Bug 335381 (CVE-2010-2956) - <app-admin/sudo-1.7.4_p3-r1: Privilege escalation related to groups (CVE-2010-2956)
Status: RESOLVED FIXED
Alias: CVE-2010-2956
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: http://www.sudo.ws/sudo/alerts/runas_...
Whiteboard: B1 [glsa]
Reported: 2010-08-31 10:37 UTC by Alex Legler (RETIRED)
Modified: 2010-09-25 16:35 UTC

Attachments
sudo-CVE-2010-2956.patch (sudo-CVE-2010-2956.patch,2.75 KB, patch)
2010-08-31 10:40 UTC, Alex Legler (RETIRED)
sudo-1.7.4_p3-r1.ebuild (sudo-1.7.4_p3-r1.ebuild,7.10 KB, text/plain)
2010-08-31 11:21 UTC, Diego Elio Pettenò (RETIRED)

Description Alex Legler (RETIRED) archtester gentoo-dev Security 2010-08-31 10:37:15 UTC
Jan of RedHat informed us via vendor-sec about the following issue:

A security flaw was found in the way Sudo performed matching
for a user described by a password against the list of members
allowed to run a particular sudo command, when the group option
was specified on the command line. If a local, unprivileged
user was authorized by the sudoers file to run their sudo commands
with the permissions of a particular group (different to their own),
it could lead to privilege escalation (execution of that sudo
command with the permissions of a privileged user account (root)).

Affected versions:    x >= sudo-v1.7.2p1 (and potentially also
------------------    sudo-v1.7.2; those versions which support the -g
                      option being specified on the command line).
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-08-31 10:40:11 UTC
Created attachment 245457
sudo-CVE-2010-2956.patch

Patch by Todd C. Miller.

Reproducer information can be requested from me via email.
Comment 2 Diego Elio Pettenò (RETIRED) gentoo-dev 2010-08-31 11:21:52 UTC
Created attachment 245460
sudo-1.7.4_p3-r1.ebuild

As far as I'm concerned, I'm fine with 1.7.4_p3 (patched) going stable.
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-08-31 11:27:21 UTC
Arch Security Liaisons, please test the attached ebuild and report it stable on this bug.
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

CC'ing current Liaisons:
   alpha : armin76, klausman
   amd64 : keytoaster, chainsaw
    hppa : jer
     ppc : josejx, ranger
   ppc64 : josejx, ranger
   sparc : armin76, tcunha
     x86 : fauli, maekke
Comment 4 Tony Vroon (RETIRED) gentoo-dev 2010-08-31 12:25:33 UTC
AMD64 approves stabling by the security team at the end of the embargo.

Tested USE-flag combinations:
[ebuild   R   ] app-admin/sudo-1.7.4_p3-r1  USE="pam -ldap -offensive (-selinux) -skey" 0 kB
[ebuild   R   ] app-admin/sudo-1.7.4_p3-r1  USE="offensive pam skey -ldap (-selinux)" 0 kB
[ebuild   R   ] app-admin/sudo-1.7.4_p3-r1  USE="ldap offensive pam (-selinux) -skey" 0 kB

Recommended investigation (when USE=ldap), not a show-stopper:
checking whether to use PAM session support... yes
./configure: line 17257: test: =: unary operator expected
checking for LDAP libraries...  -lldap
checking for library containing ber_set_option... -llber

Test system information:
Portage 2.1.8.3 (hardened/linux/amd64/10.0/no-multilib, gcc-4.3.4, glibc-2.11.2-r0, 2.6.32-hardened-r11 x86_64)
=================================================================
System uname: Linux-2.6.32-hardened-r11-x86_64-Dual-Core_AMD_Opteron-tm-_Processor_2218-with-gentoo-1.12.13
Timestamp of tree: Mon, 30 Aug 2010 23:15:01 +0000
app-shells/bash:     4.0_p37
dev-lang/python:     2.4.6, 2.5.4-r3, 2.6.5-r3
dev-util/cmake:      2.8.1-r2
sys-apps/baselayout: 1.12.13
sys-apps/sandbox:    1.6-r2
sys-devel/autoconf:  2.13, 2.65
sys-devel/automake:  1.7.9-r1, 1.9.6-r2, 1.10.3, 1.11.1
sys-devel/binutils:  2.20.1-r1
sys-devel/gcc:       3.4.6-r2, 4.3.4
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.6b
sys-devel/make:      3.81-r2
virtual/os-headers:  2.6.30-r1
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=opteron -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /var/bind"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=opteron -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests distlocks fixpackages news parallel-fetch protect-owned sandbox sfperms strict unmerge-logs unmerge-orphans userfetch"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="en_GB.UTF-8"
LC_ALL="en_GB.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/srv/gentoo/overlay"
SYNC="rsync://portage-rsync.linx.net/gentoo-portage"
USE="amd64 animgif bash-completion berkdb bzip2 calendar cgi cli cracklib crypt cxx diskio dri elf expat fastcgi gd gdbm gif gnutls hardened httpd iconv ipv6 jpeg justify mmx modules mpm-prefork mudflap mysql ncurses network network-cron no-old-linux nptl nptlonly pam pcre perl perlsuid pic png pppd python readline reflection rss session snmp spl sqlite sse sse2 ssl stream sysfs syslog threads truetype unicode urandom v4l2 vhosts xml xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic auth_digest authn_anon authn_dbd authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock dbd deflate dir disk_cache env expires ext_filter file_cache filter headers ident imagemap include info log_config logio mem_cache mime mime_magic negotiation proxy proxy_ajp proxy_balancer proxy_connect proxy_http rewrite setenvif so speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga neomagic nouveau nv r128 radeon savage sis tdfx trident vesa via vmware voodoo" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" 
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

Comment 5 Christian Faulhammer (RETIRED) gentoo-dev 2010-08-31 13:12:33 UTC
Fine for x86
Comment 6 Tobias Klausmann (RETIRED) gentoo-dev 2010-08-31 14:37:00 UTC
Alpha has no objections.
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2010-09-01 12:46:48 UTC
(In reply to comment #4)
> Recommended investigation (when USE=ldap), not a show-stopper:
> checking whether to use PAM session support... yes
> ./configure: line 17257: test: =: unary operator expected
> checking for LDAP libraries...  -lldap
> checking for library containing ber_set_option... -llber

That's not a regression against either 1.7.2_p7 or 1.7.3 or 1.7.4_p3.

HPPA is OK.
Comment 8 Tony Vroon (RETIRED) gentoo-dev 2010-09-01 13:11:13 UTC
(In reply to comment #7)
> That's not a regression against either 1.7.2_p7 or 1.7.3 or 1.7.4_p3.

Okay, thanks Jeroen. Withdrawn. 
Comment 9 Joe Jezak (RETIRED) gentoo-dev 2010-09-03 19:34:47 UTC
Seems fine on ppc/ppc64.
Comment 10 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-09-06 14:55:18 UTC
The embargo will likely be postponed to tomorrow, 1200 UTC.

Currently, we'll go into -x86 with the following KEYWORDS:
"alpha amd64 ~arm hppa ~ia64 ~m68k ppc ppc64 ~s390 ~sh ~sparc x86"

Raul, maybe you still get the chance to test this on a few of your arches (ia64/sparc)?
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2010-09-06 16:33:43 UTC
Looks fine on arm/ia64/s390/sh/sparc
Comment 12 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-09-06 16:36:09 UTC
(In reply to comment #11)
> Looks fine on arm/ia64/s390/sh/sparc
> 

Great, thanks. Updated KW list:
"alpha amd64 arm hppa ia64 ~m68k ppc ppc64 s390 sh sparc x86"
Comment 13 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-09-07 12:03:23 UTC
This is now public as per $URL.
Comment 14 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-09-07 12:10:22 UTC
GLSA 201009-03
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2010-09-25 16:35:18 UTC
CVE-2010-2956 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2956):
  Sudo 1.7.0 through 1.7.4p3, when a Runas group is configured, does not
  properly handle use of the -u option in conjunction with the -g option,
  which allows local users to gain privileges via a command line containing a
  "-u root" sequence.
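As an added example (not part of this bug, of the attached patch, or of sudo's own code), the two checks a defender would run when triaging this issue on a host: whether the installed sudo version falls in the affected range, and whether sudoers actually configures a Runas group, which the CVE text above names as the precondition. The affected range (1.7.0 through 1.7.4p3) and the fixed Gentoo revision (1.7.4_p3-r1) are taken from this bug; the sudoers content is a constructed sample, and the scanner does not expand Runas_Alias definitions or follow #include directives.

```python
"""Triage helpers for CVE-2010-2956 (added example, not sudo or Gentoo code).

(a) is_affected_version(): parses sudo versions in upstream form ("1.7.4p3")
    and Gentoo form ("1.7.4_p3-r1") and reports whether they lie in the
    range the bug's NVD text gives, 1.7.0 .. 1.7.4p3 inclusive.
(b) runas_group_rules(): scans sudoers text for user specifications whose
    Runas spec names a group, i.e. the rules that make the issue reachable.
"""
import re
from typing import List, Tuple

# Upstream "1.7.4p3" or Gentoo "1.7.4_p3-r1"; patchlevel and -rN are optional.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_?p(\d+))?(?:-r\d+)?$")

FIRST_AFFECTED = (1, 7, 0, 0)   # Sudo 1.7.0   (NVD text on this bug)
LAST_AFFECTED = (1, 7, 4, 3)    # Sudo 1.7.4p3 (NVD text on this bug)


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, micro, patchlevel); patchlevel is 0 if absent."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised sudo version: {text!r}")
    major, minor, micro, patch = m.groups()
    return (int(major), int(minor), int(micro), int(patch or 0))


def is_affected_version(text: str) -> bool:
    """True if the version is within 1.7.0 .. 1.7.4p3 inclusive.

    Gentoo's 1.7.4_p3-r1 carries the backported fix, so revision -r1 or
    later of 1.7.4_p3 is treated as fixed although its upstream component
    is still 1.7.4p3.
    """
    v = parse_version(text)
    if v == LAST_AFFECTED and re.search(r"-r[1-9]\d*$", text.strip()):
        return False
    return FIRST_AFFECTED <= v <= LAST_AFFECTED


# Runas spec: "(root)", "(ALL : ALL)", "(: www-data)".  Only the part after
# the colon names groups; group 1 is the user list, group 2 the group list.
_RUNAS_RE = re.compile(r"\(\s*([^():]*?)\s*(?::\s*([^()]*?))?\s*\)")


def _logical_lines(sudoers: str) -> List[str]:
    """Join backslash-continued lines; drop blank lines and '#' comments
    (this also drops #include directives, which are not followed here)."""
    out: List[str] = []
    buf = ""
    for raw in sudoers.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        stripped = (buf + line).strip()
        buf = ""
        if stripped and not stripped.startswith("#"):
            out.append(stripped)
    if buf.strip():
        out.append(buf.strip())
    return out


def runas_group_rules(sudoers: str) -> List[Tuple[str, str]]:
    """Return (rule, group_list) for every user specification whose Runas
    spec names one or more groups.  Defaults and *_Alias lines are skipped;
    aliases are not expanded."""
    hits: List[Tuple[str, str]] = []
    for line in _logical_lines(sudoers):
        head = line.split()[0]
        if head.startswith("Defaults") or head.endswith("_Alias"):
            continue
        for m in _RUNAS_RE.finditer(line):
            groups = (m.group(2) or "").strip()
            if groups:
                hits.append((line, groups))
    return hits


# Constructed sample sudoers for this example (not from any real host).
SAMPLE_SUDOERS = """\
# constructed sample
Defaults    env_reset
Runas_Alias OPS = operator
User_Alias  WEBADMINS = alice, bob
root        ALL=(ALL) ALL
%wheel      ALL=(ALL) ALL
alice       ALL=(ALL : ALL) ALL
bob         ALL=(: www-data) NOPASSWD: /usr/bin/systemctl restart apache2
carol       ALL=(www-data) /usr/bin/tail -f \\
                /var/log/apache2/*.log
"""

if __name__ == "__main__":
    for ver in ("1.7.2_p1", "1.7.4p3", "1.7.4_p3-r1"):
        print(f"{ver:14s} affected={is_affected_version(ver)}")
    for rule, groups in runas_group_rules(SAMPLE_SUDOERS):
        print(f"Runas group(s) {groups!r} in rule: {rule}")
```

Only the alice and bob rules are reported: carol's `(www-data)` is a Runas user, not a group, and the root and wheel rules carry no group list at all. A host that reports an affected version but no Runas-group rules (after alias expansion, which this example leaves out) does not meet the precondition the CVE text describes, which is useful when prioritising the update.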