Bug 162750 - CAN-2004-1051, CAN-2004-1689, CAN-2005-1119, CAN-2005-1831, CAN-2005-1993 sudo issues
Status: CLOSED ERRATA
Alias: None
Product: Fedora Legacy
Classification: Retired
Component: sudo
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Fedora Legacy Bugs
URL: http://www.courtesan.com/sudo/alerts/...
Whiteboard: LEGACY, rh73, rh90, 1, 2
Duplicates: 165182 166940
Reported: 2005-07-08 09:50 UTC by Ward Wouts
Modified: 2007-04-18 17:29 UTC (History)

Doc Type: Bug Fix
Last Closed: 2006-02-24 00:04:56 UTC

Description Ward Wouts 2005-07-08 09:50:20 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050513 Fedora/1.0.4-1.3.1 Firefox/1.0.4

Description of problem:
http://www.courtesan.com/sudo/alerts/path_race.html describes a problem with sudo that, as far as I know, hasn't been fixed in Fedora Legacy.

Version-Release number of selected component (if applicable):


How reproducible:
Didn't try


Additional info:

Comment 1 Pekka Savola 2005-08-06 04:11:24 UTC
CAN-2004-1689  sudoedit (aka sudo -e) in sudo 1.6.8 opens a temporary file with
root privileges, which allows local users to read arbitrary files via a symlink
attack on the temporary file before quitting sudoedit.  

CAN-2005-1119  Sudo VISudo 1.6.8 and earlier allows local users to corrupt
arbitrary files via a symlink attack on temporary files.  

CAN-2005-1831  Sudo 1.6.8p7 on SuSE Linux 9.3, and possibly other Linux
distributions, allows local users to gain privileges by using sudo to call su,
then entering a blank password and hitting CTRL-C. NOTE: SuSE has not been able
to replicate this issue.  

CAN-2005-1993  Race condition in sudo 1.3.1 up to 1.6.8p8, when the ALL
pseudo-command is used after a user entry in the sudoers file, allows local
users to gain privileges via a symlink attack.  

...

RHEL has updated sudo to address CAN-2005-1993 (the bug being referred to above).

An FC2 fix for CAN-2004-1051 may also be needed.



Comment 2 Pekka Savola 2005-08-06 04:13:11 UTC
*** Bug 165182 has been marked as a duplicate of this bug. ***

Comment 3 Marc Bejarano 2005-08-23 17:03:33 UTC
could somebody add the CVE id's to the summary to assist in searching, please?

Comment 4 Pekka Savola 2005-08-28 16:44:38 UTC
*** Bug 166940 has been marked as a duplicate of this bug. ***

Comment 6 Marc Bejarano 2005-11-21 18:31:34 UTC
ward: CVE-2005-1993 has been a part of this bug for some time.  perhaps you are
talking about this recently discovered sudo bug:
http://www.sudo.ws/sudo/alerts/perl_env.html
?

Comment 7 Marc Deslauriers 2006-02-14 00:07:36 UTC
CVE-2004-1689 isn't applicable to any FL release.
CVE-2005-1119 is not a problem since /etc is not world-writeable.
CVE-2005-1831 cannot be reproduced.
CVE-2004-1051 won't be fixed by Red Hat, so it won't be fixed by FL.

Looks like CVE-2005-1993 is the only real issue here.
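
An added audit sketch, not part of this bug thread or of sudo: it flags a sudoers file whose layout matches the CAN-2005-1993 precondition quoted in Comment 1, read here as an entry granting ALL that appears later in the file than another user's command-restricted entry. The parser is deliberately simplified (no alias expansion, no multi-host `:` specifications); the sample sudoers text and the function names are constructed for illustration.

```python
import re

# Constructed sample sudoers text (not taken from the bug report).
SAMPLE = """\
Defaults env_reset
alice  ALL = /usr/bin/less /var/log/messages, /sbin/service httpd restart
%ops   ALL = (root) NOPASSWD: /sbin/shutdown
root   ALL = (ALL) ALL
"""
# Same rules with the ALL entry moved ahead of the restricted ones.
REORDERED = """\
root   ALL = (ALL) ALL
alice  ALL = /usr/bin/less /var/log/messages, /sbin/service httpd restart
%ops   ALL = (root) NOPASSWD: /sbin/shutdown
"""

def parse_entries(text):
    """Return [(who, grants_all)] for each user specification, in file order."""
    entries = []
    for line in re.sub(r"\\\n", " ", text).splitlines():  # join continuations
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if re.match(r"(Defaults|\w+_Alias)\b", line):
            continue
        lhs, rhs = line.split("=", 1)
        rhs = re.sub(r"\([^)]*\)", "", rhs)   # drop Runas lists such as (root)
        rhs = re.sub(r"\b[A-Z_]+:", "", rhs)  # drop tags such as NOPASSWD:
        cmds = [c.strip() for c in rhs.split(",")]
        entries.append((lhs.split()[0], "ALL" in cmds))
    return entries

def risky_ordering(text):
    """Pairs (restricted_user, all_user) where the ALL entry comes later."""
    findings, restricted = [], []
    for who, grants_all in parse_entries(text):
        if grants_all:
            findings += [(r, who) for r in restricted if r != who]
        else:
            restricted.append(who)
    return findings

if __name__ == "__main__":
    for label, text in (("SAMPLE", SAMPLE), ("REORDERED", REORDERED)):
        print(label, risky_ordering(text) or "no ALL entry after a restricted one")
```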

Comment 8 Marc Deslauriers 2006-02-16 04:11:21 UTC
Here are updated sudo packages to QA:

Changelog:
* Mon Feb 13 2006 Marc Deslauriers <marcdeslauriers@videotron.ca> 1.6.5p2-2.3.legacy
- Fix CVE-2005-1993 sudo trusted user arbitrary command execution

http://www.infostrategique.com/linuxrpms/legacy/sudo-1.6.5p2-2.3.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/sudo-1.6.6-3.3.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/sudo-1.6.7p5-2.3.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/sudo-1.6.7p5-26.1.legacy.src.rpm

Comment 9 Pekka Savola 2006-02-16 05:34:24 UTC
The URLs were wrong, but I could figure out where to get them... :)

QA w/ rpm-build-compare.sh:
 - source integrity good
 - spec file changes minimal
 - patches verified to come from RHEL
 
+PUBLISH RHL73, RHL9, FC1, FC2
  
11d306d3d80c080be52b2fcbdd52f12addce3fca  sudo-1.6.5p2-2.3.legacy.src.rpm
7b29856659cfdb744148f25ce158cb6be34a1cbb  sudo-1.6.6-3.3.legacy.src.rpm
1976b320d505e565f869055745baf5cd09a77708  sudo-1.6.7p5-2.3.legacy.src.rpm
69c5f787fe1bf0b803f4c4fe616ab58b29aad249  sudo-1.6.7p5-26.1.legacy.src.rpm

Comment 10 Marc Deslauriers 2006-02-16 12:51:10 UTC
whoops! :)

Comment 11 Marc Deslauriers 2006-02-17 21:22:15 UTC
Packages were released to updates-testing

Comment 12 Pekka Savola 2006-02-18 06:44:01 UTC
Basic 2-week timeout per the new policy.

Comment 13 Donald Maner 2006-02-20 05:12:01 UTC
I performed QA on the following packages:

5eed8171a2be78f8a03de987b86220b1c8ecb9d4  sudo-1.6.5p2-2.3.legacy.i386.rpm
7a84e2d96bba56142ca8c6dec2603577e31b2072  sudo-1.6.6-3.3.legacy.i386.rpm
4e7b55e41c355e51b4cdd3a820a6d5c94df43fdc  sudo-1.6.7p5-2.3.legacy.i386.rpm
954a6e7098b7e86e7bc1f1532a72f8a3dab32380  sudo-1.6.7p5-26.2.legacy.i386.rpm

Installed fine.  Tested visudo to edit sudoers, and added username and group
name.  Successfully su'ed to root while listed as a user and tested as member
of a group.  sudo denied my attempts when not listed in sudoers.  All attempts 
successfully logged in /var/log/secure.

+VERIFY rh73,rh9,fc1,fc2


Comment 14 Pekka Savola 2006-02-20 05:34:31 UTC
Thanks!

Comment 15 Marc Deslauriers 2006-02-24 00:04:56 UTC
Packages were released.
