CVE-2015-5602: Unauthorized privilege escalation in sudoedit

Debian Bug report logs - #804149
CVE-2015-5602: Unauthorized privilege escalation in sudoedit

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Laurent Bigonville <bigon@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: CVE-2015-5602: Unauthorized privilege escalation in sudoedit

Date: Thu, 05 Nov 2015 14:11:46 +0100

Package: sudo
Version: 1.7.4p4-2.squeeze.4
Severity: critical
Tags: upstream security
Justification: root security hole

Hi,

Apparently a security has been disclosed (CVE-2015-5602) allowing users
to open files with sudoedit that is not supposed to using a symlinks,
see: https://www.exploit-db.com/exploits/37710/

Upstream has released a new fixed version by no following the symlinks
by default.

But according to this comment[0], this is not fixing the issue
completely.

Cheers,

Laurent Bigonville

[0]
https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1512781/comments/1

Message #14 received at 804149@bugs.debian.org (full text, mbox, reply):

From: Raphael Hertzog <hertzog@debian.org>

To: Laurent Bigonville <bigon@debian.org>, 804149@bugs.debian.org

Subject: Re: Bug#804149: CVE-2015-5602: Unauthorized privilege escalation in sudoedit

Date: Fri, 6 Nov 2015 10:39:36 +0100

Control: forwarded -1 http://bugzilla.sudo.ws/show_bug.cgi?id=707

On Thu, 05 Nov 2015, Laurent Bigonville wrote:
> Apparently a security has been disclosed (CVE-2015-5602) allowing users
> to open files with sudoedit that is not supposed to using a symlinks,
> see: https://www.exploit-db.com/exploits/37710/
> 
> Upstream has released a new fixed version by no following the symlinks
> by default.
> 
> But according to this comment[0], this is not fixing the issue
> completely.

It's really a combination of a specific sudoers configuration
(allowing the edition via root of files possibly under the user's
control) and a lack of checks for this specific case in sudoedit.

I doubt that many systems have such a setup but sudo is not really
helping the administrator to notice their mistake. And depending
on what files the configuration allows to edit, even the patched
1.8.15 does not help...

I left a comment on the upstream ticket:
http://bugzilla.sudo.ws/show_bug.cgi?id=707

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/

Message #21 received at 804149@bugs.debian.org (full text, mbox, reply):

From: Raphael Hertzog <hertzog@debian.org>

To: 804149@bugs.debian.org

Cc: debian-lts@lists.debian.org

Subject: squeeze update of sudo?

Date: Fri, 6 Nov 2015 10:49:45 +0100

Hello Bdale,

the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of sudo:
https://security-tracker.debian.org/tracker/CVE-2015-5602

Would you like to take care of this yourself (once a proper
fix is available upstream)?

If yes, please follow the workflow we have defined here:
http://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with an URL pointing to the the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

Thank you very much.

Raphaël Hertzog,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/

Message #28 received at 804149@bugs.debian.org (full text, mbox, reply):

From: Bdale Garbee <bdale@gag.com>

To: Raphael Hertzog <hertzog@debian.org>, 804149@bugs.debian.org, 804149@bugs.debian.org

Cc: debian-lts@lists.debian.org

Subject: Re: Bug#804149: squeeze update of sudo?

Date: Sat, 07 Nov 2015 14:27:36 -0700

[Message part 1 (text/plain, inline)]

Raphael Hertzog <hertzog@debian.org> writes:

> If you don't want to take care of this update, it's not a problem, we
> will do our best with your package. Just let us know whether you would
> like to review and/or test the updated package before it gets
> released.

I would be pleased to review the updated package before release.

Bdale

[signature.asc (application/pgp-signature, inline)]

Message #33 received at 804149-close@bugs.debian.org (full text, mbox, reply):

From: Bdale Garbee <bdale@gag.com>

To: 804149-close@bugs.debian.org

Subject: Bug#804149: fixed in sudo 1.8.15-1

Date: Thu, 24 Dec 2015 05:19:31 +0000

Source: sudo
Source-Version: 1.8.15-1

We believe that the bug you reported is fixed in the latest version of
sudo, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 804149@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bdale Garbee <bdale@gag.com> (supplier of updated sudo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 23 Dec 2015 11:15:22 -0700
Source: sudo
Binary: sudo sudo-ldap
Architecture: source amd64
Version: 1.8.15-1
Distribution: unstable
Urgency: low
Maintainer: Bdale Garbee <bdale@gag.com>
Changed-By: Bdale Garbee <bdale@gag.com>
Description:
 sudo       - Provide limited super user privileges to specific users
 sudo-ldap  - Provide limited super user privileges to specific users
Closes: 804149
Changes:
 sudo (1.8.15-1) unstable; urgency=low
 .
   * new upstream version, closes: #804149
   * use --with-exampledir to deliver example files more cleanly
Checksums-Sha1:
 5b96d2b4e4a7905a7364b4289a456a467839b515 1954 sudo_1.8.15-1.dsc
 acb5ff3f38fa9e0365f6a91a6620b9846e2ad843 2660128 sudo_1.8.15.orig.tar.gz
 40e11c6db71650b97d42d829a982a598ddb58f7b 22780 sudo_1.8.15-1.debian.tar.xz
 12a5283ab6d39b362a798fc9746a6bb866d4264d 632758 sudo-dbgsym_1.8.15-1_amd64.deb
 e4159a1a9f09737a26399c0feaed3dd6ed73ce72 655768 sudo-ldap-dbgsym_1.8.15-1_amd64.deb
 4e745063614f18882a43ed33b32397868312718d 1011496 sudo-ldap_1.8.15-1_amd64.deb
 415d181becb2f77ae7e2e71cfeba9d1464dd70a7 982480 sudo_1.8.15-1_amd64.deb
Checksums-Sha256:
 c527c16ccb8f8fb53a22ddb9e52abfba4952a77eb7c0a3fabf2e0c568a45da61 1954 sudo_1.8.15-1.dsc
 4316381708324da8b6cb151f655c1a11855207c7c02244d8ffdea5104d7cc308 2660128 sudo_1.8.15.orig.tar.gz
 a9ff349974c2a7926aa7e61a0ed3bd41ed45c188a348ec813417c9131e0158dc 22780 sudo_1.8.15-1.debian.tar.xz
 595df09993452ed99304f76c95f3363a655d935416bc4eda06c796af86ff792d 632758 sudo-dbgsym_1.8.15-1_amd64.deb
 aadb1f17f226f8cb06be0f4cf629e1195b9c08421766fd1d87ed295c96ec37bc 655768 sudo-ldap-dbgsym_1.8.15-1_amd64.deb
 6c4e0b332f642b6a849a8d943e1e085d5e26c4eff6e4a286a82514b296134958 1011496 sudo-ldap_1.8.15-1_amd64.deb
 f27ad382ff5ca16d09deaee68ecceb3ab536f0249f59fb2307f543e9b7597c71 982480 sudo_1.8.15-1_amd64.deb
Files:
 e048d01594338c5a1c40c74d8847cc1b 1954 admin optional sudo_1.8.15-1.dsc
 7cf6b9b76d0478a572432bed481dd7b5 2660128 admin optional sudo_1.8.15.orig.tar.gz
 122d9ea4b9b46dd5c2942e759dd33e74 22780 admin optional sudo_1.8.15-1.debian.tar.xz
 db5915be9c65b8753ae739b88018c06c 632758 debug extra sudo-dbgsym_1.8.15-1_amd64.deb
 7f2b0e5655b5360b956f55e42ab410a5 655768 debug extra sudo-ldap-dbgsym_1.8.15-1_amd64.deb
 2fea6b2268a3eac717e71e9e3782211c 1011496 admin optional sudo-ldap_1.8.15-1_amd64.deb
 2fcf93dab9350e5a3a7e45431abade59 982480 admin optional sudo_1.8.15-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBVnt6DzqTYZbAldlBAQoZHBAAkWJZavqtfPQKvGQ6dU4MeUIEFiSYYMXF
RLOFLTsEqfo6YwEobGUdLRH60Ozyt6OU/R9U+txEW/BY8LaGlDWYuGUeDhK0GinO
Wc5xJ8HkcHHqkHS5TkKKWBq03RFEJMfOI7yU5SegfSIU8ZsJIeUxXR0KUUYO+kWA
X1dMOq9/zhS/pFYAzAzxKhBgSIsrS7EX81R31OJ1WTPjh7iYYDktH6RzNAARVfkk
pYeEFK0ZlX7tQJF/bJpxeuobrR85AxFmQmobK7QntD1yVHQrz0eBgCZUAY+gwktU
Qo69Ew9BhAYS+JItL0ZYZk4nND5GiWJ6lAVGf7kndCOiL5IvzITjJ+gXJa4N+W3s
dgII2zdKSEeFKdbz9JCXzxS4hc/SMq+Zg1tJ7Oo+oOJN9rOHtDykx2Sa0Kxcjpz1
ukhZ/8Y7d+7KlJwrLjun2X01WZ63TB71bZzbKh4w7BrWv3TxV3FebP0u++2Of2Pm
6zxSggWdKA900erytHFOohKyxZiGBFkL9LRqouzGtBHUFDEnUd3L90ziDz2y7pK2
MO9PVvg1vX+eCcLNM5M4+t5dm9bnq/ApMc6hd63smrrjsFoM4m3loBc8oBnlt9ZK
0j+6oklvNGcUJo6oJcmn/+eV7HKdE9GMjIpoZyg0n6w34Zcr+ngiv+hBTpwxqpKV
hqlryOJ1VNI=
=IdOw
-----END PGP SIGNATURE-----

Message #38 received at 804149@bugs.debian.org (full text, mbox, reply):

From: Ben Hutchings <ben@decadent.org.uk>

To: 804149@bugs.debian.org

Subject: Re: Bug#804149: fixed in sudo 1.8.15-1

Date: Fri, 25 Dec 2015 02:53:14 +0000

[Message part 1 (text/plain, inline)]

Control: reopen -1

On Thu, 24 Dec 2015 05:19:31 +0000 Bdale Garbee <bdale@gag.com> wrote:
> Source: sudo
> Source-Version: 1.8.15-1
> 
> We believe that the bug you reported is fixed in the latest version of
> sudo, which is due to be installed in the Debian FTP archive.
[...]

As Raphael already explained, the upstream change doesn't fix this.

Ben.

-- 
Ben Hutchings
All extremists should be taken out and shot.

[signature.asc (application/pgp-signature, inline)]

Message #47 received at 804149@bugs.debian.org (full text, mbox, reply):

From: Ben Hutchings <ben@decadent.org.uk>

To: 804149@bugs.debian.org

Subject: Re: Bug#804149: fixed in sudo 1.8.15-1

Date: Fri, 25 Dec 2015 03:09:07 +0000

[Message part 1 (text/plain, inline)]

On Fri, 2015-12-25 at 02:53 +0000, Ben Hutchings wrote:
> Control: reopen -1
> 
> On Thu, 24 Dec 2015 05:19:31 +0000 Bdale Garbee <bdale@gag.com> wrote:
> > Source: sudo
> > Source-Version: 1.8.15-1
> > 
> > We believe that the bug you reported is fixed in the latest version of
> > sudo, which is due to be installed in the Debian FTP archive.
> [...]
> 
> As Raphael already explained, the upstream change doesn't fix this.

It *does* add a new configuration option, sudoedit_checkdir, which if
enabled will defeat this attack.  However, the upstream default is that
it's disabled.  Perhaps this should be changed in the Debian package?

Ben.

-- 
Ben Hutchings
All extremists should be taken out and shot.

[signature.asc (application/pgp-signature, inline)]

Message #52 received at 804149@bugs.debian.org (full text, mbox, reply):

From: Ben Hutchings <ben@decadent.org.uk>

To: 804149@bugs.debian.org

Subject: Re: Bug#804149: fixed in sudo 1.8.15-1

Date: Fri, 25 Dec 2015 04:35:26 +0000

[Message part 1 (text/plain, inline)]

On Fri, 2015-12-25 at 03:09 +0000, Ben Hutchings wrote:
> On Fri, 2015-12-25 at 02:53 +0000, Ben Hutchings wrote:
> > Control: reopen -1
> > 
> > On Thu, 24 Dec 2015 05:19:31 +0000 Bdale Garbee <bdale@gag.com> wrote:
> > > Source: sudo
> > > Source-Version: 1.8.15-1
> > > 
> > > We believe that the bug you reported is fixed in the latest version of
> > > sudo, which is due to be installed in the Debian FTP archive.
> > [...]
> > 
> > As Raphael already explained, the upstream change doesn't fix this.
> 
> It *does* add a new configuration option, sudoedit_checkdir, which if
> enabled will defeat this attack.  However, the upstream default is that
> it's disabled.  Perhaps this should be changed in the Debian package?

Actually, that option doesn't work either.

Ben.

-- 
Ben Hutchings
All extremists should be taken out and shot.

[signature.asc (application/pgp-signature, inline)]

Message #57 received at 804149@bugs.debian.org (full text, mbox, reply):

From: Ben Hutchings <ben@decadent.org.uk>

To: 804149@bugs.debian.org

Subject: Re: Bug#804149: fixed in sudo 1.8.15-1

Date: Tue, 29 Dec 2015 21:36:19 +0000

[Message part 1 (text/plain, inline)]

On Fri, 2015-12-25 at 04:35 +0000, Ben Hutchings wrote:
> On Fri, 2015-12-25 at 03:09 +0000, Ben Hutchings wrote:
> > On Fri, 2015-12-25 at 02:53 +0000, Ben Hutchings wrote:
> > > Control: reopen -1
> > > 
> > > On Thu, 24 Dec 2015 05:19:31 +0000 Bdale Garbee <bdale@gag.com> wrote:
> > > > Source: sudo
> > > > Source-Version: 1.8.15-1
> > > > 
> > > > We believe that the bug you reported is fixed in the latest version of
> > > > sudo, which is due to be installed in the Debian FTP archive.
> > > [...]
> > > 
> > > As Raphael already explained, the upstream change doesn't fix this.
> > 
> > It *does* add a new configuration option, sudoedit_checkdir, which if
> > enabled will defeat this attack.  However, the upstream default is that
> > it's disabled.  Perhaps this should be changed in the Debian package?
> 
> Actually, that option doesn't work either.

Attaching my fixes for sudoedit_checkdir.  I intend to NMU with these
changes later this week if I don't hear any objections.

Ben.

-- 
Ben Hutchings
If God had intended Man to program,
we'd have been born with serial I/O ports.

[CVE-2015-5602-6.patch (text/x-patch, attachment)]

[CVE-2015-5602-7.patch (text/x-patch, attachment)]

[signature.asc (application/pgp-signature, inline)]

Message #64 received at 804149@bugs.debian.org (full text, mbox, reply):

From: Ben Hutchings <ben@decadent.org.uk>

To: 804149@bugs.debian.org

Subject: Re: Bug#804149: fixed in sudo 1.8.15-1

Date: Fri, 01 Jan 2016 17:21:03 +0000

[Message part 1 (text/plain, inline)]

On Tue, 2015-12-29 at 21:36 +0000, Ben Hutchings wrote:
> Attaching my fixes for sudoedit_checkdir.  I intend to NMU with these
> changes later this week if I don't hear any objections.

And here's the backport to squeeze.

Ben.

-- 
Ben Hutchings
All the simple programs have been written, and all the good names taken.

[sudo_1.7.4p4-2.squeeze.6.debdiff (text/x-patch, attachment)]

[signature.asc (application/pgp-signature, inline)]

Message #69 received at 804149@bugs.debian.org (full text, mbox, reply):

From: Ben Hutchings <ben@decadent.org.uk>

To: 804149@bugs.debian.org

Subject: NMU diff for sudo 1.8.15-1.1

Date: Mon, 04 Jan 2016 23:41:00 +0000

[Message part 1 (text/plain, inline)]

See attachment.

Ben.

-- 
Ben Hutchings
Lowery's Law:
             If it jams, force it. If it breaks, it needed replacing anyway.

[sudo_1.8.15-1.1.debdiff (text/x-patch, attachment)]

[signature.asc (application/pgp-signature, inline)]

Message #74 received at 804149-close@bugs.debian.org (full text, mbox, reply):

From: Ben Hutchings <ben@decadent.org.uk>

To: 804149-close@bugs.debian.org

Subject: Bug#804149: fixed in sudo 1.8.15-1.1

Date: Mon, 04 Jan 2016 23:50:26 +0000

Source: sudo
Source-Version: 1.8.15-1.1

We believe that the bug you reported is fixed in the latest version of
sudo, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 804149@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ben Hutchings <ben@decadent.org.uk> (supplier of updated sudo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 04 Jan 2016 23:36:50 +0000
Source: sudo
Binary: sudo sudo-ldap
Architecture: source
Version: 1.8.15-1.1
Distribution: unstable
Urgency: medium
Maintainer: Bdale Garbee <bdale@gag.com>
Changed-By: Ben Hutchings <ben@decadent.org.uk>
Description:
 sudo       - Provide limited super user privileges to specific users
 sudo-ldap  - Provide limited super user privileges to specific users
Closes: 804149
Changes:
 sudo (1.8.15-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload
   * Disable editing of files via user-controllable symlinks
     (Closes: #804149) (CVE-2015-5602)
     - Fix directory writability checks for sudoedit
     - Enable sudoedit directory writability checks by default
Checksums-Sha1:
 28fda1fa7131168db879e78d264e84dd67cfb7dd 1962 sudo_1.8.15-1.1.dsc
 ab0150acf5e43f26a8f2f3979d2db16de1a917c5 24336 sudo_1.8.15-1.1.debian.tar.xz
Checksums-Sha256:
 c94af51d8ac81c27f231fc2deef471bf671ee16a352834ea3a86e9c93e303670 1962 sudo_1.8.15-1.1.dsc
 b2543f8fd92e03d6f7e2ba6ba8875cf3987bf5cf285b25c31c8ec535b08cb10b 24336 sudo_1.8.15-1.1.debian.tar.xz
Files:
 455fe06f16b8843d25bfef9cfce9cd93 1962 admin optional sudo_1.8.15-1.1.dsc
 c633ae88cdc8ed3b5ba53e78a89feb39 24336 admin optional sudo_1.8.15-1.1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBVosCvOe/yOyVhhEJAQpiVg/9FrhB7qi/lk3u2q3RUKtXVtmvjbadQkw4
xMh42vV6MuFHxGqGi1bOf/DwhjSCmp0tKbof6hu6It8ttxBGug4vFfXiJzLM3pW1
UN1lQCTcAbOpYLw12/MB4q0X7m4v4bRQr+3bB7wNqyYRVnSrrs3ovweCVvGJStgf
HvMNfXgt788r4hDTEyqzoJfNC+8piUQ7vWH8667T/fx+Zjn1op126CiT68l20hmM
YSS32YYnQU1EDJ32gqLuoU3k0XGwQbKW96nVl5yhD2UcRXPZ9OtZcZABxKcGzLZG
SgABpJFVj7xDY87spCtbGgH6tV/EibJ+CKF58e27SoO4aqZm5O56XZ6sJPtttSew
Ru60nftGGy5513wyEUWa5zYZyJDXSeI/Ly/jIZPHa4OA2H6kdCQhiTKTTct4m6vV
QOa9TxlKuPLUYTGiOlfga3v6mOpX1JUsHnKA02cr7UCuw+6VEbN0SJMl3mMT2LK+
IljSUhEsIPG9Od4uj1C2VCX4DVL7dpHjB+/jJKIPdPdpC/4irh4PxN7J3wQjDLua
SB0bOLAVJLqNH1B1XrtleAZAXccv0+jCFWrBmvkgdMDa7PfxdQ5XjUs7thFuJWTZ
mpw9Jrzhr57mnQks3y4f906BXtEtQfJtKbRqIs9NvNM4SjO9PCtnEMQq4oWPHZok
1FXIMrV3Yl8=
=rFOg
-----END PGP SIGNATURE-----

Message #79 received at 804149-close@bugs.debian.org (full text, mbox, reply):

From: Ben Hutchings <ben@decadent.org.uk>

To: 804149-close@bugs.debian.org

Subject: Bug#804149: fixed in sudo 1.7.4p4-2.squeeze.6

Date: Tue, 05 Jan 2016 19:06:00 +0000

Source: sudo
Source-Version: 1.7.4p4-2.squeeze.6

We believe that the bug you reported is fixed in the latest version of
sudo, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 804149@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ben Hutchings <ben@decadent.org.uk> (supplier of updated sudo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 05 Jan 2016 18:45:35 +0000
Source: sudo
Binary: sudo sudo-ldap
Architecture: source
Version: 1.7.4p4-2.squeeze.6
Distribution: squeeze-lts
Urgency: medium
Maintainer: Bdale Garbee <bdale@gag.com>
Changed-By: Ben Hutchings <ben@decadent.org.uk>
Description:
 sudo       - Provide limited super user privileges to specific users
 sudo-ldap  - Provide limited super user privileges to specific users
Closes: 804149
Changes:
 sudo (1.7.4p4-2.squeeze.6) squeeze-lts; urgency=medium
 .
   * Non-maintainer upload by the Debian LTS team
   * Disable editing of files via user-controllable symlinks
     (Closes: #804149) (CVE-2015-5602)
     - sudoedit path restriction bypass using symlinks
     - Change warning when user tries to sudoedit a symbolic link
     - Open sudoedit files with O_NONBLOCK and fail if they are not regular files
     - Remove S_ISREG check from sudo_edit_open(), it is already done in the
       caller
     - Add directory writability checks for sudoedit
     - Fix directory writability checks for sudoedit
     - Enable sudoedit directory writability checks by default
Checksums-Sha1:
 0b6546bec910002b7a493429f0f9a3b3b85a10e6 1779 sudo_1.7.4p4-2.squeeze.6.dsc
 09ba4b9d788cd28d569fb07d3623a5a0fcc40142 101408 sudo_1.7.4p4-2.squeeze.6.debian.tar.xz
Checksums-Sha256:
 3aa35f05b2b64aa9a33942f6f1b0363e55a30cb1df0e3a74f0766696979eddd5 1779 sudo_1.7.4p4-2.squeeze.6.dsc
 4c8c43f2d90bd8474ddbc110a5c4df10f76a5b047382f970684e76c99b37fd57 101408 sudo_1.7.4p4-2.squeeze.6.debian.tar.xz
Files:
 0c4b01e91a293233c607012ac50ff93f 1779 admin optional sudo_1.7.4p4-2.squeeze.6.dsc
 a02eb94481caea038b6ed0a97ed1aee4 101408 admin optional sudo_1.7.4p4-2.squeeze.6.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBVowPwee/yOyVhhEJAQqQxw/+OktRIYg84bOhlYuQTpbdqH9GN2WBlJFV
OwQTFf7JlZla8COfzUT5x/oC44liJ8PozLz1kMReYzdRCJqG76qbLhO49pbsi3o7
Gi3o/zkc6kmWW1SwoArvC8/du27yFRj1UE68kcVjlI883wxuEwxjpHB473i/nCKB
IPU5KIRmhBAdJ9GrG/kMEG9Wwur/V9H//9Z9VCAKzqwZGvd/xftt5UO0aiFnDOiU
aQ+F9ovhcf+1P7uVRkGTi/012yb20WTzShk0wOA8jCswOKtVoPkedFM/IeVmuXW5
38ufU7DdvYMhq8UlRDKlaVWaKcXYFBKrsc7XJS00Ju7cMeefUnBzdH4JKeX2LiC2
+nT/Nz7FsQWDSdky75YZ4Vy2X0bGGZTR4wcuVzOfgpRqVQIbuFfQ8ONtnULVu8ga
sXOF7Mcr+jHnxEHRTcc74ZNW97ErG+HSiK/r6MyAaAkMt6l9vUDxAIA0yZreGY6L
2b6X5EmTRJNU99lDPuAs3An8UBJGxl9v02qQpgE98LaP40upKg6G0CzAujxFORys
tTiAcCN2cPTunbnUOm8YWWFGQqnsMhWLwPGTFxW/BlcjzizTi2RNaFqtL2toPZ7d
g4XiTjeN69hR2lZ+V+K6GnstsgAlwkr91pzUD8UjFTQdVYhSkgUeFNOwSocnvbyC
dopIaJqjb1U=
=S2BM
-----END PGP SIGNATURE-----

Message #84 received at 804149@bugs.debian.org (full text, mbox, reply):

From: Ben Hutchings <ben@decadent.org.uk>

To: 804149@bugs.debian.org

Subject: Re: NMU diff for sudo 1.8.15-1.1

Date: Tue, 05 Jan 2016 21:01:13 +0000

[Message part 1 (text/plain, inline)]

On Mon, 2016-01-04 at 23:41 +0000, Ben Hutchings wrote:
> See attachment.

As the git repository is under collab-maint, I've also pushed the
changes there (to a new branch, 'squeeze-lts', as 'squeeze' currently
seems to correspond squeeze-backports).

I also NMU'd for wheezy and jessie, and pushed my changes to the
corresponding git branches.

Ben.

-- 
Ben Hutchings
Tomorrow will be cancelled due to lack of interest.

[signature.asc (application/pgp-signature, inline)]

Message #89 received at 804149-close@bugs.debian.org (full text, mbox, reply):

From: Ben Hutchings <ben@decadent.org.uk>

To: 804149-close@bugs.debian.org

Subject: Bug#804149: fixed in sudo 1.8.10p3-1+deb8u3

Date: Thu, 14 Jan 2016 23:17:09 +0000

Source: sudo
Source-Version: 1.8.10p3-1+deb8u3

We believe that the bug you reported is fixed in the latest version of
sudo, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 804149@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ben Hutchings <ben@decadent.org.uk> (supplier of updated sudo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 05 Jan 2016 19:37:34 +0000
Source: sudo
Binary: sudo sudo-ldap
Architecture: source
Version: 1.8.10p3-1+deb8u3
Distribution: jessie-security
Urgency: medium
Maintainer: Bdale Garbee <bdale@gag.com>
Changed-By: Ben Hutchings <ben@decadent.org.uk>
Description:
 sudo       - Provide limited super user privileges to specific users
 sudo-ldap  - Provide limited super user privileges to specific users
Closes: 804149
Changes:
 sudo (1.8.10p3-1+deb8u3) jessie-security; urgency=medium
 .
   * Non-maintainer upload
   * Disable editing of files via user-controllable symlinks
     (Closes: #804149) (CVE-2015-5602)
     - sudoedit path restriction bypass using symlinks
     - Change warning when user tries to sudoedit a symbolic link
     - Open sudoedit files with O_NONBLOCK and fail if they are not regular files
     - Remove S_ISREG check from sudo_edit_open(), it is already done in the
       caller
     - Add directory writability checks for sudoedit
     - Fix directory writability checks for sudoedit
     - Enable sudoedit directory writability checks by default
Checksums-Sha1:
 a78ae5edd23eab94de70c67b43814e950fd2548a 1999 sudo_1.8.10p3-1+deb8u3.dsc
 ed45b25da17c82e0d2cfed98cb4bfd45617c91d9 2262370 sudo_1.8.10p3.orig.tar.gz
 0f8cde331547cef187863b701d3dc133bf6c0c40 100872 sudo_1.8.10p3-1+deb8u3.debian.tar.xz
Checksums-Sha256:
 3b45c5c5ded8b9884302bf86d759e0997fccd386ee7003a90463c77a1d0ba9f2 1999 sudo_1.8.10p3-1+deb8u3.dsc
 6eda135fa68163108f1c24de6975de5ddb09d75730bb62d6390bda7b04345400 2262370 sudo_1.8.10p3.orig.tar.gz
 5b365f9ebec1a79a76aa6d72b83b14232abe493de106c38cb46504b896e6ed8c 100872 sudo_1.8.10p3-1+deb8u3.debian.tar.xz
Files:
 bdd0efc63d3b83294baa4a8e4e29781d 1999 admin optional sudo_1.8.10p3-1+deb8u3.dsc
 fcd8d0d9f9f0397d076ee901e242ed39 2262370 admin optional sudo_1.8.10p3.orig.tar.gz
 de8a725b548cffd954c6990f3f24becd 100872 admin optional sudo_1.8.10p3-1+deb8u3.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBVpLq8+e/yOyVhhEJAQpMNA/+IPPK2VJCatflFsOu7s+88uKQyor4W4gS
MNSAkoxG1mm3K2J2pmBhP2kXplqX7d2Rh9sKVp3p3UDr70i7PSy2g+UoURRUoni3
oU22NOs/KAIAWbMBKhcYPvJgxe3gZ4VCrvHR6FqS6rcR8WkkTxDZqJ7WgZAmchs3
raflchad6WDZtZmNCHBKgc1g1+fqJUFHPTNuOob3rKfOGI+y9Pvg/9uE+rK0HjKW
4wMPwQAi8xpydcWaN0129t4L/pXf2s6lfbDRyAVYyS3S6r8io3hVItzvBjRaCd3o
0yvu+XG6F5Oilcehpwre+6xlLJYzrHzfm0AqJ0KgzU0CwYuMQ/e0bOTOV2RInX0W
1dyngTeRHgm+IL+OksNoR6S70NoF/KW20iDa6xr8ZH/l1DnypkkfbG5PSCXqx5Y5
4/Z1TY+7phozWXWWv4LFSumJ2Ifzt3UeQC4hGShlUATMcndH7bdwl/2bt1KIkDAc
BOhEyp3xUOBBINv0fpSoNWLxLscaiz+8B+yJu54snVmVDs81ZxB/VnHNGUmdGsH9
Q7Sg9VgNxCmGkLWCKwg2RGQIWuT0iv6ABMVKYZhZog8Co3rf6qrE/58NhrxTQ4tg
1plNoIn1wBNDOLOMBhk/gBQ7qYqQ9pypDzh6W5M+4K8Tr+48TLOYfD7yon8bvNhy
n70Ikm0Zir4=
=Zwf9
-----END PGP SIGNATURE-----

Message #94 received at 804149-close@bugs.debian.org (full text, mbox, reply):

From: Ben Hutchings <ben@decadent.org.uk>

To: 804149-close@bugs.debian.org

Subject: Bug#804149: fixed in sudo 1.8.5p2-1+nmu3+deb7u1

Date: Thu, 14 Jan 2016 23:17:42 +0000

Source: sudo
Source-Version: 1.8.5p2-1+nmu3+deb7u1

We believe that the bug you reported is fixed in the latest version of
sudo, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 804149@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ben Hutchings <ben@decadent.org.uk> (supplier of updated sudo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 05 Jan 2016 18:48:03 +0000
Source: sudo
Binary: sudo sudo-ldap
Architecture: source
Version: 1.8.5p2-1+nmu3+deb7u1
Distribution: wheezy-security
Urgency: medium
Maintainer: Bdale Garbee <bdale@gag.com>
Changed-By: Ben Hutchings <ben@decadent.org.uk>
Description:
 sudo       - Provide limited super user privileges to specific users
 sudo-ldap  - Provide limited super user privileges to specific users
Closes: 804149
Changes:
 sudo (1.8.5p2-1+nmu3+deb7u1) wheezy-security; urgency=medium
 .
   * Non-maintainer upload
   * Fix CVE-2014-9680-{1,2}.patch to edit sudoers.pod, not just the
     generated docs
   * Disable editing of files via user-controllable symlinks
     (Closes: #804149) (CVE-2015-5602)
     - sudoedit path restriction bypass using symlinks
     - Change warning when user tries to sudoedit a symbolic link
     - Open sudoedit files with O_NONBLOCK and fail if they are not regular files
     - Remove S_ISREG check from sudo_edit_open(), it is already done in the
       caller
     - Add directory writability checks for sudoedit
     - Fix directory writability checks for sudoedit
     - Enable sudoedit directory writability checks by default
Checksums-Sha1:
 3eff89c542097326b8ff7e11ce97f25f52f14528 1959 sudo_1.8.5p2-1+nmu3+deb7u1.dsc
 95194417f876b27f53559b4df6fbd639763fbbd4 95564 sudo_1.8.5p2-1+nmu3+deb7u1.debian.tar.xz
Checksums-Sha256:
 663ade0adb880e4693d8b0be936f274f9308c42978e0f8113efd92b72badf0d2 1959 sudo_1.8.5p2-1+nmu3+deb7u1.dsc
 3011009364604bf9adccab4bcd65b1551b4cf398bef698d9ab3dd6f75efc2380 95564 sudo_1.8.5p2-1+nmu3+deb7u1.debian.tar.xz
Files:
 6fa73e4b848b9cbc8cd05eeb7922351a 1959 admin optional sudo_1.8.5p2-1+nmu3+deb7u1.dsc
 db482baf1d123b4f78aa10cf7103b5cb 95564 admin optional sudo_1.8.5p2-1+nmu3+deb7u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBVowbIue/yOyVhhEJAQq1zxAAiz4TEHIo/gzeccu9yG73vNvbQ38igY9b
y/AeMG7tQHM1XbR4Ki9QiqMuJhWDz5MSbgE6Ub4EKuEX4ZByZ1VJhWGUl99JRcj9
uI15FlISH+MvMmSJHXgKb0pIUpwvxI1NXE//fy5hfmVg4UkLHrNVmciK4o0B6jEw
n3UAF4yfEPo0wWJ41l1eLzD4OMGsRGcAV9MK92AenkYOKlM3Nf3vgBDKk2vnnYcU
hpxLobz+lEV9eiWLUWyrcRgg1H8f7cFAcA69158Ul95MTeGbroIadtnz9YeQiL2p
iWuLZAI/+IlC87vR0dRkHjyKKwKXXRRaCljeaXJVGS6lTd0BO9JRVi1T4rnVyTEw
EZnofLf4W/ONmRRWeTxMZuRqQuSHa0nsVFumUpo2Qj6QY9WU7lCUvOsxRV/OEQwh
0IXcJkPcK9yOI1sb77E6YXiSGEgXfUXXpbhHhTfg6hVWBPMSSBgIDbpUY77uLHO2
HZOZhkh4YFYprammoIx8XvFxv3fyFLe8Meya7LLO25e83JZ+1j5fPMaYVvXAxCWd
N+Vt/p8svnLHqwWJMQrk6k/89f6fBaNNF2+Tvlz0M14+P/7ThZ2CIXjXHpFZkEmG
gxLIpm1N0OY9HKZmR8ZOLiDh/mBPfh4xzuIwnlap+p+UJJ4Rpcz+Gp8FsyfJBAQx
lExOrGiMh9I=
=/BZX
-----END PGP SIGNATURE-----

Message #118 received at 804149@bugs.debian.org (full text, mbox, reply):

From: "FedEx International Economy" <jcruz@jfdsales.com>

To: <804149@bugs.debian.org>

Subject: Shipment delivery problem #2515354

Date: Tue, 15 Nov 2016 12:09:41 +0300

[Message part 1 (text/plain, inline)]

Hello,
Courier was unable to deliver the parcel to you. Please, download Delivery Label attached to this email.
Jenise Kintzer - Area Manager FedEx , CA
Yours trully

[FedEx.doc (application/msword, attachment)]

Send a report that this bug log contains spam.