local/bin/sudo:
+	    accessauths = ALLOW_ALL
+	    innateprivs = PV_DAC_UID,PV_DAC_GID
+	    secflags = FSF_EPS
+
 Q) How do you pronounce `sudo'?
 A) The official pronunciation is soo-doo (for su "do").  However, an
    alternate pronunciation, a homophone of "pseudo", is also common.
diff -urNa sudo-1.8.4p1/include/Makefile.in sudo-1.8.4p2/include/Makefile.in
--- sudo-1.8.4p1/include/Makefile.in	Thu Feb  9 11:20:22 2012
+++ sudo-1.8.4p2/include/Makefile.in	Mon Feb 27 14:45:08 2012
@@ -29,6 +29,11 @@
 
 # Where to install things...
 prefix = @prefix@
+exec_prefix = @exec_prefix@
+bindir = @bindir@
+sbindir = @sbindir@
+sysconfdir = @sysconfdir@
+libexecdir = @libexecdir@
 datarootdir = @datarootdir@
 localstatedir = @localstatedir@
 
diff -urNa sudo-1.8.4p1/mkpkg sudo-1.8.4p2/mkpkg
--- sudo-1.8.4p1/mkpkg	Tue Feb  7 11:50:46 2012
+++ sudo-1.8.4p2/mkpkg	Fri Feb 24 17:30:23 2012
@@ -227,9 +227,11 @@
 		$configure_opts"
 	;;
     macos*)
-	# Build universal binaries, curently intel-only
-	export CFLAGS="-O2 -g -arch i386 -arch x86_64"
-	export LDFLAGS="-arch i386 -arch x86_64"
+	# Build universal binaries (intel-only) targetting Mac OS X 10.5
+	ARCH_FLAGS="-arch i386 -arch x86_64"
+	SDK_FLAGS="-isysroot /Developer/SDKs/MacOSX10.5.sdk -mmacosx-version-min=10.5"
+	export CFLAGS="-O2 -g $ARCH_FLAGS $SDK_FLAGS"
+	export LDFLAGS="$ARCH_FLAGS $SDK_FLAGS"
 	# Note, must indent with tabs, not spaces due to IFS trickery
 	configure_opts="--prefix=$prefix
 		--with-pam
diff -urNa sudo-1.8.4p1/plugins/sudoers/ldap.c sudo-1.8.4p2/plugins/sudoers/ldap.c
--- sudo-1.8.4p1/plugins/sudoers/ldap.c	Wed Jan  4 12:56:29 2012
+++ sudo-1.8.4p2/plugins/sudoers/ldap.c	Fri Feb 24 17:31:12 2012
@@ -1166,6 +1166,8 @@
 	    (void) strlcat(buf, ")", sz);
 	}
 	for (i = 0; i < grlist->ngids; i++) {
+	    if (pw->pw_gid == grlist->gids[i])
+		continue;
 	    (void) snprintf(gidbuf, sizeof(gidbuf), "%u",
 		(unsigned int)grlist->gids[i]);
 	    (void) strlcat(buf, "(sudoUser=%#", sz);
diff -urNa sudo-1.8.4p1/src/exec_pty.c sudo-1.8.4p2/src/exec_pty.c
--- sudo-1.8.4p1/src/exec_pty.c	Wed Jan 25 14:58:28 2012
+++ sudo-1.8.4p2/src/exec_pty.c	Mon Feb 27 14:46:29 2012
@@ -1251,5 +1251,5 @@
 	errno = EINVAL;
 	return -1;
     }
-    debug_return_int(fd);
+    debug_return_int(close(fd));
 }