Bug 628628 (CVE-2010-2956)
| Summary: | CVE-2010-2956 sudo: incorrect handling of RunAs specification with both user and group lists | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> | ||||
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||
| Status: | CLOSED ERRATA | QA Contact: | |||||
| Severity: | high | Docs Contact: | |||||
| Priority: | high | ||||||
| Version: | unspecified | CC: | amarecek, bressers, dapospis, dkopecek, jbastian, rsroka, security-response-team, spoyarek, syeghiay, todd.miller, vincew | ||||
| Target Milestone: | --- | Keywords: | Security | ||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2010-12-22 15:49:20 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | 627976, 629053, 629054, 630957 | ||||||
| Bug Blocks: | |||||||
| Attachments: |
|
||||||
|
Description
Jan Lieskovsky
2010-08-30 14:53:06 UTC
Created attachment 441964 [details]
Proposed patch from Todd C. Miller
This issue did NOT affect the versions of the sudo package, as shipped with Red Hat Enterprise Linux 3 and 4, as those sudo versions do not allow to specify group options on sudo command line. This issue affects the versions of the sudo package, as shipped with Red Hat Enterprise Linux 5. -- This issue affects the versions of the sudo package, as shipped with Fedora release of 12 and 13. The CVE identifier of CVE-2010-2956 has been assigned to this. To extend the description in comment #0 a bit, this problem affects configurations using Runas_Spec with both user and group list specified, such as this example from the sudoers man page: dgb boulder = (operator : operator) /bin/ls In such configurations, user could run specified command with the privileges of arbitrary user or group using -u and -g command line arguments, sudo only enforce one of the specified user or group matched the list configured in sudoers file. The description of this feature in the sudoers man page seems somewhat confusing / incomplete: If both Runas_Lists are specified, the command may be run with any combination of users and groups listed in their respective Runas_Lists. This does not cover cases where sudo is run with only -u option (command is run with UID of the user in user Runas_List and GID of primary group of the user, that does not need to be listed in group Runas_List), or -g option (command is run with invoking user's UID and only GID is changed). It may be more clear to mention that any combination of users and groups listed in their respective Runas_Lists can be used as arguments to sudo's -u and -g options. Public now via: [1] http://seclists.org/fulldisclosure/2010/Sep/89 Upstream advisory: http://www.sudo.ws/sudo/alerts/runas_group.html This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2010:0675 https://rhn.redhat.com/errata/RHSA-2010-0675.html Created sudo tracking bugs for this issue Affects: fedora-all [bug 630957] |