sudo: CVE-2017-1000368: Arbitrary terminal access due to issue in parsing /proc/[pid]/stat when process name contains newline

Related Vulnerabilities: CVE-2017-1000368, CVE-2017-1000367

Debian Bug report logs - #863897

Package: src:sudo; Maintainer for src:sudo is Bdale Garbee <bdale@gag.com>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 1 Jun 2017 18:45:02 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in version sudo/1.8.10p3-1

Fixed in versions sudo/1.8.20p1-1.1, sudo/1.8.19p1-2.1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#863897; Package src:sudo. (Thu, 01 Jun 2017 18:45:04 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Bdale Garbee <bdale@gag.com>. (Thu, 01 Jun 2017 18:45:04 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: sudo: Further /proc/[pid]/stat when process name contains newline
Date: Thu, 01 Jun 2017 20:42:30 +0200
Source: sudo
Version: 1.8.10p3-1
Severity: important
Tags: patch upstream

Hi

sudo 1.8.20p2 fixes an issue in parsing /proc/[pid]/stat when the
process name contains a newline.

The bug is not exploitable due to the changes in how /dev is traversed
made in sudo 1.8.20p1 for CVE-2017-1000367.

Still it is probably good to have it fixed in a point release as well
for stable releases (or if accepted by the release team as well
targeted for stretch).

Announce:
https://www.sudo.ws/pipermail/sudo-announce/2017-May/000155.html

Regards,
Salvatore
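
An added example (not sudo's code and not part of the original report) of extracting the tty_nr field from /proc/[pid]/stat so that a process name containing a newline, spaces or ')' cannot shift the fields. It assumes the caller has read the whole file into a buffer rather than a single line; `stat_tty_nr` and `SAMPLE` are hypothetical names, and the field layout is the one documented in proc(5).

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: comm is "a )\n(b 1 2 3 9"; the kernel's tty_nr is 34816. */
static const char SAMPLE[] =
    "4242 (a )\n(b 1 2 3 9) S 1 4242 4242 34816 4242 0\n";

/* Hypothetical helper: extract tty_nr (field 7 of /proc/[pid]/stat) from a
 * buffer holding the WHOLE file. Returns 0 on success, -1 if malformed. */
int stat_tty_nr(const char *buf, size_t len, long *tty_nr)
{
    const char *end = buf + len, *p = NULL, *start;
    char tok[24], *stop;
    int field;

    /* An embedded NUL would hide data from string functions: reject it. */
    if (len == 0 || memchr(buf, '\0', len) != NULL)
        return -1;

    /* comm (field 2) is "(name)" and name may contain spaces, newlines and
     * ')'. Everything after it is kernel-generated numbers and one state
     * letter, so the LAST ')' in the buffer is the one that closes comm. */
    for (start = end; start > buf; start--) {
        if (start[-1] == ')') { p = start; break; }
    }
    if (p == NULL)
        return -1;

    /* Walk fields 3..7 (state, ppid, pgrp, session, tty_nr), each preceded
     * by exactly one space; a newline ends the record. */
    for (field = 3; field <= 7; field++) {
        if (p == end || *p++ != ' ')
            return -1;
        start = p;
        while (p < end && *p != ' ' && *p != '\n')
            p++;
        if (p == start)
            return -1;
    }

    /* Copy the token so strtol() sees a NUL-terminated string. */
    if ((size_t)(p - start) >= sizeof(tok))
        return -1;
    memcpy(tok, start, (size_t)(p - start));
    tok[p - start] = '\0';
    errno = 0;
    *tty_nr = strtol(tok, &stop, 10);
    return (errno != 0 || *stop != '\0') ? -1 : 0;
}
```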



Changed Bug title to 'sudo: Further issue in parsing /proc/[pid]/stat when process name contains newline' from 'sudo: Further /proc/[pid]/stat when process name contains newline'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 01 Jun 2017 18:57:06 GMT).


Added tag(s) fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 01 Jun 2017 18:57:07 GMT).


Added tag(s) security. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 02 Jun 2017 05:51:02 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#863897; Package src:sudo. (Fri, 02 Jun 2017 19:00:04 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. (Fri, 02 Jun 2017 19:00:04 GMT).


Message #16 received at 863897@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 863897@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>, Bdale Garbee <bdale@gag.com>
Subject: Re: Bug#863897: sudo: Further issue in parsing /proc/[pid]/stat when process name contains newline
Date: Fri, 2 Jun 2017 20:57:39 +0200
Control: severity -1 grave

Hi Bdale!

On Thu, Jun 01, 2017 at 08:42:30PM +0200, Salvatore Bonaccorso wrote:
> Source: sudo
> Version: 1.8.10p3-1
> Severity: important
> Tags: patch upstream
> 
> Hi
> 
> sudo 1.8.20p2 fixes an issue in parsing /proc/[pid]/stat when the
> process name contains a newline.
> 
> The bug is not exploitable due to the changes in how /dev is traversed
> made in sudo 1.8.20p1 for CVE-2017-1000367.
> 
> Still it is probably good to have it fixed in a point release as well
> for stable releases (or if accepted by the release team as well
> targeted for stretch).
> 
> Announce:
> https://www.sudo.ws/pipermail/sudo-announce/2017-May/000155.html

This was as of the writing of this bug report, but this was proven wrong
and there is another attack vector, explained in
http://www.openwall.com/lists/oss-security/2017/06/02/7

I thus tend to make the severity RC and think this additional fix
should go as well to stretch.

https://www.sudo.ws/repos/sudo/raw-rev/b5460cbbb11b

Regards,
Salvatore



Severity set to 'grave' from 'important' Request was from Salvatore Bonaccorso <carnil@debian.org> to 863897-submit@bugs.debian.org. (Fri, 02 Jun 2017 19:00:05 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#863897; Package src:sudo. (Sun, 04 Jun 2017 18:39:06 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. (Sun, 04 Jun 2017 18:39:06 GMT).


Message #23 received at 863897@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 863897@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>, Bdale Garbee <bdale@gag.com>
Subject: Re: Bug#863897: sudo: Further issue in parsing /proc/[pid]/stat when process name contains newline
Date: Sun, 4 Jun 2017 20:35:05 +0200

Hi Bdale

Since time is pressing a bit for the release of stretch, any problem
if I would prepare an NMU for both stretch (targeted) and sid for
this issue?

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#863897; Package src:sudo. (Mon, 05 Jun 2017 03:27:04 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. (Mon, 05 Jun 2017 03:27:04 GMT).


Message #28 received at 863897@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 863897@bugs.debian.org
Subject: Re: Bug#863897: sudo: Further issue in parsing /proc/[pid]/stat when process name contains newline
Date: Mon, 5 Jun 2017 05:24:21 +0200

Hi

Correct commit is obviously not the one posted, but rather

https://www.sudo.ws/repos/sudo/raw-rev/15a46f4007dd

Regards,
Salvatore



Changed Bug title to 'sudo: CVE-2017-1000368: Arbitrary terminal access due to issue in parsing /proc/[pid]/stat when process name contains newline' from 'sudo: Further issue in parsing /proc/[pid]/stat when process name contains newline'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 05 Jun 2017 03:36:02 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#863897; Package src:sudo. (Mon, 05 Jun 2017 04:36:02 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. (Mon, 05 Jun 2017 04:36:02 GMT).


Message #35 received at 863897@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 863897@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>, Bdale Garbee <bdale@gag.com>
Subject: Re: Bug#863897: sudo: Further issue in parsing /proc/[pid]/stat when process name contains newline
Date: Mon, 5 Jun 2017 06:32:11 +0200

Hi!

On Sun, Jun 04, 2017 at 08:35:05PM +0200, Salvatore Bonaccorso wrote:
> Hi Bdale
> 
> Since time is pressing a bit for the release of stretch, any problem
> if I would prepare an NMU for both stretch (targeted) and sid for
> this issue?

Attached attempt/proposed debdiff for stretch.

Regards,
Salvatore
[sudo_1.8.19p1-2.1.debdiff (text/plain, attachment)]

Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Mon, 05 Jun 2017 12:51:12 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 05 Jun 2017 12:51:13 GMT).


Message #40 received at 863897-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 863897-close@bugs.debian.org
Subject: Bug#863897: fixed in sudo 1.8.20p1-1.1
Date: Mon, 05 Jun 2017 12:48:42 +0000
Source: sudo
Source-Version: 1.8.20p1-1.1

We believe that the bug you reported is fixed in the latest version of
sudo, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 863897@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated sudo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 05 Jun 2017 14:19:33 +0200
Source: sudo
Binary: sudo sudo-ldap
Architecture: source
Version: 1.8.20p1-1.1
Distribution: unstable
Urgency: high
Maintainer: Bdale Garbee <bdale@gag.com>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 863897
Description: 
 sudo       - Provide limited super user privileges to specific users
 sudo-ldap  - Provide limited super user privileges to specific users
Changes:
 sudo (1.8.20p1-1.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Use /proc/self consistently on Linux
   * CVE-2017-1000368: Arbitrary terminal access (Closes: #863897)




Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Mon, 05 Jun 2017 17:09:03 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 05 Jun 2017 17:09:03 GMT).


Message #45 received at 863897-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 863897-close@bugs.debian.org
Subject: Bug#863897: fixed in sudo 1.8.19p1-2.1
Date: Mon, 05 Jun 2017 17:04:40 +0000
Source: sudo
Source-Version: 1.8.19p1-2.1

We believe that the bug you reported is fixed in the latest version of
sudo, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 863897@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated sudo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 05 Jun 2017 14:22:55 +0200
Source: sudo
Binary: sudo sudo-ldap
Architecture: source
Version: 1.8.19p1-2.1
Distribution: stretch
Urgency: high
Maintainer: Bdale Garbee <bdale@gag.com>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 863897
Description: 
 sudo       - Provide limited super user privileges to specific users
 sudo-ldap  - Provide limited super user privileges to specific users
Changes:
 sudo (1.8.19p1-2.1) stretch; urgency=high
 .
   * Non-maintainer upload.
   * Use /proc/self consistently on Linux
   * CVE-2017-1000368: Arbitrary terminal access (Closes: #863897)




Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#863897; Package src:sudo. (Mon, 03 Jul 2017 14:48:02 GMT).


Acknowledgement sent to Antoine Beaupre <anarcat@orangeseeds.org>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. (Mon, 03 Jul 2017 14:48:02 GMT).


Message #50 received at 863897@bugs.debian.org:

From: Antoine Beaupre <anarcat@orangeseeds.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 863897@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>, Bdale Garbee <bdale@gag.com>
Subject: Re: Bug#863897: sudo: Further issue in parsing /proc/[pid]/stat when process name contains newline
Date: Mon, 3 Jul 2017 10:45:02 -0400

On Mon, Jun 05, 2017 at 06:32:11AM +0200, Salvatore Bonaccorso wrote:
> Hi!
> 
> On Sun, Jun 04, 2017 at 08:35:05PM +0200, Salvatore Bonaccorso wrote:
> > Hi Bdale
> > 
> > Since time is pressing a bit for the release of stretch, any problem
> > if I would prepare an NMU for both stretch (targeted) and sid for
> > this issue?
> 
> Attached attempt/proposed debdiff for stretch.

I forgot to link to this bug report in the LTS update changelog, but the
patch there may be useful for the jessie update here as well. The goods
are in 1.8.5p2-1+nmu3+deb7u4 which I just uploaded to wheezy and I
attached the backported patch here.

The code path modified by the upstream patch somewhat changed a lot
between wheezy and stretch, so much so that there's an extra loop around
the patched code. I painstakingly backported this and hopefully that
will be useful for the sudo point release update.

Thank you for your attention,

A.


[CVE-2017-1000368-15a46f4007dd.patch (text/x-diff, attachment)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 01 Aug 2017 07:31:56 GMT).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:09:19 2019; Machine Name: buxtehude
