Bug 162750 - CAN-2004-1051, CAN-2004-1689, CAN-2005-1119, CAN-2005-1831, CAN-2005-1993 sudo issues
Summary: CAN-2004-1051, CAN-2004-1689, CAN-2005-1119, CAN-2005-1831, CAN-2005-1993 sud...
Status: CLOSED ERRATA
Alias: None
Product: Fedora Legacy
Classification: Retired
Component: sudo   
(Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Fedora Legacy Bugs
QA Contact:
URL: http://www.courtesan.com/sudo/alerts/...
Whiteboard: LEGACY, rh73, rh90, 1, 2
Keywords: Security
: 165182 166940 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2005-07-08 09:50 UTC by Ward Wouts
Modified: 2007-04-18 17:29 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-02-24 00:04:56 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Ward Wouts 2005-07-08 09:50:20 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050513 Fedora/1.0.4-1.3.1 Firefox/1.0.4

Description of problem:
http://www.courtesan.com/sudo/alerts/path_race.html describes a problem with sudo that as far as I know hasn't been fixed in fedora legacy.

Version-Release number of selected component (if applicable):


How reproducible:
Didn't try


Additional info:

Comment 1 Pekka Savola 2005-08-06 04:11:24 UTC
CAN-2004-1689  sudoedit (aka sudo -e) in sudo 1.6.8 opens a temporary file with
root privileges, which allows local users to read arbitrary files via a symlink
attack on the temporary file before quitting sudoedit.  

CAN-2005-1119  Sudo VISudo 1.6.8 and earlier allows local users to corrupt
arbitrary files via a symlink attack on temporary files.  

CAN-2005-1831  Sudo 1.6.8p7 on SuSE Linux 9.3, and possibly other Linux
distributions, allows local users to gain privileges by using sudo to call su,
then entering a blank password and hitting CTRL-C. NOTE: SuSE has not been able
to replicate this issue.  

CAN-2005-1993  Race condition in sudo 1.3.1 up to 1.6.8p8, when the ALL
pseudo-command is used after a user entry in the sudoers file, allows local
users to gain privileges via a symlink attack.  

...

RHEL has updated sudo to address CAN-2005-1993 (the bug being referred above).

FC2 fix for also CAN-2004-1051 may be needed.



Comment 2 Pekka Savola 2005-08-06 04:13:11 UTC
*** Bug 165182 has been marked as a duplicate of this bug. ***

Comment 3 Marc Bejarano 2005-08-23 17:03:33 UTC
could somebody add the CVE id's to the summary to assist in searching, please?

Comment 4 Pekka Savola 2005-08-28 16:44:38 UTC
*** Bug 166940 has been marked as a duplicate of this bug. ***

Comment 6 Marc Bejarano 2005-11-21 18:31:34 UTC
ward: CVE-2005-1993 has been a part of this bug for some time.  perhaps you are
talking about this recently discovered sudo bug:
http://www.sudo.ws/sudo/alerts/perl_env.html
?

Comment 7 Marc Deslauriers 2006-02-14 00:07:36 UTC
CVE-2004-1689 isn't applicable to any FL release.
CVE-2005-1119 is not a problem since /etc is not world-writeable.
CVE-2005-1831 cannot be reproduced.
CVE-2004-1051 won't be fixed by Red Hat, so it won't be fixed by FL.

Looks like CVE-2005-1993 is the only real issue here.

Comment 8 Marc Deslauriers 2006-02-16 04:11:21 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updated sudo packages to QA:

Changelog:
* Mon Feb 13 2006 Marc Deslauriers <marcdeslauriers@videotron.ca> 1.6.5p2-2.3.legacy
- - Fix CVE-2005-1993 sudo trusted user arbitrary command execution

f6c9ad24f3b13feaf7d8535ca3376388c2bd8984  7.3/sudo-1.6.5p2-2.3.legacy.i386.rpm
11d306d3d80c080be52b2fcbdd52f12addce3fca  7.3/sudo-1.6.5p2-2.3.legacy.src.rpm
8ead746c3ac95321a70ecdb27cc774b5dddc1d92  9/sudo-1.6.6-3.3.legacy.i386.rpm
7b29856659cfdb744148f25ce158cb6be34a1cbb  9/sudo-1.6.6-3.3.legacy.src.rpm
ce7f100a5ee6cd47dad8a2da691862e77423135d  1/sudo-1.6.7p5-2.3.legacy.i386.rpm
1976b320d505e565f869055745baf5cd09a77708  1/sudo-1.6.7p5-2.3.legacy.src.rpm
bc057a033f60f0d53bfe040358707f0ce3b800fd  2/sudo-1.6.7p5-26.1.legacy.i386.rpm
69c5f787fe1bf0b803f4c4fe616ab58b29aad249  2/sudo-1.6.7p5-26.1.legacy.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/sudo-1.6.5p2-2.3.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/sudo-1.6.6-3.3.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/sudo-1.6.7p5-2.3.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/sudo-1.6.7p5-26.1.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFD8/0KLMAs/0C4zNoRAvabAJ9U6aOMw6aSqJA17fYGjeGWbWaOZgCgjPSR
4XNksWkAVJeCHRO8WzQGh60=
=qLbC
-----END PGP SIGNATURE-----


Comment 9 Pekka Savola 2006-02-16 05:34:24 UTC
The URLs were wrong, but I could figure out where to get them... :)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
QA w/ rpm-build-compare.sh:
 - source integrity good
 - spec file changes minimal
 - patches verified to come from RHEL
 
+PUBLISH RHL73, RHL9, FC1, FC2
  
11d306d3d80c080be52b2fcbdd52f12addce3fca  sudo-1.6.5p2-2.3.legacy.src.rpm
7b29856659cfdb744148f25ce158cb6be34a1cbb  sudo-1.6.6-3.3.legacy.src.rpm
1976b320d505e565f869055745baf5cd09a77708  sudo-1.6.7p5-2.3.legacy.src.rpm
69c5f787fe1bf0b803f4c4fe616ab58b29aad249  sudo-1.6.7p5-26.1.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
 
iD8DBQFD9A/kGHbTkzxSL7QRAshgAJ9kBdcNPsamkQXljZ/Gs3VQDAsbCACdHA/r
+mHxYYuubyKA5vGV3WFjI5M=
=5NDo
-----END PGP SIGNATURE-----


Comment 10 Marc Deslauriers 2006-02-16 12:51:10 UTC
whoops! :)

Comment 11 Marc Deslauriers 2006-02-17 21:22:15 UTC
Packages were released to updates-testing

Comment 12 Pekka Savola 2006-02-18 06:44:01 UTC
Basic 2-week timeout per the new policy.

Comment 13 Donald Maner 2006-02-20 05:12:01 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I performed QA on the following packages:

5eed8171a2be78f8a03de987b86220b1c8ecb9d4  sudo-1.6.5p2-2.3.legacy.i386.rpm
7a84e2d96bba56142ca8c6dec2603577e31b2072  sudo-1.6.6-3.3.legacy.i386.rpm
4e7b55e41c355e51b4cdd3a820a6d5c94df43fdc  sudo-1.6.7p5-2.3.legacy.i386.rpm
954a6e7098b7e86e7bc1f1532a72f8a3dab32380  sudo-1.6.7p5-26.2.legacy.i386.rpm

Installed fine.  Tested visudo to edit sudoers, and added username and group
name.  Successfully su'ed to root while listed as a user and tested as member
of a group.  sudo denied my attempts when not listed in sudoers.  All attempts 
successfully logged in /var/log/secure.

+VERIFY rh73,rh9,fc1,fc2

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.7 (GNU/Linux)

iD8DBQFD+VCHpxMPKJzn2lIRAkGQAKCI7OhsJTNdtOe9M4108zU5fPU5nQCZAXA4
1rRZoe5TPQrf3YXBef2q6t0=
=1nH3
-----END PGP SIGNATURE-----

Comment 14 Pekka Savola 2006-02-20 05:34:31 UTC
Thanks!

Comment 15 Marc Deslauriers 2006-02-24 00:04:56 UTC
Packages were released.


Note You need to log in before you can comment on or make changes to this bug.