| Summary: | <app-admin/sudo-1.7.4_p5: Flaw in Runas Group password checking (CVE-2011-0010) |
|---|---|
| Product: | Gentoo Security |
| Reporter: | Tim Sammut (RETIRED) <underling> |
| Component: | Vulnerabilities |
| Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED |
| Severity: | normal |
| CC: | base-system |
| Priority: | High |
| Version: | unspecified |
| Hardware: | All |
| OS: | Linux |
| URL: | http://www.sudo.ws/sudo/alerts/runas_group_pw.html |
| Whiteboard: | A1 [glsa] |
| Package list: | |
| Runtime testing required: | --- |
Description
Tim Sammut (RETIRED)
2011-01-12 21:40:22 UTC
Seen the release notes, bumping in a moment.

In tree now.

(In reply to comment #2)
> In tree now.

Great, thank you. Are we ok to call for stabilization now?

(In reply to comment #3)
> > Great, thank you. Are we ok to call for stabilization now?

Thanks for the go-ahead via IRC.

Arches, please test and mark stable:
=app-admin/sudo-1.7.4_p5
Target keywords: "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

This is a nasty security issue.

amd64 done

Tested on SPARC, sudo works as usual, no problems found. Please stabilise.

I tested it on x86, looks good over here.

ppc/ppc64 stable

Stable for HPPA.

x86 stable, thanks Andreas

arm stable

alpha/ia64/m68k/s390/sh/sparc stable

Thanks, folks. GLSA request filed.

CVE-2011-0010 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0010):
check.c in sudo 1.7.x before 1.7.4p5, when a Runas group is configured, does not require a password for command execution that involves a gid change but no uid change, which allows local users to bypass an intended authentication requirement via the -g option to a sudo command.

This issue was resolved and addressed in GLSA 201203-06 at http://security.gentoo.org/glsa/glsa-201203-06.xml by GLSA coordinator Sean Amoss (ackle).
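The CVE text above describes a logic flaw in the "does this invocation need a password?" decision: the check keyed only on whether the uid would change, so a Runas group change with no uid change was never authenticated. The following is an added illustrative model of that decision, written for this bug page; it is not sudo's own check.c and does not reproduce its source. The type `struct invocation` and the two predicates `vulnerable_needs_password` and `fixed_needs_password` are assumptions made for the example, and the uids/gids in `main` are constructed sample values.

```c
/* Illustrative model of the CVE-2011-0010 password-check flaw.
 * Added example code, not sudo's check.c: the predicates below are a
 * simplified assumption about the authentication decision, kept to the
 * two facts the advisory states (uid change vs. gid change). */
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>

/* A sudo invocation reduced to the four ids that matter here (assumed type). */
struct invocation {
    uid_t invoking_uid;   /* the user running sudo */
    gid_t invoking_gid;   /* that user's primary group */
    uid_t target_uid;     /* uid the command would run as (-u, default root) */
    gid_t target_gid;     /* gid the command would run as (-g, else unchanged) */
};

/* Flawed rule, modelling sudo 1.7.x before 1.7.4p5 as the advisory
 * describes it: a password is demanded only when the uid would change,
 * so a gid-only change under a configured Runas group is never
 * authenticated. */
bool vulnerable_needs_password(const struct invocation *inv)
{
    return inv->target_uid != inv->invoking_uid;
}

/* Corrected rule: a change of either uid or gid requires authentication. */
bool fixed_needs_password(const struct invocation *inv)
{
    return inv->target_uid != inv->invoking_uid
        || inv->target_gid != inv->invoking_gid;
}

/* True when the flawed rule lets an invocation through that the
 * corrected rule would authenticate; useful for a quick audit table. */
bool is_auth_bypass(const struct invocation *inv)
{
    return fixed_needs_password(inv) && !vulnerable_needs_password(inv);
}

int main(void)
{
    /* Constructed sample invocations by an unprivileged user (uid/gid 1000). */
    const struct {
        const char *label;
        struct invocation inv;
    } cases[] = {
        { "sudo cmd            (uid -> 0)",        { 1000, 1000,    0, 1000 } },
        { "sudo -u 1001 cmd    (uid -> 1001)",     { 1000, 1000, 1001, 1000 } },
        { "sudo -g 0 cmd       (gid -> 0 only)",   { 1000, 1000, 1000,    0 } },
        { "sudo -u 1000 cmd    (no change)",       { 1000, 1000, 1000, 1000 } },
    };
    size_t n = sizeof cases / sizeof cases[0];

    printf("%-40s %-10s %-10s %s\n", "invocation", "flawed", "fixed", "bypass?");
    for (size_t i = 0; i < n; i++) {
        const struct invocation *inv = &cases[i].inv;
        printf("%-40s %-10s %-10s %s\n", cases[i].label,
               vulnerable_needs_password(inv) ? "password" : "none",
               fixed_needs_password(inv)      ? "password" : "none",
               is_auth_bypass(inv)            ? "YES" : "no");
    }
    return 0;
}
```

Only the gid-only row differs between the two predicates, which is exactly the case the advisory names; the fixed rule closes it without changing the outcome for any uid-changing invocation.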