CVE-2010-1646: Flaw in Runas group matching

Related Vulnerabilities: CVE-2010-1646   CVE-2010-2956  

Debian Bug report logs - #595935


Package: sudo; Maintainer for sudo is Bdale Garbee <bdale@gag.com>; Source for sudo is src:sudo.

Reported by: Moritz Muehlenhoff <muehlenhoff@univention.de>

Date: Tue, 7 Sep 2010 12:39:01 UTC

Severity: grave

Tags: security, sid, squeeze

Found in version sudo/1.6.9p17-2

Fixed in version sudo/1.7.4p4-1

Done: Bdale Garbee <bdale@gag.com>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#595935; Package sudo. (Tue, 07 Sep 2010 12:39:04 GMT)


Acknowledgement sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Bdale Garbee <bdale@gag.com>. (Tue, 07 Sep 2010 12:39:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <muehlenhoff@univention.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2010-1646: Flaw in Runas group matching
Date: Tue, 07 Sep 2010 14:37:35 +0200
Package: sudo
Version: 1.6.9p17-2
Severity: grave
Tags: security
Justification: user security hole

Please see http://www.sudo.ws/sudo/alerts/runas_group.html for
details. Stable is not affected.

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#595935; Package sudo. (Tue, 07 Sep 2010 12:54:07 GMT)


Acknowledgement sent to Moritz Mühlenhoff <muehlenhoff@univention.de>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. (Tue, 07 Sep 2010 12:54:07 GMT)


Message #10 received at 595935@bugs.debian.org:

From: Moritz Mühlenhoff <muehlenhoff@univention.de>
To: Debian Bug Tracking System <595935@bugs.debian.org>
Subject: Re: CVE-2010-1646: Flaw in Runas group matching
Date: Tue, 7 Sep 2010 14:45:59 +0200
Hi,

On Tuesday 07 September 2010 14:37:35, Moritz Muehlenhoff wrote:
> Package: sudo
> Version: 1.6.9p17-2
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Please see http://www.sudo.ws/sudo/alerts/runas_group.html for
> details. Stable is not affected.

The CVE ID should be CVE-2010-2956, the given ID is incorrect.

Cheers,
        Moritz
-- 
Moritz Mühlenhoff                                  muehlenhoff@univention.de   
Open Source Software Engineer and Consultant
Univention GmbH        Linux for Your Business        fon: +49 421 22 232- 0
Mary-Somerville-Str.1  28359 Bremen                   fax: +49 421 22 232-99
                                                    http://www.univention.de




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#595935; Package sudo. (Tue, 07 Sep 2010 15:09:10 GMT)


Acknowledgement sent to Bdale Garbee <bdale@gag.com>:
Extra info received and forwarded to list. (Tue, 07 Sep 2010 15:09:10 GMT)


Message #15 received at 595935@bugs.debian.org:

From: Bdale Garbee <bdale@gag.com>
To: Moritz Mühlenhoff <muehlenhoff@univention.de>, 595935@bugs.debian.org
Subject: Re: Bug#595935: CVE-2010-1646: Flaw in Runas group matching
Date: Tue, 07 Sep 2010 09:06:12 -0600
On Tue, 7 Sep 2010 14:45:59 +0200, Moritz Mühlenhoff <muehlenhoff@univention.de> wrote:
> Hi,
> 
> On Tuesday 07 September 2010 14:37:35, Moritz Muehlenhoff wrote:
> > Package: sudo
> > Version: 1.6.9p17-2
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> >
> > Please see http://www.sudo.ws/sudo/alerts/runas_group.html for
> > details. Stable is not affected.
> 
> The CVE ID should be CVE-2010-2956, the given ID is incorrect.

I'm on it, I'll make a 1.7.4p4 upload sometime today.

Bdale

Reply sent to Bdale Garbee <bdale@gag.com>:
You have taken responsibility. (Tue, 07 Sep 2010 18:51:13 GMT)


Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
Bug acknowledged by developer. (Tue, 07 Sep 2010 18:51:13 GMT)


Message #20 received at 595935-close@bugs.debian.org:

From: Bdale Garbee <bdale@gag.com>
To: 595935-close@bugs.debian.org
Subject: Bug#595935: fixed in sudo 1.7.4p4-1
Date: Tue, 07 Sep 2010 18:47:13 +0000
Source: sudo
Source-Version: 1.7.4p4-1

We believe that the bug you reported is fixed in the latest version of
sudo, which is due to be installed in the Debian FTP archive:

sudo-ldap_1.7.4p4-1_i386.deb
  to main/s/sudo/sudo-ldap_1.7.4p4-1_i386.deb
sudo_1.7.4p4-1.debian.tar.gz
  to main/s/sudo/sudo_1.7.4p4-1.debian.tar.gz
sudo_1.7.4p4-1.dsc
  to main/s/sudo/sudo_1.7.4p4-1.dsc
sudo_1.7.4p4-1_i386.deb
  to main/s/sudo/sudo_1.7.4p4-1_i386.deb
sudo_1.7.4p4.orig.tar.gz
  to main/s/sudo/sudo_1.7.4p4.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 595935@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bdale Garbee <bdale@gag.com> (supplier of updated sudo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 07 Sep 2010 12:22:42 -0600
Source: sudo
Binary: sudo sudo-ldap
Architecture: source i386
Version: 1.7.4p4-1
Distribution: unstable
Urgency: high
Maintainer: Bdale Garbee <bdale@gag.com>
Changed-By: Bdale Garbee <bdale@gag.com>
Description: 
 sudo       - Provide limited super user privileges to specific users
 sudo-ldap  - Provide limited super user privileges to specific users
Closes: 585514 593579 595935
Changes: 
 sudo (1.7.4p4-1) unstable; urgency=high
 .
   * new upstream version, urgency high due to fix for flaw in Runas group
     matching (CVE-2010-2956), closes: #595935
   * handle transition of /var/run/sudo to /var/lib/sudo better, to avoid
     re-lecturing existing users, and to clean up after ourselves on upgrade,
     and remove the RAMRUN section from README.Debian since the new state dir
     should fix the original problem, closes: #585514
   * deliver README.Debian to both package flavors, closes: #593579
Checksums-Sha1: 
 7377ad03028b524060f7c59177dec2084ebc415f 1669 sudo_1.7.4p4-1.dsc
 c873f509f80d5722989a912a42a61ad27b71453f 963663 sudo_1.7.4p4.orig.tar.gz
 18f9b133992bc9319ac353e7839d12268eea8e7b 20540 sudo_1.7.4p4-1.debian.tar.gz
 fbfb849e28bc01fbe67ee7264519455424d40d24 593020 sudo_1.7.4p4-1_i386.deb
 abd59170bb040936a4b8509f9f1c02965820eb19 618108 sudo-ldap_1.7.4p4-1_i386.deb
Checksums-Sha256: 
 8c1e64db55f5a710bb189ca5f5c5a42b57e7971833b2d586ea743932de46b2a1 1669 sudo_1.7.4p4-1.dsc
 38de3c3e08346b2b8dcb3cf7ed0813300d1a1d5696d0f338ea8a4ef232aacf97 963663 sudo_1.7.4p4.orig.tar.gz
 69ac8c9f6eac67ae70852b64cb42652ec68db77fa8a16e49e26b51743ac900cd 20540 sudo_1.7.4p4-1.debian.tar.gz
 58d36ee52632801ea1c2c8c5b618ecfeeecfb07e574261ed63105f6554ed9103 593020 sudo_1.7.4p4-1_i386.deb
 a727f634b9f54acc2757cb8457f0f4853e8e797bc80ed409bb1a6eb9e91861f1 618108 sudo-ldap_1.7.4p4-1_i386.deb
Files: 
 21044faa8d9bbe17cefe14ca2cfca167 1669 admin optional sudo_1.7.4p4-1.dsc
 55d9906535d70a1de347cd3d3550ee87 963663 admin optional sudo_1.7.4p4.orig.tar.gz
 dba734590b5fc4144a6d152828f20b84 20540 admin optional sudo_1.7.4p4-1.debian.tar.gz
 c55337a17a171c36f79b3f35d428052c 593020 admin optional sudo_1.7.4p4-1_i386.deb
 1554dd1f110ad0afc0957ad9e189229f 618108 admin optional sudo-ldap_1.7.4p4-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQIVAwUBTIaEmDqTYZbAldlBAQpzFw/+Mza268fxxzwVusVu6a3tCrCwwLMkEo0g
v83AaiyqQOEzezyhaYAlCzj1fBK2aNviVp5LAz8uKy4fxhlR/gNZ2VNfzsfUTf6z
3bbCANSiExxsHKrRlfSGVss6iLhtmqG6yAsVAIHj1Xd1vn0trJBBUgmBcAUhBhfI
sBL7Ow1zDhE0M45Y0N+5Jx/5k7cNPOmZ/GfX2ED+5relMpFiZEyvzUMvI6wa+2tg
4ObvGFqfxPcrBWUYWD0OVc98mE0wU0Y0ktowXSiXx+FrH4s03ieI4BeZNQRXKpz0
Sm+CUEqlQXN8XsoILzMbd6w1Nl4Benc8f6+3lqYMTEUNbhHJ6T8/ZV+Gt2LVJ6KX
u0ZPJKgtc3JjyUZD+jGl78yLQ6urFcqEk4gcPYOfJRWQGCAraubslvebDCBErl42
S7CNws2YYaOIicUgiA6iNqLzjpz+W2hma0iPIZIjjVjtDQ2Fer+YUknpJ4UI54yb
i2mneHkkDBMAa8uETrgG0LJ3r5RYLQIfhvHCQ9VwIiBqmyxrDILmOXhAUgGDnnit
vSIpouaSjrqI5uC9QXR6IccmwjEaxk1xYyNdtWFvg46gRa5Lw8SKvJJC/O5jSZ0i
1JiluOBUjpKC++ehSNsOwiZFn0kj+kK0fJx1LD5AzKH/45Sydgv9PBb29+hnHd+2
2SaHxcXdZAs=
=kJpr
-----END PGP SIGNATURE-----
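The signed .changes file above is what binds the uploaded artifacts to the maintainer: it carries SHA-1, SHA-256 and MD5 digests plus sizes for every file in the upload, and the PGP signature covers that list. The following is an added example (it is not code from the bug log, from Debian's tooling, or from the sudo project) showing how to parse such a checksum stanza and verify a set of downloaded files against it. The Checksums-Sha256 and Files stanzas embedded in it are copied from the .changes quoted above; the files written by demo() are constructed here so that the example runs offline, and their digests are therefore computed on the fly rather than taken from the page. The example assumes the signature on the .changes has already been verified separately (for example with gpg --verify); checking digests from an unverified .changes proves nothing about who produced the files.

```python
"""Parse the checksum stanzas of a Debian .changes file and verify files
against them.  Added example; assumes the .changes signature was already
checked, and that the files to verify sit in one directory."""
import hashlib
import hmac
import os
import re
import tempfile

# Stanzas copied from the sudo 1.7.4p4-1 .changes quoted in the bug log.
CHANGES_EXCERPT = """\
Checksums-Sha256:
 8c1e64db55f5a710bb189ca5f5c5a42b57e7971833b2d586ea743932de46b2a1 1669 sudo_1.7.4p4-1.dsc
 38de3c3e08346b2b8dcb3cf7ed0813300d1a1d5696d0f338ea8a4ef232aacf97 963663 sudo_1.7.4p4.orig.tar.gz
 69ac8c9f6eac67ae70852b64cb42652ec68db77fa8a16e49e26b51743ac900cd 20540 sudo_1.7.4p4-1.debian.tar.gz
 58d36ee52632801ea1c2c8c5b618ecfeeecfb07e574261ed63105f6554ed9103 593020 sudo_1.7.4p4-1_i386.deb
 a727f634b9f54acc2757cb8457f0f4853e8e797bc80ed409bb1a6eb9e91861f1 618108 sudo-ldap_1.7.4p4-1_i386.deb
Files:
 21044faa8d9bbe17cefe14ca2cfca167 1669 admin optional sudo_1.7.4p4-1.dsc
 55d9906535d70a1de347cd3d3550ee87 963663 admin optional sudo_1.7.4p4.orig.tar.gz
 dba734590b5fc4144a6d152828f20b84 20540 admin optional sudo_1.7.4p4-1.debian.tar.gz
 c55337a17a171c36f79b3f35d428052c 593020 admin optional sudo_1.7.4p4-1_i386.deb
 1554dd1f110ad0afc0957ad9e189229f 618108 admin optional sudo-ldap_1.7.4p4-1_i386.deb
"""

# Which hash each stanza carries ("Files" is the legacy MD5 list).
STANZA_ALGO = {"Checksums-Sha256": "sha256", "Checksums-Sha1": "sha1", "Files": "md5"}
FIELD_RE = re.compile(r"^([A-Za-z0-9-]+):(.*)$")


def parse_checksum_field(changes_text, field="Checksums-Sha256"):
    """Return {filename: (hexdigest, size)} for one multi-line checksum field.

    .changes files are RFC 822-style: a 'Field:' line followed by continuation
    lines (leading whitespace) of the form
    '<digest> <size> [<section> <priority>] <filename>'.  The digest is the
    first token and the filename the last, so both layouts parse the same way.
    """
    expected = {}
    in_field = False
    for raw in changes_text.splitlines():
        if raw.startswith((" ", "\t")):
            if not in_field:
                continue
            parts = raw.split()
            if len(parts) < 3:
                raise ValueError("malformed checksum line: %r" % raw)
            digest, size, name = parts[0].lower(), int(parts[1]), parts[-1]
            # Refuse names that could escape the download directory.
            if "/" in name or name in (".", ".."):
                raise ValueError("unsafe filename in checksum list: %r" % name)
            expected[name] = (digest, size)
        else:
            m = FIELD_RE.match(raw)
            in_field = bool(m) and m.group(1) == field
    return expected


def verify_files(directory, expected, algo="sha256"):
    """Check every listed file under directory.

    Returns {filename: status} where status is one of 'ok', 'missing',
    'size-mismatch' or 'digest-mismatch'.  Size is checked first because it is
    cheap and already catches truncated downloads.
    """
    results = {}
    for name, (digest, size) in expected.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        if os.path.getsize(path) != size:
            results[name] = "size-mismatch"
            continue
        h = hashlib.new(algo)
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                h.update(chunk)
        ok = hmac.compare_digest(h.hexdigest(), digest)
        results[name] = "ok" if ok else "digest-mismatch"
    return results


def demo():
    """Constructed end-to-end run: write two sample files, list them in a
    stanza built from their real digests, tamper with one, leave one listed
    file undownloaded, and return the verification result."""
    with tempfile.TemporaryDirectory() as d:
        contents = {  # constructed sample data, not the real sudo upload
            "sudo_1.7.4p4-1.dsc": b"Format: 1.0\nSource: sudo\n",
            "sudo_1.7.4p4.orig.tar.gz": bytes(range(256)) * 4,
        }
        lines = ["Checksums-Sha256:"]
        for name, data in contents.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
            lines.append(" %s %d %s" % (hashlib.sha256(data).hexdigest(), len(data), name))
        lines.append(" " + "0" * 64 + " 5 sudo_1.7.4p4-1_i386.deb")  # never downloaded
        stanza = "\n".join(lines) + "\n"
        # Same-size tampering: flip the first byte of the tarball.
        with open(os.path.join(d, "sudo_1.7.4p4.orig.tar.gz"), "r+b") as fh:
            fh.write(b"\xff")
        return verify_files(d, parse_checksum_field(stanza), STANZA_ALGO["Checksums-Sha256"])


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print("%-28s %s" % (name, status))
```

Against a real download the call is simply `verify_files("/path/to/downloads", parse_checksum_field(open("sudo_1.7.4p4-1_i386.changes").read()))`; prefer the Checksums-Sha256 stanza over the MD5 "Files" list, which is kept only for old tooling.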





Added tag(s) sid and squeeze. Request was from Gerfried Fuchs <rhonda@debian.at> to control@bugs.debian.org. (Wed, 13 Oct 2010 08:00:03 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 07 Feb 2011 07:57:04 GMT)

