Bug 580441 (CVE-2010-1163)

Summary: CVE-2010-1163 sudo: incomplete fix for the sudoedit privilege escalation issue CVE-2010-0426
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: amarecek, dkopecek, security-response-team, vdanen
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-12-22 15:56:48 UTC
Bug Depends On: 580525, 580526, 580527
Attachments: Upstream patch (flags: none)

Description Tomas Hoger 2010-04-08 09:44:44 UTC
It was discovered that the original upstream fix for sudo's sudoedit privilege escalation flaw known as CVE-2010-0426 (see bug #567337) did not fully resolve the issue.  In configurations where sudo's ignore_dot option was set to off (default is on), a user allowed to sudoedit some file with the privileges of some user could run arbitrary commands with the privileges of that user.

Acknowledgements:

Red Hat would like to thank Todd C. Miller, the upstream sudo maintainer, for responsibly reporting this issue. Upstream acknowledges Valerio Costamagna as the original reporter.

Comment 1 Tomas Hoger 2010-04-08 09:46:28 UTC
Created attachment 405247 [details]
Upstream patch

Comment 3 Tomas Hoger 2010-04-08 10:50:43 UTC
As with the original flaw, sudo versions in Red Hat Enterprise Linux 3 and 4 were not affected by this flaw, as they do not support the sudoedit special command.

This issue did *not* affect the sudo 1.6.9p17 packages released in RHSA-2010:0122 fixing CVE-2010-0426.  In that sudo version, the ignore_dot option value cannot be changed from the sudoers configuration file and the compile-time default value is always used ('on' in RHEL sudo packages, configure run with --with-ignore-dot), as is documented in the sudoers manpage:

  ignore_dot
    [ ... ]
    This flag is on by default.  Currently, while it is possible to set
    ignore_dot in sudoers, its value is not used.  This option should be
    considered read-only (it will be fixed in a future version of sudo).

However, RHBA-2010:0212, released as part of Red Hat Enterprise Linux 5.5, rebased the sudo packages to upstream version 1.7.2p1, which allows changing the ignore_dot option value using the sudoers configuration file.  Hence, only users that already upgraded to the RHEL-5.5 sudo packages and changed the ignore_dot default value in the sudoers file can be affected by this flaw.
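The comment above narrows exposure to hosts whose sudoers file turns ignore_dot off on a sudo build (1.7.2p1 or later) that honours that setting. The following is an added example, not part of this bug report or of the sudo project's code, showing how an administrator could inspect a sudoers file for that condition before the fixed packages were applied. It assumes standard sudoers Defaults syntax (a flag is set by naming it, cleared with a leading `!`, items are comma separated, and later Defaults lines override earlier ones), takes the compile-time default as 'on' as the comment states for RHEL packages, and uses constructed sample sudoers fragments.

```python
import re

# Constructed sample sudoers fragments (not taken from the bug report).
# Only the second one relies on ignore_dot being off, the state this
# report identifies as affected by the incomplete fix.
SUDOERS_DEFAULT = """\
Defaults    requiretty
Defaults    env_reset
alice ALL = (www) sudoedit /var/www/html/index.html
"""

SUDOERS_WEAK = """\
Defaults    requiretty
Defaults    env_reset, !ignore_dot   # weak: disables ignore_dot
alice ALL = (www) sudoedit /var/www/html/index.html
"""

SUDOERS_HARDENED = """\
Defaults    requiretty
Defaults    env_reset, ignore_dot    # explicit, matches the compiled default
alice ALL = (www) sudoedit /var/www/html/index.html
"""


def _join_continuations(text):
    """sudoers allows a trailing backslash to continue a line."""
    return re.sub(r"\\\n", " ", text)


def ignore_dot_enabled(sudoers_text, compiled_default=True):
    """Return the effective ignore_dot setting for a sudoers fragment.

    The compile-time default applies unless a Defaults line overrides it;
    naming the flag sets it, a leading '!' clears it, and later lines win.
    Scoped Defaults lines (Defaults:user, Defaults@host, Defaults!cmd,
    Defaults>runas) are treated conservatively as applying too, since any
    such scope may cover some sudoedit invocation.
    """
    value = compiled_default
    for raw in _join_continuations(sudoers_text).splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line.startswith("Defaults"):
            continue
        # Strip the keyword and an optional scope qualifier such as ':alice'.
        rest = re.sub(r"^Defaults(?:[:@!>]\S+)?\s*", "", line)
        for item in rest.split(","):
            item = item.strip()
            if item == "ignore_dot":
                value = True
            elif item == "!ignore_dot":
                value = False
    return value


def sudoedit_exposed(sudoers_text):
    """True when the configuration turns ignore_dot off, i.e. the only
    configuration the report describes as affected on a sudo build that
    honours the sudoers value."""
    return not ignore_dot_enabled(sudoers_text)


if __name__ == "__main__":
    for name, text in (("default", SUDOERS_DEFAULT),
                       ("weak", SUDOERS_WEAK),
                       ("hardened", SUDOERS_HARDENED)):
        state = "EXPOSED" if sudoedit_exposed(text) else "ok"
        print(f"{name:9s} ignore_dot={ignore_dot_enabled(text)} -> {state}")
```

The check is only meaningful on the rebased 1.7.2p1 packages; on the 1.6.9p17 packages the comment says the sudoers value is ignored, so the compiled default decides regardless of what the parser reports. Either way, the remedy is the fixed package rather than editing sudoers, since an explicit `ignore_dot` only restores the default.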

Comment 5 Tomas Hoger 2010-04-12 16:19:16 UTC
(In reply to comment #1)
> Created an attachment (id=405247) [details]
> Upstream patch    

Committed upstream as: http://sudo.ws/repos/sudo/rev/07de8e40cb4c

Comment 6 Tomas Hoger 2010-04-13 14:42:01 UTC
Public now via:
  http://sudo.ws/sudo/alerts/sudoedit_escalate2.html

Fixed upstream in versions 1.7.2p6 and 1.6.9p22.

Comment 7 Fedora Update System 2010-04-14 14:47:46 UTC
sudo-1.7.2p6-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/sudo-1.7.2p6-1.fc11

Comment 8 Fedora Update System 2010-04-14 14:48:12 UTC
sudo-1.7.2p6-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/sudo-1.7.2p6-1.fc12

Comment 9 Fedora Update System 2010-04-14 14:48:23 UTC
sudo-1.7.2p6-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/sudo-1.7.2p6-1.fc13

Comment 10 Vincent Danen 2010-04-16 04:58:46 UTC
This has been assigned CVE-2010-1163.

Comment 11 errata-xmlrpc 2010-04-20 15:43:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0361 https://rhn.redhat.com/errata/RHSA-2010-0361.html

Comment 12 Fedora Update System 2010-04-23 06:04:33 UTC
sudo-1.7.2p6-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2010-05-03 16:05:24 UTC
sudo-1.7.2p6-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2010-05-03 16:11:11 UTC
sudo-1.7.2p6-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.