Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 96618 - app-admin/sudo 1.6.8p9 fixes race condition
Summary: app-admin/sudo 1.6.8p9 fixes race condition
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Other
: High major (vote)
Assignee: Gentoo Security
URL: http://www.sudo.ws/sudo/alerts/path_r...
Whiteboard: B1 [glsa] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2005-06-20 08:56 UTC by Rajiv Aaron Manglani (RETIRED)
Modified: 2005-08-15 21:52 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Rajiv Aaron Manglani (RETIRED) gentoo-dev 2005-06-20 08:56:21 UTC
From: 	  Todd.Miller@courtesan.com
	Subject: 	Sudo version 1.6.8p9 now available, fixes security issue.
	Date: 	June 20, 2005 10:24:43 AM EDT
	To: 	  bugtraq@securityfocus.com

Sudo version 1.6.8, patchlevel 9 is now available, which fixes a
race condition in Sudo's pathname validation.  This is a security
issue.

Summary:
    A race condition in Sudo's command pathname handling prior to
    Sudo version 1.6.8p9 that could allow a user with Sudo privileges
    to run arbitrary commands.

Sudo versions affected:
    Sudo versions 1.3.1 up to and including 1.6.8p8.

Details:
    When a user runs a command via Sudo, the inode and device numbers
    of the command are compared to those of commands with the same
    basename found in the sudoers file (see the Background paragraph
    for more information).  When a match is found, the path to the
    matching command listed in the sudoers file is stored in the
    variable safe_cmnd,  which is later used to execute the command.
    Because the actual path executed comes from the sudoers file
    and not directly from the user, Sudo should be safe from race
    conditions involving symbolic links.  However, if a sudoers
    entry containing the pseudo-command ALL follows the user's
    sudoers entry the contents of safe_cmnd will be overwritten
    with the path the user specified on the command line, making
    Sudo vulnerable to the aforementioned race condition.

Impact:
    Exploitation of the bug requires that the user be allowed to
    run one or more commands via Sudo and be able to create symbolic
    links in the filesystem.  Furthermore, a sudoers entry giving
    another user access to the ALL pseudo-command must follow the
    user's sudoers entry for the race to exist.

    For example, the following sudoers file is not affected by the
    bug:

	root		server=ALL
	someuser	server=/bin/echo

    Whereas this one would be:

	someuser	server=/bin/echo
	root		server=ALL

Fix:
    The bug is fixed in sudo 1.6.8p9.

Workaround:
    The administrator can order the sudoers file such that all
    entries granting Sudo ALL privileges precede all other entries.

Credit:
    This problem was brought to my attention by Charles Morris.

Background:
    The reason Sudo uses the inode for command matching is to make
    relative paths work and to avoid problems caused by automounters
    where the path to be executed is not the same as the absolute
    path to the command.

    Another possible approach is to use the realpath() function to
    find the true path.  Sudo does not user realpath() because that
    function is not present in all operating systems and is often
    vulnerable to race conditions where it does exist.

The next major Sudo release will be version 1.7.  For information
on what to expect in sudo 1.7, see http://www.sudo.ws/sudo/future.html
You can help speed the release of Sudo 1.7 by purchasing a support
contract or making a donation (see below).

Commercial support is available for Sudo.  If your organization
uses Sudo, please consider purchasing a support contract to help
fund future Sudo development at http://www.sudo.ws/support.html
Custom enhancements to Sudo may also be contracted.

You can also help out by making a donation or "purchase" a copy
of Sudo at http://www.sudo.ws/purchase.html

Master Web Site:
    http://www.sudo.ws/sudo/

Web Site Mirrors:
    http://www.mirrormonster.com/sudo/ (Fremont, California, USA)
    http://sudo.stikman.com/ (Los Angeles, California, USA)
    http://sudo.tolix.org/ (California, USA)
    http://mirage.informationwave.net/sudo/ (Fanwood, New Jersey, USA)
    http://www.mrv2k.net/sudo/ (Bend, Oregon, USA)
    http://sudo.rtin.bz/ (Philadelphia, Pennsylvania, USA)
    http://www.signal42.com/mirrors/sudo_www/ (USA)
    http://sudo.xmundo.net/ (Argentina)
    http://sudo.planetmirror.com/ (Australia)
    http://mirror.mons-new-media.de/sudo/ (Germany)
    http://sunshine.lv/sudo/ (Latvia)
    http://rexem.uni.cc/sudo/ (Kaunas, Lithuania)
    http://sudo.cdu.elektra.ru/ (Russia)
    http://sudo.nctu.edu.tw/ (Taiwan)

FTP Mirrors:
    ftp://plier.ucar.edu/pub/sudo/ (Boulder, Colorado, USA)
    ftp://ftp.cs.colorado.edu/pub/sudo/ (Boulder, Colorado, USA)
    ftp://obsd.isc.org/pub/sudo/ (Redwood City, California, USA)
    ftp://ftp.stikman.com/pub/sudo/ (Los Angeles, California, USA)
    ftp://ftp.tux.org/pub/security/sudo/ (Beltsville, Maryland, USA)
    ftp://ftp.cerias.purdue.edu/pub/tools/unix/sysutils/sudo/ (West Lafayette, Indiana, USA)
    ftp://ftp.uwsg.indiana.edu/pub/security/sudo/ (Bloomington, Indiana, USA)
    ftp://ftp.rge.com/pub/admin/sudo/ (Rochester, New York, USA)
    ftp://mirror.sg.depaul.edu/pub/security/sudo/ (Chicago, Illinois, USA)
    ftp://sudo.xmundo.net/pub/mirrors/sudo/ (Argentina)
    ftp://ftp.wiretapped.net/pub/security/host-security/sudo/ (Australia)
    ftp://ftp.tuwien.ac.at/utils/admin-tools/sudo/ (Austria)
    ftp://sunsite.ualberta.ca/pub/Mirror/sudo/ (Alberta, Canada)
    ftp://ftp.csc.cuhk.edu.hk/pub/packages/unix-tools/sudo/ (Hong Kong, China)
    ftp://ftp.eunet.cz/pub/security/sudo/ (Czechoslovakia)
    ftp://ftp.ujf-grenoble.fr/sudo/ (France)
    ftp://netmirror.org/ftp.sudo.ws/ (Frankfurt, Germany)
    ftp://ftp.win.ne.jp/pub/misc/sudo/ (Japan)
    ftp://ftp.st.ryukoku.ac.jp/pub/security/tool/sudo/ (Japan)
    ftp://ftp.cin.nihon-u.ac.jp/pub/misc/sudo/ (Japan)
    ftp://core.ring.gr.jp/pub/misc/sudo/ (Japan)
    ftp://ftp.ring.gr.jp/pub/misc/sudo/ (Japan)
    ftp://ftp.tpnet.pl/d6/ftp.sudo.ws/ (Poland)
    ftp://ftp.cdu.elektra.ru/pub/unix/security/sudo/ (Russia)
    ftp://ftp.nsysu.edu.tw/Unix/Security/Sudo/ (Taiwan)

HTTP Mirrors:
    http://www.mirrormonster.com/sudo/dist/ (Fremont, California, USA)
    http://sudo.tolix.org/ftp/ (California, USA)
    http://sudo.mirror99.com/ (San Jose, California, USA)
    http://www.signal42.com/mirrors/sudo_ftp/ (California, USA)
    http://www.rge.com/pub/admin/sudo/ (Rochester, New York, USA)
    http://probsd.org/sudoftp/ (East Coast, USA)
    http://ftp.cerias.purdue.edu/pub/tools/unix/sysutils/sudo/ (West Lafayette, Indiana, USA)
    http://www.signal42.com/mirrors/sudo_ftp/ (California, USA)
    http://netmirror.org/mirror/ftp.sudo.ws/ (Frankfurt, Germany)
    http://mirror.mons-new-media.de/sudo_ftp/ (Frankfurt, Germany)
    http://core.ring.gr.jp/archives/misc/sudo/ (Japan)
    http://www.ring.gr.jp/archives/misc/sudo/ (Japan)
    http://ftp.tpnet.pl/vol/d6/ftp.sudo.ws/ (Poland)
    http://sudo.tsuren.net/dist/ (Moscow, Russian Federation)
    http://ftp.nsysu.edu.tw/Unix/Security/Sudo/ (Taiwan)
Comment 1 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2005-06-20 09:01:00 UTC
sudo-1.6.8_p9 is in portage, but currently marked unstable on most arch's.
Comment 2 solar (RETIRED) gentoo-dev 2005-06-20 14:34:40 UTC
======================================================
Candidate: CAN-2005-1993
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1993
Reference: BUGTRAQ:20050620 Sudo version 1.6.8p9 now available, fixes
security issue.
Reference: URL:http://www.securityfocus.com/archive/1/402741
Reference:
CONFIRM:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=161116

Race condition in sudo 1.3.1 up to 1.6.8p8, when the ALL
pseudo-command is used after a user entry in the sudoers file, allows
local users to gain privileges via a symlink attack.
Comment 3 Sune Kloppenborg Jeppesen gentoo-dev 2005-06-20 23:14:17 UTC
Arches please test and mark sudo-1.6.8_p9. 
Comment 4 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-06-20 23:29:08 UTC
Stable on ppc.
Comment 5 Markus Rothe (RETIRED) gentoo-dev 2005-06-20 23:43:43 UTC
stable on ppc64 
Comment 6 René Nussbaumer (RETIRED) gentoo-dev 2005-06-21 01:29:31 UTC
Stable on hppa
Comment 7 Simon Stelling (RETIRED) gentoo-dev 2005-06-21 02:40:15 UTC
amd64 stable
Comment 8 Gustavo Zacarias (RETIRED) gentoo-dev 2005-06-21 11:09:37 UTC
Stable on sparc.
Comment 9 Tim Yamin (RETIRED) gentoo-dev 2005-06-21 11:33:24 UTC
IA64 done and happy.
Comment 10 Fernando J. Pereda (RETIRED) gentoo-dev 2005-06-21 13:42:27 UTC
alpha done for you :)

Cheers,
Ferdy
Comment 11 Sune Kloppenborg Jeppesen gentoo-dev 2005-06-22 09:11:26 UTC
x86 please mark stable. 
Comment 12 Olivier Crete (RETIRED) gentoo-dev 2005-06-22 20:35:05 UTC
stable on x86.. 
Comment 13 Sune Kloppenborg Jeppesen gentoo-dev 2005-06-23 01:18:33 UTC
GLSA 200506-22  
  
arm, mips, s390 please remember to mark stable to benifit from the GLSA.  
Comment 14 Hardave Riar (RETIRED) gentoo-dev 2005-07-02 12:08:35 UTC
Stable on mips.