From https://www.openwall.com/lists/oss-security/2021/01/30/1: "While reproducing the exploitation of "Baron Samedit" another minor issue in Sudo was discovered. It affects Sudo 1.9.4 and newer and renders the "NO_ROOT_MAILER" hardening option useless. While this bug by itself is not known to be exploitable on its own, combining it with the "Baron Samedit" heap overflow eases exploitation of the latter tremendously. Further analysis of the issue in cooperation with Qualys showed, that therefore on newer systems Qualys complex and time-consuming exploitation methods can be avoided, thus allowing trivial, reliable privilege escalation. The loss of the feature allows to overwrite the default mailer binary name "/usr/sbin/sendmail" on the heap with a user controlled string. The rogue mailer is then invoked with full privileges due to "NO_ROOT_MAILER" failing."
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e3dea34c197901b5d40aa0683ee9c0473ab62b9c

commit e3dea34c197901b5d40aa0683ee9c0473ab62b9c
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2021-01-30 10:18:50 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2021-01-30 10:18:50 +0000

    app-admin/sudo: Revbump to fix NO_ROOT_MAILER issue

    Removed old.
    Bumped straight to stable.

    Bug: https://bugs.gentoo.org/767946
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 .../files/sudo-1.9.5_p2-NO_ROOT_MAILER_fix.patch   | 51 ++++++++++++++++++++++
 ...udo-1.9.5_p2.ebuild => sudo-1.9.5_p2-r1.ebuild} |  4 ++
 2 files changed, 55 insertions(+)
Package list is empty or all packages have requested keywords.
Not exploitable on its own according to the oss-security report. No GLSA, all done!