From: Studded
Organization: Triborough Bridge & Tunnel Authority
Date: Thu, 30 Jul 1998 11:09:31 -0700
To: ports@FreeBSD.ORG, erich@rrnet.com
Subject: Small bug in sudo 1.5.4
Message-ID: <35C0B6DB.C4B73BC8@san.rr.com>

A while back a small bug was found in sudo; attached is the author's response on bugtraq. I'm curious as to whether there are plans to upgrade our port. It looks like Erich has things in good shape, so if he doesn't have time to do it I would be willing to up the version and make sure it works as it's port'ed now.

Doug
--
*** Chief Operations Officer, DALnet IRC network ***

When you don't know where you're going, every road will take you there.
- Yiddish Proverb

From: "Todd C. Miller"
Reply-To: "Todd C. Miller"
Sender: Bugtraq List
Date: Sat, 27 Jun 1998 14:27:56 -0600
To: BUGTRAQ@NETSPACE.ORG
X-To: Rhodie
Subject: Re: Bug is sudo?
Message-ID: <199806272027.OAA22337@xerxes.courtesan.com>
In-Reply-To: Your message of "Fri, 26 Jun 1998 03:25:56 +0300."

Of course, this only works if you exist in the sudoers file, which makes it pretty benign.
I agree that sudo should ask for a password and this is fixed in sudo 1.5.4p1, available now from:

    ftp://ftp.cs.colorado.edu/pub/sudo/cu-sudo.v1.5.4p1.tar.Z

It is still possible for a user in sudoers to probe for binaries but it's not really possible to disable that without making it impossible for a sudo user to know *which* version of a command was disallowed (for instance, sudoers may specify the system "ls" and the user may have the GNU version first in their path).

 - todd