Date: Wed, 16 Jan 2002 19:20:30 -0500 (EST) From: Hassan Halta <hassan@cs.earlham.edu> To: <freebsd-questions@freebsd.org> Subject: Re: Sudo v 1.6.4.1 Message-ID: <20020116191752.Q13072-100000@quark.cs.earlham.edu>
next in thread | raw e-mail | index | archive | help
Hi all,
I just got email forwarded below about sudo, but when I try to get the new
version from the following path:
"/pub/FreeBSD/ports/i386/packages-4-stable/security" which is said in the
email, it doesn't appear to have the new version of sudo as indecated.
However, it still has 1.6.3.7
Anyone has the same problem?
Thanks,
Hassan
---------- Forwarded message ----------
Date: Wed, 16 Jan 2002 15:15:33 -0800 (PST)
From: FreeBSD Security Advisories <security-advisories@FreeBSD.ORG>
To: FreeBSD Security Advisories <security-advisories@FreeBSD.ORG>
Subject: FreeBSD Ports Security Advisory FreeBSD-SA-02:06.sudo
-----BEGIN PGP SIGNED MESSAGE-----
=============================================================================
FreeBSD-SA-02:06 Security Advisory
FreeBSD, Inc.
Topic: sudo port may enable local privilege escalation
Category: ports
Module: sudo
Announced: 2002-01-16
Credits: Sebastian Krahmer <krahmer@suse.de>
Affects: Ports collection prior to the correction date
Corrected: 2002-01-15 02:56:33 UTC
FreeBSD only: NO
I. Background
Sudo is a program designed to allow a sysadmin to give limited root
privileges to users and log root activity.
II. Problem Description
The sudo port, versions prior to sudo-1.6.4.1, contains a
vulnerability that may allow a local user to obtain superuser
privileges.
If a user who has not been authorized by the system administrator
(listed in the `sudoers' file) attempts to use sudo, sudo will send an
email alert. When it does so, it invokes the system mailer with
superuser privileges, and with most of the user's environment intact.
The sudo port is not installed by default, nor is it "part of
FreeBSD" as such: it is part of the FreeBSD ports collection, which
contains over 6000 third-party applications in a ready-to-install
format. The ports collection shipped with FreeBSD 4.4 contains this
problem since it was discovered after the release.
FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.
III. Impact
If the system mailer's behavior can be influenced by the settings of
environmental variables, then an attacker may obtain superuser
privileges. There is at least one mailer (postfix) that can be
influenced in this fashion.
IV. Workaround
1) Deinstall the sudo port/package if you have it installed.
V. Solution
1) Upgrade your entire ports collection and rebuild the port.
2) Deinstall the old package and install a new package dated after the
correction date, obtained from the following directories:
[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/sudo-1.6.4.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/security/sudo-1.6.4.1.tgz
[alpha]
Packages are not automatically generated for the alpha architecture at
this time due to lack of build resources.
NOTE: It may be several days before updated packages are available.
3) Download a new port skeleton for the sudo port from:
http://www.freebsd.org/ports/
and use it to rebuild the port.
4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in the FreeBSD ports collection.
Path Revision
- -------------------------------------------------------------------------
ports/security/sudo/Makefile 1.43
ports/security/sudo/distinfo 1.26
- -------------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org
iQCVAwUBPEYIq1UuHi5z0oilAQEgTAP/YXD+lSngGwbloUn09xvwgn8i5uGaEX5O
Rj1v7XM3HRT/Gmr1CJiK7LtMbj/iilHzC2YiTAUHyxYzdEU7k9SnLgxK6rcSYNql
5wkYL1asHQhFPYejEqQVPKejrr4L/+/bYmQbkLKc9EMdErnhYoNrw6QbN+XvmO6p
oAzSK07ixi4=
=rmb8
-----END PGP SIGNATURE-----
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020116191752.Q13072-100000>