Bug 152856

Summary: CAN-2004-1051 sudo - Bash scripts can be subverted
Product: [Retired] Fedora Legacy Reporter: Marc Deslauriers <marc.deslauriers>
Component: sudoAssignee: Fedora Legacy Bugs <bugs>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: low    
Version: unspecifiedCC: pekkas, redhat-bugzilla, rostetter
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://www.sudo.ws/sudo/alerts/bash_functions.html
Whiteboard: 1, LEGACY, rh73, rh90
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-05-13 00:54:14 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description David Lawrence 2005-03-30 23:29:51 UTC 
A flaw in exists in sudo's environment sanitizing prior to sudo
version 1.6.8p2 that could allow a malicious user with permission to
run a shell script that utilized the bash shell to run arbitrary
commands. The /bin/sh shell on most (if not all) Linux systems is bash.

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=139671
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=139478
http://www.sudo.ws/sudo/alerts/bash_functions.html



------- Additional Comments From pekkas 2004-12-21 10:14:53 ----

Red Hat closed this as a WONTFIX, but as many other vendors have reacted, I
guess we can as well, because this is such a simple case..

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Packaged the patch from Debian (http://www.debian.org/security/2004/dsa-596)
for RHL73, RHL9, and FC1 on a very straightforward way.  The same patch
applies to all of them.

http://www.netcore.fi/pekkas/linux/sudo-1.6.5p2-2.1.legacy.src.rpm (RHL73)
http://www.netcore.fi/pekkas/linux/sudo-1.6.6-3.1.legacy.src.rpm   (RHL9)
http://www.netcore.fi/pekkas/linux/sudo-1.6.7p5-2.1.legacy.src.rpm (FC1)

SHA1sums:
5c43e4020bc9c89b89ee042df60c75e8966e4081  sudo-1.6.5p2-2.1.legacy.src.rpm
6466c68e6dc677e7303e9c6a450996aec6da93fe  sudo-1.6.6-3.1.legacy.src.rpm
e0819ad97368f3059699054b0901362feb58fedb  sudo-1.6.7p5-2.1.legacy.src.rpm

Changelog:
* Tue Dec 21 2004 Pekka Savola <pekkas> 1.6.6-3.1.legacy
- - Fix CAN-2004-1051 (#2291) with patch from Debian.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFByIP2GHbTkzxSL7QRAr11AKCEJpFghY1UrHpw2fjqJ4nQVg2VeQCffFys
XlbNfWK2Ia4RwoAbXEgs0Aw=
=+nle
-----END PGP SIGNATURE-----




------- Additional Comments From julien.gilli 2005-02-23 06:21:54 ----

Are those packages published on the official fedora legacy mirrors ? If not, is
there a chance for them to be released as official patches anytime soon ?

Thank you very much for your work !



------- Additional Comments From pekkas 2005-02-23 06:30:54 ----

Maybe -- if someone (maybe you?) provides the QA :)

See http://www.fedoralegacy.org/participate/.



------- Additional Comments From marcdeslauriers 2005-03-05 20:00:01 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I did QA on Pekka's packages:

5c43e4020bc9c89b89ee042df60c75e8966e4081  sudo-1.6.5p2-2.1.legacy.src.rpm
6466c68e6dc677e7303e9c6a450996aec6da93fe  sudo-1.6.6-3.1.legacy.src.rpm
e0819ad97368f3059699054b0901362feb58fedb  sudo-1.6.7p5-2.1.legacy.src.rpm

- - Source files match previous release
- - Patch file matches Debian and looks good
- - Spec file changes good

+PUBLISH

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFCKpxVLMAs/0C4zNoRAtiGAKCXXuO/cgyNv8idxE7fEKIxproRewCgtOHB
sBWixQQeh9uHQSJiEz9T7kI=
=4Lx4
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers 2005-03-07 03:25:04 ----

Packages were released to updates-testing



------- Bug moved to this database by dkl 2005-03-30 18:29 -------

This bug previously known as bug 2291 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2291
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.
Comment 1 Eric Jon Rostetter 2005-04-12 18:29:49 UTC 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
QA for RHL 7.3
 
Package: sudo-1.6.5p2-2.2.legacy.i386.rpm
Signatures and checksums seem okay.
 
Package installed without problem via rpm -Uhv.  Seems to work fine
after testing the "visudo" and "sudo" commands.  Did not test expliot,
only functionality.
 
+VERIFY  for RHL 7.3
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
 
iD8DBQFCXBL74jZRbknHoPIRAlS2AJ4gLBHakdmNwiETUndrGw/Vi3oWSQCggQYe
X63ZGvToIvHrr3EoJFFmmXg=
=bh4V
-----END PGP SIGNATURE-----
Comment 2 Eric Jon Rostetter 2005-04-12 18:40:08 UTC 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
QA for RHL 9
 
Package: sudo-1.6.6-3.2.legacy.i386.rpm
Signatures and checksums seem okay.
 
Package installed without problem via rpm -Uhv.  Seems to work fine
after testing the "visudo" and "sudo" commands.  Did not test expliot,
only functionality.
 
+VERIFY  for RHL 9
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
 
iD8DBQFCXBVT4jZRbknHoPIRAm0nAJwNeFYw3kgEvoB78XMhRPNW/oWEcwCfUDTG
iBlk/Sqfm4vAHY34jTQKTUo=
=/7WP
-----END PGP SIGNATURE-----
Comment 3 mschout 2005-05-10 00:15:49 UTC 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

FC1 Verify:

sha1
a990c5c070acd9ae8c50181487f2f9cdacb38378 sudo-1.6.7p5-2.2.legacy.i386.rpm

dsa sha1 md5 gpg signatures OK

installed all packages without any warnings or errors

sudo works as expected

+VERIFY FC1
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (FreeBSD)

iD8DBQFCgENz+CqvSzp9LOwRAoBxAJ948HB5LmUH6o40H7FwmN1PbvkEbQCgiB2B
xaPkM6c8WhPMN5LwwCe7Eac=
=WNcG
-----END PGP SIGNATURE-----
Comment 4 Marc Deslauriers 2005-05-13 00:54:14 UTC 
Released to updates