Date:      Thu, 13 Jan 2011 00:15:42 +0300 (MSK)
From:      Eygene Ryabinkin <rea@freebsd.org>
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   ports/153939: [patch] security/sudo: fix CVE-2011-0010
Message-ID:  <20110112211542.48337DA81F@void.codelabs.ru>
Resent-Message-ID: <201101122120.p0CLK8ds025972@freefall.freebsd.org>


>Number:         153939
>Category:       ports
>Synopsis:       [patch] security/sudo: fix CVE-2011-0010
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jan 12 21:20:08 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 9.0-CURRENT amd64
>Organization:
Code Labs
>Environment:

System: FreeBSD 9.0-CURRENT amd64

>Description:

CVE-2011-0010 was just issued, but the real description of the
problem is available in Debian's bug tracker [1].

In short, if sudoers has an explicit group list in the Runas
specification, 'sudo -g <GROUP> <CMD>' for an allowed <GROUP>
and <CMD> will not ask for a password.

>How-To-Repeat:

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=609641
[2] http://www.sudo.ws/repos/sudo/rev/fe8a94f96542

Here's the transcript of my test session with old and updated
port:
{{{
[prior to patching]
$ sudo -k && sudo -g kmem id
uid=1001(rea) gid=1001(rea) egid=2(kmem) groups=2(kmem),<bunch of>
[after patching]
$ sudo -k && sudo -g kmem id
Password:
uid=1001(rea) gid=1001(rea) egid=2(kmem) groups=2(kmem),<bunch of>
[vanilla id output]
$ id
uid=1001(rea) gid=1001(rea) groups=1001(rea),<bunch of>
}}}

In sudoers I have '(ALL:ALL)' as the Runas specification.
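As an added example that is not part of this PR or of the sudo port: a small Python helper that checks whether an installed security/sudo package version falls inside the VuXML range proposed below (older than 1.7.4.4_2) and lists the sudoers Runas_Spec entries that name a group, since only those entries open the 'sudo -g' path described above. The sample sudoers text is constructed, and the version ordering is a simplified model of FreeBSD's (epoch, then version, then PORTREVISION), both assumptions of this example.

```python
import re

# Version range from the VuXML entry proposed in this PR: sudo < 1.7.4.4_2 is affected.
FIXED_VERSION = "1.7.4.4_2"

def parse_port_version(v):
    """Split a FreeBSD package version 'ver[_rev][,epoch]' into (epoch, parts, rev).
    Simplified ordering (assumption): numeric dot-components as ints, epoch wins, then rev."""
    epoch = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    rev = 0
    if "_" in v:
        v, r = v.rsplit("_", 1)
        rev = int(r)
    parts = tuple((0, int(p)) if p.isdigit() else (1, p) for p in v.split("."))
    return (epoch, parts, rev)

def is_affected(installed, fixed=FIXED_VERSION):
    """True if the installed package is older than the first fixed one."""
    return parse_port_version(installed) < parse_port_version(fixed)

# Runas_Spec with an explicit group part, e.g. (ALL:ALL) or (root:kmem).
# Entries without a group part, e.g. (ALL), do not allow 'sudo -g' at all.
RUNAS_GROUP_RE = re.compile(r"\(\s*([^:()]*?)\s*:\s*([^()]+?)\s*\)")

def runas_specs_with_groups(sudoers_text):
    """Return (line_no, runas_user, runas_group) for every Runas_Spec naming a group."""
    found = []
    for n, line in enumerate(sudoers_text.splitlines(), 1):
        line = line.split("#", 1)[0]  # drop comments
        for m in RUNAS_GROUP_RE.finditer(line):
            found.append((n, m.group(1), m.group(2)))
    return found

# Constructed sample sudoers, not taken from any real system.
SAMPLE_SUDOERS = """\
# constructed sample
root    ALL=(ALL) ALL
rea     ALL=(ALL:ALL) ALL
%wheel  ALL=(ALL) NOPASSWD: ALL
ops     ALL=(root:kmem) /usr/bin/id
"""

if __name__ == "__main__":
    print("1.7.4.4_1 affected:", is_affected("1.7.4.4_1"))
    for spec in runas_specs_with_groups(SAMPLE_SUDOERS):
        print("group Runas_Spec at line %d: (%s:%s)" % spec)
```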

>Fix:

The following patch fixes the problem:
--- fix-CVE-2011-0010.diff begins here ---
From 860a164877887ac1f36a136870f6795ce8f1dc0d Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Date: Wed, 12 Jan 2011 23:24:11 +0300

Prior to this patch sudo allowed users to change groups
without asking for password.

Look-at: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=609641
Look-at: http://www.sudo.ws/repos/sudo/raw-rev/fe8a94f96542
Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
---
 security/sudo/Makefile                  |    2 +-
 security/sudo/files/patch-cve-2011-0010 |   28 ++++++++++++++++++++++++++++
 2 files changed, 29 insertions(+), 1 deletions(-)
 create mode 100644 security/sudo/files/patch-cve-2011-0010

diff --git a/security/sudo/Makefile b/security/sudo/Makefile
index 198a8a6..79757af 100644
--- a/security/sudo/Makefile
+++ b/security/sudo/Makefile
@@ -7,7 +7,7 @@
 
 PORTNAME=	sudo
 PORTVERSION=	1.7.4.4
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	security
 MASTER_SITES=	http://www.sudo.ws/sudo/dist/ \
 		http://www.signal42.com/mirrors/sudo_ftp/ \
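Review bot: the PORTREVISION bump on the `-PORTREVISION=	1` / `+PORTREVISION=	2` lines is what makes existing installations rebuild with files/patch-cve-2011-0010, and it must stay in step with the `<lt>1.7.4.4_2</lt>` range in the proposed VuXML entry and the sudo-1.7.4.4_2 Tinderbox logs further down; if the revision changes before commit, update those two places as well.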
diff --git a/security/sudo/files/patch-cve-2011-0010 b/security/sudo/files/patch-cve-2011-0010
new file mode 100644
index 0000000..06696e2
--- /dev/null
+++ b/security/sudo/files/patch-cve-2011-0010
@@ -0,0 +1,28 @@
+
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller@courtesan.com>
+# Date 1294760019 18000
+# Node ID fe8a94f96542335c02d09fba81077c1dcc6381b5
+# Parent  8f9303326db73a2e00cd53c2515db8188386cfc0
+If the user is running sudo as himself but as a different group we
+need to prompt for a password.
+
+diff -r 8f9303326db7 -r fe8a94f96542 check.c
+--- check.c	Mon Jan 10 10:28:59 2011 -0500
++++ check.c	Tue Jan 11 10:33:39 2011 -0500
+@@ -120,7 +120,13 @@
+     if (ISSET(mode, MODE_INVALIDATE)) {
+ 	SET(validated, FLAG_CHECK_USER);
+     } else {
+-	if (user_uid == 0 || user_uid == runas_pw->pw_uid || user_is_exempt())
++	/*
++	 * Don't prompt for the root passwd or if the user is exempt.
++	 * If the user is not changing uid/gid, no need for a password.
++	 */
++	if (user_uid == 0 || (user_uid == runas_pw->pw_uid &&
++	    (!runas_gr || user_in_group(sudo_user.pw, runas_gr->gr_name))) ||
++	    user_is_exempt())
+ 	    return;
+     }
+ 
+
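Review bot: the new files/patch-cve-2011-0010 opens with an empty `+` line and closes with two blank lines; patch(1) takes the HG changeset header as harmless leading text, but the stray blank lines should be trimmed so the file follows the usual files/ patch layout. On the logic, the replacement condition skips the password only when `user_uid == runas_pw->pw_uid` and the target group is either unset (`!runas_gr`) or one the invoking user already belongs to (`user_in_group(sudo_user.pw, runas_gr->gr_name)`), so `sudo -g kmem` from a non-member now prompts, matching the test transcript above; since the upstream changeset is against the sudo development tree, the Tinderbox builds listed in this PR are the evidence that `runas_gr` and `user_in_group` exist in 1.7.4.4.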
-- 
1.7.3.4
--- fix-CVE-2011-0010.diff ends here ---
It works on my test machines and Tinderbox builds are also fine:
 - http://gpf.codelabs.ru/tb-logs/mine-7/sudo-1.7.4.4_2.log
 - http://gpf.codelabs.ru/tb-logs/mine-8/sudo-1.7.4.4_2.log
 - http://gpf.codelabs.ru/tb-logs/mine-9/sudo-1.7.4.4_2.log


The following VuXML entry should be evaluated and added:
--- vuln.xml begins here ---
  <vuln vid="908f4cf2-1e8b-11e0-a587-001b77d09812">
    <topic>sudo -- local privilege escalation</topic>
    <affects>
      <package>
	<name>sudo</name>
	<range><lt>1.7.4.4_2</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>When the sudoers database has entries with a list of groups
	  in the Runas_Spec block, users whom these entries permit to
	  run commands may execute them with the credentials of these
	  groups, but without any password prompt, using the command
	  &quot;sudo -g &lt;GROUP&gt; &lt;CMD&gt;&quot;.</p>
      </body>
    </description>
    <references>
      <cvename>CVE-2011-0010</cvename>
      <url>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=609641</url>
      <url>http://www.sudo.ws/repos/sudo/rev/fe8a94f96542</url>
    </references>
    <dates>
      <discovery>2011-01-11</discovery>
      <entry>TODAY</entry>
    </dates>
  </vuln>
--- vuln.xml ends here ---
I had sent it for review to Remko Lodder, but your (and anyone's)
comments are welcome.
>Release-Note:
>Audit-Trail:
>Unformatted:


