Bug 459722 (CVE-2013-1775) - <app-admin/sudo-1.8.6_p7: two vulnerabilities (CVE-2013-{1775,1776,2776,2777})
Status: RESOLVED FIXED
Alias: CVE-2013-1775
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A4 [glsa]
Reported: 2013-02-28 15:15 UTC by Agostino Sarubbo
Modified: 2014-01-21 20:49 UTC
Description Agostino Sarubbo gentoo-dev 2013-02-28 15:15:53 UTC
From ${URL} :

From the upstream advisory:

When a user successfully authenticates with sudo, a time stamp file is updated to allow that user to continue running sudo without requiring a password for a preset time period (five minutes by default). The user's time stamp file can be reset using "sudo -k" or removed altogether via "sudo -K".
A user who has sudo access and is able to control the local clock (common in desktop environments) can run a command via sudo without authenticating as long as they have previously authenticated themselves at least once by running "sudo -k" and then setting the clock to the epoch (1970-01-01 01:00:00).

The vulnerability does not permit a user to run commands other than those allowed by the sudoers policy.

This affects versions 1.6.0 through up to the fixed 1.7.10p7 version, and sudo 1.8.0 through to the fixed 1.8.7p7.

The fix for 1.7.x: http://www.sudo.ws/repos/sudo/rev/ddf399e3e306

The fix for 1.8.x: http://www.sudo.ws/repos/sudo/rev/ebd6cc75020f


External References:

http://www.sudo.ws/sudo/alerts/epoch_ticket.html
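
The time stamp check described in the advisory above, as an added example that is not part of the bug report and is not sudo's source code: a simplified model of a ticket-age test beside a hardened form that never accepts a ticket dated at the epoch. The function names, the enum and the assumption that a reset ticket carries a modification time of 0 are illustrative.

```c
#include <stdio.h>
#include <time.h>

#define TIMEOUT_SECS (5 * 60) /* "five minutes by default" per the advisory */

enum ticket_status { TICKET_CURRENT, TICKET_EXPIRED, TICKET_RESET };

/* Model of the flawed logic: only the ticket's age is tested, so a ticket
 * reset to the epoch (mtime 0, an assumption of this model) looks fresh
 * whenever the clock itself is within the timeout of the epoch. */
static enum ticket_status check_naive(time_t mtime, time_t now)
{
    if (mtime > now)
        return TICKET_EXPIRED;            /* ticket from the future */
    return (now - mtime < TIMEOUT_SECS) ? TICKET_CURRENT : TICKET_EXPIRED;
}

/* Hardened form: an epoch-dated ticket is a reset marker and is rejected
 * before any age arithmetic, whatever the clock says. */
static enum ticket_status check_hardened(time_t mtime, time_t now)
{
    if (mtime == 0)
        return TICKET_RESET;
    return check_naive(mtime, now);
}

int main(void)
{
    /* Constructed cases: {ticket mtime, current clock} in seconds. */
    const time_t cases[][2] = {
        {0, 60},                    /* reset ticket, clock near the epoch */
        {1362064553, 1362064600},   /* recent ticket, normal clock */
        {1362064553, 1362065000},   /* ticket older than the timeout */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("mtime=%ld now=%ld naive=%d hardened=%d\n",
               (long)cases[i][0], (long)cases[i][1],
               check_naive(cases[i][0], cases[i][1]),
               check_hardened(cases[i][0], cases[i][1]));
    return 0;
}
```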
Comment 1 Agostino Sarubbo gentoo-dev 2013-02-28 15:16:20 UTC
and from https://bugzilla.redhat.com/show_bug.cgi?id=916365 :

When a user successfully authenticates with sudo, a time stamp file is updated to allow that user to continue running sudo without requiring a password for a preset time period (five minutes by default).
This time stamp file can either be common to all of a user's terminals, or it can be specific to the particular terminal the user authenticated themselves on. The terminal-specific time stamp file behavior can be controlled using the "tty_tickets" option in the sudoers file. This option has been enabled by default since sudo 1.7.4. Prior to sudo 1.7.4, the default was to use a single time stamp for all the user's sessions.

A vulnerability exists because the user can control which terminal the standard input, output and error file descriptors (0-2) refer to. A malicious user could use this to run commands via sudo without authenticating, so long as there exists a terminal the user has access to where a sudo command was successfully run by that same user within the password timeout period (usually five minutes).

The vulnerability does not permit a user to run commands other than those allowed by the sudoers policy.

This affects versions 1.3.5 through up to the fixed 1.7.10p6 version, and sudo 1.8.0 through to the fixed 1.8.7p7.

The fix for 1.7.x: http://www.sudo.ws/repos/sudo/rev/0c0283d1fafa

The fix for 1.8.x: http://www.sudo.ws/repos/sudo/rev/049a12a5cc14


External References:

http://www.sudo.ws/sudo/alerts/tty_tickets.html
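
The terminal-binding problem described above, as an added example that is not part of the bug report and is not sudo's source code: a per-terminal ticket is keyed to the controlling terminal the kernel reports (the tty_nr field of a Linux /proc/<pid>/stat line) and never to whatever descriptors 0-2 point at. The function names and the sample stat lines are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Return tty_nr (7th field) from the text of /proc/<pid>/stat.
 * The comm field is in parentheses and may itself contain spaces or ')',
 * so parsing starts after the LAST ')'. Returns -1 on a malformed line
 * and 0 when the process has no controlling terminal. */
static long ctty_from_stat(const char *stat_line)
{
    const char *p = strrchr(stat_line, ')');
    char state;
    int ppid, pgrp, session, tty_nr;

    if (p == NULL)
        return -1;
    if (sscanf(p + 1, " %c %d %d %d %d",
               &state, &ppid, &pgrp, &session, &tty_nr) != 5)
        return -1;
    return tty_nr;
}

/* Decode the kernel's device number encoding used by tty_nr. */
static unsigned tty_major(long nr) { return (unsigned)((nr >> 8) & 0xfff); }
static unsigned tty_minor(long nr) { return (unsigned)((nr & 0xff) | ((nr >> 12) & 0xfff00)); }

/* Terminal a ticket may be bound to. The stdin terminal is user-controlled
 * and deliberately ignored; with no controlling terminal (0) or an
 * unparsable line (-1) no terminal's ticket may be reused. */
static long ticket_tty(long ctty_nr, long stdin_tty_nr)
{
    (void)stdin_tty_nr;
    return ctty_nr > 0 ? ctty_nr : 0;
}

int main(void)
{
    /* Constructed stat lines, truncated after tty_nr and tpgid. */
    const char *on_pts3 = "4242 (my shell) S 4000 4242 4242 34819 4242";
    const char *no_ctty = "4300 (job) x) S 1 4300 4300 0 -1";
    long a = ctty_from_stat(on_pts3), b = ctty_from_stat(no_ctty);

    printf("ctty %u:%u, ticket bound to %ld\n",
           tty_major(a), tty_minor(a), ticket_tty(a, 34820));
    printf("no ctty -> ticket bound to %ld\n", ticket_tty(b, 34819));
    return 0;
}
```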
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2013-03-06 23:32:04 UTC
CVE-2013-1775 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1775):
  sudo 1.6.0 through 1.7.10p6 and sudo 1.8.0 through 1.8.6p6 allows local
  users or physically-proximate attackers to bypass intended time restrictions
  and retain privileges without re-authenticating by setting the system clock
  and sudo user timestamp to the epoch.
Comment 3 SpanKY gentoo-dev 2013-03-11 15:38:14 UTC
sudo-1.8.6_p7 is in the tree
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2013-04-08 22:40:06 UTC
CVE-2013-2777 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2777):
  sudo before 1.7.10p5 and 1.8.x before 1.8.6p6, when the tty_tickets option
  is enabled, does not properly validate the controlling terminal device,
  which allows local users with sudo permissions to hijack the authorization
  of another terminal via vectors related to a session without a controlling
  terminal device and connecting to a standard input, output, and error file
  descriptors of another terminal.  NOTE: this is one of three closely-related
  vulnerabilities that were originally assigned CVE-2013-1776, but they have
  been SPLIT because of different affected versions.

CVE-2013-2776 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2776):
  sudo 1.3.5 through 1.7.10p5 and 1.8.0 through 1.8.6p6, when running on
  systems without /proc or the sysctl function with the tty_tickets option
  enabled, does not properly validate the controlling terminal device, which
  allows local users with sudo permissions to hijack the authorization of
  another terminal via vectors related to connecting to a standard input,
  output, and error file descriptors of another terminal.  NOTE: this is one
  of three closely-related vulnerabilities that were originally assigned
  CVE-2013-1776, but they have been SPLIT because of different affected
  versions.

CVE-2013-1776 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1776):
  sudo 1.3.5 through 1.7.10 and 1.8.0 through 1.8.5, when the tty_tickets
  option is enabled, does not properly validate the controlling terminal
  device, which allows local users with sudo permissions to hijack the
  authorization of another terminal via vectors related to connecting to a
  standard input, output, and error file descriptors of another terminal. 
  NOTE: this is one of three closely-related vulnerabilities that were
  originally assigned CVE-2013-1776, but they have been SPLIT because of
  different affected versions.
Comment 5 Sean Amoss (RETIRED) gentoo-dev Security 2013-04-08 23:11:17 UTC
(In reply to comment #3)
> sudo-1.8.6_p7 is in the tree

Arches, please test and mark stable.
Target KEYWORDS: "alpha amd64 arm hppa ia64 ~m68k ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~x64-freebsd ~sparc-solaris"
Comment 6 Sergey Popov gentoo-dev 2013-04-09 08:30:25 UTC
amd64 stable
Comment 7 Sergey Popov gentoo-dev 2013-04-09 08:42:32 UTC
arm stable
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2013-04-09 13:57:26 UTC
Stable for HPPA.
Comment 9 Agostino Sarubbo gentoo-dev 2013-04-11 18:59:43 UTC
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2013-04-11 19:29:11 UTC
ppc64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2013-04-11 21:03:00 UTC
alpha stable
Comment 12 Agostino Sarubbo gentoo-dev 2013-04-12 15:19:40 UTC
x86 stable
Comment 13 Agostino Sarubbo gentoo-dev 2013-04-12 17:26:25 UTC
ia64 stable
Comment 14 Agostino Sarubbo gentoo-dev 2013-04-13 07:41:57 UTC
sparc stable
Comment 15 Agostino Sarubbo gentoo-dev 2013-04-13 20:51:43 UTC
s390 stable
Comment 16 Agostino Sarubbo gentoo-dev 2013-04-14 11:50:08 UTC
sh stable
Comment 17 Sergey Popov gentoo-dev 2013-09-04 06:34:34 UTC
Thanks for your work

GLSA vote: yes
Comment 18 Sean Amoss (RETIRED) gentoo-dev Security 2014-01-03 14:24:58 UTC
GLSA vote: YES.

GLSA request filed.
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2014-01-21 20:49:27 UTC
This issue was resolved and addressed in
 GLSA 201401-23 at http://security.gentoo.org/glsa/glsa-201401-23.xml
by GLSA coordinator Chris Reffett (creffett).