Jan of RedHat informed us via vendor-sec about the following issue:

A security flaw was found in the way Sudo performed matching for the user described by a password against the list of members allowed to run a particular sudo command, when the group option was specified on the command line. If a local, unprivileged user was authorized by the sudoers file to run their sudo commands with the permissions of a particular group (different from their own), it could lead to privilege escalation (execution of that sudo command with the permissions of the privileged user account (root)).

Affected versions: x >= sudo-v1.7.2p1 (and potentially also sudo-v1.7.2; those versions which support the -g option being specified on the command line).
Created attachment 245457: sudo-CVE-2010-2956.patch

Patch by Todd C. Miller. Reproducer information can be requested from me via email.
Created attachment 245460: sudo-1.7.4_p3-r1.ebuild

As far as I'm concerned, I'm fine with 1.7.4_p3 (patched) going stable.
Arch Security Liaisons, please test the attached ebuild and report it stable on this bug.

Target keywords: "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

CC'ing current Liaisons:
alpha : armin76, klausman
amd64 : keytoaster, chainsaw
hppa : jer
ppc : josejx, ranger
ppc64 : josejx, ranger
sparc : armin76, tcunha
x86 : fauli, maekke
AMD64 approves stabling by the security team at end of embargo.

Tested USE-flag combinations:
[ebuild R ] app-admin/sudo-1.7.4_p3-r1 USE="pam -ldap -offensive (-selinux) -skey" 0 kB
[ebuild R ] app-admin/sudo-1.7.4_p3-r1 USE="offensive pam skey -ldap (-selinux)" 0 kB
[ebuild R ] app-admin/sudo-1.7.4_p3-r1 USE="ldap offensive pam (-selinux) -skey" 0 kB

Recommended investigation (when USE=ldap), not a show-stopper:
checking whether to use PAM session support... yes
./configure: line 17257: test: =: unary operator expected
checking for LDAP libraries... -lldap
checking for library containing ber_set_option... -llber

Test system information: Portage 2.1.8.3 (hardened/linux/amd64/10.0/no-multilib, gcc-4.3.4, glibc-2.11.2-r0, 2.6.32-hardened-r11 x86_64)
Fine for x86
Alpha has no objections.
(In reply to comment #4)
> Recommended investigation (when USE=ldap), not a show-stopper:
> checking whether to use PAM session support... yes
> ./configure: line 17257: test: =: unary operator expected
> checking for LDAP libraries... -lldap
> checking for library containing ber_set_option... -llber

That's not a regression against either 1.7.2_p7 or 1.7.3 or 1.7.4_p3.

HPPA is OK.
(In reply to comment #7)
> That's not a regression against either 1.7.2_p7 or 1.7.3 or 1.7.4_p3.

Okay, thanks Jeroen. Withdrawn.
Seems fine on ppc/ppc64.
The embargo will likely be postponed to tomorrow, 1200 UTC. Currently, we'll go into -x86 with the following KEYWORDS: "alpha amd64 ~arm hppa ~ia64 ~m68k ppc ppc64 ~s390 ~sh ~sparc x86"

Raul, maybe you still get the chance to test this on a few of your arches (ia64/sparc)?
Looks fine on arm/ia64/s390/sh/sparc
(In reply to comment #11)
> Looks fine on arm/ia64/s390/sh/sparc

Great, thanks. Updated KW list: "alpha amd64 arm hppa ia64 ~m68k ppc ppc64 s390 sh sparc x86"
This is now public as per $URL.
GLSA 201009-03
CVE-2010-2956 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2956): Sudo 1.7.0 through 1.7.4p3, when a Runas group is configured, does not properly handle use of the -u option in conjunction with the -g option, which allows local users to gain privileges via a command line containing a "-u root" sequence.
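A defender-side triage check for the two conditions the advisory names, as an added example that is not part of this bug report or of sudo itself: it parses a `sudo -V`-style version string against the 1.7.0 through 1.7.4p3 range and looks for Runas group specs (the `(user:group)` or `(:group)` form) in a constructed sudoers file. A distro-patched build such as the 1.7.4_p3-r1 ebuild above still reports the upstream version string, so a match here flags a host for review rather than proving exposure.

```python
import re

# Affected range as stated in the CVE description: Sudo 1.7.0 through 1.7.4p3,
# represented as (major, minor, micro, patchlevel).
AFFECTED_MIN = (1, 7, 0, 0)
AFFECTED_MAX = (1, 7, 4, 3)

# Matches a Runas spec that names a group: "(user:group)" or "(:group)".
# Plain "(ALL)" or "(root)" has no colon and is not matched.
RUNAS_GROUP = re.compile(r'\(\s*[^:)]*:\s*([^)]+?)\s*\)')

def parse_sudo_version(text):
    """Turn '1.7.4p3' or the first line of `sudo -V` ('Sudo version 1.7.4p3')
    into a comparable tuple; a missing 'pN' suffix counts as patchlevel 0."""
    m = re.search(r'(\d+)\.(\d+)\.(\d+)(?:p(\d+))?', text)
    if not m:
        raise ValueError("no sudo version found in %r" % text)
    major, minor, micro, patch = m.groups()
    return (int(major), int(minor), int(micro), int(patch or 0))

def version_affected(text):
    """True when the upstream version lies inside the advisory's range."""
    return AFFECTED_MIN <= parse_sudo_version(text) <= AFFECTED_MAX

def runas_group_rules(sudoers_text):
    """Return (user_spec, group) pairs for rules granting a Runas group,
    i.e. the configuration the advisory says the flaw requires."""
    found = []
    for line in sudoers_text.splitlines():
        line = line.split('#', 1)[0].strip()      # drop comments
        if not line or line.startswith(('Defaults', 'User_Alias', 'Cmnd_Alias',
                                        'Host_Alias', 'Runas_Alias')):
            continue
        m = RUNAS_GROUP.search(line)
        if m:
            found.append((line.split()[0], m.group(1)))
    return found

def assess(version_line, sudoers_text):
    """Host needs review only if both conditions hold."""
    return version_affected(version_line) and bool(runas_group_rules(sudoers_text))

# Constructed sample sudoers (not taken from the bug report).
SAMPLE_SUDOERS = """\
# constructed sudoers used by the check above
root    ALL=(ALL) ALL
%wheel  ALL=(ALL) ALL
alice   ALL=(:backup) /usr/bin/rsync        # runas group only
bob     ALL=(www:www) /usr/bin/apachectl    # runas user and group
"""

if __name__ == "__main__":
    print(assess("Sudo version 1.7.4p3", SAMPLE_SUDOERS))
```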