Bug 162750 - CAN-2004-1051, CAN-2004-1689, CAN-2005-1119, CAN-2005-1831, CAN-2005-1993 sudo issues
Status: CLOSED ERRATA
Product: Fedora Legacy
Classification: Retired
Component: sudo
Version: unspecified
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Fedora Legacy Bugs
URL: http://www.courtesan.com/sudo/alerts/...
Whiteboard: LEGACY, rh73, rh90, 1, 2
Keywords: Security
Duplicates: 165182 166940
Reported: 2005-07-08 05:50 EDT by Ward Wouts
Modified: 2007-04-18 13:29 EDT
Doc Type: Bug Fix
Last Closed: 2006-02-23 19:04:56 EST
Description Ward Wouts 2005-07-08 05:50:20 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050513 Fedora/1.0.4-1.3.1 Firefox/1.0.4

Description of problem:
http://www.courtesan.com/sudo/alerts/path_race.html describes a problem with sudo that as far as I know hasn't been fixed in fedora legacy.

Version-Release number of selected component (if applicable):


How reproducible:
Didn't try


Additional info:
Comment 1 Pekka Savola 2005-08-06 00:11:24 EDT
CAN-2004-1689  sudoedit (aka sudo -e) in sudo 1.6.8 opens a temporary file with
root privileges, which allows local users to read arbitrary files via a symlink
attack on the temporary file before quitting sudoedit.  

CAN-2005-1119  Sudo VISudo 1.6.8 and earlier allows local users to corrupt
arbitrary files via a symlink attack on temporary files.  

CAN-2005-1831  Sudo 1.6.8p7 on SuSE Linux 9.3, and possibly other Linux
distributions, allows local users to gain privileges by using sudo to call su,
then entering a blank password and hitting CTRL-C. NOTE: SuSE has not been able
to replicate this issue.  

CAN-2005-1993  Race condition in sudo 1.3.1 up to 1.6.8p8, when the ALL
pseudo-command is used after a user entry in the sudoers file, allows local
users to gain privileges via a symlink attack.  

...

RHEL has updated sudo to address CAN-2005-1993 (the bug referred to above).

An FC2 fix may also be needed for CAN-2004-1051.

Comment 2 Pekka Savola 2005-08-06 00:13:11 EDT
*** Bug 165182 has been marked as a duplicate of this bug. ***
Comment 3 Marc Bejarano 2005-08-23 13:03:33 EDT
could somebody add the CVE id's to the summary to assist in searching, please?
Comment 4 Pekka Savola 2005-08-28 12:44:38 EDT
*** Bug 166940 has been marked as a duplicate of this bug. ***
Comment 6 Marc Bejarano 2005-11-21 13:31:34 EST
ward: CVE-2005-1993 has been a part of this bug for some time.  perhaps you are
talking about this recently discovered sudo bug:
http://www.sudo.ws/sudo/alerts/perl_env.html
?
Comment 7 Marc Deslauriers 2006-02-13 19:07:36 EST
CVE-2004-1689 isn't applicable to any FL release.
CVE-2005-1119 is not a problem since /etc is not world-writeable.
CVE-2005-1831 cannot be reproduced.
CVE-2004-1051 won't be fixed by Red Hat, so it won't be fixed by FL.

Looks like CVE-2005-1993 is the only real issue here.
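
The symlink attacks on temporary files listed in Comment 1, and the world-writable-directory reasoning in Comment 7, shown as an added C example. It is not part of the thread and not sudo's code; the function names and the scratch-directory scenario are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if other users can create entries (symlinks included) in dir, 0 if not,
 * -1 on error. The sticky bit only restricts deletion, so it is ignored. */
int dir_is_world_writable(const char *dir) {
    struct stat st;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode)) return -1;
    return (st.st_mode & S_IWOTH) ? 1 : 0;
}

/* Weak pattern: follows a symlink at path and truncates whatever it points to. */
int open_temp_naive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened pattern: O_EXCL fails with EEXIST if anything, even a dangling
 * symlink, already sits at path; fstat() then confirms what was created. */
int open_temp_exclusive(const char *path) {
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_nlink == 1 &&
        st.st_uid == geteuid()) return fd;
    close(fd);
    return -1;
}

/* Constructed scenario in a private scratch directory: "tmp" is a symlink to
 * "victim". Returns victim's size after the open attempt, -1 on setup error. */
long victim_size_after_open(int hardened) {
    char dir[] = "/tmp/symdemoXXXXXX", victim[64], tmp[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(tmp, sizeof tmp, "%s/tmp", dir);
    FILE *f = fopen(victim, "w");
    if (!f || fputs("secret", f) < 0 || fclose(f) != 0) return -1;
    if (symlink(victim, tmp) != 0) return -1;
    int fd = hardened ? open_temp_exclusive(tmp) : open_temp_naive(tmp);
    if (fd >= 0) close(fd);
    long size = (stat(victim, &st) == 0) ? (long)st.st_size : -1;
    unlink(tmp); unlink(victim); rmdir(dir);
    return size;
}
```

With the weak open the file behind the symlink is truncated to zero bytes; with the exclusive open it keeps its six bytes and the call fails.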
Comment 8 Marc Deslauriers 2006-02-15 23:11:21 EST
Here are updated sudo packages to QA:

Changelog:
* Mon Feb 13 2006 Marc Deslauriers <marcdeslauriers@videotron.ca> 1.6.5p2-2.3.legacy
- Fix CVE-2005-1993 sudo trusted user arbitrary command execution

http://www.infostrategique.com/linuxrpms/legacy/sudo-1.6.5p2-2.3.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/sudo-1.6.6-3.3.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/sudo-1.6.7p5-2.3.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/sudo-1.6.7p5-26.1.legacy.src.rpm
Comment 9 Pekka Savola 2006-02-16 00:34:24 EST
The URLs were wrong, but I could figure out where to get them... :)

QA w/ rpm-build-compare.sh:
 - source integrity good
 - spec file changes minimal
 - patches verified to come from RHEL
 
+PUBLISH RHL73, RHL9, FC1, FC2
  
11d306d3d80c080be52b2fcbdd52f12addce3fca  sudo-1.6.5p2-2.3.legacy.src.rpm
7b29856659cfdb744148f25ce158cb6be34a1cbb  sudo-1.6.6-3.3.legacy.src.rpm
1976b320d505e565f869055745baf5cd09a77708  sudo-1.6.7p5-2.3.legacy.src.rpm
69c5f787fe1bf0b803f4c4fe616ab58b29aad249  sudo-1.6.7p5-26.1.legacy.src.rpm
Comment 10 Marc Deslauriers 2006-02-16 07:51:10 EST
whoops! :)
Comment 11 Marc Deslauriers 2006-02-17 16:22:15 EST
Packages were released to updates-testing
Comment 12 Pekka Savola 2006-02-18 01:44:01 EST
Basic 2-week timeout per the new policy.
Comment 13 Donald Maner 2006-02-20 00:12:01 EST
I performed QA on the following packages:

5eed8171a2be78f8a03de987b86220b1c8ecb9d4  sudo-1.6.5p2-2.3.legacy.i386.rpm
7a84e2d96bba56142ca8c6dec2603577e31b2072  sudo-1.6.6-3.3.legacy.i386.rpm
4e7b55e41c355e51b4cdd3a820a6d5c94df43fdc  sudo-1.6.7p5-2.3.legacy.i386.rpm
954a6e7098b7e86e7bc1f1532a72f8a3dab32380  sudo-1.6.7p5-26.2.legacy.i386.rpm

Installed fine.  Tested visudo to edit sudoers, and added username and group
name.  Successfully su'ed to root while listed as a user and tested as member
of a group.  sudo denied my attempts when not listed in sudoers.  All attempts 
successfully logged in /var/log/secure.

+VERIFY rh73,rh9,fc1,fc2

Comment 14 Pekka Savola 2006-02-20 00:34:31 EST
Thanks!
Comment 15 Marc Deslauriers 2006-02-23 19:04:56 EST
Packages were released.
