Debian Bug report logs -
#342948
CVE-2005-4158: Insecure handling of PERLLIB PERL5LIB PERL5OPT environment vars
Reported by: Moritz Muehlenhoff <jmm@inutil.org>
Date: Sun, 11 Dec 2005 21:48:02 UTC
Severity: important
Tags: security
Fixed in version sudo/1.6.8p12-1
Done: Bdale Garbee <bdale@gag.com>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Bdale Garbee <bdale@gag.com>
:
Bug#342948
; Package sudo
.
(full text, mbox, link).
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>
:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Bdale Garbee <bdale@gag.com>
.
(full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: sudo
Severity: important
Tags: security
Quoting from http://www.sudo.ws/sudo/alerts/perl_env.html :
| The PERL5LIB and PERLLIB environment variables can be used to provide a list of
| directories in which to look for perl library files before the system directories are
| searched. It is similar in concept to the LD_LIBRARY_PATH environment variables, only for
| perl. These variables are ignored if "tainting" is enabled (via the -T switch). The
| PERL5OPT environment variable specifies additional command line options to be passed to
| the script which may modify its behavior.
|
| Malicious users with sudo access to run a perl script can use these variables to include
| and execute their own library file with the same name as a system library file that is
| included (via the "use" or "require" directives) by the perl script run via sudo.
It's been fixed upstream in 1.6.8p12.
Cheers,
Moritz
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-2-686
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Information forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Bdale Garbee <bdale@gag.com>
:
Bug#342948
; Package sudo
.
(full text, mbox, link).
Acknowledgement sent to Martin Schulze <joey@infodrom.org>
:
Extra info received and forwarded to list. Copy sent to team@security.debian.org, Bdale Garbee <bdale@gag.com>
.
(full text, mbox, link).
Message #10 received at 342948@bugs.debian.org (full text, mbox, reply):
Moritz Muehlenhoff wrote:
> Package: sudo
> Severity: important
> Tags: security
>
> Quoting from http://www.sudo.ws/sudo/alerts/perl_env.html :
> | The PERL5LIB and PERLLIB environment variables can be used to provide a list of
> | directories in which to look for perl library files before the system directories are
> | searched. It is similar in concept to the LD_LIBRARY_PATH environment variables, only for
> | perl. These variables are ignored if "tainting" is enabled (via the -T switch). The
> | PERL5OPT environment variable specifies additional command line options to be passed to
> | the script which may modify its behavior.
> |
> | Malicious users with sudo access to run a perl script can use these variables to include
> | and execute their own library file with the same name as a system library file that is
> | included (via the "use" or "require" directives) by the perl script run via sudo.
>
> It's been fixed upstream in 1.6.8p12.
This is true, but it becomes rediculous.
Maintaining a blacklist of environment variables it not a proper approach.
For Perl the above variables are dangerous.
For Python it's PYTHONPATH.
For TeX it's TEXINPUTS.
For Ruby it is...
For....
This list only ends after all languages were checked, and then starts
from the beginning, since probably new possibilities have been created
in the meantime.
Regards,
Joey
--
If nothing changes, everything will remain the same. -- Barne's Law
Please always Cc to me when replying to me on the lists.
Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>
:
Bug#342948
; Package sudo
.
(full text, mbox, link).
Acknowledgement sent to Martin Schulze <joey@infodrom.org>
:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>
.
(full text, mbox, link).
Message #15 received at 342948@bugs.debian.org (full text, mbox, reply):
Martin Schulze wrote:
> > It's been fixed upstream in 1.6.8p12.
>
> This is true, but it becomes rediculous.
Finally allocated some time to develop a minimal patch.
The attached patch only uses the variables listed in env_check to
be passed to the setuid environment. This will preserve language
settings by default, but nothing more.
What do people think about this?
Regards,
Joey
--
If nothing changes, everything will remain the same. -- Barne's Law
Please always Cc to me when replying to me on the lists.
Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>
:
Bug#342948
; Package sudo
.
(full text, mbox, link).
Acknowledgement sent to Martin Schulze <joey@infodrom.org>
:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>
.
(full text, mbox, link).
Message #20 received at 342948@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Martin Schulze wrote:
> Martin Schulze wrote:
> > > It's been fixed upstream in 1.6.8p12.
> >
> > This is true, but it becomes rediculous.
>
> Finally allocated some time to develop a minimal patch.
>
> The attached patch only uses the variables listed in env_check to
> be passed to the setuid environment. This will preserve language
> settings by default, but nothing more.
This time with the attachment attached.
Regards,
Joey
--
If nothing changes, everything will remain the same. -- Barne's Law
Please always Cc to me when replying to me on the lists.
[x (text/plain, attachment)]
Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>
:
Bug#342948
; Package sudo
.
(full text, mbox, link).
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>
:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>
.
(full text, mbox, link).
Message #25 received at 342948@bugs.debian.org (full text, mbox, reply):
Martin Schulze wrote:
> The attached patch only uses the variables listed in env_check to
> be passed to the setuid environment. This will preserve language
> settings by default, but nothing more.
>
> What do people think about this?
The patch itself looks fine for sid (although HOME, LOGNAME, PATH,
SHELL and USER should be allowed as well, as they're quite crucial,
security-wise clean and enabled for the limited env_reset environment
as well), but I think it's a bit too aggressive for a stable update?
http://www.sudo.ws/sudo/alerts/perl_env.html suggests that environment
sanitising takes only place if explicitely enabled with the -T switch,
but the "-T" isn't present in the getopt like parser in sudo.c and
the sanitising is done unconditionally in env.c.
I guess for Woody and Sarge is would be less intrusive to add
PERLLIB PERL5LIB PERL5OPT into the black list and point out in
the advisory that the use of sudo is only recommended for binaries,
shell and Perl scripts.
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>
:
Bug#342948
; Package sudo
.
(full text, mbox, link).
Acknowledgement sent to Martin Schulze <joey@infodrom.org>
:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>
.
(full text, mbox, link).
Message #30 received at 342948@bugs.debian.org (full text, mbox, reply):
Moritz Muehlenhoff wrote:
> Martin Schulze wrote:
> > The attached patch only uses the variables listed in env_check to
> > be passed to the setuid environment. This will preserve language
> > settings by default, but nothing more.
> >
> > What do people think about this?
>
> The patch itself looks fine for sid (although HOME, LOGNAME, PATH,
> SHELL and USER should be allowed as well, as they're quite crucial,
I consider SHELL problematic and sudo should probably reset it to
a sane default.
> security-wise clean and enabled for the limited env_reset environment
> as well), but I think it's a bit too aggressive for a stable update?
I don't think so anymore. Also, due to the lack of feedback I've already
built packages and pushed them into the security queue.
> http://www.sudo.ws/sudo/alerts/perl_env.html suggests that environment
> sanitising takes only place if explicitely enabled with the -T switch,
> but the "-T" isn't present in the getopt like parser in sudo.c and
> the sanitising is done unconditionally in env.c.
>
> I guess for Woody and Sarge is would be less intrusive to add
> PERLLIB PERL5LIB PERL5OPT into the black list and point out in
> the advisory that the use of sudo is only recommended for binaries,
> shell and Perl scripts.
It's a box of pandora. You can hardly hit all variables.
Bdale, what's your opinion?
Regards,
Joey
--
Given enough thrust pigs will fly, but it's not necessarily a good idea.
Information forwarded to debian-bugs-dist@lists.debian.org
:
Bug#342948
; Package sudo
.
(full text, mbox, link).
Acknowledgement sent to Bdale Garbee <bdale@gag.com>
:
Extra info received and forwarded to list.
(full text, mbox, link).
Message #35 received at 342948@bugs.debian.org (full text, mbox, reply):
On Thu, 2005-12-22 at 09:15 +0100, Martin Schulze wrote:
> It's a box of pandora. You can hardly hit all variables.
>
> Bdale, what's your opinion?
One of the workarounds suggested by upstream in the p12 release
announcement is:
Alternately, the administrator can add a line to the top of
sudoers file:
Defaults env_reset
which will reset the environment to only contain the variables
HOME, LOGNAME, PATH, SHELL, TERM, and USER, also preventing
this attack.
My inclination for unstable is to just package p12 and upload it as-is.
It might also be reasonable to add the env_reset entry to the suders
file we create if none already exists? I think I'll do that. But
forcing a change on already-installed systems of that kind certainly
doesn't make sense.
Bdale
Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>
:
Bug#342948
; Package sudo
.
(full text, mbox, link).
Acknowledgement sent to Martin Schulze <joey@infodrom.org>
:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>
.
(full text, mbox, link).
Message #40 received at 342948@bugs.debian.org (full text, mbox, reply):
Bdale Garbee wrote:
> On Thu, 2005-12-22 at 09:15 +0100, Martin Schulze wrote:
>
> > It's a box of pandora. You can hardly hit all variables.
> >
> > Bdale, what's your opinion?
>
> One of the workarounds suggested by upstream in the p12 release
> announcement is:
>
> Alternately, the administrator can add a line to the top of
> sudoers file:
>
> Defaults env_reset
>
> which will reset the environment to only contain the variables
> HOME, LOGNAME, PATH, SHELL, TERM, and USER, also preventing
> this attack.
>
> My inclination for unstable is to just package p12 and upload it as-is.
Ack. Sounds reasonable.
> It might also be reasonable to add the env_reset entry to the suders
> file we create if none already exists? I think I'll do that. But
Yes.
> forcing a change on already-installed systems of that kind certainly
> doesn't make sense.
I'm not quite sure. That would leave existing systems in a vulnerable
state, even though we have corrected this in woody + sarge (by another
means, though).
A note to NEWS.Debian should be read at least.
When you've uploaded the sid package, please drop me a line.
I assume that
Regards,
Joey
--
All language designers are arrogant. Goes with the territory...
-- Larry Wall
Please always Cc to me when replying to me on the lists.
Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>
:
Bug#342948
; Package sudo
.
(full text, mbox, link).
Acknowledgement sent to Justin Pryzby <justinpryzby@users.sourceforge.net>
:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>
.
(full text, mbox, link).
Message #45 received at 342948@bugs.debian.org (full text, mbox, reply):
Hello Joey,
I was perusing the new queue, and noticed the sudo package there (for
reasons unknown). I noticed that it closes bug#342948, and at the end
of the buglog, you said: "When you've uploaded the sid package, please
drop me a line. I assume that " an it ends there. What did you mean
to say?
--
Clear skies,
Justin
Reply sent to Bdale Garbee <bdale@gag.com>
:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Moritz Muehlenhoff <jmm@inutil.org>
:
Bug acknowledged by developer.
(full text, mbox, link).
Message #50 received at 342948-close@bugs.debian.org (full text, mbox, reply):
Source: sudo
Source-Version: 1.6.8p12-1
We believe that the bug you reported is fixed in the latest version of
sudo, which is due to be installed in the Debian FTP archive:
sudo-ldap_1.6.8p12-1_i386.deb
to pool/main/s/sudo/sudo-ldap_1.6.8p12-1_i386.deb
sudo_1.6.8p12-1.diff.gz
to pool/main/s/sudo/sudo_1.6.8p12-1.diff.gz
sudo_1.6.8p12-1.dsc
to pool/main/s/sudo/sudo_1.6.8p12-1.dsc
sudo_1.6.8p12-1_i386.deb
to pool/main/s/sudo/sudo_1.6.8p12-1_i386.deb
sudo_1.6.8p12.orig.tar.gz
to pool/main/s/sudo/sudo_1.6.8p12.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 342948@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Bdale Garbee <bdale@gag.com> (supplier of updated sudo package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Wed, 28 Dec 2005 13:49:10 -0700
Source: sudo
Binary: sudo-ldap sudo
Architecture: source i386
Version: 1.6.8p12-1
Distribution: unstable
Urgency: low
Maintainer: Bdale Garbee <bdale@gag.com>
Changed-By: Bdale Garbee <bdale@gag.com>
Description:
sudo - Provide limited super user privileges to specific users
sudo-ldap - Provide limited super user privileges to specific users
Closes: 342948 344034
Changes:
sudo (1.6.8p12-1) unstable; urgency=low
.
* new upstream version, closes: #342948 (CVE-2005-4158)
* add env_reset to the sudoers file we create if none already exists,
as a further precaution in response to discussion about CVS-2005-4158
* split ldap support into a new sudo-ldap package. I was trying to avoid
doing this, but the impact of going from 4 to 17 linked shlibs on the
autobuilder chroots is sufficient motivation for me.
closes: #344034
Files:
6a1f51b30730dbe9a2402814242c09e8 591 admin optional sudo_1.6.8p12-1.dsc
b29893c06192df6230dd5f340f3badf5 585643 admin optional sudo_1.6.8p12.orig.tar.gz
8df19a66299fd77fa2ec43e6d0802382 28480 admin optional sudo_1.6.8p12-1.diff.gz
9b80d0af75066921391efd713375e73b 159792 admin optional sudo_1.6.8p12-1_i386.deb
ed31f882ebec71b2d16095b8476232a3 172136 admin optional sudo-ldap_1.6.8p12-1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iD8DBQFDszb8ZKfAp/LPAagRAr9UAJ46qBSLpLcMlu7BI2JEj3pKqzNfjACffnZQ
SReCd9WCcWRc7uAHsYK4zEo=
=SzYb
-----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>
:
Bug#342948
; Package sudo
.
(full text, mbox, link).
Acknowledgement sent to Martin Pitt <mpitt@debian.org>
:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>
.
(full text, mbox, link).
Message #55 received at 342948@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi Bdale, hi Joey!
I still think that the current sid version is broken: it does nothing
to fix this vulnerability for similar cases (JAVA_TOOL_OPTIONS,
PYTHONHOME, RUBYLIB, etc. pp) in existing installations and upgrades
from stable, and for new installations it disables environment passing
completely, which breaks lots of scripts and users which/who do
'VAR=value sudo foo'.
I discussed this a bit with Matt Zimmerman, Scott Remnant, and Colin
Watson, and our current agreement is as follows:
* We use Joey's whitelist approach if the user has limited sudo
access, since it's the only sane long term solution and fixes the
issue not only for brand new installations.
* If the user has unlimited access anyway (i. e. "ALL" commands),
then we do not filter out environment variables. The user can shoot
himself in the foot much easier. And e. g. for developers it does
indeed make sense to set a library path to a development version in
his HOME temporarily for testing something.
I would appreciate if Debian and Ubuntu would find a common solution.
What do you think about this approach?
Thanks,
Martin
--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org
In a world without walls and fences, who needs Windows and Gates?
[signature.asc (application/pgp-signature, inline)]
Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>
:
Bug#342948
; Package sudo
.
(full text, mbox, link).
Acknowledgement sent to Andres Salomon <dilinger@debian.org>
:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>
.
(full text, mbox, link).
Message #60 received at 342948@bugs.debian.org (full text, mbox, reply):
I find myself agreeing with Martin here; this isn't really optimal for
sid, as it doesn't take into account existing installations and
upgrades. Even at the risk of changing behavior, I think this is an
important enough fix to warrant making env_reset the default behavior.
Differentiating between ALL and limited sudo access seems like
unnecessary logic, and is sure to confuse people (the sudoers manpage is
already quite long, more than 1000 lines; finding a brief mention of
differing behavior wrt environment variables and sudo access will
probably be missed). I would prefer a simpler solution; simply remove
all unknown env variables in all cases. If users are running sid, they
should be able to deal with this sort of behavioral change, and it
should be documented in NEWS.Debian.
Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>
:
Bug#342948
; Package sudo
.
(full text, mbox, link).
Acknowledgement sent to Martin Schulze <joey@infodrom.org>
:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>
.
(full text, mbox, link).
Message #65 received at 342948@bugs.debian.org (full text, mbox, reply):
Martin Pitt wrote:
> I still think that the current sid version is broken: it does nothing
> to fix this vulnerability for similar cases (JAVA_TOOL_OPTIONS,
> PYTHONHOME, RUBYLIB, etc. pp) in existing installations and upgrades
> from stable, and for new installations it disables environment passing
> completely, which breaks lots of scripts and users which/who do
> 'VAR=value sudo foo'.
>
> I discussed this a bit with Matt Zimmerman, Scott Remnant, and Colin
> Watson, and our current agreement is as follows:
>
> * We use Joey's whitelist approach if the user has limited sudo
> access, since it's the only sane long term solution and fixes the
> issue not only for brand new installations.
>
> * If the user has unlimited access anyway (i. e. "ALL" commands),
> then we do not filter out environment variables. The user can shoot
> himself in the foot much easier. And e. g. for developers it does
> indeed make sense to set a library path to a development version in
> his HOME temporarily for testing something.
>
> I would appreciate if Debian and Ubuntu would find a common solution.
> What do you think about this approach?
I believe this is a sane approach.
Bdale, what do you think?
What's the current implementation in version 1.6.8p12-1 anyway1?
Regards,
Joey
--
Never trust an operating system you don't have source for!
Please always Cc to me when replying to me on the lists.
Information forwarded to debian-bugs-dist@lists.debian.org
:
Bug#342948
; Package sudo
.
(full text, mbox, link).
Acknowledgement sent to Bdale Garbee <bdale@gag.com>
:
Extra info received and forwarded to list.
(full text, mbox, link).
Message #70 received at 342948@bugs.debian.org (full text, mbox, reply):
On Wed, 2006-01-11 at 16:38 +0100, Martin Schulze wrote:
> Bdale, what do you think?
I'm ok with it. Does someone have a patch representing this behavior?
> What's the current implementation in version 1.6.8p12-1 anyway1?
What upstream shipped for p12, plus env_reset added to sudoers when
nothing already exists and we're creating one from scratch.
Bdale
Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>
:
Bug#342948
; Package sudo
.
(full text, mbox, link).
Acknowledgement sent to Martin Pitt <mpitt@debian.org>
:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>
.
(full text, mbox, link).
Message #75 received at 342948@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi!
Bdale Garbee [2006-01-11 22:04 -0700]:
> On Wed, 2006-01-11 at 16:38 +0100, Martin Schulze wrote:
>
> > Bdale, what do you think?
>
> I'm ok with it. Does someone have a patch representing this behavior?
No, but if we all agree, I'll cook one. I'll report back.
Martin
--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org
In a world without walls and fences, who needs Windows and Gates?
[signature.asc (application/pgp-signature, inline)]
Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>
:
Bug#342948
; Package sudo
.
(full text, mbox, link).
Acknowledgement sent to Martin Pitt <mpitt@debian.org>
:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>
.
(full text, mbox, link).
Message #80 received at 342948@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi again!
Bdale Garbee [2006-01-11 22:04 -0700]:
> On Wed, 2006-01-11 at 16:38 +0100, Martin Schulze wrote:
>
> > Bdale, what do you think?
>
> I'm ok with it. Does someone have a patch representing this behavior?
I now finished the first version of the patch [1]. Please note that I
tried to keep the patch small; if this should be accepted upstream,
then env.c should be cleaned up severely.
I did the same changes to the LDAP backend; the change is fairly
straightforward, but I did not test it. I programmed it defensively,
so the worst that can happen is that your environment is slaughtered
even if you can execute "ALL" commands. Does someone of you happen to
use sudo with LDAP?
I would highly appreciate some more pairs of eyes on the patch,
though.
> What upstream shipped for p12, plus env_reset added to sudoers when
> nothing already exists and we're creating one from scratch.
I disabled the addition of env_reset in Ubuntu, since it doesn't help
for upgrades and would annoy real admins (with no command restriction)
too much, BTW.
Thanks for considering,
Martin
[1] http://patches.ubuntu.com/patches/sudo.envhandling.patch
--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org
In a world without walls and fences, who needs Windows and Gates?
[signature.asc (application/pgp-signature, inline)]
Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>
:
Bug#342948
; Package sudo
.
(full text, mbox, link).
Acknowledgement sent to Peter Mottram <peter@sysnix.com>
:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>
.
(full text, mbox, link).
Message #85 received at 342948@bugs.debian.org (full text, mbox, reply):
Now I can easily add environment variables back in using env_check but I
see no way of pulling in csh shell variables. :-(
Is this the 'fix' that finally forces me to switch from tcsh to some other
shell after 15 years?
btw: nice fix - the best solution IMHO.
R.
PeteM
Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>
:
Bug#342948
; Package sudo
.
(full text, mbox, link).
Acknowledgement sent to Nicholas Lee <nic@plumtree.co.nz>
:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>
.
(full text, mbox, link).
Message #90 received at 342948@bugs.debian.org (full text, mbox, reply):
http://stateless.geek.nz/2006/01/24/sudo-upgrade-from-debian-security-changes-env-handling/
When semantics changes its important for a core tool like sudo to tell
people. Arbitrarily dumping the environment is likely to break some cron
scripts silently. A message using debconf would probably save a lot of
hassle.
Nicholas
Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>
:
Bug#342948
; Package sudo
.
(full text, mbox, link).
Acknowledgement sent to Andrew Pimlott <andrew@pimlott.net>
:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>
.
(full text, mbox, link).
Message #95 received at 342948@bugs.debian.org (full text, mbox, reply):
I want to amplify the comment of Nicholas Lee <nic@plumtree.co.nz>.
This patch did not include an update to the manual, only a terse mention
in the changelog.Debian. Even reading the bug log, I cannot tell what
behaviour is implemented for stable. This leaves the hapless
administrator to use guesswork to repair the damage, a precarious
situation for a security-critical function. Further, there appears to
be no way to get the old behavior back in situations where that is safe.
I would suggest documenting the applied patch in the man page and
README.Debian.
Andrew
Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>
:
Bug#342948
; Package sudo
.
(full text, mbox, link).
Acknowledgement sent to Anton Ivanov <arivanov@sigsegv.cx>
:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>
.
(full text, mbox, link).
Message #100 received at 342948@bugs.debian.org (full text, mbox, reply):
Defaults: env_keep no longer works at least for me.
Now only env_check allows passing variables which unless I am mistaken
means that they undergo mandatory sanitization.
Brgds,
--
A. R. Ivanov
E-mail: aivanov@sigsegv.cx
WWW: http://www.sigsegv.cx/
pub 1024D/DDE5E715 2002-03-03 Anton R. Ivanov <ai1-n@sigsegv.cx>
Fingerprint: C824 CBD7 EE4B D7F8 5331 89D5 FCDA 572E DDE5 E715
Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>
:
Bug#342948
; Package sudo
.
(full text, mbox, link).
Acknowledgement sent to Pat Suwalski <pat@suwalski.net>
:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>
.
(full text, mbox, link).
Message #105 received at 342948@bugs.debian.org (full text, mbox, reply):
This security update really breaks the behaviour of sudo, especially
with regard to the DISPLAY variable used in a lot of projects.
Things like:
> sudo xeyes
no longer work.
We have to tell our users to add:
Default: env_reset, env_keep="DISPLAY"
to get their functionality back. This is WRONG.
--Pat
Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>
:
Bug#342948
; Package sudo
.
(full text, mbox, link).
Acknowledgement sent to Anton Ivanov <arivanov@sigsegv.cx>
:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>
.
Your message did not contain a Subject field. They are recommended and
useful because the title of a Bug is determined using this field.
Please remember to include a Subject field in your messages in future.
(full text, mbox, link).
Message #110 received at 342948@bugs.debian.org (full text, mbox, reply):
Forgot to add:
While env_keep/env_check is b0rken with current sarge sudo it works OK
as per documentation with the more recent version from testing.
This is essentially the same bug as in:
#349196: sudo: DSA-946-1 broke joe horribly
#349549: XAUTHORITY broken
#349587: sudo -s does not preserve $HOME environment variable
#349729: sudo: Removes all user environment variables except TERM, LANG
and LANGUAGE
All of these can be resolved by upgrading to testing and setting the
relevant variables as env_keep or env_check, I have found no way of
getting these to work with current sudo from updates and had to upgrade
sudo on all systems I manage.
--
A. R. Ivanov
E-mail: aivanov@sigsegv.cx
WWW: http://www.sigsegv.cx/
pub 1024D/DDE5E715 2002-03-03 Anton R. Ivanov <ai1-n@sigsegv.cx>
Fingerprint: C824 CBD7 EE4B D7F8 5331 89D5 FCDA 572E DDE5 E715
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org
.
(Mon, 25 Jun 2007 12:41:13 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 18:35:06 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.