Debian Bug report logs -
#950371
sudo: CVE-2019-18634
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Fri, 31 Jan 2020 20:36:01 UTC
Severity: important
Tags: security, upstream
Found in versions sudo/1.8.27-1, sudo/1.8.19p1-2.1, sudo/1.8.27-1+deb10u1, sudo/1.8.29-1, sudo/1.8.19p1-2.1+deb9u1
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#950371; Package src:sudo.
(Fri, 31 Jan 2020 20:36:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Bdale Garbee <bdale@gag.com>.
(Fri, 31 Jan 2020 20:36:03 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: sudo
Version: 1.8.29-1
Severity: important
Tags: security upstream
Control: found -1 1.8.27-1+deb10u1
Control: found -1 1.8.27-1
Control: found -1 1.8.19p1-2.1+deb9u1
Control: found -1 1.8.19p1-2.1
Hi,
The following vulnerability was published for sudo.
CVE-2019-18634[0]:
| In Sudo before 1.8.31, if pwfeedback is enabled in /etc/sudoers, users
| can trigger a stack-based buffer overflow in the privileged sudo
| process. (pwfeedback is a default setting in Linux Mint and elementary
| OS; however, it is NOT the default for upstream and many other
| packages, and would exist only if enabled by an administrator.) The
| attacker needs to deliver a long string to the stdin of getln() in
| tgetpass.c.
Note that a change in 1.8.26 itself[4] made the bug unexploitable
starting from that version, but the issue itself is fixed upstream in
1.8.31. Could you please close this bug once sudo is rebased in
unstable to 1.8.31 or the bugfix still cherry-picked?
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-18634
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18634
[1] https://www.sudo.ws/alerts/pwfeedback.html
[2] https://www.openwall.com/lists/oss-security/2020/01/30/6
[3] https://github.com/sudo-project/sudo/commit/fa8ffeb17523494f0e8bb49a25e53635f4509078
[4] https://www.openwall.com/lists/oss-security/2020/01/31/1
Regards,
Salvatore
Marked as found in versions sudo/1.8.27-1+deb10u1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org.
(Fri, 31 Jan 2020 20:36:03 GMT) (full text, mbox, link).
Marked as found in versions sudo/1.8.27-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org.
(Fri, 31 Jan 2020 20:36:04 GMT) (full text, mbox, link).
Marked as found in versions sudo/1.8.19p1-2.1+deb9u1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org.
(Fri, 31 Jan 2020 20:36:05 GMT) (full text, mbox, link).
Marked as found in versions sudo/1.8.19p1-2.1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org.
(Fri, 31 Jan 2020 20:36:05 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Sat Feb 1 06:23:21 2020;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon