Bug 707574 (CVE-2019-18634) - <app-admin/sudo-1.8.31: buffer overflow when the pwfeedback sudoers option is enabled on systems with uni-directional pipes (CVE-2019-18634)
Summary: <app-admin/sudo-1.8.31: buffer overflow when the pwfeedback sudoers option is...
Status: RESOLVED FIXED
Alias: CVE-2019-18634
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL:
Whiteboard: B1 [glsa+ cve]
Keywords: STABLEREQ
Depends on:
Blocks:
Reported: 2020-01-31 13:53 UTC by Lars Wendler (Polynomial-C)
Modified: 2020-03-30 15:22 UTC

See Also:
Package list:
=app-admin/sudo-1.8.31
Runtime testing required: ---
stable-bot: sanity-check+


Description Lars Wendler (Polynomial-C) gentoo-dev 2020-01-31 13:53:37 UTC
Major changes between version 1.8.31 and 1.8.30:

    Fixed CVE-2019-18634, a buffer overflow when the pwfeedback sudoers option is enabled on systems with uni-directional pipes.
Comment 1 Larry the Git Cow gentoo-dev 2020-01-31 14:00:15 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0daecc9a3722cbab10e8124eb19b8e89d00d624f

commit 0daecc9a3722cbab10e8124eb19b8e89d00d624f
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-01-31 13:54:44 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-01-31 14:00:04 +0000

    app-admin/sudo: Security bump to version 1.8.31
    
    Bug: https://bugs.gentoo.org/707574
    Package-Manager: Portage-2.3.86, Repoman-2.3.20
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 app-admin/sudo/Manifest           |   1 +
 app-admin/sudo/sudo-1.8.31.ebuild | 263 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 264 insertions(+)
Comment 2 Agostino Sarubbo gentoo-dev 2020-01-31 14:15:57 UTC
It turns out a change in EOF handling introduced in sudo 1.8.26
prevents exploitation of the bug.  The EOF character is also
initialized to 0 and sudo 1.8.26 checks for EOF before it checks
for the kill character.

This means that the bug actually affects sudo versions 1.7.1 to
1.8.25p1 inclusive.

Sorry for the oversight.  I've updated the affected versions in
https://www.sudo.ws/alerts/pwfeedback.html
Comment 3 Hanno Böck gentoo-dev 2020-02-05 12:43:46 UTC
> It turns out a change in EOF handling introduced in sudo 1.8.26
> prevents exploitation of the bug.

Or not?
https://www.openwall.com/lists/oss-security/2020/02/05/2
"When using a pty, sudo_term_eof and sudo_term_kill are initialized to 0x4 and 0x15 allowing the overflow to be reached, making 1.8.26-1.8.30 also vulnerable"

I think we should go ahead and stabilize 1.8.31 as long as people still argue whether this is actually exploitable.
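The two conditions this thread establishes for CVE-2019-18634 being reachable are a sudo version below 1.8.31 (comment 2 gives 1.7.1 to 1.8.25p1; comment 3 shows the 1.8.26 EOF change does not help when a pty is used, so 1.8.26 to 1.8.30 count as well) and the pwfeedback option enabled in sudoers. The following Python check is an added example, not code from this bug, from Gentoo or from sudo: it takes the first line of `sudo -V` output and the text of sudoers and reports whether both conditions hold. The sample inputs are constructed, the function names are mine, and the sudoers handling is a simplification (only Defaults entries, backslash continuations and `#` comments are interpreted).

```python
import re

# Affected range from this thread: 1.7.1 up to and including 1.8.30 (any
# patch level, since comment 3 shows the 1.8.26 EOF change does not help
# with a pty); 1.8.31 carries the fix.  Versions compare as
# (major, minor, micro, patchlevel) tuples, so "1.8.25p1" > "1.8.25".
FIRST_AFFECTED = (1, 7, 1, 0)
FIRST_FIXED = (1, 8, 31, 0)
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:_?p(\d+))?")

SAMPLE_SUDO_V = "Sudo version 1.8.28p1\nSudoers policy plugin version 1.8.28p1\n"  # constructed
SAMPLE_SUDOERS = ("# Defaults pwfeedback   <- commented out, must not count\n"      # constructed
                  "Defaults env_reset, \\\n         pwfeedback\nroot ALL=(ALL) ALL\n")

def parse_version(text):
    """Version tuple from text such as the first line of `sudo -V`, or None."""
    m = _VERSION_RE.search(text)
    return None if not m else tuple(int(g or 0) for g in m.groups())

def version_affected(text):
    v = parse_version(text)
    return v is not None and FIRST_AFFECTED <= v < FIRST_FIXED

def pwfeedback_enabled(sudoers):
    """Global Defaults apply in order (last one wins); any scoped enable counts."""
    enabled_global = enabled_scoped = False
    logical = ""
    for raw in sudoers.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):                  # backslash continuation
            logical += line[:-1] + " "
            continue
        entry, logical = (logical + line).strip(), ""
        if not entry or entry.startswith("#"):   # blank line or comment
            continue
        entry = re.split(r"\s#", entry, maxsplit=1)[0]   # trailing comment
        if not (m := re.match(r"Defaults([:@!>]\S+)?\s+(.*)", entry)):
            continue
        scope, options = m.groups()              # scope: ":user", "@host", ...
        for opt in (o.strip() for o in options.split(",")):
            if opt in ("pwfeedback", "!pwfeedback"):
                if scope:
                    enabled_scoped |= opt == "pwfeedback"   # scoped disable ignored
                else:
                    enabled_global = opt == "pwfeedback"
    return enabled_global or enabled_scoped

def exposed(sudo_v_output, sudoers):
    return version_affected(sudo_v_output) and pwfeedback_enabled(sudoers)
```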
Comment 4 Hanno Böck gentoo-dev 2020-03-02 08:58:24 UTC
Can we proceed here with stabilizing?
Comment 5 Lars Wendler (Polynomial-C) gentoo-dev 2020-03-02 09:05:03 UTC
(In reply to Hanno Böck from comment #4)
> Can we proceed here with stabilizing?

Of course...
Comment 6 Agostino Sarubbo gentoo-dev 2020-03-02 15:23:50 UTC
ppc stable
Comment 7 Rolf Eike Beer 2020-03-02 18:27:45 UTC
hppa/sparc stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-03-03 07:53:59 UTC
amd64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2020-03-03 07:54:22 UTC
arm stable
Comment 10 Agostino Sarubbo gentoo-dev 2020-03-03 07:55:17 UTC
s390 stable
Comment 11 Agostino Sarubbo gentoo-dev 2020-03-03 08:03:16 UTC
x86 stable
Comment 12 Agostino Sarubbo gentoo-dev 2020-03-03 16:26:25 UTC
ppc64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2020-03-04 08:07:55 UTC
ia64 stable
Comment 14 Thomas Deutschmann gentoo-dev Security 2020-03-14 16:14:08 UTC
Added to an existing GLSA.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2020-03-14 16:22:54 UTC
This issue was resolved and addressed in
 GLSA 202003-12 at https://security.gentoo.org/glsa/202003-12
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 16 Thomas Deutschmann gentoo-dev Security 2020-03-14 16:23:28 UTC
Re-opening for remaining architectures.
Comment 17 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2020-03-15 13:10:47 UTC
sh stable
Comment 18 Mart Raudsepp gentoo-dev 2020-03-17 19:21:34 UTC
arm64 stable
Comment 19 Sam James (sec padawan) 2020-03-30 14:40:09 UTC
@m68k: ping.
Comment 20 Larry the Git Cow gentoo-dev 2020-03-30 15:21:56 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=28909837d2ce52371aac93d39b0f79297aad09f3

commit 28909837d2ce52371aac93d39b0f79297aad09f3
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-03-30 15:21:30 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-03-30 15:21:49 +0000

    app-admin/sudo: security cleanup
    
    Bug: https://bugs.gentoo.org/707574
    Package-Manager: Portage-2.3.96, Repoman-2.3.22
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 app-admin/sudo/Manifest                            |   3 -
 .../sudo-1.8.28-no_pam_error_message_fix.patch     |  46 ----
 app-admin/sudo/sudo-1.8.28_p1-r2.ebuild            | 267 ---------------------
 app-admin/sudo/sudo-1.8.29-r2.ebuild               | 267 ---------------------
 app-admin/sudo/sudo-1.8.30.ebuild                  | 263 --------------------
 5 files changed, 846 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f048af4f5103aba015717bef4beb43a70de765f4

commit f048af4f5103aba015717bef4beb43a70de765f4
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-03-30 15:20:31 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-03-30 15:21:48 +0000

    app-admin/sudo: mark m68k stable (bug #707574)
    
    Bug: https://bugs.gentoo.org/707574
    Package-Manager: Portage-2.3.96, Repoman-2.3.22
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 app-admin/sudo/sudo-1.8.31.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 21 Thomas Deutschmann gentoo-dev Security 2020-03-30 15:22:31 UTC
Repository is clean, all done!