Bug 96618 - app-admin/sudo 1.6.8p9 fixes race condition
Summary: app-admin/sudo 1.6.8p9 fixes race condition
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Other
Importance: High major
Assignee: Gentoo Security
URL: http://www.sudo.ws/sudo/alerts/path_r...
Whiteboard: B1 [glsa] jaervosz
Reported: 2005-06-20 08:56 UTC by Rajiv Aaron Manglani (RETIRED)
Modified: 2005-08-15 21:52 UTC
Description Rajiv Aaron Manglani (RETIRED) gentoo-dev 2005-06-20 08:56:21 UTC
From: 	  Todd.Miller@courtesan.com
	Subject: 	Sudo version 1.6.8p9 now available, fixes security issue.
	Date: 	June 20, 2005 10:24:43 AM EDT
	To: 	  bugtraq@securityfocus.com

Sudo version 1.6.8, patchlevel 9 is now available, which fixes a
race condition in Sudo's pathname validation.  This is a security
issue.

Summary:
    A race condition in Sudo's command pathname handling prior to
    Sudo version 1.6.8p9 that could allow a user with Sudo privileges
    to run arbitrary commands.

Sudo versions affected:
    Sudo versions 1.3.1 up to and including 1.6.8p8.

Details:
    When a user runs a command via Sudo, the inode and device numbers
    of the command are compared to those of commands with the same
    basename found in the sudoers file (see the Background paragraph
    for more information).  When a match is found, the path to the
    matching command listed in the sudoers file is stored in the
    variable safe_cmnd,  which is later used to execute the command.
    Because the actual path executed comes from the sudoers file
    and not directly from the user, Sudo should be safe from race
    conditions involving symbolic links.  However, if a sudoers
    entry containing the pseudo-command ALL follows the user's
    sudoers entry the contents of safe_cmnd will be overwritten
    with the path the user specified on the command line, making
    Sudo vulnerable to the aforementioned race condition.

Impact:
    Exploitation of the bug requires that the user be allowed to
    run one or more commands via Sudo and be able to create symbolic
    links in the filesystem.  Furthermore, a sudoers entry giving
    another user access to the ALL pseudo-command must follow the
    user's sudoers entry for the race to exist.

    For example, the following sudoers file is not affected by the
    bug:

	root		server=ALL
	someuser	server=/bin/echo

    Whereas this one would be:

	someuser	server=/bin/echo
	root		server=ALL

Fix:
    The bug is fixed in sudo 1.6.8p9.

Workaround:
    The administrator can order the sudoers file such that all
    entries granting Sudo ALL privileges precede all other entries.

Credit:
    This problem was brought to my attention by Charles Morris.

Background:
    The reason Sudo uses the inode for command matching is to make
    relative paths work and to avoid problems caused by automounters
    where the path to be executed is not the same as the absolute
    path to the command.

    Another possible approach is to use the realpath() function to
    find the true path.  Sudo does not use realpath() because that
    function is not present in all operating systems and is often
    vulnerable to race conditions where it does exist.

The next major Sudo release will be version 1.7.  For information
on what to expect in sudo 1.7, see http://www.sudo.ws/sudo/future.html
You can help speed the release of Sudo 1.7 by purchasing a support
contract or making a donation (see below).

Commercial support is available for Sudo.  If your organization
uses Sudo, please consider purchasing a support contract to help
fund future Sudo development at http://www.sudo.ws/support.html
Custom enhancements to Sudo may also be contracted.

You can also help out by making a donation or "purchase" a copy
of Sudo at http://www.sudo.ws/purchase.html

Master Web Site:
    http://www.sudo.ws/sudo/

Web Site Mirrors:
    http://www.mirrormonster.com/sudo/ (Fremont, California, USA)
    http://sudo.stikman.com/ (Los Angeles, California, USA)
    http://sudo.tolix.org/ (California, USA)
    http://mirage.informationwave.net/sudo/ (Fanwood, New Jersey, USA)
    http://www.mrv2k.net/sudo/ (Bend, Oregon, USA)
    http://sudo.rtin.bz/ (Philadelphia, Pennsylvania, USA)
    http://www.signal42.com/mirrors/sudo_www/ (USA)
    http://sudo.xmundo.net/ (Argentina)
    http://sudo.planetmirror.com/ (Australia)
    http://mirror.mons-new-media.de/sudo/ (Germany)
    http://sunshine.lv/sudo/ (Latvia)
    http://rexem.uni.cc/sudo/ (Kaunas, Lithuania)
    http://sudo.cdu.elektra.ru/ (Russia)
    http://sudo.nctu.edu.tw/ (Taiwan)

FTP Mirrors:
    ftp://plier.ucar.edu/pub/sudo/ (Boulder, Colorado, USA)
    ftp://ftp.cs.colorado.edu/pub/sudo/ (Boulder, Colorado, USA)
    ftp://obsd.isc.org/pub/sudo/ (Redwood City, California, USA)
    ftp://ftp.stikman.com/pub/sudo/ (Los Angeles, California, USA)
    ftp://ftp.tux.org/pub/security/sudo/ (Beltsville, Maryland, USA)
    ftp://ftp.cerias.purdue.edu/pub/tools/unix/sysutils/sudo/ (West Lafayette, Indiana, USA)
    ftp://ftp.uwsg.indiana.edu/pub/security/sudo/ (Bloomington, Indiana, USA)
    ftp://ftp.rge.com/pub/admin/sudo/ (Rochester, New York, USA)
    ftp://mirror.sg.depaul.edu/pub/security/sudo/ (Chicago, Illinois, USA)
    ftp://sudo.xmundo.net/pub/mirrors/sudo/ (Argentina)
    ftp://ftp.wiretapped.net/pub/security/host-security/sudo/ (Australia)
    ftp://ftp.tuwien.ac.at/utils/admin-tools/sudo/ (Austria)
    ftp://sunsite.ualberta.ca/pub/Mirror/sudo/ (Alberta, Canada)
    ftp://ftp.csc.cuhk.edu.hk/pub/packages/unix-tools/sudo/ (Hong Kong, China)
    ftp://ftp.eunet.cz/pub/security/sudo/ (Czechoslovakia)
    ftp://ftp.ujf-grenoble.fr/sudo/ (France)
    ftp://netmirror.org/ftp.sudo.ws/ (Frankfurt, Germany)
    ftp://ftp.win.ne.jp/pub/misc/sudo/ (Japan)
    ftp://ftp.st.ryukoku.ac.jp/pub/security/tool/sudo/ (Japan)
    ftp://ftp.cin.nihon-u.ac.jp/pub/misc/sudo/ (Japan)
    ftp://core.ring.gr.jp/pub/misc/sudo/ (Japan)
    ftp://ftp.ring.gr.jp/pub/misc/sudo/ (Japan)
    ftp://ftp.tpnet.pl/d6/ftp.sudo.ws/ (Poland)
    ftp://ftp.cdu.elektra.ru/pub/unix/security/sudo/ (Russia)
    ftp://ftp.nsysu.edu.tw/Unix/Security/Sudo/ (Taiwan)

HTTP Mirrors:
    http://www.mirrormonster.com/sudo/dist/ (Fremont, California, USA)
    http://sudo.tolix.org/ftp/ (California, USA)
    http://sudo.mirror99.com/ (San Jose, California, USA)
    http://www.signal42.com/mirrors/sudo_ftp/ (California, USA)
    http://www.rge.com/pub/admin/sudo/ (Rochester, New York, USA)
    http://probsd.org/sudoftp/ (East Coast, USA)
    http://ftp.cerias.purdue.edu/pub/tools/unix/sysutils/sudo/ (West Lafayette, Indiana, USA)
    http://www.signal42.com/mirrors/sudo_ftp/ (California, USA)
    http://netmirror.org/mirror/ftp.sudo.ws/ (Frankfurt, Germany)
    http://mirror.mons-new-media.de/sudo_ftp/ (Frankfurt, Germany)
    http://core.ring.gr.jp/archives/misc/sudo/ (Japan)
    http://www.ring.gr.jp/archives/misc/sudo/ (Japan)
    http://ftp.tpnet.pl/vol/d6/ftp.sudo.ws/ (Poland)
    http://sudo.tsuren.net/dist/ (Moscow, Russian Federation)
    http://ftp.nsysu.edu.tw/Unix/Security/Sudo/ (Taiwan)
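
The workaround in the advisory above (every entry granting ALL must precede all other entries) can be checked mechanically. The following is an added example, not part of the original bug report or of sudo; the names user_specs and misordered are hypothetical, and it assumes one user specification per line with no alias expansion, line continuations or colon-separated host lists.

```python
import re

# Constructed samples: the two sudoers layouts quoted in the advisory.
SAFE = "root\t\tserver=ALL\nsomeuser\tserver=/bin/echo\n"
AFFECTED = "someuser\tserver=/bin/echo\nroot\t\tserver=ALL\n"

SKIP = re.compile(r"^(Defaults|\w+_Alias)\b")   # lines that are not user specs
RUNAS = re.compile(r"\([^)]*\)")                # Runas lists, e.g. (root), (ALL)
TAGS = re.compile(r"^([A-Z_]+:\s*)+")           # command tags, e.g. NOPASSWD:


def user_specs(text):
    """Yield (line_no, who, [commands]) for each user specification."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # drop comments
        if not line or SKIP.match(line) or "=" not in line:
            continue
        lhs, rhs = line.split("=", 1)
        who = lhs.split()[0]
        rhs = RUNAS.sub("", rhs)                # Runas lists may contain commas
        cmnds = [TAGS.sub("", c.strip()) for c in rhs.split(",")]
        yield line_no, who, cmnds


def misordered(text):
    """Return (line, who, all_line, all_who) for every entry without ALL that
    is followed by an entry granting ALL to someone else, which is the
    ordering the advisory describes as affected."""
    specs = list(user_specs(text))
    findings = []
    for i, (line_no, who, cmnds) in enumerate(specs):
        if "ALL" in cmnds:
            continue
        for later_no, other, later in specs[i + 1:]:
            if "ALL" in later and other != who:
                findings.append((line_no, who, later_no, other))
                break
    return findings


if __name__ == "__main__":
    for name, sample in (("safe", SAFE), ("affected", AFFECTED)):
        print(name, misordered(sample))
```

An empty result only confirms the ordering workaround is in place; the fix named in the advisory is the upgrade to 1.6.8p9.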
Comment 1 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2005-06-20 09:01:00 UTC
sudo-1.6.8_p9 is in portage, but currently marked unstable on most arches.
Comment 2 solar (RETIRED) gentoo-dev 2005-06-20 14:34:40 UTC
======================================================
Candidate: CAN-2005-1993
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1993
Reference: BUGTRAQ:20050620 Sudo version 1.6.8p9 now available, fixes
security issue.
Reference: URL:http://www.securityfocus.com/archive/1/402741
Reference:
CONFIRM:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=161116

Race condition in sudo 1.3.1 up to 1.6.8p8, when the ALL
pseudo-command is used after a user entry in the sudoers file, allows
local users to gain privileges via a symlink attack.
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-06-20 23:14:17 UTC
Arches please test and mark sudo-1.6.8_p9. 
Comment 4 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-06-20 23:29:08 UTC
Stable on ppc.
Comment 5 Markus Rothe (RETIRED) gentoo-dev 2005-06-20 23:43:43 UTC
stable on ppc64 
Comment 6 René Nussbaumer (RETIRED) gentoo-dev 2005-06-21 01:29:31 UTC
Stable on hppa
Comment 7 Simon Stelling (RETIRED) gentoo-dev 2005-06-21 02:40:15 UTC
amd64 stable
Comment 8 Gustavo Zacarias (RETIRED) gentoo-dev 2005-06-21 11:09:37 UTC
Stable on sparc.
Comment 9 Tim Yamin (RETIRED) gentoo-dev 2005-06-21 11:33:24 UTC
IA64 done and happy.
Comment 10 Fernando J. Pereda (RETIRED) gentoo-dev 2005-06-21 13:42:27 UTC
alpha done for you :)

Cheers,
Ferdy
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-06-22 09:11:26 UTC
x86 please mark stable. 
Comment 12 Olivier Crete (RETIRED) gentoo-dev 2005-06-22 20:35:05 UTC
stable on x86.. 
Comment 13 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-06-23 01:18:33 UTC
GLSA 200506-22  
  
arm, mips, s390 please remember to mark stable to benefit from the GLSA.
Comment 14 Hardave Riar (RETIRED) gentoo-dev 2005-07-02 12:08:35 UTC
Stable on mips.