Major changes between version 1.8.31 and 1.8.30: Fixed CVE-2019-18634, a buffer overflow when the pwfeedback sudoers option is enabled on systems with uni-directional pipes.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0daecc9a3722cbab10e8124eb19b8e89d00d624f

commit 0daecc9a3722cbab10e8124eb19b8e89d00d624f
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-01-31 13:54:44 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-01-31 14:00:04 +0000

    app-admin/sudo: Security bump to version 1.8.31

    Bug: https://bugs.gentoo.org/707574
    Package-Manager: Portage-2.3.86, Repoman-2.3.20
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 app-admin/sudo/Manifest           |   1 +
 app-admin/sudo/sudo-1.8.31.ebuild | 263 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 264 insertions(+)
It turns out a change in EOF handling introduced in sudo 1.8.26 prevents exploitation of the bug. The EOF character is also initialized to 0 and sudo 1.8.26 checks for EOF before it checks for the kill character. This means that the bug actually affects sudo versions 1.7.1 to 1.8.25p1 inclusive. Sorry for the oversight. I've updated the affected versions in https://www.sudo.ws/alerts/pwfeedback.html
> It turns out a change in EOF handling introduced in sudo 1.8.26
> prevents exploitation of the bug.

Or not?

https://www.openwall.com/lists/oss-security/2020/02/05/2

"When using a pty, sudo_term_eof and sudo_term_kill are initialized to 0x4 and 0x15 allowing the overflow to be reached, making 1.8.26-1.8.30 also vulnerable"

I think we should go ahead and stabilize 1.8.31 as long as people still argue whether this is actually exploitable.
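The two comments above disagree only about where the affected range ends; taken together, the thread places CVE-2019-18634 in sudo 1.7.1 through 1.8.30, with 1.8.31 carrying the fix, and the overflow is reachable only when the pwfeedback Defaults option is enabled. The following POSIX shell script is an added example, not part of this bug report, of Gentoo's ebuilds or of sudo itself. It classifies an installation by those two conditions: the version range [1.7.1, 1.8.31) is an assumption taken from this thread, the function names (sudo_version_key, sudo_version_affected, pwfeedback_enabled, assess_sudo, make_samples) are mine, and the sudoers files it reads are constructed samples rather than real system configuration.

```shell
#!/bin/sh
# Added example (not from the Gentoo bug or the sudo project): decide whether
# a sudo installation is exposed to CVE-2019-18634 as this thread describes it.
# Assumption from the thread: affected versions are 1.7.1 .. 1.8.30 inclusive,
# fixed in 1.8.31, and only when "Defaults pwfeedback" is enabled.

# Turn a sudo version string such as "1.8.25p1" into one comparable integer:
# major*10^9 + minor*10^6 + patch*10^3 + p-level.  "1.8" is treated as 1.8.0.
sudo_version_key() {
    svk_ver=$1
    svk_base=${svk_ver%%p*}
    svk_plevel=0
    case $svk_ver in
        *p*) svk_plevel=${svk_ver##*p} ;;
    esac
    svk_major=${svk_base%%.*}
    svk_rest=${svk_base#*.}
    svk_minor=${svk_rest%%.*}
    svk_patch=${svk_rest#*.}
    if [ "$svk_patch" = "$svk_rest" ]; then
        svk_patch=0
    fi
    echo $(( svk_major * 1000000000 + svk_minor * 1000000 + svk_patch * 1000 + svk_plevel ))
}

# True (exit 0) when VERSION lies in the affected range [1.7.1, 1.8.31).
sudo_version_affected() {
    sva_key=$(sudo_version_key "$1")
    sva_lo=$(sudo_version_key 1.7.1)
    sva_fixed=$(sudo_version_key 1.8.31)
    [ "$sva_key" -ge "$sva_lo" ] && [ "$sva_key" -lt "$sva_fixed" ]
}

# True (exit 0) when the sudoers file $1 has a Defaults line that enables
# pwfeedback.  Comments are stripped first; a negated "!pwfeedback" does not
# match because the character before the option must be a space or a comma.
pwfeedback_enabled() {
    sed 's/#.*//' "$1" |
        grep -E '^[[:space:]]*Defaults' |
        grep -Eq '[[:space:],]pwfeedback([[:space:],]|$)'
}

# Version string of the sudo binary on this host, parsed from "sudo -V"
# (prints "Sudo version X.Y.Z" as its first line).  Not called below so the
# example runs on hosts without sudo.
installed_sudo_version() {
    sudo -V 2>/dev/null | sed -n 's/^Sudo version //p' | head -n 1
}

# One-word verdict for VERSION ($1) and SUDOERS_FILE ($2).
assess_sudo() {
    if ! sudo_version_affected "$1"; then
        echo "version-not-affected"
    elif ! pwfeedback_enabled "$2"; then
        echo "pwfeedback-disabled"
    else
        echo "exposed"
    fi
}

# Constructed sample sudoers files in a temporary directory (printed on stdout).
make_samples() {
    ms_dir=$(mktemp -d)
    printf 'Defaults env_reset\nDefaults pwfeedback\nroot ALL=(ALL) ALL\n' \
        > "$ms_dir/sudoers.pwfb"
    printf 'Defaults env_reset\n# Defaults pwfeedback\nDefaults !pwfeedback\n' \
        > "$ms_dir/sudoers.nopwfb"
    echo "$ms_dir"
}

# Demonstration on the constructed samples.
demo_dir=$(make_samples)
for demo_ver in 1.7.0 1.8.25p1 1.8.30 1.8.31; do
    printf '%-9s pwfeedback on : %s\n' "$demo_ver" "$(assess_sudo "$demo_ver" "$demo_dir/sudoers.pwfb")"
done
printf '%-9s pwfeedback off: %s\n' 1.8.30 "$(assess_sudo 1.8.30 "$demo_dir/sudoers.nopwfb")"
rm -rf "$demo_dir"
```

On a live host, `assess_sudo "$(installed_sudo_version)" /etc/sudoers` gives the verdict for the local installation; the version key handles the `pN` suffix sudo uses for point releases (1.8.25p1 sorts after 1.8.25 and before 1.8.26), which a plain string comparison would get wrong.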
Can we proceed here with stabilizing?
(In reply to Hanno Böck from comment #4)
> Can we proceed here with stabilizing?

Of course...
ppc stable
hppa/sparc stable
amd64 stable
arm stable
s390 stable
x86 stable
ppc64 stable
ia64 stable
Added to an existing GLSA.
This issue was resolved and addressed in GLSA 202003-12 at https://security.gentoo.org/glsa/202003-12 by GLSA coordinator Thomas Deutschmann (whissi).
Re-opening for remaining architectures.
sh stable
arm64 stable
@m68k: ping.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=28909837d2ce52371aac93d39b0f79297aad09f3

commit 28909837d2ce52371aac93d39b0f79297aad09f3
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-03-30 15:21:30 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-03-30 15:21:49 +0000

    app-admin/sudo: security cleanup

    Bug: https://bugs.gentoo.org/707574
    Package-Manager: Portage-2.3.96, Repoman-2.3.22
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 app-admin/sudo/Manifest                            |   3 -
 .../sudo-1.8.28-no_pam_error_message_fix.patch     |  46 ----
 app-admin/sudo/sudo-1.8.28_p1-r2.ebuild            | 267 ---------------------
 app-admin/sudo/sudo-1.8.29-r2.ebuild               | 267 ---------------------
 app-admin/sudo/sudo-1.8.30.ebuild                  | 263 --------------------
 5 files changed, 846 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f048af4f5103aba015717bef4beb43a70de765f4

commit f048af4f5103aba015717bef4beb43a70de765f4
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-03-30 15:20:31 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-03-30 15:21:48 +0000

    app-admin/sudo: mark m68k stable (bug #707574)

    Bug: https://bugs.gentoo.org/707574
    Package-Manager: Portage-2.3.96, Repoman-2.3.22
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 app-admin/sudo/sudo-1.8.31.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Repository is clean, all done!