sudoedit permission in sudoers grants permission to any sudoedit executables

Related Vulnerabilities: CVE-2010-0426   CVE-2010-0427   CVE-2010-1163  

Debian Bug report logs - #570737

Package: sudo; Maintainer for sudo is Bdale Garbee <bdale@gag.com>; Source for sudo is src:sudo (PTS, buildd, popcon).

Reported by: neonsignal-debian@memepress.org

Date: Sun, 21 Feb 2010 03:33:02 UTC

Severity: grave

Tags: patch, security

Fixed in versions sudo/1.6.9p17-2+lenny1, sudo/1.7.2p1-1.2, sudo/1.7.2p6-1

Done: Bdale Garbee <bdale@gag.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#570737; Package sudo. (Sun, 21 Feb 2010 03:33:05 GMT) (full text, mbox, link).


Acknowledgement sent to neonsignal-debian@memepress.org:
New Bug report received and forwarded. Copy sent to Bdale Garbee <bdale@gag.com>. (Sun, 21 Feb 2010 03:33:05 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: neonsignal <neonsignal@memepress.org>
To: "Debian Bug Tracking System" <submit@bugs.debian.org>
Subject: sudoedit permission in sudoers grants permission to any sudoedit executables
Date: Sun, 21 Feb 2010 14:23:33 +1100
Package: sudo
Version: 1.6.9p17-2
Severity: grave
Tags: security
Justification: user security hole


My understanding is that permission to sudoedit is granted by a line in
the sudoer file like this:

     user1 ALL = sudoedit /etc/network/interfaces

This works as expected (because the string sudoedit is a special case), e.g.

     user1@host1:~$ sudoedit /etc/network/interfaces

However, it also appears to grant access to sudo any executable called
'sudoedit' (if the appropriate parameters are passed in). For example, a
user executable in the home directory called sudoedit:

     #!/bin/sh
     whoami

can be invoked (and reports 'root') using

     user1@host1:~$ sudo ./sudoedit /etc/network/interfaces

I had expected (because sudoedit is a special case string) that it should
not match anything apart from invoking /usr/bin/sudoedit.

This problem was encountered with build 1.6.9p17 of sudo on a Debian Lenny
system. The issue was pointed out by 'slouching' on linuxquestions.org.
He also reported that this problem did not occur on an earlier version
sudo-1.6.8p12-12.el5.

-- System Information:
Debian Release: 5.0.4
    APT prefers stable
    APT policy: (990, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.30-bpo.1-686 (SMP w/1 CPU core)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=ANSI_X3.4-1968)
(ignored: LC_ALL set to C)
Shell: /bin/sh linked to /bin/bash

Versions of packages sudo depends on:
ii  libc6                     2.7-18lenny2   GNU C Library: Shared libraries
ii  libpam-modules            1.0.1-5+lenny1 Pluggable Authentication Modules f
ii  libpam0g                  1.0.1-5+lenny1 Pluggable Authentication Modules l

sudo recommends no packages.

sudo suggests no packages.

-- no debconf information




Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#570737; Package sudo. (Tue, 23 Feb 2010 10:48:02 GMT) (full text, mbox, link).


Acknowledgement sent to Jan Lieskovsky <jlieskov@redhat.com>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. (Tue, 23 Feb 2010 10:48:03 GMT) (full text, mbox, link).


Message #10 received at 570737@bugs.debian.org (full text, mbox, reply):

From: Jan Lieskovsky <jlieskov@redhat.com>
To: 570737@bugs.debian.org
Subject: Re: sudoedit permission in sudoers grants permission to any sudoedit executables
Date: Tue, 23 Feb 2010 11:47:22 +0100
Hi guys,

  CVE identifier of CVE-2010-0426 has been already assigned to this issue.

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team




Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#570737; Package sudo. (Tue, 23 Feb 2010 22:18:10 GMT) (full text, mbox, link).


Acknowledgement sent to neonsignal-debian@memepress.org:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. (Tue, 23 Feb 2010 22:18:10 GMT) (full text, mbox, link).


Message #15 received at 570737@bugs.debian.org (full text, mbox, reply):

From: neonsignal <neonsignal@memepress.org>
To: 570737@bugs.debian.org
Subject: Re: sudoedit permission in sudoers grants permission to any sudoedit executables
Date: Wed, 24 Feb 2010 09:15:23 +1100
Todd Miller has patched this in the upstream version (released as 1.7.2p4)

patch to 1.6 set
http://sudo.ws/repos/sudo/rev/f86e1b56d074

patch to 1.7 set
http://sudo.ws/repos/sudo/rev/88f3181692fe




Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#570737; Package sudo. (Thu, 25 Feb 2010 23:21:07 GMT) (full text, mbox, link).


Acknowledgement sent to Jamie Strandboge <jamie@ubuntu.com>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. (Thu, 25 Feb 2010 23:21:07 GMT) (full text, mbox, link).


Message #20 received at 570737@bugs.debian.org (full text, mbox, reply):

From: Jamie Strandboge <jamie@ubuntu.com>
To: Debian Bug Tracking System <570737@bugs.debian.org>
Subject: [PATCH] sudoedit permission in sudoers grants permission to any sudoedit executables
Date: Thu, 25 Feb 2010 17:17:54 -0600
Package: sudo
Version: 1.7.2p1-1
Severity: normal
Tags: patch
User: ubuntu-devel@lists.ubuntu.com
Usertags: origin-ubuntu lucid ubuntu-patch

In Ubuntu, we've applied the attached patch to achieve the following:

  * SECURITY UPDATE: properly verify path for the 'sudoedit' pseudo-command
    in match.c
    - http://sudo.ws/repos/sudo/rev/88f3181692fe
    - CVE-2010-0426

We thought you might be interested in doing the same.


-- System Information:
Debian Release: squeeze/sid
  APT prefers lucid-updates
  APT policy: (500, 'lucid-updates'), (500, 'lucid-security'), (500, 'lucid-proposed'), (500, 'lucid')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-14-generic (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
[tmpGroKgS (text/x-diff, attachment)]
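
A simplified model of the matching problem reported in this bug and of the path check named in the changelog entry above, added here as an illustration. It is not code from sudo's match.c or from the attached patches; the function names and the sample commands in `main` are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Last path component of the command as the user typed it. */
static const char *base_name(const char *path)
{
    const char *slash = strrchr(path, '/');
    return slash ? slash + 1 : path;
}

/*
 * Model of the reported behaviour: the sudoers entry "sudoedit" is a
 * pseudo-command (no leading '/'), and the user's command is compared
 * by name only, so any file called "sudoedit" matches it.
 */
bool pseudo_match_flawed(const char *sudoers_cmnd, const char *user_cmnd)
{
    if (sudoers_cmnd[0] == '/')
        return false;   /* a real command; path matching is out of scope here */
    return strcmp(sudoers_cmnd, "sudoedit") == 0 &&
           strcmp(base_name(user_cmnd), "sudoedit") == 0;
}

/*
 * Checked variant: the pseudo-command matches only when the user's
 * command carries no path component at all, i.e. it is the literal
 * word "sudoedit" and never a file on disk.
 */
bool pseudo_match_checked(const char *sudoers_cmnd, const char *user_cmnd)
{
    if (strchr(user_cmnd, '/') != NULL)
        return false;
    return strcmp(sudoers_cmnd, "sudoedit") == 0 &&
           strcmp(user_cmnd, "sudoedit") == 0;
}

int main(void)
{
    /* Constructed sample inputs: sudoers entry, command as invoked. */
    static const char *cases[][2] = {
        { "sudoedit",    "sudoedit" },
        { "sudoedit",    "./sudoedit" },
        { "sudoedit",    "/home/user1/sudoedit" },
        { "/usr/bin/vi", "sudoedit" },
    };
    size_t n = sizeof(cases) / sizeof(cases[0]);

    for (size_t i = 0; i < n; i++) {
        printf("%-12s vs %-22s flawed=%d checked=%d\n",
               cases[i][0], cases[i][1],
               pseudo_match_flawed(cases[i][0], cases[i][1]),
               pseudo_match_checked(cases[i][0], cases[i][1]));
    }
    return 0;
}
```
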

Added tag(s) patch. Request was from Matt Kraai <kraai@ftbfs.org> to control@bugs.debian.org. (Fri, 26 Feb 2010 14:51:03 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#570737; Package sudo. (Fri, 26 Feb 2010 14:54:02 GMT) (full text, mbox, link).


Acknowledgement sent to Matt Kraai <kraai@ftbfs.org>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. (Fri, 26 Feb 2010 14:54:03 GMT) (full text, mbox, link).


Message #27 received at 570737@bugs.debian.org (full text, mbox, reply):

From: Matt Kraai <kraai@ftbfs.org>
To: 570737@bugs.debian.org, control@bugs.debian.org
Subject: Add patch tag
Date: Fri, 26 Feb 2010 06:50:29 -0800
tag 570737 patch
thanks

Hi,

I'm adding the patch tag since there's a patch which fixes this
problem linked to by the bug report.

-- 
Matt                                            http://ftbfs.org/kraai




Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#570737; Package sudo. (Fri, 26 Feb 2010 15:12:02 GMT) (full text, mbox, link).


Acknowledgement sent to Matt Kraai <kraai@ftbfs.org>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. (Fri, 26 Feb 2010 15:12:03 GMT) (full text, mbox, link).


Message #32 received at 570737@bugs.debian.org (full text, mbox, reply):

From: Matt Kraai <kraai@ftbfs.org>
To: 570737@bugs.debian.org
Subject: sudo: diff for NMU version 1.7.2p1-1.1
Date: Fri, 26 Feb 2010 07:08:17 -0800
Hi,

I've prepared an NMU for sudo (versioned as 1.7.2p1-1.1) and uploaded
it to DELAYED/5.  The diff is attached to this message.  If you'd
like me to cancel or reschedule the upload, please let me know.

It includes the upstream change to fix this problem shown at

 http://sudo.ws/repos/sudo/rev/88f3181692fe

-- 
Matt                                            http://ftbfs.org/kraai
[sudo-1.7.2p1-1.1-nmu.diff (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#570737; Package sudo. (Tue, 02 Mar 2010 14:18:03 GMT) (full text, mbox, link).


Acknowledgement sent to Giuseppe Iuculano <iuculano@debian.org>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. (Tue, 02 Mar 2010 14:18:03 GMT) (full text, mbox, link).


Message #37 received at 570737@bugs.debian.org (full text, mbox, reply):

From: Giuseppe Iuculano <iuculano@debian.org>
To: 570737@bugs.debian.org
Subject: NMU
Date: Tue, 02 Mar 2010 15:12:45 +0100
Hi,

Attached is a debdiff of the changes I made for 1.7.2p1-1.1 0-day NMU.

Cheers,
Giuseppe

[sudo_1.7.2p1-1.1.debdiff (text/plain, attachment)]
[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#570737; Package sudo. (Tue, 02 Mar 2010 15:51:03 GMT) (full text, mbox, link).


Acknowledgement sent to Bdale Garbee <bdale@gag.com>:
Extra info received and forwarded to list. (Tue, 02 Mar 2010 15:51:03 GMT) (full text, mbox, link).


Message #42 received at 570737@bugs.debian.org (full text, mbox, reply):

From: Bdale Garbee <bdale@gag.com>
To: Giuseppe Iuculano <iuculano@debian.org>, 570737@bugs.debian.org, 570737@bugs.debian.org
Subject: Re: Bug#570737: NMU
Date: Tue, 02 Mar 2010 08:49:00 -0700
On Tue, 02 Mar 2010 15:12:45 +0100, Giuseppe Iuculano <iuculano@debian.org> wrote:
> Attached is a debdiff of the changes I made for 1.7.2p1-1.1 0-day NMU.

Thank you.

Bdale

Reply sent to Giuseppe Iuculano <iuculano@debian.org>:
You have taken responsibility. (Tue, 02 Mar 2010 21:48:22 GMT) (full text, mbox, link).


Notification sent to neonsignal-debian@memepress.org:
Bug acknowledged by developer. (Tue, 02 Mar 2010 21:48:22 GMT) (full text, mbox, link).


Message #47 received at 570737-close@bugs.debian.org (full text, mbox, reply):

From: Giuseppe Iuculano <iuculano@debian.org>
To: 570737-close@bugs.debian.org
Subject: Bug#570737: fixed in sudo 1.7.2p1-1.2
Date: Tue, 02 Mar 2010 21:46:45 +0000
Source: sudo
Source-Version: 1.7.2p1-1.2

We believe that the bug you reported is fixed in the latest version of
sudo, which is due to be installed in the Debian FTP archive:

sudo-ldap_1.7.2p1-1.2_i386.deb
  to main/s/sudo/sudo-ldap_1.7.2p1-1.2_i386.deb
sudo_1.7.2p1-1.2.diff.gz
  to main/s/sudo/sudo_1.7.2p1-1.2.diff.gz
sudo_1.7.2p1-1.2.dsc
  to main/s/sudo/sudo_1.7.2p1-1.2.dsc
sudo_1.7.2p1-1.2_i386.deb
  to main/s/sudo/sudo_1.7.2p1-1.2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 570737@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Giuseppe Iuculano <iuculano@debian.org> (supplier of updated sudo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Tue, 02 Mar 2010 14:57:17 +0100
Source: sudo
Binary: sudo sudo-ldap
Architecture: source i386
Version: 1.7.2p1-1.2
Distribution: unstable
Urgency: high
Maintainer: Bdale Garbee <bdale@gag.com>
Changed-By: Giuseppe Iuculano <iuculano@debian.org>
Description: 
 sudo       - Provide limited super user privileges to specific users
 sudo-ldap  - Provide limited super user privileges to specific users
Closes: 570737
Changes: 
 sudo (1.7.2p1-1.2) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fixed CVE-2010-0426: verify path for the 'sudoedit' pseudo-command
     (Closes: #570737)





Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#570737; Package sudo. (Tue, 02 Mar 2010 22:18:15 GMT) (full text, mbox, link).


Acknowledgement sent to neonsignal-debian@memepress.org:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. (Tue, 02 Mar 2010 22:18:15 GMT) (full text, mbox, link).


Message #52 received at 570737@bugs.debian.org (full text, mbox, reply):

From: neonsignal <neonsignal@memepress.org>
To: 570737@bugs.debian.org
Subject: checked
Date: Wed, 03 Mar 2010 09:13:04 +1100
The update has come through Debian Lenny, and sudoedit now works as  
expected (sudo version 1.6.9p17). Thanks for the fix.




Message #53 received at 570737-done@bugs.debian.org (full text, mbox, reply):

From: bdale@gag.com (Bdale Garbee)
To: 570737-done@bugs.debian.org
Subject: fixed
Date: Thu, 18 Mar 2010 23:37:04 -0600 (MDT)
Version 1.7.2p5-1 in unstable does not exhibit this problem.

Bdale




Bug Marked as fixed in versions sudo/1.7.2p5-1. Request was from Giuseppe Iuculano <iuculano@debian.org> to control@bugs.debian.org. (Sat, 27 Mar 2010 13:06:08 GMT) (full text, mbox, link).


Reply sent to Giuseppe Iuculano <iuculano@debian.org>:
You have taken responsibility. (Sat, 17 Apr 2010 19:57:11 GMT) (full text, mbox, link).


Notification sent to neonsignal-debian@memepress.org:
Bug acknowledged by developer. (Sat, 17 Apr 2010 19:57:11 GMT) (full text, mbox, link).


Message #60 received at 570737-close@bugs.debian.org (full text, mbox, reply):

From: Giuseppe Iuculano <iuculano@debian.org>
To: 570737-close@bugs.debian.org
Subject: Bug#570737: fixed in sudo 1.6.9p17-2+lenny1
Date: Sat, 17 Apr 2010 19:52:50 +0000
Source: sudo
Source-Version: 1.6.9p17-2+lenny1

We believe that the bug you reported is fixed in the latest version of
sudo, which is due to be installed in the Debian FTP archive:

sudo-ldap_1.6.9p17-2+lenny1_i386.deb
  to main/s/sudo/sudo-ldap_1.6.9p17-2+lenny1_i386.deb
sudo_1.6.9p17-2+lenny1.diff.gz
  to main/s/sudo/sudo_1.6.9p17-2+lenny1.diff.gz
sudo_1.6.9p17-2+lenny1.dsc
  to main/s/sudo/sudo_1.6.9p17-2+lenny1.dsc
sudo_1.6.9p17-2+lenny1_i386.deb
  to main/s/sudo/sudo_1.6.9p17-2+lenny1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 570737@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Giuseppe Iuculano <iuculano@debian.org> (supplier of updated sudo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Tue, 02 Mar 2010 15:22:43 +0100
Source: sudo
Binary: sudo sudo-ldap
Architecture: source i386
Version: 1.6.9p17-2+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Bdale Garbee <bdale@gag.com>
Changed-By: Giuseppe Iuculano <iuculano@debian.org>
Description: 
 sudo       - Provide limited super user privileges to specific users
 sudo-ldap  - Provide limited super user privileges to specific users
Closes: 570737
Changes: 
 sudo (1.6.9p17-2+lenny1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fixed CVE-2010-0426: verify path for the 'sudoedit' pseudo-command
     (Closes: #570737)
   * Fixed CVE-2010-0427: When changing the runas user, reset any aux runas
     groups we have cached.





Bug Marked as found in versions sudo/1.7.2p5-1; no longer marked as fixed in versions sudo/1.7.2p5-1 and reopened. Request was from Luciano Bello <luciano@debian.org> to control@bugs.debian.org. (Sun, 18 Apr 2010 15:36:03 GMT) (full text, mbox, link).


Bug No longer marked as found in versions sudo/1.6.9p17-2 and sudo/1.7.2p1-1. Request was from Luciano Bello <luciano@debian.org> to control@bugs.debian.org. (Sun, 18 Apr 2010 15:45:02 GMT) (full text, mbox, link).


Bug No longer marked as found in versions sudo/1.7.2p5-1. Request was from Luciano Bello <luciano@debian.org> to control@bugs.debian.org. (Sun, 18 Apr 2010 15:48:09 GMT) (full text, mbox, link).


Reply sent to Bdale Garbee <bdale@gag.com>:
You have taken responsibility. (Tue, 20 Apr 2010 03:36:04 GMT) (full text, mbox, link).


Notification sent to neonsignal-debian@memepress.org:
Bug acknowledged by developer. (Tue, 20 Apr 2010 03:36:04 GMT) (full text, mbox, link).


Message #71 received at 570737-close@bugs.debian.org (full text, mbox, reply):

From: Bdale Garbee <bdale@gag.com>
To: 570737-close@bugs.debian.org
Subject: Bug#570737: fixed in sudo 1.7.2p6-1
Date: Tue, 20 Apr 2010 03:33:07 +0000
Source: sudo
Source-Version: 1.7.2p6-1

We believe that the bug you reported is fixed in the latest version of
sudo, which is due to be installed in the Debian FTP archive:

sudo-ldap_1.7.2p6-1_i386.deb
  to main/s/sudo/sudo-ldap_1.7.2p6-1_i386.deb
sudo_1.7.2p6-1.debian.tar.gz
  to main/s/sudo/sudo_1.7.2p6-1.debian.tar.gz
sudo_1.7.2p6-1.dsc
  to main/s/sudo/sudo_1.7.2p6-1.dsc
sudo_1.7.2p6-1_i386.deb
  to main/s/sudo/sudo_1.7.2p6-1_i386.deb
sudo_1.7.2p6.orig.tar.gz
  to main/s/sudo/sudo_1.7.2p6.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 570737@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bdale Garbee <bdale@gag.com> (supplier of updated sudo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Mon, 19 Apr 2010 10:45:47 -0600
Source: sudo
Binary: sudo sudo-ldap
Architecture: source i386
Version: 1.7.2p6-1
Distribution: unstable
Urgency: low
Maintainer: Bdale Garbee <bdale@gag.com>
Changed-By: Bdale Garbee <bdale@gag.com>
Description: 
 sudo       - Provide limited super user privileges to specific users
 sudo-ldap  - Provide limited super user privileges to specific users
Closes: 570737 578275
Changes: 
 sudo (1.7.2p6-1) unstable; urgency=low
 .
   * new upstream version fixing CVE-2010-1163, closes: #578275, #570737





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 27 Jun 2010 07:36:03 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:18:52 2019; Machine Name: buxtehude
