Bug 1761584
Summary: | CVE-2019-14287 sudo: Privilege escalation via 'Runas' specification with 'ALL' keyword [fedora-all] | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Laura Pardo <lpardo> |
Component: | sudo | Assignee: | Radovan Sroka <rsroka> |
Status: | CLOSED ERRATA | QA Contact: | Dalibor Pospíšil <dapospis> |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | 31 | CC: | awilliam, bellecodeur, dapospis, dkopecek, dustymabe, fzatlouk, germano.massullo, kevin, klember, kzak, mattdm, mboddu, michel.morisot, pasik, rsroka, sgallagh, tosykora |
Target Milestone: | --- | Keywords: | Reopened, Security, SecurityTracking |
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | AcceptedFreezeException | ||
Fixed In Version: | sudo-1.8.28-1.fc30 sudo-1.8.28-1.fc31 sudo-1.8.28-1.fc29 | Doc Type: | No Doc Update |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2019-10-19 03:46:35 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 1644940, 1760531 |
Description
Laura Pardo
2019-10-14 19:34:07 UTC
Use the following template to for the 'fedpkg update' request to submit an update for this issue as it contains the top-level parent bug(s) as well as this tracking bug. This will ensure that all associated bugs get updated when new packages are pushed to stable. ===== # bugfix, security, enhancement, newpackage (required) type=security # low, medium, high, urgent (required) severity=high # testing, stable request=testing # Bug numbers: 1234,9876 bugs=1760531,1761584 # Description of your update notes=Security fix for [PUT CVEs HERE] # Enable request automation based on the stable/unstable karma thresholds autokarma=True stable_karma=3 unstable_karma=-3 # Automatically close bugs when this marked as stable close_bugs=True # Suggest that users restart after update suggest_reboot=False ====== Additionally, you may opt to use the bodhi web interface to submit updates: https://bodhi.fedoraproject.org/updates/new Proposed as a Freeze Exception for 31-final by Fedora user dustymabe using the blocker tracking app because: https://fedoraproject.org/wiki/Fedora_31_Final_Release_Criteria#Security_bugs We should try to ship a sudo that doesn't have a security flaw. I proposed this at least as an FE for Fedora 31. It's at least potentially a blocker: "The release must contain no known security bugs of 'important' or higher impact according to the Red Hat severity classification scale which cannot be satisfactorily resolved by a package update (e.g. issues during installation)." https://fedoraproject.org/wiki/Fedora_31_Final_Release_Criteria#Security_bugs Do we have the Red Hat classification for this yet? I can't see it anywhere offhand. hmm, that does have the 'satisfactorily resolved by a package update' wording, I guess, and this probably can be resolved with an update. (In reply to Adam Williamson from comment #4) > It's at least potentially a blocker: > > "The release must contain no known security bugs of 'important' or higher > impact according to the Red Hat severity classification scale which cannot > be satisfactorily resolved by a package update (e.g. issues during > installation)." > > https://fedoraproject.org/wiki/Fedora_31_Final_Release_Criteria#Security_bugs > > Do we have the Red Hat classification for this yet? I can't see it anywhere > offhand. I think we can glean that from the information in comment 1 where they prefilled some of the information and included: `severity=high`. I don't think so. The bugzilla severity scale does not clearly map to the RH security classification scale. It has no 'important' value. However, the vuln is up here now: https://access.redhat.com/security/cve/cve-2019-14287 and it's "important", so that requirement is met. There's still the 'cannot be satisfactorily resolved by a package update' requirement though, I guess. *** Bug 1761684 has been marked as a duplicate of this bug. *** FEDORA-2019-67998e9f7e has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-67998e9f7e FEDORA-2019-9cb221f2be has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-9cb221f2be FEDORA-2019-72755db9c7 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-72755db9c7 +1 FE. This seems like a fairly high profile security issue and would be nice to make sure systems are not vulnerable to this after clean install. Eh, I'm less clearly +1, because you have to have a fairly odd sudo config to be affected by this. It's certainly not a config you'd have after a clean install. Still, it probably can't hurt a lot to pull it in. sudo-1.8.28-1.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-67998e9f7e sudo-1.8.28-1.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report. sudo-1.8.28-1.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-72755db9c7 as this is on the f31 FE tracker, re-opening and changing version to 31. +1 FE +1 FE +1 FE, even though it's unlikely to actually affect many people. It's high profile and we might as well say we have the fix in. +1 FE That's +4 FE, so setting accepted FE. sudo-1.8.28-1.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report. sudo-1.8.28-1.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report. |