It was discovered [1] that in certain system configurations that allow users to run commands as the members of some group, the backport error in sudo up to 1.9.6p20 permitted these users to run commands as root.

[1] http://www.gratisoft.us/pipermail/sudo-announce/2009-February/000085.html

Fix:
The following patch updates the current port to 1.9.6p20, which has this bug fixed. I have tested the port for the non-LDAP case; it works for me and fixes the issue.

The following VuXML entry should be evaluated and added:

<vuln vid="13d6d997-f455-11dd-8516-001b77d09812">
  <topic>sudo -- certain authorized users could run commands as any user</topic>
  <affects>
    <package>
      <name>sudo</name>
      <range><ge>1.6.9.17</ge><lt>1.6.9.20</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Todd Miller reports:</p>
      <blockquote cite="http://www.gratisoft.us/pipermail/sudo-announce/2009-February/000085.html">
        <p>A bug was introduced in Sudo's group matching code in version 1.6.9 when support for matching based on the supplemental group vector was added. This bug may allow certain users listed in the sudoers file to run a command as a different user than their access rule specifies.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <mlist msgid="200902041802.n14I2llS024155@core.courtesan.com">http://www.gratisoft.us/pipermail/sudo-announce/2009-February/000085.html</mlist>
    <cvename>CVE-2009-0034</cvename>
    <bid>33517</bid>
  </references>
  <dates>
    <discovery>2009-02-04</discovery>
    <entry>TODAY</entry>
  </dates>
</vuln>

--- vuln.xml ends here ---

Attachment: fix-CVE-2009-0034.diff

From fbf8b6659e4ac2988f867b775c2fdac10fbdee7e Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Date: Fri, 6 Feb 2009 17:15:29 +0300
Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
---
 security/sudo/Makefile | 4 ++--
 security/sudo/distinfo | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/security/sudo/Makefile b/security/sudo/Makefile index 3848874..5a68e05 100644 --- a/security/sudo/Makefile +++ b/security/sudo/Makefile @@ -6,7 +6,7 @@ # PORTNAME= sudo -PORTVERSION= 1.6.9.17 +PORTVERSION= 1.6.9.20 CATEGORIES= security MASTER_SITES= http://www.sudo.ws/sudo/dist/ \ ftp://obsd.isc.org/pub/sudo/ \ @@ -16,7 +16,7 @@ MASTER_SITES= http://www.sudo.ws/sudo/dist/ \ ftp://ftp.wiretapped.net/pub/security/host-security/sudo/ \ ${MASTER_SITE_LOCAL} MASTER_SITE_SUBDIR= tmclaugh/sudo -DISTNAME= ${PORTNAME}-1.6.9p17 +DISTNAME= ${PORTNAME}-1.6.9p20 MAINTAINER= tmclaugh@FreeBSD.org COMMENT= Allow others to run commands as root diff --git a/security/sudo/distinfo b/security/sudo/distinfo index dfc778c..9103e9d 100644 --- a/security/sudo/distinfo +++ b/security/sudo/distinfo @@ -1,3 +1,3 @@ -MD5 (sudo-1.6.9p17.tar.gz) = 60daf18f28e2c1eb7641c4408e244110 -SHA256 (sudo-1.6.9p17.tar.gz) = 1e2cd4ff684c6f542b7e392010021f36b201d074620dad4d7689da60f9c74596 -SIZE (sudo-1.6.9p17.tar.gz) = 593534 +MD5 (sudo-1.6.9p20.tar.gz) = cd1caee0227641968d63d06845dea70a +SHA256 (sudo-1.6.9p20.tar.gz) = 1197bd5f2087c13a3837e1c4da250f7db2a86f843bf00f2b3568f6410239ac7b +SIZE (sudo-1.6.9p20.tar.gz) = 596009 -- 1.6.1

How-To-Repeat:
Insert the following rule into the sudoers,
-----
user ALL=(%group) ALL
-----
where 'user' is an ordinary user and 'group' is the group of that user. Then try 'sudo -L root COMMAND'. It will give me root with 1.9.6p17.
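Review bot: the two Makefile hunks are consistent with each other (PORTVERSION 1.6.9.17 to 1.6.9.20, DISTNAME 1.6.9p17 to 1.6.9p20), but the VuXML entry supplied in this PR, whose <lt>1.6.9.20</lt> bound depends on exactly this PORTVERSION, is not in the 2-file patch; the security/vuxml/vuln.xml addition (with the TODAY placeholder in <entry> replaced by the real commit date) should be committed together with the version bump so the range and the port never disagree.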
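Review bot: the distinfo hunk replaces MD5, SHA256 and SIZE by hand; before committing, regenerate it with `make makesum` against a freshly fetched sudo-1.6.9p20.tar.gz from one of the listed MASTER_SITES and compare the SHA256 with the upstream announcement, since the ports framework can only detect a tampered distfile if the checksums in distinfo were derived from a trusted copy rather than copied from a PR.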
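An added defender-side check, not code from the PR or from the sudo port: it applies the VuXML range above (1.6.9.17 <= version < 1.6.9.20) to a sudo version string in either spelling ('1.6.9p17' or '1.6.9.17') and lists sudoers rules that use a (%group) runas list, the configuration the How-To-Repeat relies on. The audit, version_key and risky_rules names are mine, the sudoers content is constructed, and the parser only handles the simple "user host=(runas_list) command" form shown in this report.

```python
import re
from typing import List, Tuple

# Affected range taken from the VuXML entry in this PR: 1.6.9.17 <= version < 1.6.9.20
AFFECTED_GE = "1.6.9.17"
AFFECTED_LT = "1.6.9.20"

def version_key(v: str) -> Tuple[int, ...]:
    """Turn '1.6.9p17' (sudo's spelling) or '1.6.9.17' (the port's spelling)
    into (1, 6, 9, 17); the 'pNN' patch level becomes a fourth component."""
    return tuple(int(x) for x in re.split(r"[.p]", v.strip()) if x)

def is_affected(version: str) -> bool:
    key = version_key(version)
    return version_key(AFFECTED_GE) <= key < version_key(AFFECTED_LT)

# A sudoers user specification with an explicit runas list, e.g. "user ALL=(%group) ALL".
# Simplified grammar (assumption): one host, one parenthesised runas list, no "user:group" form.
RUNAS_RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*(?P<cmd>.*)$")

def risky_rules(sudoers: str) -> List[str]:
    """Return rules whose runas list names a group (%name): on an affected sudo
    these are the rules the group-matching bug applies to."""
    hits = []
    for line in sudoers.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", "Defaults")):
            continue
        m = RUNAS_RULE.match(stripped)
        if m and any(tok.strip().startswith("%") for tok in m.group("runas").split(",")):
            hits.append(stripped)
    return hits

def audit(version: str, sudoers: str) -> List[str]:
    """Rules to review on this host, or [] when the installed sudo is not in range."""
    return risky_rules(sudoers) if is_affected(version) else []

# Constructed sample sudoers content (not from the PR).
SAMPLE_SUDOERS = """\
Defaults env_reset
root ALL=(ALL) ALL
alice ALL=(%wheel) ALL
bob ALL=(operator) /usr/bin/tail
%staff ALL=(%staff, carol) /usr/bin/less
"""

if __name__ == "__main__":
    for rule in audit("1.6.9p17", SAMPLE_SUDOERS):
        print("review:", rule)
```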
Responsible Changed From-To: freebsd-ports-bugs->tmclaugh
Over to maintainer (via the GNATS Auto Assign Tool)
Two things:
1. I supplied the wrong command in the How-To-Repeat field; it should really be 'sudo -u root COMMAND'.
2. There is ports/131373, which talks about the same issue but provides an update path to 1.7.0 and has no VuXML entry. I somehow missed this PR when searching the PR database before submitting this report.
--
Eygene
tmclaugh 2009-02-06 19:35:47 UTC
FreeBSD ports repository

Modified files:
  security/sudo        Makefile distinfo
  security/vuxml       vuln.xml
Log:
Security update for sudo to 1.6.9p20 for CVE 2009-0034

Changes:
- Only use the cached supplementary group vector when matching groups for the invoking user. (security)
- When setting the umask, use the union of the user's umask and the default value set in sudoers so that we never lower the user's umask when running a command.
- Sudo now operates in the C locale again when doing a match against sudoers.

PR: 131446
Submitted by: Eygene Ryabinkin
Security: vid:13d6d997-f455-11dd-8516-001b77d09812

Revision  Changes  Path
1.101     +2 -2    ports/security/sudo/Makefile
1.61      +3 -3    ports/security/sudo/distinfo
1.1846    +33 -1   ports/security/vuxml/vuln.xml
State Changed From-To: open->closed
Committed, thanks. And yes, I know about sudo 1.7.0, but I'm hesitant to update the port to it. It's a big change and I'd rather wait for a p1 or p2 release to come out. I'm also not sure if any OSes are even using it yet.