[bugtraq] Sudo version 1.6.8p9 now available, fixes security issue.

Related Vulnerabilities: CVE-2005-4158  

Debian Bug report logs - #315115
Package: sudo; Maintainer for sudo is Bdale Garbee <bdale@gag.com>; Source for sudo is src:sudo (PTS, buildd, popcon).

Reported by: Christian Hammers <ch@debian.org>

Date: Mon, 20 Jun 2005 17:18:03 UTC

Severity: critical

Tags: fixed, patch, sarge, security, woody

Merged with 315718

Found in version 1.6.8p7-1.1

Fixed in version sudo/1.6.8p12-2

Done: Bdale Garbee <bdale@gag.com>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#315115; Package sudo.


Acknowledgement sent to Christian Hammers <ch@debian.org>:
New Bug report received and forwarded. Copy sent to Bdale Garbee <bdale@gag.com>.


Message #5 received at submit@bugs.debian.org:

From: Christian Hammers <ch@debian.org>
To: submit@bugs.debian.org
Subject: [bugtraq] Sudo version 1.6.8p9 now available, fixes security issue.
Date: Mon, 20 Jun 2005 19:04:42 +0200
[Message part 1 (text/plain, inline)]
Package: sudo
Severity: critical
Tags: security
Version: 1.6.8p7-1.1

Please see attached announcement.

bye,

-christian-
[Message part 2 (message/rfc822, inline)]
From: "Todd C. Miller" <Todd.Miller@courtesan.com>
To: bugtraq@securityfocus.com
Subject: [bugtraq] Sudo version 1.6.8p9 now available, fixes security issue.
Date: Mon, 20 Jun 2005 08:24:43 -0600
Sudo version 1.6.8, patchlevel 9 is now available, which fixes a
race condition in Sudo's pathname validation.  This is a security
issue.

Summary:
    A race condition in Sudo's command pathname handling prior to
    Sudo version 1.6.8p9 that could allow a user with Sudo privileges
    to run arbitrary commands.

Sudo versions affected:
    Sudo versions 1.3.1 up to and including 1.6.8p8.

Details:
    When a user runs a command via Sudo, the inode and device numbers
    of the command are compared to those of commands with the same
    basename found in the sudoers file (see the Background paragraph
    for more information).  When a match is found, the path to the
    matching command listed in the sudoers file is stored in the
    variable safe_cmnd,  which is later used to execute the command.
    Because the actual path executed comes from the sudoers file
    and not directly from the user, Sudo should be safe from race
    conditions involving symbolic links.  However, if a sudoers
    entry containing the pseudo-command ALL follows the user's
    sudoers entry, the contents of safe_cmnd will be overwritten
    with the path the user specified on the command line, making
    Sudo vulnerable to the aforementioned race condition.

Impact:
    Exploitation of the bug requires that the user be allowed to
    run one or more commands via Sudo and be able to create symbolic
    links in the filesystem.  Furthermore, a sudoers entry giving
    another user access to the ALL pseudo-command must follow the
    user's sudoers entry for the race to exist.

    For example, the following sudoers file is not affected by the
    bug:

	root		server=ALL
	someuser	server=/bin/echo

    Whereas this one would be:

	someuser	server=/bin/echo
	root		server=ALL

Fix:
    The bug is fixed in sudo 1.6.8p9.

Workaround:
    The administrator can order the sudoers file such that all
    entries granting Sudo ALL privileges precede all other entries.

Credit:
    This problem was brought to my attention by Charles Morris.

Background:
    The reason Sudo uses the inode for command matching is to make
    relative paths work and to avoid problems caused by automounters
    where the path to be executed is not the same as the absolute
    path to the command.

    Another possible approach is to use the realpath() function to
    find the true path.  Sudo does not use realpath() because that
    function is not present in all operating systems and is often
    vulnerable to race conditions where it does exist.

The next major Sudo release will be version 1.7.  For information
on what to expect in sudo 1.7, see http://www.sudo.ws/sudo/future.html
You can help speed the release of Sudo 1.7 by purchasing a support
contract or making a donation (see below).

Commercial support is available for Sudo.  If your organization
uses Sudo, please consider purchasing a support contract to help
fund future Sudo development at http://www.sudo.ws/support.html
Custom enhancements to Sudo may also be contracted.

You can also help out by making a donation or "purchase" a copy
of Sudo at http://www.sudo.ws/purchase.html

Master Web Site:
    http://www.sudo.ws/sudo/

Web Site Mirrors:
    http://www.mirrormonster.com/sudo/ (Fremont, California, USA)
    http://sudo.stikman.com/ (Los Angeles, California, USA)
    http://sudo.tolix.org/ (California, USA)
    http://mirage.informationwave.net/sudo/ (Fanwood, New Jersey, USA)
    http://www.mrv2k.net/sudo/ (Bend, Oregon, USA)
    http://sudo.rtin.bz/ (Philadelphia, Pennsylvania, USA)
    http://www.signal42.com/mirrors/sudo_www/ (USA)
    http://sudo.xmundo.net/ (Argentina)
    http://sudo.planetmirror.com/ (Australia)
    http://mirror.mons-new-media.de/sudo/ (Germany)
    http://sunshine.lv/sudo/ (Latvia)
    http://rexem.uni.cc/sudo/ (Kaunas, Lithuania)
    http://sudo.cdu.elektra.ru/ (Russia)
    http://sudo.nctu.edu.tw/ (Taiwan)

FTP Mirrors:
    ftp://plier.ucar.edu/pub/sudo/ (Boulder, Colorado, USA)
    ftp://ftp.cs.colorado.edu/pub/sudo/ (Boulder, Colorado, USA)
    ftp://obsd.isc.org/pub/sudo/ (Redwood City, California, USA)
    ftp://ftp.stikman.com/pub/sudo/ (Los Angeles, California, USA)
    ftp://ftp.tux.org/pub/security/sudo/ (Beltsville, Maryland, USA)
    ftp://ftp.cerias.purdue.edu/pub/tools/unix/sysutils/sudo/ (West Lafayette, Indiana, USA)
    ftp://ftp.uwsg.indiana.edu/pub/security/sudo/ (Bloomington, Indiana, USA)
    ftp://ftp.rge.com/pub/admin/sudo/ (Rochester, New York, USA)
    ftp://mirror.sg.depaul.edu/pub/security/sudo/ (Chicago, Illinois, USA)
    ftp://sudo.xmundo.net/pub/mirrors/sudo/ (Argentina)
    ftp://ftp.wiretapped.net/pub/security/host-security/sudo/ (Australia)
    ftp://ftp.tuwien.ac.at/utils/admin-tools/sudo/ (Austria)
    ftp://sunsite.ualberta.ca/pub/Mirror/sudo/ (Alberta, Canada)
    ftp://ftp.csc.cuhk.edu.hk/pub/packages/unix-tools/sudo/ (Hong Kong, China)
    ftp://ftp.eunet.cz/pub/security/sudo/ (Czechoslovakia)
    ftp://ftp.ujf-grenoble.fr/sudo/ (France)
    ftp://netmirror.org/ftp.sudo.ws/ (Frankfurt, Germany)
    ftp://ftp.win.ne.jp/pub/misc/sudo/ (Japan)
    ftp://ftp.st.ryukoku.ac.jp/pub/security/tool/sudo/ (Japan)
    ftp://ftp.cin.nihon-u.ac.jp/pub/misc/sudo/ (Japan)
    ftp://core.ring.gr.jp/pub/misc/sudo/ (Japan)
    ftp://ftp.ring.gr.jp/pub/misc/sudo/ (Japan)
    ftp://ftp.tpnet.pl/d6/ftp.sudo.ws/ (Poland)
    ftp://ftp.cdu.elektra.ru/pub/unix/security/sudo/ (Russia)
    ftp://ftp.nsysu.edu.tw/Unix/Security/Sudo/ (Taiwan)

HTTP Mirrors:
    http://www.mirrormonster.com/sudo/dist/ (Fremont, California, USA)
    http://sudo.tolix.org/ftp/ (California, USA)
    http://sudo.mirror99.com/ (San Jose, California, USA)
    http://www.signal42.com/mirrors/sudo_ftp/ (California, USA)
    http://www.rge.com/pub/admin/sudo/ (Rochester, New York, USA)
    http://probsd.org/sudoftp/ (East Coast, USA)
    http://ftp.cerias.purdue.edu/pub/tools/unix/sysutils/sudo/ (West Lafayette, Indiana, USA)
    http://www.signal42.com/mirrors/sudo_ftp/ (California, USA)
    http://netmirror.org/mirror/ftp.sudo.ws/ (Frankfurt, Germany)
    http://mirror.mons-new-media.de/sudo_ftp/ (Frankfurt, Germany)
    http://core.ring.gr.jp/archives/misc/sudo/ (Japan)
    http://www.ring.gr.jp/archives/misc/sudo/ (Japan)
    http://ftp.tpnet.pl/vol/d6/ftp.sudo.ws/ (Poland)
    http://sudo.tsuren.net/dist/ (Moscow, Russian Federation)
    http://ftp.nsysu.edu.tw/Unix/Security/Sudo/ (Taiwan)
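
The ordering rule from the announcement's Workaround section and the version range under "Sudo versions affected", as an added example (not part of the announcement and not Sudo's own code). It is a simplified sudoers audit that flags any entry granting ALL when it follows a restricted entry; the function names, the constructed sample inputs and the parser's simplifications are assumptions noted in the comments.

```python
import re

# Constructed samples: the two orderings shown in the advisory's Impact section.
SAFE_SUDOERS = "root\t\tserver=ALL\nsomeuser\tserver=/bin/echo\n"
AFFECTED_SUDOERS = "someuser\tserver=/bin/echo\nroot\t\tserver=ALL\n"

# Assumptions of this simplified parser: aliases are skipped rather than
# expanded (a Cmnd_Alias that resolves to ALL is not detected), and each
# logical line holds a single "who host = commands" specification.
_SKIP = re.compile(r"^(Defaults\b|(User|Runas|Host|Cmnd)_Alias\b)")
_RUNAS = re.compile(r"\([^)]*\)")                      # "(runas list)" prefix
_TAG = re.compile(r"\b(NOPASSWD|PASSWD|NOEXEC|EXEC)\s*:")
_VERSION = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?")


def logical_lines(text):
    """Yield (first_line_no, text) with comments dropped and '\\' continuations joined."""
    buf, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if not buf:
            start = n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield start, buf.strip()
        buf = ""
    if buf.strip():
        yield start, buf.strip()


def user_specs(text):
    """Return [(line_no, who, [commands])] for every user specification."""
    specs = []
    for n, line in logical_lines(text):
        if _SKIP.match(line) or "=" not in line:
            continue
        lhs, rhs = line.split("=", 1)
        rhs = _TAG.sub("", _RUNAS.sub("", rhs))
        cmnds = [c.strip() for c in rhs.split(",") if c.strip()]
        specs.append((n, lhs.split()[0], cmnds))
    return specs


def grants_all(cmnds):
    """True when the command list contains the pseudo-command ALL."""
    return any(c.split()[0] == "ALL" for c in cmnds)


def audit_order(text):
    """Flag each ALL entry that follows a restricted entry (the affected ordering)."""
    findings, first_restricted = [], None
    for n, who, cmnds in user_specs(text):
        if grants_all(cmnds):
            if first_restricted is not None:
                findings.append({"line": n, "who": who,
                                 "after_line": first_restricted[0],
                                 "after_who": first_restricted[1]})
        elif first_restricted is None:
            first_restricted = (n, who)
    return findings


def is_affected_version(version):
    """Upstream range from the advisory: 1.3.1 up to and including 1.6.8p8.
    Distribution packages may carry backported fixes, so this checks the
    upstream version string only."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised sudo version: {version!r}")
    v = tuple(int(g or 0) for g in m.groups())
    return (1, 3, 1, 0) <= v <= (1, 6, 8, 8)


if __name__ == "__main__":
    for name, text in (("safe", SAFE_SUDOERS), ("affected", AFFECTED_SUDOERS)):
        print(name, audit_order(text))
    print("1.6.8p7 affected:", is_affected_version("1.6.8p7"))
```

Moving a flagged entry changes which rule wins for any user matched by more than one entry, so review the resulting policy with visudo before deploying a reordered file.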


Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#315115; Package sudo.


Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>.


Message #10 received at 315115@bugs.debian.org:

From: Martin Pitt <mpitt@debian.org>
To: 315115@bugs.debian.org
Cc: control@bugs.debian.org
Subject: CAN number
Date: Tue, 21 Jun 2005 12:47:54 +0200
[Message part 1 (text/plain, inline)]
Hi!

This is CAN-2005-1993, please mention that in the changelog.

Thanks,

Martin
-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#315115; Package sudo.


Acknowledgement sent to Geoff Crompton <geoff.crompton@strategicdata.com.au>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>.


Message #15 received at 315115@bugs.debian.org:

From: Geoff Crompton <geoff.crompton@strategicdata.com.au>
To: Debian Bug Tracking System <315115@bugs.debian.org>
Subject: sudo: This bug refers to CAN-2005-1993
Date: Thu, 23 Jun 2005 10:04:11 +1000
Package: sudo
Version: 1.6.8p7-1.1
Followup-For: Bug #315115

Just for information, this bug refers to CAN-2005-1993, and corresponds
to security focus BID 13993.



Merged 315115 315718. Request was from Frank Lichtenheld <djpig@debian.org> to control@bugs.debian.org.


Reply sent to Bdale Garbee <bdale@gag.com>:
You have taken responsibility.


Notification sent to Christian Hammers <ch@debian.org>:
Bug acknowledged by developer.


Message #22 received at 315115-close@bugs.debian.org:

From: Bdale Garbee <bdale@gag.com>
To: 315115-close@bugs.debian.org
Subject: Bug#315115: fixed in sudo 1.6.8p9-1
Date: Tue, 28 Jun 2005 16:02:51 -0400
Source: sudo
Source-Version: 1.6.8p9-1

We believe that the bug you reported is fixed in the latest version of
sudo, which is due to be installed in the Debian FTP archive:

sudo_1.6.8p9-1.diff.gz
  to pool/main/s/sudo/sudo_1.6.8p9-1.diff.gz
sudo_1.6.8p9-1.dsc
  to pool/main/s/sudo/sudo_1.6.8p9-1.dsc
sudo_1.6.8p9-1_i386.deb
  to pool/main/s/sudo/sudo_1.6.8p9-1_i386.deb
sudo_1.6.8p9.orig.tar.gz
  to pool/main/s/sudo/sudo_1.6.8p9.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 315115@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bdale Garbee <bdale@gag.com> (supplier of updated sudo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 28 Jun 2005 15:33:11 -0400
Source: sudo
Binary: sudo
Architecture: source i386
Version: 1.6.8p9-1
Distribution: unstable
Urgency: high
Maintainer: Bdale Garbee <bdale@gag.com>
Changed-By: Bdale Garbee <bdale@gag.com>
Description: 
 sudo       - Provide limited super user privileges to specific users
Closes: 315115 315718
Changes: 
 sudo (1.6.8p9-1) unstable; urgency=high
 .
   * new upstream version, fixes a race condition in sudo's pathname
     validation, which is a security issue (CAN-2005-1993),
     closes: #315115, #315718
Files: 
 e2e0775f3e6df6ad492c8865324626ba 567 admin optional sudo_1.6.8p9-1.dsc
 6d0346abd16914956bc7ea4f17fc85fb 585509 admin optional sudo_1.6.8p9.orig.tar.gz
 d2465319cef04fcc3dd46ab4fbb83244 20150 admin optional sudo_1.6.8p9-1.diff.gz
 7ad87187742f906dfffde408598cc0a1 159608 admin optional sudo_1.6.8p9-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFCwaglZKfAp/LPAagRAv8KAJ4hDeOlBRe4LDe7Tr3PSPnuP8eKLQCfSUMY
ehNiYDJWKirfmDgnx4DltKk=
=EpVl
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#315115; Package sudo.


Acknowledgement sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>.


Message #27 received at 315115@bugs.debian.org:

From: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
To: 315115@bugs.debian.org
Cc: Debian Bugs Control Bot <control@bugs.debian.org>
Subject: [bdale@gag.com: sudo fix]
Date: Wed, 29 Jun 2005 04:26:09 +0200
reopen 315115
tags 315115 woody sarge pending
thanks

Updated packages mailed to security team, awaiting review and upload.

--Jeroen

-- 
Jeroen van Wolffelaar
Jeroen@wolffelaar.nl (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl



Bug reopened, originator not changed. Request was from Jeroen van Wolffelaar <jeroen@wolffelaar.nl> to control@bugs.debian.org.


Tags added: woody, sarge, pending Request was from Jeroen van Wolffelaar <jeroen@wolffelaar.nl> to control@bugs.debian.org.


Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#315115; Package sudo.


Acknowledgement sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>.


Message #36 received at 315115@bugs.debian.org:

From: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
To: 315115@bugs.debian.org
Cc: Debian Bugs Control Bot <control@bugs.debian.org>
Subject: Re: [bdale@gag.com: sudo fix]
Date: Wed, 29 Jun 2005 04:50:53 +0200
tags 315115 patch
thanks

On Wed, Jun 29, 2005 at 04:26:09AM +0200, Jeroen van Wolffelaar wrote:
> Updated packages mailed to security team, awaiting review and upload.

If you want to test:

http://www.wolffelaar.nl/~jeroen/sudo.CAN-2005-1993.tar.gz
(intentionally lacking .changes files)

Please send feedback (esp when you find regressions and/or find that
they don't fix the problem) to this bug, cc'ing me.

--Jeroen

-- 
Jeroen van Wolffelaar
jeroen@wolffelaar.nl
http://jeroen.A-Eskwadraat.nl



Tags added: patch Request was from Jeroen van Wolffelaar <jeroen@wolffelaar.nl> to control@bugs.debian.org.


Tags added: fixed Request was from Jeroen van Wolffelaar <jeroen@wolffelaar.nl> to control@bugs.debian.org.


Reply sent to Bdale Garbee <bdale@gag.com>:
You have taken responsibility.


Notification sent to Christian Hammers <ch@debian.org>:
Bug acknowledged by developer.


Message #45 received at 315115-close@bugs.debian.org:

From: Bdale Garbee <bdale@gag.com>
To: 315115-close@bugs.debian.org
Subject: Bug#315115: fixed in sudo 1.6.8p12-2
Date: Sun, 02 Apr 2006 15:02:19 -0700
Source: sudo
Source-Version: 1.6.8p12-2

We believe that the bug you reported is fixed in the latest version of
sudo, which is due to be installed in the Debian FTP archive:

sudo-ldap_1.6.8p12-2_i386.deb
  to pool/main/s/sudo/sudo-ldap_1.6.8p12-2_i386.deb
sudo_1.6.8p12-2.diff.gz
  to pool/main/s/sudo/sudo_1.6.8p12-2.diff.gz
sudo_1.6.8p12-2.dsc
  to pool/main/s/sudo/sudo_1.6.8p12-2.dsc
sudo_1.6.8p12-2_i386.deb
  to pool/main/s/sudo/sudo_1.6.8p12-2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 315115@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bdale Garbee <bdale@gag.com> (supplier of updated sudo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun,  2 Apr 2006 14:26:20 -0700
Source: sudo
Binary: sudo-ldap sudo
Architecture: source i386
Version: 1.6.8p12-2
Distribution: unstable
Urgency: low
Maintainer: Bdale Garbee <bdale@gag.com>
Changed-By: Bdale Garbee <bdale@gag.com>
Description: 
 sudo       - Provide limited super user privileges to specific users
 sudo-ldap  - Provide limited super user privileges to specific users
Closes: 161012 203874 220808 228551 292833 314949 315115 315718 346325 349085 349129 349196 349549 349587 349729 350776 354431
Changes: 
 sudo (1.6.8p12-2) unstable; urgency=low
 .
   * fix typos in init scripts, closes: #346325
   * update to debhelper compat level 5
   * build depend on autotools-dev to ensure config.sub/guess are fresh
   * accept patch from Martin Schulze developed for 1.6.8p7-1.4 in stable, and
     use it here as well.  Thanks to Martin and the debian-security team.
     closes: #349196, #349549, #349587, #349729, #349129, #350776, #349085
     closes: #315115, #315718, #203874
     * Non-maintainer upload by the Security Team
     * Reworked the former patch to limit environment variables from being
       passed through, set env_reset as default instead [sudo.c, env.c,
       sudoers.pod, Bug#342948, CVE-2005-4158]
     * env_reset is now set by default
     * env_reset will preserve only HOME, LOGNAME, PATH, SHELL, TERM,
       DISPLAY, XAUTHORITY, XAUTHORIZATION, LANG, LANGUAGE, LC_*, and USER
       (in addition to the SUDO_* variables)
     * Rebuild sudoers.man.in from the POD file
     * Added README.Debian
   * patch from Alexander Zangerl to fix duplicated PATH issue, closes: #354431
   * simplify rules file by using more of Makefile, despite having to override
     default directories with more arguments to configure, closes: #292833
   * update sudo man page to reflect use of SECURE_PATH, closes: #228551
   * inconsistencies in sudoers man page resolved, closes: #220808, #161012
   * patch from Jeroen van Wolffelaar to improve behavior when FQDNs are
     unresolveable (requires adding bison as build dep), closes: #314949
Files: 
 73d77951ae86e88e906d28d0f94abb33 615 admin optional sudo_1.6.8p12-2.dsc
 b3205e53c871e64824c6b338c9fa8a35 33108 admin optional sudo_1.6.8p12-2.diff.gz
 22698e7f33a3f7179ec3ab59d24e4fec 161506 admin optional sudo_1.6.8p12-2_i386.deb
 d2418ccc65a98154b15c7b3c1342462b 173910 admin optional sudo-ldap_1.6.8p12-2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEMEhZZKfAp/LPAagRAkw0AJwJq5L7amKiN48J0ldHRH3Sv29yFACbBi1b
LP3jMinYQ8qNMfE81BL1G9U=
=NSf8
-----END PGP SIGNATURE-----




Reply sent to Bdale Garbee <bdale@gag.com>:
You have taken responsibility.


Notification sent to Christian Hammers <ch@debian.org>:
Bug acknowledged by developer.


Message #50 received at 315718-close@bugs.debian.org:

From: Bdale Garbee <bdale@gag.com>
To: 315718-close@bugs.debian.org
Subject: Bug#315718: fixed in sudo 1.6.8p12-2
Date: Sun, 02 Apr 2006 15:02:19 -0700
Source: sudo
Source-Version: 1.6.8p12-2

We believe that the bug you reported is fixed in the latest version of
sudo, which is due to be installed in the Debian FTP archive:

sudo-ldap_1.6.8p12-2_i386.deb
  to pool/main/s/sudo/sudo-ldap_1.6.8p12-2_i386.deb
sudo_1.6.8p12-2.diff.gz
  to pool/main/s/sudo/sudo_1.6.8p12-2.diff.gz
sudo_1.6.8p12-2.dsc
  to pool/main/s/sudo/sudo_1.6.8p12-2.dsc
sudo_1.6.8p12-2_i386.deb
  to pool/main/s/sudo/sudo_1.6.8p12-2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 315718@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bdale Garbee <bdale@gag.com> (supplier of updated sudo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)






Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jun 2007 16:46:41 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:22:27 2019; Machine Name: buxtehude
