"While reproducing the exploitation of "Baron Samedit" another
minor issue in Sudo was discovered. It affects Sudo 1.9.4
and newer and renders the "NO_ROOT_MAILER" hardening option
useless. While this bug by itself is not known to be exploitable
on its own, combining it with the "Baron Samedit" heap overflow
eases exploitation of the latter tremendously.
Further analysis of the issue in cooperation with Qualys showed
that therefore on newer systems Qualys' complex and time-consuming
exploitation methods can be avoided, thus allowing trivial, reliable
privilege escalation. The loss of the feature allows overwriting
the default mailer binary name "/usr/sbin/sendmail" on the heap
with a user controlled string. The rogue mailer is then invoked
with full privileges due to "NO_ROOT_MAILER" failing."

The bug has been referenced in the following commit(s):

Author: Lars Wendler <firstname.lastname@example.org>
AuthorDate: 2021-01-30 10:18:50 +0000
Commit: Lars Wendler <email@example.com>
CommitDate: 2021-01-30 10:18:50 +0000

app-admin/sudo: Revbump to fix NO_ROOT_MAILER issue

Removed old. Bumped straight to stable.

Package-Manager: Portage-3.0.14, Repoman-3.0.2
Signed-off-by: Lars Wendler <firstname.lastname@example.org>

.../files/sudo-1.9.5_p2-NO_ROOT_MAILER_fix.patch | 51 ++++++++++++++++++++++
...udo-1.9.5_p2.ebuild => sudo-1.9.5_p2-r1.ebuild} | 4 ++
2 files changed, 55 insertions(+)