Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 767946 - <app-admin/sudo-1.9.5_p2-r1: NO_ROOT_MAILER ineffective
Summary: <app-admin/sudo-1.9.5_p2-r1: NO_ROOT_MAILER ineffective
Status: IN_PROGRESS
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://www.sudo.ws/repos/sudo/rev/e0...
Whiteboard: A4 [glsa?]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-01-30 09:17 UTC by Sam James
Modified: 2021-07-29 18:13 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester gentoo-dev Security 2021-01-30 09:17:15 UTC
From https://www.openwall.com/lists/oss-security/2021/01/30/1:

"While reproducing the exploitation of "Baron Samedit" another
minor issue in Sudo was discovered. It affects Sudo 1.9.4
and newer and renders the "NO_ROOT_MAILER" hardening option
useless. While this bug by itself is not known to be exploitable
on its own, combining it with the "Baron Samedit" heap overflow
eases exploitation of the later tremendously.

Further analysis of the issue in cooperation with Qualys showed,
that therefore on newer systems Qualys complex end timeconsuming
exploitation methods can be avoided, thus allowing trivial, reliable
privilege escalation. The loss of the feature allows to overwrite
the default mailer binary name "/usr/sbin/sendmail" on the heap
with a user controlled string. The rogue mailer is then invoked
with full privileges due to "NO_ROOT_MAILER" failing."
Comment 1 Larry the Git Cow gentoo-dev 2021-01-30 10:19:09 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e3dea34c197901b5d40aa0683ee9c0473ab62b9c

commit e3dea34c197901b5d40aa0683ee9c0473ab62b9c
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2021-01-30 10:18:50 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2021-01-30 10:18:50 +0000

    app-admin/sudo: Revbump to fix NO_ROOT_MAILER issue
    
    Removed old. Bumped straight to stable.
    
    Bug: https://bugs.gentoo.org/767946
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 .../files/sudo-1.9.5_p2-NO_ROOT_MAILER_fix.patch   | 51 ++++++++++++++++++++++
 ...udo-1.9.5_p2.ebuild => sudo-1.9.5_p2-r1.ebuild} |  4 ++
 2 files changed, 55 insertions(+)
Comment 2 NATTkA bot gentoo-dev 2021-07-29 17:24:16 UTC Comment hidden (obsolete)
Comment 3 NATTkA bot gentoo-dev 2021-07-29 17:32:44 UTC Comment hidden (obsolete)
Comment 4 NATTkA bot gentoo-dev 2021-07-29 17:40:37 UTC Comment hidden (obsolete)
Comment 5 NATTkA bot gentoo-dev 2021-07-29 17:48:47 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2021-07-29 18:04:43 UTC Comment hidden (obsolete)
Comment 7 NATTkA bot gentoo-dev 2021-07-29 18:13:01 UTC
Package list is empty or all packages have requested keywords.