Bug 764986 (CVE-2021-23239, CVE-2021-23240) - <app-admin/sudo-1.9.5: Multiple vulnerabilities
Summary: <app-admin/sudo-1.9.5: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2021-23239, CVE-2021-23240
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: A4 [glsa+ cve]
Keywords:
Depends on: CVE-2021-3156
Blocks:
Reported: 2021-01-11 17:52 UTC by Sam James
Modified: 2021-01-26 23:44 UTC

See Also:
Package list:
Runtime testing required: ---


Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-11 17:52:10 UTC
From the 1.9.5 changelog:
* Fixed CVE-2021-23239, a potential information leak in sudoedit
  that could be used to test for the existence of directories not
  normally accessible to the user in certain circumstances.  When
  creating a new file, sudoedit checks to make sure the parent
  directory of the new file exists before running the editor.
  However, a race condition exists if the invoking user can replace
  (or create) the parent directory.  If a symbolic link is created
  in place of the parent directory, sudoedit will run the editor
  as long as the target of the link exists.  If the target of the
  link does not exist, an error message will be displayed.  The
  race condition can be used to test for the existence of an
  arbitrary directory.  However, it _cannot_ be used to write to
  an arbitrary location.

* Fixed CVE-2021-23240, a flaw in the temporary file handling of
  sudoedit's SELinux RBAC support.  On systems where SELinux is
  enabled, a user with sudoedit permissions may be able to set the
  owner of an arbitrary file to the user-ID of the target user.
  On Linux kernels that support "protected symlinks", setting
  /proc/sys/fs/protected_symlinks to 1 will prevent the bug from
  being exploited.  For more information see
  https://www.sudo.ws/alerts/sudoedit_selinux.html.
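
The parent-directory check described in the CVE-2021-23239 entry, as an added example that is not part of the original report and is not sudo's code: a check by name follows a symbolic link and so reveals whether its target exists, while opening the directory with O_DIRECTORY | O_NOFOLLOW and creating the file relative to that descriptor gives the same refusal for any symlink. All function names and the sandbox under /tmp are hypothetical and constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Check by name: stat() follows a symlink, so the result depends on whether
 * the link target exists, and the name can change before it is used again. */
int parent_exists_following(const char *parent) {
    struct stat sb;
    if (stat(parent, &sb) == -1) return -errno;
    return S_ISDIR(sb.st_mode) ? 0 : -ENOTDIR;
}

/* Pin the directory: returns a dirfd or -errno. A symlink as the final path
 * component is refused unresolved; symlinks earlier in the path are followed. */
int open_parent_nofollow(const char *parent) {
    int fd = open(parent, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    return fd == -1 ? -errno : fd;
}

/* Create the new file relative to the pinned directory, never by full path. */
int create_in_parent(int dirfd, const char *name) {
    int fd = openat(dirfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    return fd == -1 ? -errno : fd;
}

/* Constructed sandbox in a mkdtemp() dir: real/, link_hit -> real, link_miss -> no-such-dir. */
int make_sandbox(char *base) {
    if (mkdtemp(base) == NULL) return -errno;
    int d = open_parent_nofollow(base), rc = 0;
    if (d < 0) return d;
    if (mkdirat(d, "real", 0700) || symlinkat("real", d, "link_hit") ||
        symlinkat("no-such-dir", d, "link_miss")) rc = -errno;
    close(d);
    return rc;
}

int main(void) {
    char base[] = "/tmp/sudoedit-demo-XXXXXX", p[300];
    const char *names[] = { "real", "link_hit", "link_miss" };
    if (make_sandbox(base) != 0) return 1;
    for (int i = 0; i < 3; i++) {
        snprintf(p, sizeof p, "%s/%s", base, names[i]);
        printf("%s follow=%d pinned=%d\n", names[i], parent_exists_following(p), open_parent_nofollow(p));
    }
    return 0;
}
```

The errno returned for a refused symlink differs between operating systems, so callers should compare the two symlink cases with each other rather than against a fixed value.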
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-11 17:52:53 UTC
We're only vulnerable to the first using supported configurations.
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-11 19:20:49 UTC
amd64 done
Comment 3 Larry the Git Cow gentoo-dev 2021-01-12 07:52:48 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f914130fbe411b5a304579002e551c0a4edb19d6

commit f914130fbe411b5a304579002e551c0a4edb19d6
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2021-01-12 07:52:42 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2021-01-12 07:52:42 +0000

    app-admin/sudo: Bump to version 1.9.5_p1. Removed old
    
    Bug: https://bugs.gentoo.org/764986
    Package-Manager: Portage-3.0.13, Repoman-3.0.2
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 app-admin/sudo/Manifest                                    | 2 +-
 app-admin/sudo/{sudo-1.9.5.ebuild => sudo-1.9.5_p1.ebuild} | 0
 2 files changed, 1 insertion(+), 1 deletion(-)
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-12 12:03:27 UTC
arm64 done
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-12 12:04:17 UTC
arm done
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-12 19:01:05 UTC
x86 done
Comment 7 Rolf Eike Beer archtester 2021-01-13 06:18:50 UTC
hppa/sparc stable
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-18 02:55:26 UTC
ppc done
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-18 02:55:51 UTC
ppc64 done
Comment 12 NATTkA bot gentoo-dev 2021-01-26 21:04:52 UTC
Unable to check for sanity:

> no match for package: app-admin/sudo-1.9.5_p1-r1
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2021-01-26 23:44:10 UTC
This issue was resolved and addressed in
 GLSA 202101-33 at https://security.gentoo.org/glsa/202101-33
by GLSA coordinator Sam James (sam_c).