First Last Prev Next    No search results available      Search page      Enter new bug
Bug#: 189615
Alias:
Product:
Component:
Status: RESOLVED
Resolution: INVALID
Assigned To: Gentoo Security <security@gentoo.org>
Hardware:
OS:
Version:
Priority:
Severity:
Reporter: Matt Fleming (RETIRED) <mjf@gentoo.org>
Add CC:
CC:
Remove selected CCs
URL:
Summary:
Status Whiteboard:
Keywords:
Flags: Requestee:
 
 
  ()

Filename Description Type Creator Created Size Actions
Create a New Attachment (proposed patch, testcase, etc.) View All

Bug 189615 depends on: 186836 Show dependency tree
Bug 189615 blocks:

Additional Comments: (this is where you put emerge --info)


Not eligible to see or edit group visibility for this bug.






View Bug Activity   |   Format For Printing   |   XML   |   Clone This Bug

Description:   Opened: 2007-08-20 16:45 0000 
A vulnerability has been reported in Sudo, which can be exploited by malicious,
local users to bypass certain security restrictions.

The vulnerability is caused due to improper error handling within the Kerberos
5 authentication mechanism. This can be exploited to execute commands allowed
by the Sudo configuration without proper authentication.

NOTE: Successful exploitation requires that Sudo is linked directly with the
Kerberos 5 libraries, and that the affected machine is a Kerberos 5 client.

The vulnerability is reported in versions prior to 1.6.9.

------- Comment #1 From Matt Fleming (RETIRED) 2007-08-20 16:47:49 0000 ------- 
CC'ing maintainer and setting whiteboard status.

------- Comment #2 From Matt Fleming (RETIRED) 2007-08-20 16:49:42 0000 ------- 
Whoops, forgot CVE number. Thanks rbu.

------- Comment #3 From Sune Kloppenborg Jeppesen 2007-08-20 19:05:53 0000 ------- 
As long as it is only linked against PAM it's not affected.

------- Comment #4 From Christian Faulhammer 2007-09-08 21:48:48 0000 ------- 
taviso is away...bump it?

------- Comment #5 From Pierre-Yves Rofes 2007-09-08 22:13:57 0000 ------- 
(In reply to comment #4)
> taviso is away...bump it?
> 
Err, like jaervosz pointed out, we're not affected actually. 

ldd /usr/bin/sudo                                                        
        libpam.so.0 => /lib/libpam.so.0 (0xf7fb8000)
        libdl.so.2 => /lib/libdl.so.2 (0xf7fa0000)
        libc.so.6 => /lib/libc.so.6 (0xf7e3c000)
        /lib/ld-linux.so.2 (0xf7fd8000)

And from the ebuild:
# TODO: Fix support for krb4 and krb5

So closing this one as invalid.
First Last Prev Next    No search results available      Search page      Enter new bug