sudo: CVE-2017-1000367: Potential overwrite of arbitrary files

Debian Bug report logs - #863731


Package: src:sudo; Maintainer for src:sudo is Bdale Garbee <bdale@gag.com>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 30 May 2017 15:30:01 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in version sudo/1.8.10p3-1

Fixed in versions sudo/1.8.10p3-1+deb8u4, sudo/1.8.20p1-1, sudo/1.8.19p1-2

Done: Bdale Garbee <bdale@gag.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#863731; Package src:sudo. (Tue, 30 May 2017 15:30:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Bdale Garbee <bdale@gag.com>. (Tue, 30 May 2017 15:30:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: sudo: CVE-2017-1000367: Potential overwrite of arbitrary files
Date: Tue, 30 May 2017 17:26:20 +0200
Source: sudo
Version: 1.8.10p3-1
Severity: grave
Tags: security upstream patch fixed-upstream
Justification: user security hole

Hi,

the following vulnerability was published for sudo.

CVE-2017-1000367[0]:
Potential overwrite of arbitrary files

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-1000367
[1] http://www.openwall.com/lists/oss-security/2017/05/30/16
[2] https://www.sudo.ws/alerts/linux_tty.html
[3] https://www.sudo.ws/repos/sudo/raw-rev/b5460cbbb11b

Regards,
Salvatore



Marked as fixed in versions sudo/1.8.10p3-1+deb8u4. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 30 May 2017 15:33:03 GMT)


Reply sent to Bdale Garbee <bdale@gag.com>:
You have taken responsibility. (Tue, 30 May 2017 21:21:09 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 30 May 2017 21:21:09 GMT)


Message #12 received at 863731-close@bugs.debian.org:

From: Bdale Garbee <bdale@gag.com>
To: 863731-close@bugs.debian.org
Subject: Bug#863731: fixed in sudo 1.8.20p1-1
Date: Tue, 30 May 2017 21:18:39 +0000
Source: sudo
Source-Version: 1.8.20p1-1

We believe that the bug you reported is fixed in the latest version of
sudo, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 863731@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bdale Garbee <bdale@gag.com> (supplier of updated sudo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 30 May 2017 14:41:58 -0600
Source: sudo
Binary: sudo sudo-ldap
Architecture: source amd64
Version: 1.8.20p1-1
Distribution: unstable
Urgency: high
Maintainer: Bdale Garbee <bdale@gag.com>
Changed-By: Bdale Garbee <bdale@gag.com>
Description:
 sudo       - Provide limited super user privileges to specific users
 sudo-ldap  - Provide limited super user privileges to specific users
Closes: 863731
Changes:
 sudo (1.8.20p1-1) unstable; urgency=high
 .
   * New upstream version with fix for CVE-2017-1000367, closes: #863731
Checksums-Sha1:
 239d48f2af0632396afc65899c53b4addd05c2bd 1999 sudo_1.8.20p1-1.dsc
 2138fca8c91c0504579aaf57fc39cee95486efd1 2930394 sudo_1.8.20p1.orig.tar.gz
 5b824f96c1c38cf4d16b863f1137c0caea3100c1 23004 sudo_1.8.20p1-1.debian.tar.xz
 ad0ec7e066cde24967ce968e1161e36e8e0faab3 765082 sudo-dbgsym_1.8.20p1-1_amd64.deb
 366ef6229cc7de87f7f64d2efc1d733a37a5ca90 786094 sudo-ldap-dbgsym_1.8.20p1-1_amd64.deb
 a071a61260739a81ace50ca4b817816297eded70 1109092 sudo-ldap_1.8.20p1-1_amd64.deb
 0c6d00881e21e17df048f626d60bbec89072bb40 6909 sudo_1.8.20p1-1_amd64.buildinfo
 84891b74f05edb8373c2ae16cd65df05165f4c55 1079036 sudo_1.8.20p1-1_amd64.deb
Checksums-Sha256:
 3a9320911f325c4ff6b13354979630969781a41532bde4915bbd1fb7d26a55c3 1999 sudo_1.8.20p1-1.dsc
 9e980eb23a60dd11f0f452e672e705d7a386882bc230c6e8483050e03182db1d 2930394 sudo_1.8.20p1.orig.tar.gz
 0321906f38ab981393ca1facb0403f3136db7a644cd211fa6e6313ea6a077a32 23004 sudo_1.8.20p1-1.debian.tar.xz
 0958711191b7f8f6b937d07db6dde5956ef72e5cdbcc8adb7ff05f496a64b19b 765082 sudo-dbgsym_1.8.20p1-1_amd64.deb
 1c76d53f4282189bbbefb87a43167635952161fe358475e13f7a3be9b78a044d 786094 sudo-ldap-dbgsym_1.8.20p1-1_amd64.deb
 61fce24df77df1a1735939433798fabdc637a328b20219330b672c7e635d1b7a 1109092 sudo-ldap_1.8.20p1-1_amd64.deb
 9d45ad1819bdce6cc84932c95b2c8415466c8e43610cb46266c7bce32603df51 6909 sudo_1.8.20p1-1_amd64.buildinfo
 da362970fb40a2790575a927c0b1a25bfc3f4052f10795aa397e58249e109808 1079036 sudo_1.8.20p1-1_amd64.deb
Files:
 99ee91e103975854ca3e38329c54c8e4 1999 admin optional sudo_1.8.20p1-1.dsc
 ac4878e052837019473103c6deb35621 2930394 admin optional sudo_1.8.20p1.orig.tar.gz
 68476d6d8aef1853023668ec54c94102 23004 admin optional sudo_1.8.20p1-1.debian.tar.xz
 6994e9768c4e5725a70cf1c44161c9cc 765082 debug extra sudo-dbgsym_1.8.20p1-1_amd64.deb
 b6645380fe9a489b06d6ac0c35a04083 786094 debug extra sudo-ldap-dbgsym_1.8.20p1-1_amd64.deb
 7e85e8934f826b4baf78eedefa52fd4e 1109092 admin optional sudo-ldap_1.8.20p1-1_amd64.deb
 db2ec50de0b9688102d94dc384d968ba 6909 admin optional sudo_1.8.20p1-1_amd64.buildinfo
 1c1e6a90bf5b05851659ffe0e145151b 1079036 admin optional sudo_1.8.20p1-1_amd64.deb





Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#863731; Package src:sudo. (Tue, 30 May 2017 21:51:05 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. (Tue, 30 May 2017 21:51:05 GMT)


Message #17 received at 863731@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Bdale Garbee <bdale@gag.com>
Cc: 863731@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#863731: fixed in sudo 1.8.20p1-1
Date: Tue, 30 May 2017 23:47:37 +0200
On Tue, May 30, 2017 at 09:18:39PM +0000, Bdale Garbee wrote:
> Source: sudo
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> Format: 1.8
> Date: Tue, 30 May 2017 14:41:58 -0600
> Source: sudo
> Binary: sudo sudo-ldap
> Architecture: source amd64
> Version: 1.8.20p1-1
> Distribution: unstable
> Urgency: high
> Maintainer: Bdale Garbee <bdale@gag.com>
> Changed-By: Bdale Garbee <bdale@gag.com>
> Description:
>  sudo       - Provide limited super user privileges to specific users
>  sudo-ldap  - Provide limited super user privileges to specific users
> Closes: 863731
> Changes:
>  sudo (1.8.20p1-1) unstable; urgency=high

Testing still has 1.8.19, what's the plan for stretch?

Cheers,
        Moritz





Reply sent to Bdale Garbee <bdale@gag.com>:
You have taken responsibility. (Thu, 01 Jun 2017 03:09:07 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 01 Jun 2017 03:09:07 GMT)


Message #22 received at 863731-close@bugs.debian.org:

From: Bdale Garbee <bdale@gag.com>
To: 863731-close@bugs.debian.org
Subject: Bug#863731: fixed in sudo 1.8.19p1-2
Date: Thu, 01 Jun 2017 03:05:40 +0000
Source: sudo
Source-Version: 1.8.19p1-2

We believe that the bug you reported is fixed in the latest version of
sudo, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 863731@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bdale Garbee <bdale@gag.com> (supplier of updated sudo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 30 May 2017 22:35:01 -0600
Source: sudo
Binary: sudo sudo-ldap
Architecture: source amd64
Version: 1.8.19p1-2
Distribution: stretch
Urgency: high
Maintainer: Bdale Garbee <bdale@gag.com>
Changed-By: Bdale Garbee <bdale@gag.com>
Description:
 sudo       - Provide limited super user privileges to specific users
 sudo-ldap  - Provide limited super user privileges to specific users
Closes: 863731
Changes:
 sudo (1.8.19p1-2) stretch; urgency=high
 .
   * patch from upstream to fix CVE-2017-1000367, closes: #863731
Checksums-Sha1:
 fd1fd34356d5cf56ba28a3d58445543504a29e91 1999 sudo_1.8.19p1-2.dsc
 5e198c5a04e9b818fa86fbf5ce3f727e413e926a 25140 sudo_1.8.19p1-2.debian.tar.xz
 2b04e41d08e9dd3e3e330b8c557049d6e6a0bc02 724450 sudo-dbgsym_1.8.19p1-2_amd64.deb
 bd63bfafcc11fd05a529fae8d9477fc897d444de 745066 sudo-ldap-dbgsym_1.8.19p1-2_amd64.deb
 931c4713ecb1db8d4cfc90892ef06887c4c08bb4 1084130 sudo-ldap_1.8.19p1-2_amd64.deb
 69eba8c75a6f4887941f3f534d76c7cc54aef171 6913 sudo_1.8.19p1-2_amd64.buildinfo
 27354a076bf07d5618728f4ff3a8cf181e59494e 1054316 sudo_1.8.19p1-2_amd64.deb
Checksums-Sha256:
 544819b1e2ba2f316108d4a469e0fb593d6ee9af7edc303f7b347af46e02b6b1 1999 sudo_1.8.19p1-2.dsc
 f7308996990e681eff2bf9ecd19df32178099d061d833f810d89c2382bda3692 25140 sudo_1.8.19p1-2.debian.tar.xz
 5f0209e779dc64281e7b3b116a1c3aa2ae2c7d6f5e3ec8f3ec3de9c19eb4a475 724450 sudo-dbgsym_1.8.19p1-2_amd64.deb
 66640adc8be45a5ae91095b58df1bb5c7b15af942e63b3a42960a4dc2702d18f 745066 sudo-ldap-dbgsym_1.8.19p1-2_amd64.deb
 a9d354122d5739954692d930efd39fa8327e1aedb4e736261bbb92ade2c7aaad 1084130 sudo-ldap_1.8.19p1-2_amd64.deb
 ac1e5711f1ea9a64aaafe7a4cc632fcbabc9015913376368df29057f3ef76750 6913 sudo_1.8.19p1-2_amd64.buildinfo
 916292c854a7ca67fc6d01f38d1a839347111d4df8fcc58d1515b27f3aa622a8 1054316 sudo_1.8.19p1-2_amd64.deb
Files:
 c272703ab1f42a4f25f418a709004cd1 1999 admin optional sudo_1.8.19p1-2.dsc
 67fbff0c484282a3d1fb0d69687b7909 25140 admin optional sudo_1.8.19p1-2.debian.tar.xz
 5f32142bc2e9c02007fa02982605d0e2 724450 debug extra sudo-dbgsym_1.8.19p1-2_amd64.deb
 e09212b4abf9d2a7949e6e83aee6731d 745066 debug extra sudo-ldap-dbgsym_1.8.19p1-2_amd64.deb
 43fefaa9173e760a8659bc7b3e445ff2 1084130 admin optional sudo-ldap_1.8.19p1-2_amd64.deb
 b754882165494c4c61af5608c2f8c6f7 6913 admin optional sudo_1.8.19p1-2_amd64.buildinfo
 04e6563fbbc38568600e5bcd18f28a9d 1054316 admin optional sudo_1.8.19p1-2_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEhHDyCwYlkhh8unuzOpNhlsCV2UEFAlkvf4kACgkQOpNhlsCV
2UGwShAAl1hH4jpUk9mYp9aH+cIOBx0Oe7q8874+RuTSrklSQTnQQscu/0nBIq+d
0IPSajS+F7WzcZn0qbcb8P24USsgGT+29Z1uzOJzwIJXxziW2wkzLXCSvdOjj0Sa
CZjf4hFSVZ9DuB5f7r5JFjDh0+j6hZGXij15BIT2cDiq2WChPPlFKZ60oHg2mA21
7/BuKoH3MfV1cc/IjTXBpj6Yg+9OMVRWOTBxH36RotzZ9SDSZSHvs8CJu6L3EdmU
YotcT571OBBZUpUrs0cWy8Y0AcwKco5l8RpM+qKB9U1d/bKU3Gyr2ne8bfO0sfqY
YTAtUv5aMXv69u0qEuB1FFya5x7wfVXx8Nj97jI9cO81mD5Cqzxij2G96qXzFiyi
w5DADi3cn1tRKGR3sJn2UNtroZsGDzbFbB3/q209FNfoxV39jKslLo+Ml9asnkrL
pIxKoU6PtdqifcebAkCwJgjpjwEtohP8FomI3NvdazaAWQZZgxiX9Z9heXTHXYfZ
Bo5D11yvyyVUV4gzWgI3BYdNkS7jhtnLQVVlEzXnvO758lbki0byBshd39u/3jdF
QUVSyTsfpcP5LbVowJWNuX2sM1m3jkX23JDK3v6sfPREZw3OjqtQo4xHIHEhzvDw
9tyDOpfW9nYZAKRmEzahFs4GWgbXhUSGukTiWX0Ir0YpUm0B//8=
=fDh4
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 16 Jul 2017 07:36:28 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:12:57 2019; Machine Name: buxtehude
