| Field | Value |
|---|---|
| Summary | CVE-2010-1163 sudo: incomplete fix for the sudoedit privilege escalation issue CVE-2010-0426 |
| Product | [Other] Security Response |
| Reporter | Tomas Hoger <thoger> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| QA Contact | |
| Version | unspecified |
| CC | amarecek, dkopecek, security-response-team, vdanen |
| Fixed In Version | |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Last Closed | 2010-12-22 15:56:48 UTC |
| Type | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Bug Depends On | 580525, 580526, 580527 |

Description Tomas Hoger 2010-04-08 09:44:44 UTC
It was discovered that the original upstream fix for sudo's sudoedit privilege escalation flaw known as CVE-2010-0426 (see bug #567337) did not fully resolve the issue. In configurations where sudo's ignore_dot option was set to off (default is on), the user allowed to sudoedit some file with the privileges of some user could run an arbitrary command with the privileges of that user.

Acknowledgements: Red Hat would like to thank Todd C. Miller, the upstream sudo maintainer, for responsibly reporting this issue. Upstream acknowledges Valerio Costamagna as the original reporter.
Comment 3 Tomas Hoger 2010-04-08 10:50:43 UTC
As with the original flaw, sudo versions in Red Hat Enterprise Linux 3 and 4 were not affected by this flaw, as they do not support the sudoedit special command.

This issue did *not* affect sudo 1.6.9p17 packages released in RHSA-2010:0122 fixing CVE-2010-0426. In that sudo version, the ignore_dot option value cannot be changed from the sudoers configuration file and the compile-time default value is always used ('on' in RHEL sudo packages, configure run with --with-ignore-dot), as is documented in the sudoers manpage:

    ignore_dot [ ... ] This flag is on by default. Currently, while it is
    possible to set ignore_dot in sudoers, its value is not used. This option
    should be considered read-only (it will be fixed in a future version of
    sudo).

However, RHBA-2010:0212, released as part of Red Hat Enterprise Linux 5.5, rebased sudo packages to upstream version 1.7.2p1, which allows changing the ignore_dot option value using the sudoers configuration file. Hence, only users that already upgraded to RHEL-5.5 sudo packages and changed the ignore_dot default value in the sudoers file can be affected by this flaw.
Comment 5 Tomas Hoger 2010-04-12 16:19:16 UTC
(In reply to comment #1)
> Created an attachment (id=405247)
> Upstream patch

Committed upstream as: http://sudo.ws/repos/sudo/rev/07de8e40cb4c
Comment 6 Tomas Hoger 2010-04-13 14:42:01 UTC
Public now via: http://sudo.ws/sudo/alerts/sudoedit_escalate2.html

Fixed upstream in versions 1.7.2p6 and 1.6.9p22.
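
An added audit sketch, not part of the bug report or of sudo itself: it combines the two conditions from comments 3 and 6, namely ignore_dot negated in sudoers and an upstream version older than 1.7.2p6 (or 1.6.9p22 on the 1.6 branch). The function names, the sample sudoers fragment and the user `alice` are hypothetical. Distribution packages may carry the fix under an older upstream version string, and per comment 3 the 1.6.9 packages do not honour the sudoers value at all, so a hit there only means the compile-time default needs checking.

```shell
#!/bin/sh
# Added example (not from the bug report): flag ignore_dot off + unfixed sudo.

# ignore_dot_off [FILE...] -> exit 0 if a Defaults line negates ignore_dot.
# Reads stdin when no FILE is given; any hit counts, even if re-enabled later.
ignore_dot_off() {
    awk '
        { sub(/#.*/, "") }                              # drop comments
        /\\$/ { sub(/\\$/, ""); buf = buf $0; next }    # join continued lines
        { line = buf $0; buf = "" }
        line ~ /^[ \t]*Defaults/ &&
        line ~ /[ \t,]![ \t]*ignore_dot([ \t,]|$)/ { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$@"
}

# sudo_has_fix VERSION -> 0 if at/after the fixed upstream release from
# comment 6 (1.7.2p6, or 1.6.9p22 on the 1.6 branch), 1 if older,
# 2 if the version string cannot be parsed.
sudo_has_fix() {
    printf '%s\n' "$1" | awk -F'[.p]' '
        NF < 3 || $1 !~ /^[0-9]+$/ { exit 2 }
        { v = $1 * 1e9 + $2 * 1e6 + $3 * 1e3 + $4
          fix = ($1 == 1 && $2 <= 6) ? 1006009022 : 1007002006
          exit (v >= fix ? 0 : 1) }'
}

# exposed VERSION [FILE...] -> 0 only when ignore_dot is off and the version
# lacks the fix; an unparseable version is treated as lacking it.
exposed() {
    ver=$1; shift
    ignore_dot_off "$@" || return 1
    if sudo_has_fix "$ver"; then return 1; fi
    return 0
}

# Constructed sudoers fragment for the demo; alice is a hypothetical user.
sample_sudoers() {
    cat <<'EOF'
Defaults env_reset, \
         !ignore_dot
alice ALL = (root) sudoedit /etc/motd
EOF
}

# Live use: exposed "$(sudo -V | sed -n '1s/^Sudo version //p')" /etc/sudoers
if sample_sudoers | exposed 1.7.2p1; then
    echo "1.7.2p1 with ignore_dot off: exposed"
fi
```
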
Comment 7 Fedora Update System 2010-04-14 14:47:46 UTC
sudo-1.7.2p6-1.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/sudo-1.7.2p6-1.fc11
Comment 8 Fedora Update System 2010-04-14 14:48:12 UTC
sudo-1.7.2p6-1.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/sudo-1.7.2p6-1.fc12
Comment 9 Fedora Update System 2010-04-14 14:48:23 UTC
sudo-1.7.2p6-1.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/sudo-1.7.2p6-1.fc13
Comment 11 errata-xmlrpc 2010-04-20 15:43:26 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0361 https://rhn.redhat.com/errata/RHSA-2010-0361.html
Comment 12 Fedora Update System 2010-04-23 06:04:33 UTC
sudo-1.7.2p6-1.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
Comment 13 Fedora Update System 2010-05-03 16:05:24 UTC
sudo-1.7.2p6-1.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
Comment 14 Fedora Update System 2010-05-03 16:11:11 UTC
sudo-1.7.2p6-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.