sudo: 1.8 Format String Vulnerability

Related Vulnerabilities: CVE-2012-0809  

Debian Bug report logs - #657985


Package: src:sudo; Maintainer for src:sudo is Bdale Garbee <bdale@gag.com>;

Reported by: Henri Salo <henri@nerv.fi>

Date: Mon, 30 Jan 2012 15:30:01 UTC

Severity: serious

Tags: help, patch, security

Merged with 658041

Found in version sudo/1.8.3p1-2

Fixed in version sudo/1.8.3p2-1

Done: Bdale Garbee <bdale@gag.com>

Bug is archived. No further changes may be made.

Forwarded to http://www.sudo.ws/sudo/alerts/sudo_debug.html, http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0809



Report forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#657985; Package sudo. (Mon, 30 Jan 2012 15:30:04 GMT) (full text, mbox, link).


Acknowledgement sent to Henri Salo <henri@nerv.fi>:
New Bug report received and forwarded. Copy sent to Bdale Garbee <bdale@gag.com>. (Mon, 30 Jan 2012 15:30:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Henri Salo <henri@nerv.fi>
To: submit@bugs.debian.org
Subject: sudo: 1.8 Format String Vulnerability
Date: Mon, 30 Jan 2012 17:27:17 +0200
Package: sudo
Version: 1.8.3p1-2
Severity: important

A full-disclosure user reported an issue in sudo. Please verify: http://seclists.org/fulldisclosure/2012/Jan/590 I hope the version information is correct in this bug report. Please contact me if you need testing and I can help!

- Henri Salo




Added tag(s) security and help. Request was from Henri Salo <henri@nerv.fi> to control@bugs.debian.org. (Mon, 30 Jan 2012 15:42:03 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#657985; Package sudo. (Mon, 30 Jan 2012 18:12:07 GMT) (full text, mbox, link).


Acknowledgement sent to Henri Salo <henri@nerv.fi>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. (Mon, 30 Jan 2012 18:12:07 GMT) (full text, mbox, link).


Message #12 received at 657985@bugs.debian.org (full text, mbox, reply):

From: Henri Salo <henri@nerv.fi>
To: 657985@bugs.debian.org
Subject: sudo: 1.8 Format String Vulnerability
Date: Mon, 30 Jan 2012 20:00:04 +0200
This issue seems to be: CVE-2012-0809
Gentoo report: https://bugs.gentoo.org/show_bug.cgi?id=401533

- Henri Salo




Severity set to 'serious' from 'important'. Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org. (Mon, 30 Jan 2012 22:15:05 GMT) (full text, mbox, link).


Added tag(s) patch. Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org. (Mon, 30 Jan 2012 22:15:06 GMT) (full text, mbox, link).


Set Bug forwarded-to-address to 'http://www.sudo.ws/sudo/alerts/sudo_debug.html, http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0809'. Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org. (Mon, 30 Jan 2012 22:15:06 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#657985; Package sudo. (Mon, 30 Jan 2012 23:03:08 GMT) (full text, mbox, link).


Acknowledgement sent to Bdale Garbee <bdale@gag.com>:
Extra info received and forwarded to list. (Mon, 30 Jan 2012 23:03:08 GMT) (full text, mbox, link).


Message #23 received at 657985@bugs.debian.org (full text, mbox, reply):

From: Bdale Garbee <bdale@gag.com>
To: Henri Salo <henri@nerv.fi>, 657985@bugs.debian.org
Subject: Re: Bug#657985: sudo: 1.8 Format String Vulnerability
Date: Mon, 30 Jan 2012 15:58:38 -0700
[Message part 1 (text/plain, inline)]
On Mon, 30 Jan 2012 17:27:17 +0200, Henri Salo <henri@nerv.fi> wrote:
> A full-disclosure user reported issue in sudo. Please verify:
> http://seclists.org/fulldisclosure/2012/Jan/590 I hope the version
> information is correct in this bug-report. Please contact me if you
> need testing and I can help! 

Thanks for the pointer.  I'll plan to build and upload 1.8.3p2 tonight.

Bdale
[Message part 2 (application/pgp-signature, inline)]

Bug reassigned from package 'sudo' to 'src:sudo'. Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org. (Mon, 30 Jan 2012 23:03:11 GMT) (full text, mbox, link).


Bug No longer marked as found in versions sudo/1.8.3p1-2. Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org. (Mon, 30 Jan 2012 23:03:12 GMT) (full text, mbox, link).


Forcibly Merged 657985 658041. Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org. (Mon, 30 Jan 2012 23:03:13 GMT) (full text, mbox, link).


Reply sent to Bdale Garbee <bdale@gag.com>:
You have taken responsibility. (Mon, 30 Jan 2012 23:36:12 GMT) (full text, mbox, link).


Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Mon, 30 Jan 2012 23:36:12 GMT) (full text, mbox, link).


Message #34 received at 657985-close@bugs.debian.org (full text, mbox, reply):

From: Bdale Garbee <bdale@gag.com>
To: 657985-close@bugs.debian.org
Subject: Bug#657985: fixed in sudo 1.8.3p2-1
Date: Mon, 30 Jan 2012 23:33:22 +0000
Source: sudo
Source-Version: 1.8.3p2-1

We believe that the bug you reported is fixed in the latest version of
sudo, which is due to be installed in the Debian FTP archive:

sudo-ldap_1.8.3p2-1_i386.deb
  to main/s/sudo/sudo-ldap_1.8.3p2-1_i386.deb
sudo_1.8.3p2-1.debian.tar.gz
  to main/s/sudo/sudo_1.8.3p2-1.debian.tar.gz
sudo_1.8.3p2-1.dsc
  to main/s/sudo/sudo_1.8.3p2-1.dsc
sudo_1.8.3p2-1_i386.deb
  to main/s/sudo/sudo_1.8.3p2-1_i386.deb
sudo_1.8.3p2.orig.tar.gz
  to main/s/sudo/sudo_1.8.3p2.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 657985@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bdale Garbee <bdale@gag.com> (supplier of updated sudo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 30 Jan 2012 16:11:54 -0700
Source: sudo
Binary: sudo sudo-ldap
Architecture: source i386
Version: 1.8.3p2-1
Distribution: unstable
Urgency: high
Maintainer: Bdale Garbee <bdale@gag.com>
Changed-By: Bdale Garbee <bdale@gag.com>
Description: 
 sudo       - Provide limited super user privileges to specific users
 sudo-ldap  - Provide limited super user privileges to specific users
Closes: 655894 657985
Changes: 
 sudo (1.8.3p2-1) unstable; urgency=high
 .
   * new upstream version, closes: #657985 (CVE-2012-0809)
   * patch from Pino Toscano to only use selinux on Linux, closes: #655894
Checksums-Sha1: 
 9ac9c1255340b73cc44a986e2b215f315df94aab 1857 sudo_1.8.3p2-1.dsc
 37d70b133f809116ce631229fa0e727d9f5125ad 1536943 sudo_1.8.3p2.orig.tar.gz
 2940af3d52feee1ce1721bb1b2d1b1734143e3d9 22814 sudo_1.8.3p2-1.debian.tar.gz
 d6d01340ddb851b6d08406c65615576777a5db94 674528 sudo_1.8.3p2-1_i386.deb
 a8629898088cb0a541a1ca774effa9d6c02c0943 699806 sudo-ldap_1.8.3p2-1_i386.deb
Checksums-Sha256: 
 c4cf35e8363e9b57009be9e43a8c9f4b92d8e6b29de32cafb74eda32c8111188 1857 sudo_1.8.3p2-1.dsc
 7edcf02ef4dc4f26f524726e8faaa90d7939772c186409ab150d2934e3a9ba31 1536943 sudo_1.8.3p2.orig.tar.gz
 6c22274246ac458fe1f7ff3c567fe89ba2137ef0b4a36bf1df445686976f4cd2 22814 sudo_1.8.3p2-1.debian.tar.gz
 131e2d4dcb90e112eb4612f479dfc86d423cbafd40af17d108cbecbc670555ed 674528 sudo_1.8.3p2-1_i386.deb
 294bfaef06666cc6f9928df829fab40b0050a16695e7d4cd91b03024961f883a 699806 sudo-ldap_1.8.3p2-1_i386.deb
Files: 
 1b116db41cd1a25c5bd09107eb490d99 1857 admin optional sudo_1.8.3p2-1.dsc
 6d4282a1530c541f7900fa8dfcf2a882 1536943 admin optional sudo_1.8.3p2.orig.tar.gz
 ce7e9a896f1fabb7481900a34e46c7f2 22814 admin optional sudo_1.8.3p2-1.debian.tar.gz
 b828c290ffe87c97ba46fd0fc3c4b05f 674528 admin optional sudo_1.8.3p2-1_i386.deb
 6a86c012d05148ca9dc87c0c1d1ac442 699806 admin optional sudo-ldap_1.8.3p2-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
-----END PGP SIGNATURE-----





Reply sent to Bdale Garbee <bdale@gag.com>:
You have taken responsibility. (Mon, 30 Jan 2012 23:36:13 GMT) (full text, mbox, link).


Notification sent to Don Armstrong <don@debian.org>:
Bug acknowledged by developer. (Mon, 30 Jan 2012 23:36:13 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#657985; Package src:sudo. (Mon, 30 Jan 2012 23:51:07 GMT) (full text, mbox, link).


Acknowledgement sent to Harry Sintonen <sintonen@iki.fi>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. (Mon, 30 Jan 2012 23:51:08 GMT) (full text, mbox, link).


Message #44 received at 657985@bugs.debian.org (full text, mbox, reply):

From: Harry Sintonen <sintonen@iki.fi>
To: 657985@bugs.debian.org
Subject: Re: Bug#657985: sudo: 1.8 Format String Vulnerability
Date: Tue, 31 Jan 2012 01:42:14 +0200 (EET)
> A full-disclosure user reported issue in sudo. Please verify:
> http://seclists.org/fulldisclosure/2012/Jan/590 I hope the version
> information is correct in this bug-report.

-D_FORTIFY_SOURCE=2 was enabled in package version 1.8.3p1-3. See: 
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=655417

This makes the current sid package (1.8.3p1-3) safe. Any attempt to exploit 
the vulnerability via a format string (%n) results in:
*** %n in writable segment detected ***
and a controlled abort.

The relevant fortify code can be found in glibc: 
http://pastebin.com/C6jLM8r8


Testing has 1.8.3p1-2 which *is* exploitable (assuming other security 
features such as ASLR can be bypassed).


Stable has 1.7.4p4-2.squeeze.2 which doesn't have the -D flag or the 
vulnerable code at all, and thus is safe:

sudo: invalid option -- 'D'


  Regards,
-- 
l=2001;main(i){float o,O,_,I,D;for(;O=I=l/571.-1.75,l;)for(putchar(--l%80?
i:10),o=D=l%80*.05-2,i=31;_=O*O,O=2*o*O+I,o=o*o-_+D,o+_+_<4+D&i++<87;);puts
("  Harry 'Piru' Sintonen <sintonen@iki.fi> http://www.iki.fi/sintonen");}
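The two sides of what this message describes, the dangerous pattern (an outside string used as the format) and the hardened wrapper, as an added example. This is not code from sudo, glibc or anyone in this thread; the `debug_log*` names, the `audit_format` helper and the sample "outside" string are constructed for the example. Whether glibc actually aborts with "*** %n in writable segment detected ***" depends on the binary having been built with -D_FORTIFY_SOURCE=2 and on where the format string lives, so the example does not try to reproduce that; it shows the call shape to audit for, the compile-time check that catches it, and a small helper that counts what a string would do if it ever reached printf as a format.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: the caller's string IS the format. Any '%' that
 * reaches it from outside is interpreted by vfprintf, and '%n' writes to
 * memory. Kept only for contrast; never called here with outside data.
 * gcc/clang -Wformat-security (part of -Wformat=2) flags this call. */
static void debug_log_unsafe(const char *msg)
{
    fprintf(stderr, msg);
    fputc('\n', stderr);
}

/* Hardened wrapper: the format is always a literal supplied by the caller
 * and outside data travels through "%s". The format attribute makes the
 * compiler check every call site, so a non-literal format passed to this
 * wrapper is reported at build time instead of at exploit time. */
__attribute__((format(printf, 1, 2)))
static void debug_log(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vfprintf(stderr, fmt, ap);
    va_end(ap);
    fputc('\n', stderr);
}

/* Audit helper (constructed for this example, not from sudo or glibc):
 * count the conversion directives a string would trigger if it were used
 * as a printf format, and report whether one of them is %n, the directive
 * that writes to memory. "%%" is a literal percent and is not counted. */
struct fmt_audit {
    int directives;
    bool has_n;
};

static struct fmt_audit audit_format(const char *s)
{
    struct fmt_audit r = { 0, false };
    const char *p = s;
    while (*p) {
        if (*p != '%') { p++; continue; }
        if (p[1] == '%') { p += 2; continue; }   /* literal "%%" */
        r.directives++;
        /* skip flags, width, precision, positional and length modifiers */
        const char *q = p + 1;
        while (*q && strchr("-+ #0123456789.*$hlLqjzt", *q))
            q++;
        if (*q == '\0')
            break;                /* truncated directive at end of string */
        if (*q == 'n')
            r.has_n = true;
        p = q + 1;                /* resume after the conversion character */
    }
    return r;
}

int main(void)
{
    /* Constructed stand-in for data that arrives from outside the program,
     * e.g. a program name or user-supplied text that a logger prepends. */
    const char *outside = "helper %08x %n";
    struct fmt_audit a = audit_format(outside);

    debug_log("audit of outside string: %d directive(s), %%n present: %s",
              a.directives, a.has_n ? "yes" : "no");

    /* Correct: the outside data is an argument, never the format. */
    debug_log("starting %s", outside);

    /* debug_log_unsafe(outside) would interpret the directives above;
     * only a fixed literal is ever passed to it here. */
    debug_log_unsafe("startup complete");
    return 0;
}
```

Building with `-Wformat=2` (or at least `-Wformat-security`) reports the `fprintf(stderr, msg)` call, and the `format` attribute on `debug_log` extends that check to the wrapper's own callers, which is the review point for any variadic debug or logging helper: the format argument must always be a literal, and anything that came from outside the program must be an argument to it.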




Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#657985; Package src:sudo. (Thu, 02 Feb 2012 10:30:10 GMT) (full text, mbox, link).


Message #47 received at 657985@bugs.debian.org (full text, mbox, reply):

From: Jakub Wilk <jwilk@debian.org>
To: Harry Sintonen <sintonen@iki.fi>, 657985@bugs.debian.org
Subject: Re: Bug#657985: sudo: 1.8 Format String Vulnerability
Date: Thu, 2 Feb 2012 11:27:30 +0100
* Harry Sintonen <sintonen@iki.fi>, 2012-01-31, 01:42:
>-D_FORTIFY_SOURCE=2 was enabled in package version 1.8.3p1-3. See: 
>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=655417
>
>This makes current sid package (1.8.3p1-3) safe.

Maybe. Maybe not. There are known ways of exploiting string format 
vulnerabilities even with -D_FORTIFY_SOURCE=2.

-- 
Jakub Wilk




Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#657985; Package src:sudo. (Thu, 02 Feb 2012 18:15:03 GMT) (full text, mbox, link).


Acknowledgement sent to Harry Sintonen <sintonen@iki.fi>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. (Thu, 02 Feb 2012 18:15:03 GMT) (full text, mbox, link).


Message #52 received at 657985@bugs.debian.org (full text, mbox, reply):

From: Harry Sintonen <sintonen@iki.fi>
To: 657985@bugs.debian.org
Subject: Re: Bug#657985: sudo: 1.8 Format String Vulnerability
Date: Thu, 2 Feb 2012 20:12:30 +0200 (EET)
On Thu, 2 Feb 2012, Jakub Wilk wrote:

> * Harry Sintonen <sintonen@iki.fi>, 2012-01-31, 01:42:
>> -D_FORTIFY_SOURCE=2 was enabled in package version 1.8.3p1-3. See: 
>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=655417
>> 
>> This makes current sid package (1.8.3p1-3) safe.
>
> Maybe. Maybe not. There are known ways of exploiting string format 
> vulnerabilities even with -D_FORTIFY_SOURCE=2.

If you're referring to the glibc args_type[specs[cnt].width_arg] = PA_INT; 
32-bit 0-write to reset the FORTIFY flag, sure it is possible, but rather 
painful with ASLR. It is true however that if you get to exploit this 
thing you run it locally, making it quite fast to bruteforce (albeit with 
some noise in the logs).

Of course I wasn't suggesting that you should skip updating to the fixed 
version or anything.

But agreed, "safe" was perhaps a bit too strong a statement. "Relatively 
safe" would have been more suitable.


  Regards,
-- 
l=2001;main(i){float o,O,_,I,D;for(;O=I=l/571.-1.75,l;)for(putchar(--l%80?
i:10),o=D=l%80*.05-2,i=31;_=O*O,O=2*o*O+I,o=o*o-_+D,o+_+_<4+D&i++<87;);puts
("  Harry 'Piru' Sintonen <sintonen@iki.fi> http://www.iki.fi/sintonen");}




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 02 Mar 2012 07:36:55 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:23:13 2019; Machine Name: buxtehude
