Bug 153939

Summary: [patch] security/sudo: fix CVE-2011-0010
Product: Ports & Packages Reporter: Eygene Ryabinkin <rea>
Component: Individual Port(s)Assignee: Wesley Shields <wxs>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: Latest   
Hardware: Any   
OS: Any   

Description Eygene Ryabinkin freebsd_committer freebsd_triage 2011-01-12 21:20:08 UTC 
CVE-2011-0010 was just issued, but the real description of the
problem is available at the Debian's bug tracker [1].

To be short, if sudoers have explicit group list in the Runas
specification, 'sudo -g <GROUP> <CMD>' for the allowed <GROUP>
and <CMD> will not ask for the password.

Fix: The following patch fixes the problem:


It works on my test machines and Tinderbox builds are also fine:
 - http://gpf.codelabs.ru/tb-logs/mine-7/sudo-1.7.4.4_2.log
 - http://gpf.codelabs.ru/tb-logs/mine-8/sudo-1.7.4.4_2.log
 - http://gpf.codelabs.ru/tb-logs/mine-9/sudo-1.7.4.4_2.log


The following VuXML entry should be evaluated and added:
  <vuln vid="908f4cf2-1e8b-11e0-a587-001b77d09812">
    <topic>sudo -- local privilege escalation</topic>
    <affects>
      <package>
	<name>sudo</name>
	<range><lt>1.7.4.4_2</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>When sudoers database has entries with the list of groups
	  in the Runas_Spec block, users for which these entries
	  permit to run commands may execute them with credentials of
	  these groups, but without any password propts using command
	  &quot;sudo -g &lt;GROUP&gt; &lt;CMD&gt;&quot;.</p>
      </body>
    </description>
    <references>
      <cvename>CVE-2011-0010</cvename>
      <url>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=609641</url>
      <url>http://www.sudo.ws/repos/sudo/rev/fe8a94f96542</url>
    </references>
    <dates>
      <discovery>2011-01-11</discovery>
      <entry>TODAY</entry>
    </dates>
  </vuln>
--- vuln.xml ends here ---
I had sent it for the review to Remko Lodder, but your (and anyone's)
comments are welcome.--kxzr3ybnDG4mHCFyWHGhbFtVRHpWBQiRaIcmnUdPSh8DhPEE
Content-Type: text/plain; name="fix-CVE-2011-0010.diff"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="fix-CVE-2011-0010.diff"

From 860a164877887ac1f36a136870f6795ce8f1dc0d Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Date: Wed, 12 Jan 2011 23:24:11 +0300

Prior to this patch sudo allowed users to change groups
without asking for password.

Look-at: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=609641
Look-at: http://www.sudo.ws/repos/sudo/raw-rev/fe8a94f96542
Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
---
 security/sudo/Makefile                  |    2 +-
 security/sudo/files/patch-cve-2011-0010 |   28 ++++++++++++++++++++++++++++
 2 files changed, 29 insertions(+), 1 deletions(-)
 create mode 100644 security/sudo/files/patch-cve-2011-0010

diff --git a/security/sudo/Makefile b/security/sudo/Makefile
index 198a8a6..79757af 100644
--- a/security/sudo/Makefile
+++ b/security/sudo/Makefile
@@ -7,7 +7,7 @@
 
 PORTNAME=	sudo
 PORTVERSION=	1.7.4.4
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	security
 MASTER_SITES=	http://www.sudo.ws/sudo/dist/ \
 		http://www.signal42.com/mirrors/sudo_ftp/ \
diff --git a/security/sudo/files/patch-cve-2011-0010 b/security/sudo/files/patch-cve-2011-0010
new file mode 100644
index 0000000..06696e2
--- /dev/null
+++ b/security/sudo/files/patch-cve-2011-0010
@@ -0,0 +1,28 @@
+
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller@courtesan.com>
+# Date 1294760019 18000
+# Node ID fe8a94f96542335c02d09fba81077c1dcc6381b5
+# Parent  8f9303326db73a2e00cd53c2515db8188386cfc0
+If the user is running sudo as himself but as a different group we
+need to prompt for a password.
+
+diff -r 8f9303326db7 -r fe8a94f96542 check.c
+--- check.c	Mon Jan 10 10:28:59 2011 -0500
++++ check.c	Tue Jan 11 10:33:39 2011 -0500
+@@ -120,7 +120,13 @@
+     if (ISSET(mode, MODE_INVALIDATE)) {
+ 	SET(validated, FLAG_CHECK_USER);
+     } else {
+-	if (user_uid == 0 || user_uid == runas_pw->pw_uid || user_is_exempt())
++	/*
++	 * Don't prompt for the root passwd or if the user is exempt.
++	 * If the user is not changing uid/gid, no need for a password.
++	 */
++	if (user_uid == 0 || (user_uid == runas_pw->pw_uid &&
++	    (!runas_gr || user_in_group(sudo_user.pw, runas_gr->gr_name))) ||
++	    user_is_exempt())
+ 	    return;
+     }
+ 
+
-- 
1.7.3.4
How-To-Repeat: 
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=609641
[2] http://www.sudo.ws/repos/sudo/rev/fe8a94f96542

Here's the transcript of my test session with old and updated
port:
{{{
[prior to patching]
$ sudo -k && sudo -g kmem id
uid=1001(rea) gid=1001(rea) egid=2(kmem) groups=2(kmem),<bunch of>
[after patching]
$ sudo -k && sudo -g kmem id
Password:
uid=1001(rea) gid=1001(rea) egid=2(kmem) groups=2(kmem),<bunch of>
[vanilla id output]
$ id
uid=1001(rea) gid=1001(rea) groups=1001(rea),<bunch of>
}}}

In sudoers I have '(ALL:ALL)' as the Runas specification.
Comment 1 Edwin Groothuis freebsd_committer freebsd_triage 2011-01-12 21:20:47 UTC 
Responsible Changed
From-To: freebsd-ports-bugs->wxs

Over to maintainer (via the GNATS Auto Assign Tool)
Comment 2 Eygene Ryabinkin freebsd_committer freebsd_triage 2011-01-12 22:11:10 UTC 
Todd Miller just issued advisory, so I redid the VuXML entry.
Now it is available at
  http://codelabs.ru/fbsd/vuxml/sudo-cve-2011-0010.xml

Also Todd said that 1.7.4p5 is available,
  http://www.openwall.com/lists/oss-security/2011/01/12/3
-- 
Eygene Ryabinkin                                        ,,,^..^,,,
[ Life's unfair - but root password helps!           | codelabs.ru ]
[ 82FE 06BC D497 C0DE 49EC  4FF0 16AF 9EAE 8152 ECFB | freebsd.org ]
Comment 3 dfilter service freebsd_committer freebsd_triage 2011-01-13 14:09:29 UTC 
rea         2011-01-13 14:09:25 UTC

  FreeBSD ports repository

  Modified files:
    security/vuxml       vuln.xml 
  Log:
  security/sudo: document privilege escalation, CVE-2011-0010
  
  PR: 153939
  Approved by: delphij (secteam), erwin (mentor)
  Feature safe: yes
  
  Revision  Changes    Path
  1.2277    +34 -1     ports/security/vuxml/vuln.xml
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
Comment 4 dfilter service freebsd_committer freebsd_triage 2011-01-13 20:00:28 UTC 
wxs         2011-01-13 20:00:11 UTC

  FreeBSD ports repository

  Modified files:
    security/sudo        Makefile distinfo 
  Log:
  Update to 1.7.4p5.
  
  Special thanks to rea@ for commiting the appropriate VuXML for me. :)
  
  PR:             ports/153939
  Submitted by:   rea@
  Security:       908f4cf2-1e8b-11e0-a587-001b77d09812
  Feature safe:   yes
  
  Revision  Changes    Path
  1.121     +2 -3      ports/security/sudo/Makefile
  1.70      +2 -3      ports/security/sudo/distinfo
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
Comment 5 Wesley Shields freebsd_committer freebsd_triage 2011-01-13 20:00:59 UTC 
State Changed
From-To: open->closed

Committed. Thanks!