Debian Bug report logs -
#673766
CVE-2012-2337: IP addresses in sudoers with netmask may match additional hosts
Reported by: Moritz Muehlenhoff <muehlenhoff@univention.de>
Date: Mon, 21 May 2012 10:09:01 UTC
Severity: grave
Tags: patch, security
Fixed in version sudo/1.8.3p2-1.1
Done: Dmitrijs Ledkovs <xnox@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#673766; Package sudo.
(Mon, 21 May 2012 10:09:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Muehlenhoff <muehlenhoff@univention.de>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Bdale Garbee <bdale@gag.com>.
(Mon, 21 May 2012 10:09:08 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: sudo
Severity: grave
Tags: security
Please see http://www.sudo.ws/sudo/alerts/netmask.html
Cheers,
Moritz
Information forwarded
to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#673766; Package sudo.
(Tue, 22 May 2012 11:45:59 GMT) (full text, mbox, link).
Acknowledgement sent
to Dmitrijs Ledkovs <dmitrijs.ledkovs@canonical.com>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>.
(Tue, 22 May 2012 11:46:03 GMT) (full text, mbox, link).
Message #10 received at 673766@bugs.debian.org (full text, mbox, reply):
tags 673766 + patch
tags 673766 + pending
user ubuntu-devel@lists.ubuntu.com
usertag 673766 + ubuntu-patch
thanks
Dear maintainer,
I've prepared an NMU for sudo (versioned as 1.8.3p2-1.1).
Please consider uploading this Security fix.
Regards.
diff -Nru sudo-1.8.3p2/debian/changelog sudo-1.8.3p2/debian/changelog
--- sudo-1.8.3p2/debian/changelog 2012-01-30 16:11:54.000000000 +0000
+++ sudo-1.8.3p2/debian/changelog 2012-05-22 12:26:47.000000000 +0100
@@ -1,3 +1,14 @@
+sudo (1.8.3p2-1.1) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * SECURITY UPDATE: Properly handle netmasks in sudoers Host and Host_List
+ values (LP: #1000276, Closes: #673766)
+ - debian/patches/CVE-2012-2337.patch: Don't perform IPv6 checks on IPv4
+ addresses. Based on upstream patch.
+ - CVE-2012-2337
+
+ -- Dmitrijs Ledkovs <dmitrijs.ledkovs@canonical.com> Tue, 22 May 2012 12:23:00 +0100
+
sudo (1.8.3p2-1) unstable; urgency=high
* new upstream version, closes: #657985 (CVE-2012-0809)
diff -Nru sudo-1.8.3p2/debian/patches/CVE-2012-2337.patch sudo-1.8.3p2/debian/patches/CVE-2012-2337.patch
--- sudo-1.8.3p2/debian/patches/CVE-2012-2337.patch 1970-01-01 01:00:00.000000000 +0100
+++ sudo-1.8.3p2/debian/patches/CVE-2012-2337.patch 2012-05-22 12:21:08.000000000 +0100
@@ -0,0 +1,47 @@
+Description: Prevent IPv6 netmask-based address matching logic from incorrectly
+ being applied to IPv4 addresses.
+Author: Todd C. Miller <Todd.Miller@courtesan.com>
+Origin: upstream, http://www.sudo.ws/repos/sudo/rev/672a4793931a
+
+Index: sudo-1.8.3p1/plugins/sudoers/match_addr.c
+===================================================================
+--- sudo-1.8.3p1.orig/plugins/sudoers/match_addr.c 2011-10-21 08:01:25.000000000 -0500
++++ sudo-1.8.3p1/plugins/sudoers/match_addr.c 2012-05-16 09:45:03.289738323 -0500
+@@ -73,7 +73,7 @@
+ for (ifp = interfaces; ifp != NULL; ifp = ifp->next) {
+ if (ifp->family != family)
+ continue;
+- switch(family) {
++ switch (family) {
+ case AF_INET:
+ if (ifp->addr.ip4.s_addr == addr.ip4.s_addr ||
+ (ifp->addr.ip4.s_addr & ifp->netmask.ip4.s_addr)
+@@ -91,6 +91,7 @@
+ }
+ if (j == sizeof(addr.ip6.s6_addr))
+ return TRUE;
++ break;
+ #endif
+ }
+ }
+@@ -154,10 +155,11 @@
+ for (ifp = interfaces; ifp != NULL; ifp = ifp->next) {
+ if (ifp->family != family)
+ continue;
+- switch(family) {
++ switch (family) {
+ case AF_INET:
+ if ((ifp->addr.ip4.s_addr & mask.ip4.s_addr) == addr.ip4.s_addr)
+ return TRUE;
++ break;
+ #ifdef HAVE_IN6_ADDR
+ case AF_INET6:
+ for (j = 0; j < sizeof(addr.ip6.s6_addr); j++) {
+@@ -166,6 +168,7 @@
+ }
+ if (j == sizeof(addr.ip6.s6_addr))
+ return TRUE;
++ break;
+ #endif /* HAVE_IN6_ADDR */
+ }
+ }
diff -Nru sudo-1.8.3p2/debian/patches/series sudo-1.8.3p2/debian/patches/series
--- sudo-1.8.3p2/debian/patches/series 2011-10-23 00:49:16.000000000 +0100
+++ sudo-1.8.3p2/debian/patches/series 2012-05-22 12:22:07.000000000 +0100
@@ -1,2 +1,3 @@
typo-in-classic-insults.diff
paths-in-samples.diff
+CVE-2012-2337.patch
Added tag(s) patch.
Request was from Dmitrijs Ledkovs <dmitrijs.ledkovs@canonical.com>
to control@bugs.debian.org.
(Tue, 22 May 2012 11:46:53 GMT) (full text, mbox, link).
Added tag(s) pending.
Request was from Dmitrijs Ledkovs <dmitrijs.ledkovs@canonical.com>
to control@bugs.debian.org.
(Tue, 22 May 2012 11:46:55 GMT) (full text, mbox, link).
Reply sent
to Dmitrijs Ledkovs <xnox@debian.org>:
You have taken responsibility.
(Thu, 24 May 2012 21:21:49 GMT) (full text, mbox, link).
Notification sent
to Moritz Muehlenhoff <muehlenhoff@univention.de>:
Bug acknowledged by developer.
(Thu, 24 May 2012 21:21:49 GMT) (full text, mbox, link).
Message #19 received at 673766-close@bugs.debian.org (full text, mbox, reply):
Source: sudo
Source-Version: 1.8.3p2-1.1
We believe that the bug you reported is fixed in the latest version of
sudo, which is due to be installed in the Debian FTP archive:
sudo-ldap_1.8.3p2-1.1_amd64.deb
to main/s/sudo/sudo-ldap_1.8.3p2-1.1_amd64.deb
sudo_1.8.3p2-1.1.debian.tar.gz
to main/s/sudo/sudo_1.8.3p2-1.1.debian.tar.gz
sudo_1.8.3p2-1.1.dsc
to main/s/sudo/sudo_1.8.3p2-1.1.dsc
sudo_1.8.3p2-1.1_amd64.deb
to main/s/sudo/sudo_1.8.3p2-1.1_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 673766@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Dmitrijs Ledkovs <xnox@debian.org> (supplier of updated sudo package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 22 May 2012 12:23:00 +0100
Source: sudo
Binary: sudo sudo-ldap
Architecture: source amd64
Version: 1.8.3p2-1.1
Distribution: unstable
Urgency: high
Maintainer: Bdale Garbee <bdale@gag.com>
Changed-By: Dmitrijs Ledkovs <xnox@debian.org>
Description:
sudo - Provide limited super user privileges to specific users
sudo-ldap - Provide limited super user privileges to specific users
Closes: 673766
Changes:
sudo (1.8.3p2-1.1) unstable; urgency=high
.
* Non-maintainer upload.
* SECURITY UPDATE: Properly handle netmasks in sudoers Host and Host_List
values (LP: #1000276, Closes: #673766, CVE-2012-2337)
- debian/patches/CVE-2012-2337.patch: Don't perform IPv6 checks on IPv4
addresses. Based on upstream patch.
Checksums-Sha1:
d64a4d0d9600401479ff991f043ef7ea6c9aa170 1873 sudo_1.8.3p2-1.1.dsc
3009fb7249cdc71330518370ace2d2747226a62a 22640 sudo_1.8.3p2-1.1.debian.tar.gz
e53578ce82d0c0ac42ecfaca09899df72b4606d4 681172 sudo_1.8.3p2-1.1_amd64.deb
18c11dddfb813dd521e02a13c3f253363dbfdef5 707290 sudo-ldap_1.8.3p2-1.1_amd64.deb
Checksums-Sha256:
47d4a2e1096fbd4316d0c6dd55f0c3a8694cab38606566ae305ec2d1bc8a5ced 1873 sudo_1.8.3p2-1.1.dsc
3987b471b0b93ca3bf9c75221a8a1dea88de570bf4c357fd23b89843458f0fa2 22640 sudo_1.8.3p2-1.1.debian.tar.gz
5eb1c80261f67bd4dfa93b0455b9104c73f1efa8b410ec740e3431b0a1296d55 681172 sudo_1.8.3p2-1.1_amd64.deb
5d25914386d3a4778972a393f613e146f244ecd90de64d7e9b283d2b933122ca 707290 sudo-ldap_1.8.3p2-1.1_amd64.deb
Files:
73c50a9c9c05f3586ec2fea48db7fe92 1873 admin optional sudo_1.8.3p2-1.1.dsc
11bd4c9f1f275fe05a240964aff6bb91 22640 admin optional sudo_1.8.3p2-1.1.debian.tar.gz
03f6b2045610e3c46f98f535fb9ea4e5 681172 admin optional sudo_1.8.3p2-1.1_amd64.deb
9d7f365e762ec2f353ff846a89b2bbac 707290 admin optional sudo-ldap_1.8.3p2-1.1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iQIcBAEBCAAGBQJPvpJLAAoJEIh7YGGLPBau7SAQAJNDV9EeyDFJn6Wo0ZbRRIM6
AuAVCFIcpuz0DciK9hF3SnEQhHTd8mPzI4pw4aqUNoOVsWZrd1XTJodyhbeVLxmx
SkyI8IsR5NpjiOsGnr66XE5Orky6dUgqgHqNgjA0Svs/AfcgFGGz2BQrHQSC5xC/
A2CMjYJQzfRbWnnqp3r5lBcFstpHfH8taSi4vwl3uwKnK0xm6vBJRkF4NwyFhLI3
yc1x/MRzCAOQQ89tl+eUFD0har52luSfHqTOn5WFHyb0f3K3ce2rPyQ9FJ5aOE9y
c2bteTxUQmxGN1bDAP0DQdykwRJi+AzZvWGcG0+OUvE6BiVKbYKz1F386MUyLq0B
C4oUY90wiyzdHBri4YU/armF9GNAQDVUUMKyJ9k/ZacgZ1V2H3OfvefDp0sgTaMz
drGYBs38aOVzayWJx2L1BYyCB2Yzr9U5nSyNtau4yb9xhEaw0MVikT3gICttkxMk
SBVuyepHeCXURz5H913kF7SiZzjMQuWKV7xwgx3hAgi5K6rx/78QOO9dGYb3VcLU
o4peRurz2BdCI2GKoV0BzPF1ZRD7bVOhdY+VDC1ghFuZirof0bZYh49mZUAcuqB5
MMGGXBlFQA/j9+nOPZxdUfs0ayJjEeHsw4D2KryT7fxdEOAzehbICHzcPl3S63g3
uCONOjtoNJIoy/M8n3Ge
=ykBa
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 24 Jun 2012 07:43:04 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 13:59:12 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon