CVE-2011-0010 was just issued, but the real description of the problem is available at Debian's bug tracker [1]. To be short, if sudoers has an explicit group list in the Runas specification, 'sudo -g <GROUP> <CMD>' for the allowed <GROUP> and <CMD> will not ask for a password.

Fix: The following patch fixes the problem. It works on my test machines and Tinderbox builds are also fine:

- http://gpf.codelabs.ru/tb-logs/mine-7/sudo-1.7.4.4_2.log
- http://gpf.codelabs.ru/tb-logs/mine-8/sudo-1.7.4.4_2.log
- http://gpf.codelabs.ru/tb-logs/mine-9/sudo-1.7.4.4_2.log

The following VuXML entry should be evaluated and added:

<vuln vid="908f4cf2-1e8b-11e0-a587-001b77d09812">
  <topic>sudo -- local privilege escalation</topic>
  <affects>
    <package>
      <name>sudo</name>
      <range><lt>1.7.4.4_2</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>When the sudoers database has entries with the list of groups in the Runas_Spec block, users whom these entries permit to run commands may execute them with the credentials of these groups, but without any password prompts, using the command "sudo -g <GROUP> <CMD>".</p>
    </body>
  </description>
  <references>
    <cvename>CVE-2011-0010</cvename>
    <url>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=609641</url>
    <url>http://www.sudo.ws/repos/sudo/rev/fe8a94f96542</url>
  </references>
  <dates>
    <discovery>2011-01-11</discovery>
    <entry>TODAY</entry>
  </dates>
</vuln>
--- vuln.xml ends here ---

I had sent it for review to Remko Lodder, but your (and anyone's) comments are welcome.

Content-Type: text/plain; name="fix-CVE-2011-0010.diff"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="fix-CVE-2011-0010.diff"

From 860a164877887ac1f36a136870f6795ce8f1dc0d Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru> Date: Wed, 12 Jan 2011 23:24:11 +0300 Prior to this patch sudo allowed users to change groups without asking for password. Look-at: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=609641 Look-at: http://www.sudo.ws/repos/sudo/raw-rev/fe8a94f96542 Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru> --- security/sudo/Makefile | 2 +- security/sudo/files/patch-cve-2011-0010 | 28 ++++++++++++++++++++++++++++ 2 files changed, 29 insertions(+), 1 deletions(-) create mode 100644 security/sudo/files/patch-cve-2011-0010 diff --git a/security/sudo/Makefile b/security/sudo/Makefile index 198a8a6..79757af 100644 --- a/security/sudo/Makefile +++ b/security/sudo/Makefile @@ -7,7 +7,7 @@ PORTNAME= sudo PORTVERSION= 1.7.4.4 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= security MASTER_SITES= http://www.sudo.ws/sudo/dist/ \ http://www.signal42.com/mirrors/sudo_ftp/ \ diff --git a/security/sudo/files/patch-cve-2011-0010 b/security/sudo/files/patch-cve-2011-0010 new file mode 100644 index 0000000..06696e2 --- /dev/null +++ b/security/sudo/files/patch-cve-2011-0010 
@@ -0,0 +1,28 @@ + +# HG changeset patch +# User Todd C. Miller <Todd.Miller@courtesan.com> +# Date 1294760019 18000 +# Node ID fe8a94f96542335c02d09fba81077c1dcc6381b5 +# Parent 8f9303326db73a2e00cd53c2515db8188386cfc0 +If the user is running sudo as himself but as a different group we +need to prompt for a password. + +diff -r 8f9303326db7 -r fe8a94f96542 check.c +--- check.c Mon Jan 10 10:28:59 2011 -0500 ++++ check.c Tue Jan 11 10:33:39 2011 -0500 +@@ -120,7 +120,13 @@ + if (ISSET(mode, MODE_INVALIDATE)) { + SET(validated, FLAG_CHECK_USER); + } else { +- if (user_uid == 0 || user_uid == runas_pw->pw_uid || user_is_exempt()) ++ /* ++ * Don't prompt for the root passwd or if the user is exempt. ++ * If the user is not changing uid/gid, no need for a password. ++ */ ++ if (user_uid == 0 || (user_uid == runas_pw->pw_uid && ++ (!runas_gr || user_in_group(sudo_user.pw, runas_gr->gr_name))) || ++ user_is_exempt()) + return; + } + + -- 1.7.3.4

How-To-Repeat:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=609641
[2] http://www.sudo.ws/repos/sudo/rev/fe8a94f96542

Here's the transcript of my test session with the old and updated port:

{{{
[prior to patching]
$ sudo -k && sudo -g kmem id
uid=1001(rea) gid=1001(rea) egid=2(kmem) groups=2(kmem),<bunch of>

[after patching]
$ sudo -k && sudo -g kmem id
Password:
uid=1001(rea) gid=1001(rea) egid=2(kmem) groups=2(kmem),<bunch of>

[vanilla id output]
$ id
uid=1001(rea) gid=1001(rea) groups=1001(rea),<bunch of>
}}}

In sudoers I have '(ALL:ALL)' as the Runas specification.
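Review bot: The PORTREVISION bump from 1 to 2 in the security/sudo/Makefile hunk is the right response to adding files/patch-cve-2011-0010, since the built package changes without a PORTVERSION change; nothing else is needed in the Makefile, but the commit log for this change should carry a "Security:" line with the VuXML vid 908f4cf2-1e8b-11e0-a587-001b77d09812 so the port commit and the vuln.xml entry cross-reference each other (the later 1.7.4p5 commit on this PR does exactly that).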
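Review bot: The rewritten condition in the check.c hunk (files/patch-cve-2011-0010) closes the hole correctly: `user_uid == runas_pw->pw_uid` alone no longer suffices, and the prompt is skipped only when no -g was given (`!runas_gr`) or `user_in_group(sudo_user.pw, runas_gr->gr_name)` shows the invoker already holds that group, which is exactly the difference between the unpatched and patched runs in the transcript. One wording nit: the new comment says "Don't prompt for the root passwd", but the test is `user_uid == 0`, i.e. the invoking user is root, so "Don't prompt when invoked by root" would describe the code more precisely. Note also that `user_is_exempt()` still short-circuits the whole test, so exempt users keep a passwordless -g for groups they are not in; that is pre-existing behaviour, not something this hunk changes.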
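As an added illustration of what the check.c hunk changes (example code written for this page, not sudo's own source), here are the pre- and post-patch conditions of check_user() modelled in C over a constructed user table. The struct names, the prompts() helper and the users "rea" and "oper" are assumptions of the example; "rea" is set up to match the transcript (uid 1001, not a member of kmem), and the invocation mirrors sudo running the command as the invoking user, which is what -g without -u does.

```c
/*
 * Added example (not sudo's own code): a stand-alone model of the
 * check_user() predicate in sudo's check.c, before and after the
 * CVE-2011-0010 change (hg changeset fe8a94f96542).  The user table is
 * constructed for the example; real sudo reads passwd/group and fills
 * user_uid, runas_pw and runas_gr from the command line and sudoers.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for struct passwd plus the user's group list. */
struct model_user {
    const char *name;
    unsigned int uid;
    const char *groups[8];      /* NULL-terminated, primary group first */
};

/* The state check_user() looks at: sudo_user.pw/user_uid, runas_pw->pw_uid,
 * runas_gr (NULL unless -g was given) and user_is_exempt(). */
struct invocation {
    const struct model_user *user;
    unsigned int runas_uid;
    const char *runas_group;
    bool exempt;
};

/* Model of sudo's user_in_group(pw, name): is the user a member of the group? */
static bool user_in_group(const struct model_user *u, const char *gname)
{
    for (size_t i = 0; u->groups[i] != NULL; i++)
        if (strcmp(u->groups[i], gname) == 0)
            return true;
    return false;
}

/* Pre-patch test from check.c: runas_gr is never consulted, so
 * "sudo -g <group> cmd" as yourself skips the prompt for any group. */
bool password_required_old(const struct invocation *inv)
{
    if (inv->user->uid == 0 || inv->user->uid == inv->runas_uid || inv->exempt)
        return false;
    return true;
}

/* Post-patch test: staying the same uid only skips the prompt when no
 * group change was requested or the user already belongs to that group. */
bool password_required_new(const struct invocation *inv)
{
    if (inv->user->uid == 0 ||
        (inv->user->uid == inv->runas_uid &&
         (inv->runas_group == NULL || user_in_group(inv->user, inv->runas_group))) ||
        inv->exempt)
        return false;
    return true;
}

/* Constructed users: "rea" mirrors the transcript (uid 1001, not in kmem);
 * "oper" is a hypothetical account that already has kmem. */
const struct model_user rea  = { "rea",  1001, { "rea", NULL } };
const struct model_user oper = { "oper", 1002, { "oper", "kmem", NULL } };

/* Would "sudo [-g group] cmd", run by u and therefore as u, prompt under pred? */
bool prompts(bool (*pred)(const struct invocation *),
             const struct model_user *u, const char *group)
{
    struct invocation inv = { u, u->uid, group, false };
    return pred(&inv);
}

int main(void)
{
    printf("old: rea  -g kmem -> %s\n",
           prompts(password_required_old, &rea, "kmem") ? "Password:" : "no prompt");
    printf("new: rea  -g kmem -> %s\n",
           prompts(password_required_new, &rea, "kmem") ? "Password:" : "no prompt");
    printf("new: oper -g kmem -> %s\n",
           prompts(password_required_new, &oper, "kmem") ? "Password:" : "no prompt");
    return 0;
}
```

The old predicate returns "no prompt" for rea with -g kmem because only the uid is compared; the new one prompts her but still lets oper, who already holds kmem, through without a password, since no privilege is gained in that case.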
Responsible Changed From-To: freebsd-ports-bugs->wxs Over to maintainer (via the GNATS Auto Assign Tool)
Todd Miller just issued an advisory, so I redid the VuXML entry. Now it is available at http://codelabs.ru/fbsd/vuxml/sudo-cve-2011-0010.xml

Also Todd said that 1.7.4p5 is available, http://www.openwall.com/lists/oss-security/2011/01/12/3

--
Eygene Ryabinkin ,,,^..^,,,
[ Life's unfair - but root password helps! | codelabs.ru ]
[ 82FE 06BC D497 C0DE 49EC 4FF0 16AF 9EAE 8152 ECFB | freebsd.org ]
rea 2011-01-13 14:09:25 UTC
FreeBSD ports repository

Modified files:
  security/vuxml       vuln.xml
Log:
  security/sudo: document privilege escalation, CVE-2011-0010

  PR:           153939
  Approved by:  delphij (secteam), erwin (mentor)
  Feature safe: yes

Revision  Changes    Path
1.2277    +34 -1     ports/security/vuxml/vuln.xml
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
wxs 2011-01-13 20:00:11 UTC
FreeBSD ports repository

Modified files:
  security/sudo        Makefile distinfo
Log:
  Update to 1.7.4p5.

  Special thanks to rea@ for committing the appropriate VuXML for me. :)

  PR:           ports/153939
  Submitted by: rea@
  Security:     908f4cf2-1e8b-11e0-a587-001b77d09812
  Feature safe: yes

Revision  Changes    Path
1.121     +2 -3      ports/security/sudo/Makefile
1.70      +2 -3      ports/security/sudo/distinfo
State Changed From-To: open->closed Committed. Thanks!