Date: Fri, 6 Feb 2009 17:25:49 +0300 (MSK) From: Eygene Ryabinkin <rea-fbsd@codelabs.ru> To: FreeBSD-gnats-submit@freebsd.org Subject: ports/131446: [patch] [vuxml] security/sudo: fix CVE-2009-0034 Message-ID: <20090206142549.8B8911711D@amnesiac.at.no.dns> Resent-Message-ID: <200902061430.n16EU4VV085205@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 131446 >Category: ports >Synopsis: [patch] [vuxml] security/sudo: fix CVE-2009-0034 >Confidential: no >Severity: critical >Priority: high >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Fri Feb 06 14:30:04 UTC 2009 >Closed-Date: >Last-Modified: >Originator: Eygene Ryabinkin >Release: FreeBSD 7.1-STABLE amd64 >Organization: Code Labs >Environment: System: FreeBSD 7.1-STABLE amd64 >Description: It was discovered, [1], that in certain system configurations that allow users to run commands as the members of some group, the backport error in sudo up to 1.9.6p20 was permitted these users to run commands as root. [1] http://www.gratisoft.us/pipermail/sudo-announce/2009-February/000085.html >How-To-Repeat: Insert the following rule to the sudoers, ----- user ALL=(%group) ALL ----- where 'user' is ordinary user, 'group' is the group for the user. And try 'sudo -L root COMMAND'. It will give me root with 1.9.6p17. >Fix: The following patch updates the current port to the 1.9.6p20 that has this bug fixed. I had tested the port for non-LDAP case -- works for me and fixes the issue. --- fix-CVE-2009-0034.diff begins here --- >From fbf8b6659e4ac2988f867b775c2fdac10fbdee7e Mon Sep 17 00:00:00 2001 From: Eygene Ryabinkin <rea-fbsd@codelabs.ru> Date: Fri, 6 Feb 2009 17:15:29 +0300 Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru> --- security/sudo/Makefile | 4 ++-- security/sudo/distinfo | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/security/sudo/Makefile b/security/sudo/Makefile index 3848874..5a68e05 100644 --- a/security/sudo/Makefile +++ b/security/sudo/Makefile @@ -6,7 +6,7 @@ # PORTNAME= sudo -PORTVERSION= 1.6.9.17 +PORTVERSION= 1.6.9.20 CATEGORIES= security MASTER_SITES= http://www.sudo.ws/sudo/dist/ \ ftp://obsd.isc.org/pub/sudo/ \ @@ -16,7 +16,7 @@ MASTER_SITES= http://www.sudo.ws/sudo/dist/ \ ftp://ftp.wiretapped.net/pub/security/host-security/sudo/ \ ${MASTER_SITE_LOCAL} MASTER_SITE_SUBDIR= tmclaugh/sudo -DISTNAME= ${PORTNAME}-1.6.9p17 +DISTNAME= ${PORTNAME}-1.6.9p20 MAINTAINER= tmclaugh@FreeBSD.org COMMENT= Allow others to run commands as root diff --git a/security/sudo/distinfo b/security/sudo/distinfo index dfc778c..9103e9d 100644 --- a/security/sudo/distinfo +++ b/security/sudo/distinfo @@ -1,3 +1,3 @@ -MD5 (sudo-1.6.9p17.tar.gz) = 60daf18f28e2c1eb7641c4408e244110 -SHA256 (sudo-1.6.9p17.tar.gz) = 1e2cd4ff684c6f542b7e392010021f36b201d074620dad4d7689da60f9c74596 -SIZE (sudo-1.6.9p17.tar.gz) = 593534 +MD5 (sudo-1.6.9p20.tar.gz) = cd1caee0227641968d63d06845dea70a +SHA256 (sudo-1.6.9p20.tar.gz) = 1197bd5f2087c13a3837e1c4da250f7db2a86f843bf00f2b3568f6410239ac7b +SIZE (sudo-1.6.9p20.tar.gz) = 596009 -- 1.6.1 --- fix-CVE-2009-0034.diff ends here --- The following VuXML entry should be evaluated and added: --- vuln.xml begins here --- <vuln vid="13d6d997-f455-11dd-8516-001b77d09812"> <topic>sudo -- certain authorized users could run commands as any user</topic> <affects> <package> <name>sudo</name> <range><ge>1.6.9.17</ge><lt>1.6.9.20</lt></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml">; <p>Todd Miller reports:</p> <blockquote cite="http://www.gratisoft.us/pipermail/sudo-announce/2009-February/000085.html">; <p>A bug was introduced in Sudo's group matching code in version 1.6.9 when support for matching based on the supplemental group vector was added. This bug may allow certain users listed in the sudoers file to run a command as a different user than their access rule specifies.</p> </blockquote> </body> </description> <references> <mlist msgid="200902041802.n14I2llS024155@core.courtesan.com">http://www.gratisoft.us/pipermail/sudo-announce/2009-February/000085.html</mlist>; <cvename>CVE-2009-0034</cvename> <bid>33517</bid> </references> <dates> <discovery>2009-02-04</discovery> <entry>TODAY</entry> </dates> </vuln> --- vuln.xml ends here --- >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20090206142549.8B8911711D>