Bug 252583 - security/sudo: Update to 1.9.5
Summary: security/sudo: Update to 1.9.5
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Many People
Assignee: Renato Botelho
URL:
Keywords: security
Depends on:
Blocks:
 
Reported: 2021-01-11 16:25 UTC by Cy Schubert
Modified: 2021-01-13 08:09 UTC (History)
1 user (show)

See Also:
garga: maintainer-feedback+
koobs: merge-quarterly+


Attachments
Update sudo to 1.9.5 (781 bytes, patch)
2021-01-11 16:25 UTC, Cy Schubert
cy: maintainer-approval?
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Cy Schubert freebsd_committer freebsd_triage 2021-01-11 16:25:39 UTC
Created attachment 221466 [details]
Update sudo to 1.9.5

Sudo version 1.9.5 is now available which fixes several bugs, including
CVE-2021-23239 and CVE-2021-23240 which have security implications.
See below for details.

Source:
    https://www.sudo.ws/dist/sudo-1.9.5.tar.gz
    ftp://ftp.sudo.ws/pub/sudo/sudo-1.9.5.tar.gz

SHA256 checksum:
    3718b16de71fd6076858d5a1efe93a0d11d2f713fc51f24a314dfee78e4e83a5
MD5 checksum:
    faf1dfc975929c5f99a1fdc64e9b7098

Binary packages:
    https://www.sudo.ws/download.html#binary

For a list of download mirror sites, see:
    https://www.sudo.ws/download_mirrors.html

Sudo web site:
    https://www.sudo.ws/

Sudo web site mirrors:
    https://www.sudo.ws/mirrors.html

Major changes between sudo 1.9.5 and 1.9.4p2

 * Fixed a crash introduced in 1.9.4 when running "sudo -i" as an
   unknown user.  This is related to but distinct from Bug #948.

 * If the "lecture_file" setting is enabled in sudoers, it must now
   refer to a regular file or a symbolic link to a regular file.

 * Fixed a potential use-after-free bug in sudo_logsrvd when the
   server shuts down if there are existing connections from clients
   that are only logging events and not session I/O data.

 * Fixed a buffer size mismatch when serializing the list of IP
   addresses for configured network interfaces.  This bug is not
   actually exploitable since the allocated buffer is large enough
   to hold the list of addresses.

 * If sudo is executed with a name other than "sudo" or "sudoedit",
   it will now fall back to "sudo" as the program name.  This affects
   warning, help and usage messages as well as the matching of Debug
   lines in the /etc/sudo.conf file.  Previously, it was possible
   for the invoking user to manipulate the program name by setting
   argv[0] to an arbitrary value when executing sudo.

 * Sudo now checks for failure when setting the close-on-exec flag
   on open file descriptors.  This should never fail but, if it
   were to, there is the possibility of a file descriptor leak to
   a child process (such as the command sudo runs).

 * Fixed CVE-2021-23239, a potential information leak in sudoedit
   that could be used to test for the existence of directories not
   normally accessible to the user in certain circumstances.  When
   creating a new file, sudoedit checks to make sure the parent
   directory of the new file exists before running the editor.
   However, a race condition exists if the invoking user can replace
   (or create) the parent directory.  If a symbolic link is created
   in place of the parent directory, sudoedit will run the editor
   as long as the target of the link exists.  If the target of the
   link does not exist, an error message will be displayed.  The
   race condition can be used to test for the existence of an
   arbitrary directory.  However, it _cannot_ be used to write to
   an arbitrary location.

 * Fixed CVE-2021-23240, a flaw in the temporary file handling of
   sudoedit's SELinux RBAC support.  On systems where SELinux is
   enabled, a user with sudoedit permissions may be able to set the
   owner of an arbitrary file to the user-ID of the target user.
   On Linux kernels that support "protected symlinks", setting
   /proc/sys/fs/protected_symlinks to 1 will prevent the bug from
   being exploited.  For more information see
   https://www.sudo.ws/alerts/sudoedit_selinux.html.

 * Added writability checks for sudoedit when SELinux RBAC is in use.
   This makes sudoedit behavior consistent regardless of whether
   or not SELinux RBAC is in use.  Previously, the "sudoedit_checkdir"
   setting had no effect for RBAC entries.

 * A new sudoers option "selinux" can be used to disable sudo's
   SELinux RBAC support.

 * Quieted warnings from PVS Studio, clang analyzer, and cppcheck.
   Added suppression annotations for PVS Studio false positives.
Comment 1 Renato Botelho freebsd_committer freebsd_triage 2021-01-11 19:35:09 UTC
Approved.  Thanks!
Comment 2 commit-hook freebsd_committer freebsd_triage 2021-01-11 20:07:11 UTC
A commit references this bug:

Author: cy
Date: Mon Jan 11 20:06:29 UTC 2021
New revision: 561259
URL: https://svnweb.freebsd.org/changeset/ports/561259

Log:
  Update 1.9.4p2 --> 1.9.5

  PR:		252583
  Submitted by:	cy
  Reported by:	cy
  Approved by:	garga (maintainer)
  MFH:		2021Q1
  Security:	CVE-2021-23239

Changes:
  head/security/sudo/Makefile
  head/security/sudo/distinfo
Comment 3 Cy Schubert freebsd_committer freebsd_triage 2021-01-11 20:10:49 UTC
committed
Comment 4 commit-hook freebsd_committer freebsd_triage 2021-01-12 12:43:56 UTC
A commit references this bug:

Author: garga
Date: Tue Jan 12 12:43:27 UTC 2021
New revision: 561325
URL: https://svnweb.freebsd.org/changeset/ports/561325

Log:
  MFH: r561259 r561323

  Update 1.9.4p2 --> 1.9.5

  PR:		252583
  Submitted by:	cy
  Reported by:	cy
  Approved by:	garga (maintainer)
  Security:	CVE-2021-23239

  security/sudo: Update to 1.9.5p1

  This version fixes a regression introduced by 1.9.5

  Changelog: https://www.sudo.ws/stable.html#1.9.5p1

  PR:		252598
  Submitted by:	cy
  Sponsored by:	Rubicon Communications, LLC (Netgate)

Changes:
_U  branches/2021Q1/
  branches/2021Q1/security/sudo/Makefile
  branches/2021Q1/security/sudo/distinfo
Comment 5 Kubilay Kocak freebsd_committer freebsd_triage 2021-01-13 08:09:51 UTC
^Triage: 

- [tags] in issue Titles are deprecated
- Track MFH & security metadata