Created attachment 221945 [details] Update sudo to 1.9.5p2 (text/plain) Sudo version 1.9.5p2 is now available which fixes CVE-2021-3156 (aka Baron Samedit), a severe security vulnerability in sudo versions 1.8.2 through 1.9.5p1. For more details, see: https://www.sudo.ws/alerts/unescape_overflow.html https://www.openwall.com/lists/oss-security/2021/01/26/3 Source: https://www.sudo.ws/dist/sudo-1.9.5p2.tar.gz ftp://ftp.sudo.ws/pub/sudo/sudo-1.9.5p2.tar.gz SHA256 539e2ef43c8a55026697fb0474ab6a925a11206b5aa58710cb42a0e1c81f0978 MD5 e6bc4c18c06346e6b3431637a2b5f3d5 Patch: https://www.sudo.ws/dist/sudo-1.9.5p2.patch.gz ftp://ftp.sudo.ws/pub/sudo/sudo-1.9.5p2.patch.gz SHA256 0dd80809c4061670a0b393445b2807be452caf5d5988f279e736040cef1c14dc MD5 2816f5fa537c61fb913046ef20b88e3b Binary packages: https://www.sudo.ws/download.html#binary https://github.com/sudo-project/sudo/releases/tag/SUDO_1_9_5p2 For a list of download mirror sites, see: https://www.sudo.ws/download_mirrors.html Sudo web site: https://www.sudo.ws/ Sudo web site mirrors: https://www.sudo.ws/mirrors.html Major changes between sudo 1.9.5p2 and 1.9.5p1 * Fixed sudo's setprogname(3) emulation on systems that don't provide it. * Fixed a problem with the sudoers log server client where a partial write to the server could result the sudo process consuming large amounts of CPU time due to a cycle in the buffer queue. Bug #954. * Added a missing dependency on libsudo_util in libsudo_eventlog. Fixes a link error when building sudo statically. * The user's KRB5CCNAME environment variable is now preserved when performing PAM authentication. This fixes GSSAPI authentication when the user has a non-default ccache. * When invoked as sudoedit, the same set of command line options are now accepted as for "sudo -e". The -H and -P options are now rejected for sudoedit and "sudo -e" which matches the sudo 1.7 behavior. This is part of the fix for CVE-2021-3156. * Fixed a potential buffer overflow when unescaping backslashes in the command's arguments. Normally, sudo escapes special characters when running a command via a shell (sudo -s or sudo -i). However, it was also possible to run sudoedit with the -s or -i flags in which case no escaping had actually been done, making a buffer overflow possible. This fixes CVE-2021-3156. Major changes between sudo 1.9.5p1 and 1.9.5 * Fixed a regression introduced in sudo 1.9.5 where the editor run by sudoedit was set-user-ID root unless SELinux RBAC was in use. The editor is now run with the user's real and effective user-IDs. Major changes between sudo 1.9.5 and 1.9.4p2 * Fixed a crash introduced in 1.9.4 when running "sudo -i" as an unknown user. This is related to but distinct from Bug #948. * If the "lecture_file" setting is enabled in sudoers, it must now refer to a regular file or a symbolic link to a regular file. * Fixed a potential use-after-free bug in sudo_logsrvd when the server shuts down if there are existing connections from clients that are only logging events and not session I/O data. * Fixed a buffer size mismatch when serializing the list of IP addresses for configured network interfaces. This bug is not actually exploitable since the allocated buffer is large enough to hold the list of addresses. * If sudo is executed with a name other than "sudo" or "sudoedit", it will now fall back to "sudo" as the program name. This affects warning, help and usage messages as well as the matching of Debug lines in the /etc/sudo.conf file. Previously, it was possible for the invoking user to manipulate the program name by setting argv[0] to an arbitrary value when executing sudo. * Sudo now checks for failure when setting the close-on-exec flag on open file descriptors. This should never fail but, if it were to, there is the possibility of a file descriptor leak to a child process (such as the command sudo runs). * Fixed CVE-2021-23239, a potential information leak in sudoedit that could be used to test for the existence of directories not normally accessible to the user in certain circumstances. When creating a new file, sudoedit checks to make sure the parent directory of the new file exists before running the editor. However, a race condition exists if the invoking user can replace (or create) the parent directory. If a symbolic link is created in place of the parent directory, sudoedit will run the editor as long as the target of the link exists. If the target of the link does not exist, an error message will be displayed. The race condition can be used to test for the existence of an arbitrary directory. However, it _cannot_ be used to write to an arbitrary location. * Fixed CVE-2021-23240, a flaw in the temporary file handling of sudoedit's SELinux RBAC support. On systems where SELinux is enabled, a user with sudoedit permissions may be able to set the owner of an arbitrary file to the user-ID of the target user. On Linux kernels that support "protected symlinks", setting /proc/sys/fs/protected_symlinks to 1 will prevent the bug from being exploited. For more information see https://www.sudo.ws/alerts/sudoedit_selinux.html. * Added writability checks for sudoedit when SELinux RBAC is in use. This makes sudoedit behavior consistent regardless of whether or not SELinux RBAC is in use. Previously, the "sudoedit_checkdir" setting had no effect for RBAC entries. * A new sudoers option "selinux" can be used to disable sudo's SELinux RBAC support. * Quieted warnings from PVS Studio, clang analyzer, and cppcheck. Added suppression annotations for PVS Studio false positives. 2. (text/plain) ____________________________________________________________ sudo-announce mailing list <sudo-announce@sudo.ws> For list information, options, or to unsubscribe, visit: https://www.sudo.ws/mailman/listinfo/sudo-announce
See https://reviews.freebsd.org/D28363 to resolve two CVEs.
A commit references this bug: Author: cy Date: Tue Jan 26 20:15:31 UTC 2021 New revision: 562997 URL: https://svnweb.freebsd.org/changeset/ports/562997 Log: security/sudo - update 1.9.5p1 to 1.9.5p2 (text/plain) Sudo version 1.9.5p2 is now available which fixes CVE-2021-3156 (aka Baron Samedit), a severe security vulnerability in sudo versions 1.8.2 through 1.9.5p1. For more details, see: https://www.sudo.ws/alerts/unescape_overflow.html https://www.openwall.com/lists/oss-security/2021/01/26/3 Source: https://www.sudo.ws/dist/sudo-1.9.5p2.tar.gz ftp://ftp.sudo.ws/pub/sudo/sudo-1.9.5p2.tar.gz SHA256 539e2ef43c8a55026697fb0474ab6a925a11206b5aa58710cb42a0e1c81f0978 MD5 e6bc4c18c06346e6b3431637a2b5f3d5 Patch: https://www.sudo.ws/dist/sudo-1.9.5p2.patch.gz ftp://ftp.sudo.ws/pub/sudo/sudo-1.9.5p2.patch.gz SHA256 0dd80809c4061670a0b393445b2807be452caf5d5988f279e736040cef1c14dc MD5 2816f5fa537c61fb913046ef20b88e3b Binary packages: https://www.sudo.ws/download.html#binary https://github.com/sudo-project/sudo/releases/tag/SUDO_1_9_5p2 For a list of download mirror sites, see: https://www.sudo.ws/download_mirrors.html Sudo web site: https://www.sudo.ws/ Sudo web site mirrors: https://www.sudo.ws/mirrors.html Major changes between sudo 1.9.5p2 and 1.9.5p1 * Fixed sudo's setprogname(3) emulation on systems that don't provide it. * Fixed a problem with the sudoers log server client where a partial write to the server could result the sudo process consuming large amounts of CPU time due to a cycle in the buffer queue. Bug #954. * Added a missing dependency on libsudo_util in libsudo_eventlog. Fixes a link error when building sudo statically. * The user's KRB5CCNAME environment variable is now preserved when performing PAM authentication. This fixes GSSAPI authentication when the user has a non-default ccache. * When invoked as sudoedit, the same set of command line options are now accepted as for "sudo -e". The -H and -P options are now rejected for sudoedit and "sudo -e" which matches the sudo 1.7 behavior. This is part of the fix for CVE-2021-3156. * Fixed a potential buffer overflow when unescaping backslashes in the command's arguments. Normally, sudo escapes special characters when running a command via a shell (sudo -s or sudo -i). However, it was also possible to run sudoedit with the -s or -i flags in which case no escaping had actually been done, making a buffer overflow possible. This fixes CVE-2021-3156. Major changes between sudo 1.9.5p1 and 1.9.5 * Fixed a regression introduced in sudo 1.9.5 where the editor run by sudoedit was set-user-ID root unless SELinux RBAC was in use. The editor is now run with the user's real and effective user-IDs. Major changes between sudo 1.9.5 and 1.9.4p2 * Fixed a crash introduced in 1.9.4 when running "sudo -i" as an unknown user. This is related to but distinct from Bug #948. * If the "lecture_file" setting is enabled in sudoers, it must now refer to a regular file or a symbolic link to a regular file. * Fixed a potential use-after-free bug in sudo_logsrvd when the server shuts down if there are existing connections from clients that are only logging events and not session I/O data. * Fixed a buffer size mismatch when serializing the list of IP addresses for configured network interfaces. This bug is not actually exploitable since the allocated buffer is large enough to hold the list of addresses. * If sudo is executed with a name other than "sudo" or "sudoedit", it will now fall back to "sudo" as the program name. This affects warning, help and usage messages as well as the matching of Debug lines in the /etc/sudo.conf file. Previously, it was possible for the invoking user to manipulate the program name by setting argv[0] to an arbitrary value when executing sudo. * Sudo now checks for failure when setting the close-on-exec flag on open file descriptors. This should never fail but, if it were to, there is the possibility of a file descriptor leak to a child process (such as the command sudo runs). * Fixed CVE-2021-23239, a potential information leak in sudoedit that could be used to test for the existence of directories not normally accessible to the user in certain circumstances. When creating a new file, sudoedit checks to make sure the parent directory of the new file exists before running the editor. However, a race condition exists if the invoking user can replace (or create) the parent directory. If a symbolic link is created in place of the parent directory, sudoedit will run the editor as long as the target of the link exists. If the target of the link does not exist, an error message will be displayed. The race condition can be used to test for the existence of an arbitrary directory. However, it _cannot_ be used to write to an arbitrary location. * Fixed CVE-2021-23240, a flaw in the temporary file handling of sudoedit's SELinux RBAC support. On systems where SELinux is enabled, a user with sudoedit permissions may be able to set the owner of an arbitrary file to the user-ID of the target user. On Linux kernels that support "protected symlinks", setting /proc/sys/fs/protected_symlinks to 1 will prevent the bug from being exploited. For more information see https://www.sudo.ws/alerts/sudoedit_selinux.html. * Added writability checks for sudoedit when SELinux RBAC is in use. This makes sudoedit behavior consistent regardless of whether or not SELinux RBAC is in use. Previously, the "sudoedit_checkdir" setting had no effect for RBAC entries. * A new sudoers option "selinux" can be used to disable sudo's SELinux RBAC support. * Quieted warnings from PVS Studio, clang analyzer, and cppcheck. Added suppression annotations for PVS Studio false positives. PR: 253034 Submitted by: cy Reported by: cy Reviewed by: emaste Approved by: emaste MFH: 2020Q1 Security: CVE-2021-3156, CVE-2021-3156 Differential Revision: https://reviews.freebsd.org/D28363 Changes: head/security/sudo/Makefile head/security/sudo/distinfo
A commit references this bug: Author: cy Date: Tue Jan 26 20:28:56 UTC 2021 New revision: 562998 URL: https://svnweb.freebsd.org/changeset/ports/562998 Log: Document sudo CVE-2021-3156. * When invoked as sudoedit, the same set of command line options are now accepted as for "sudo -e". The -H and -P options are now rejected for sudoedit and "sudo -e" which matches the sudo 1.7 behavior. This is part of the fix for CVE-2021-3156. * Fixed a potential buffer overflow when unescaping backslashes in the command's arguments. Normally, sudo escapes special characters when running a command via a shell (sudo -s or sudo -i). However, it was also possible to run sudoedit with the -s or -i flags in which case no escaping had actually been done, making a buffer overflow possible. This fixes CVE-2021-3156. PR: 253034 Reported by: "Todd C. Miller" <Todd.Miller@sudo.ws> via mailing list emaste Obtained from: sudo Changes: head/security/vuxml/vuln.xml
jmg@ via emaste@ requested this be fixed sooner due to its severity.
A commit references this bug: Author: cy Date: Tue Jan 26 20:40:58 UTC 2021 New revision: 563000 URL: https://svnweb.freebsd.org/changeset/ports/563000 Log: MFH: r562997 security/sudo - update 1.9.5p1 to 1.9.5p2 (text/plain) Sudo version 1.9.5p2 is now available which fixes CVE-2021-3156 (aka Baron Samedit), a severe security vulnerability in sudo versions 1.8.2 through 1.9.5p1. For more details, see: https://www.sudo.ws/alerts/unescape_overflow.html https://www.openwall.com/lists/oss-security/2021/01/26/3 Source: https://www.sudo.ws/dist/sudo-1.9.5p2.tar.gz ftp://ftp.sudo.ws/pub/sudo/sudo-1.9.5p2.tar.gz SHA256 539e2ef43c8a55026697fb0474ab6a925a11206b5aa58710cb42a0e1c81f0978 MD5 e6bc4c18c06346e6b3431637a2b5f3d5 Patch: https://www.sudo.ws/dist/sudo-1.9.5p2.patch.gz ftp://ftp.sudo.ws/pub/sudo/sudo-1.9.5p2.patch.gz SHA256 0dd80809c4061670a0b393445b2807be452caf5d5988f279e736040cef1c14dc MD5 2816f5fa537c61fb913046ef20b88e3b Binary packages: https://www.sudo.ws/download.html#binary https://github.com/sudo-project/sudo/releases/tag/SUDO_1_9_5p2 For a list of download mirror sites, see: https://www.sudo.ws/download_mirrors.html Sudo web site: https://www.sudo.ws/ Sudo web site mirrors: https://www.sudo.ws/mirrors.html Major changes between sudo 1.9.5p2 and 1.9.5p1 * Fixed sudo's setprogname(3) emulation on systems that don't provide it. * Fixed a problem with the sudoers log server client where a partial write to the server could result the sudo process consuming large amounts of CPU time due to a cycle in the buffer queue. Bug #954. * Added a missing dependency on libsudo_util in libsudo_eventlog. Fixes a link error when building sudo statically. * The user's KRB5CCNAME environment variable is now preserved when performing PAM authentication. This fixes GSSAPI authentication when the user has a non-default ccache. * When invoked as sudoedit, the same set of command line options are now accepted as for "sudo -e". The -H and -P options are now rejected for sudoedit and "sudo -e" which matches the sudo 1.7 behavior. This is part of the fix for CVE-2021-3156. * Fixed a potential buffer overflow when unescaping backslashes in the command's arguments. Normally, sudo escapes special characters when running a command via a shell (sudo -s or sudo -i). However, it was also possible to run sudoedit with the -s or -i flags in which case no escaping had actually been done, making a buffer overflow possible. This fixes CVE-2021-3156. Major changes between sudo 1.9.5p1 and 1.9.5 * Fixed a regression introduced in sudo 1.9.5 where the editor run by sudoedit was set-user-ID root unless SELinux RBAC was in use. The editor is now run with the user's real and effective user-IDs. Major changes between sudo 1.9.5 and 1.9.4p2 * Fixed a crash introduced in 1.9.4 when running "sudo -i" as an unknown user. This is related to but distinct from Bug #948. * If the "lecture_file" setting is enabled in sudoers, it must now refer to a regular file or a symbolic link to a regular file. * Fixed a potential use-after-free bug in sudo_logsrvd when the server shuts down if there are existing connections from clients that are only logging events and not session I/O data. * Fixed a buffer size mismatch when serializing the list of IP addresses for configured network interfaces. This bug is not actually exploitable since the allocated buffer is large enough to hold the list of addresses. * If sudo is executed with a name other than "sudo" or "sudoedit", it will now fall back to "sudo" as the program name. This affects warning, help and usage messages as well as the matching of Debug lines in the /etc/sudo.conf file. Previously, it was possible for the invoking user to manipulate the program name by setting argv[0] to an arbitrary value when executing sudo. * Sudo now checks for failure when setting the close-on-exec flag on open file descriptors. This should never fail but, if it were to, there is the possibility of a file descriptor leak to a child process (such as the command sudo runs). * Fixed CVE-2021-23239, a potential information leak in sudoedit that could be used to test for the existence of directories not normally accessible to the user in certain circumstances. When creating a new file, sudoedit checks to make sure the parent directory of the new file exists before running the editor. However, a race condition exists if the invoking user can replace (or create) the parent directory. If a symbolic link is created in place of the parent directory, sudoedit will run the editor as long as the target of the link exists. If the target of the link does not exist, an error message will be displayed. The race condition can be used to test for the existence of an arbitrary directory. However, it _cannot_ be used to write to an arbitrary location. * Fixed CVE-2021-23240, a flaw in the temporary file handling of sudoedit's SELinux RBAC support. On systems where SELinux is enabled, a user with sudoedit permissions may be able to set the owner of an arbitrary file to the user-ID of the target user. On Linux kernels that support "protected symlinks", setting /proc/sys/fs/protected_symlinks to 1 will prevent the bug from being exploited. For more information see https://www.sudo.ws/alerts/sudoedit_selinux.html. * Added writability checks for sudoedit when SELinux RBAC is in use. This makes sudoedit behavior consistent regardless of whether or not SELinux RBAC is in use. Previously, the "sudoedit_checkdir" setting had no effect for RBAC entries. * A new sudoers option "selinux" can be used to disable sudo's SELinux RBAC support. * Quieted warnings from PVS Studio, clang analyzer, and cppcheck. Added suppression annotations for PVS Studio false positives. PR: 253034 Submitted by: cy Reported by: cy Reviewed by: emaste Approved by: emaste Approved by: ports-secteam (delphij) Security: CVE-2021-3156, CVE-2021-3156 Differential Revision: https://reviews.freebsd.org/D28363 Changes: _U branches/2021Q1/ branches/2021Q1/security/sudo/Makefile branches/2021Q1/security/sudo/distinfo
Hello. Failed to build this port on FreeBSD 12.2-p1. pkg system does not contain 1.9.5-p2 and port build fails. [root@xxx /usr/ports/security/sudo]# portupgrade sudo [Reading data from pkg(8) ... - 484 packages found - done] ---> Upgrading 'sudo-1.9.5p1' to 'sudo-1.9.5p2' (security/sudo) ---> Building '/usr/ports/security/sudo' ===> Cleaning for sudo-1.9.5p2 ===> License sudo accepted by the user ===> sudo-1.9.5p2 depends on file: /usr/local/sbin/pkg - found ===> Fetching all distfiles required by sudo-1.9.5p2 for building ===> Extracting for sudo-1.9.5p2 => SHA256 Checksum OK for sudo-1.9.5p2.tar.gz. ===> Patching for sudo-1.9.5p2 ===> Applying FreeBSD patches for sudo-1.9.5p2 from /usr/ports/security/sudo/files ===> sudo-1.9.5p2 depends on executable: msgfmt - found ===> sudo-1.9.5p2 depends on shared library: libintl.so - found (/usr/local/lib/libintl.so) ===> Configuring for sudo-1.9.5p2 configure: loading site script /usr/ports/Templates/config.site configure: Configuring Sudo version 1.9.5p2 checking for gcc... cc checking whether the C compiler works... yes checking for C compiler default output file name... a.out checking for suffix of executables... checking whether we are cross compiling... no checking for suffix of object files... o checking whether we are using the GNU C compiler... yes checking whether cc accepts -g... yes checking for cc option to accept ISO C89... unsupported checking how to run the C preprocessor... cpp checking for grep that handles long lines and -e... (cached) /usr/bin/grep checking for egrep... (cached) /usr/bin/egrep checking for ANSI C header files... (cached) yes checking for sys/types.h... (cached) yes checking for sys/stat.h... (cached) yes checking for stdlib.h... (cached) yes checking for string.h... (cached) yes checking for memory.h... (cached) yes checking for strings.h... (cached) yes checking for inttypes.h... (cached) yes checking for stdint.h... (cached) yes checking for unistd.h... (cached) yes checking for minix/config.h... (cached) no checking whether it is safe to define __EXTENSIONS__... no checking whether to use a two line prompt for OTP authentication... yes checking whether to lecture users the first time they run sudo... yes checking whether sudo should log via syslog or to a file by default... syslog checking at which syslog priority to log commands... notice checking at which syslog priority to log failures... alert checking how long a line in the log file should be... 80 checking whether sudo should ignore '.' or '' in $PATH... yes checking whether to send mail when a user is not in sudoers... yes checking whether to send mail when user listed but not for this host... no checking whether to send mail when a user tries a disallowed command... no checking who should get the mail that sudo sends... root checking for bad password prompt... Password: checking for bad password message... Sorry, try again. checking whether to expect fully qualified hosts in sudoers... no checking for umask programs should be run with... 0022 checking for default user to run commands as... root checking for editor that visudo should use... vi checking whether to obey EDITOR and VISUAL environment variables... yes checking number of tries a user gets to enter their password... 3 checking time in minutes after which sudo will ask for a password again... 5 checking time in minutes after the password prompt will time out... 5 checking whether to include insults... no checking whether to override the user's path... no checking whether to get ip addresses from the network interfaces... yes checking whether to use an askpass helper... no checking whether to do user authentication by default... yes checking whether to disable running the mailer as root... no checking whether to disable shadow password support... no checking whether root should be allowed to use sudo... yes checking whether to log the hostname in the log file... no checking whether to invoke a shell if sudo is given no arguments... no checking whether to set $HOME to target user in shell mode... no checking whether to disable 'command not found' messages... no checking whether to enable environment debugging... no checking whether to enable environment resetting by default... yes checking how to run the C preprocessor... cpp checking for ar... ar checking for ranlib... ranlib configure: error: Sudo version 1.9.5p2 requires an ANSI C compiler to build. ===> Script "configure" failed unexpectedly. Please report the problem to garga@FreeBSD.org [maintainer] and attach the "/usr/ports/security/sudo/work/sudo-1.9.5p2/config.log" including the output of the failure of your make command. Also, it might be a good idea to provide an overview of all packages installed on your system (e.g. a /usr/local/sbin/pkg-static info -g -Ea). *** Error code 1 Stop. make[1]: stopped in /usr/ports/security/sudo *** Error code 1 Stop. make: stopped in /usr/ports/security/sudo ** Command failed [exit code 1]: /usr/bin/script -qa /tmp/portupgrade20210129-78151-2pkgoj env UPGRADE_TOOL=portupgrade UPGRADE_PORT=sudo-1.9.5p1 UPGRADE_PORT_VER=1.9.5p1 make ** Fix the problem and try again. ** Listing the failed packages (-:ignored / *:skipped / !:failed) ! security/sudo (sudo-1.9.5p1) (configure error)
This is a different issue and needs to be tracked under a different ticket. Can you open this under a new PR, please.