Bug 454398 (CVE-2008-3067) - CVE-2008-3067 sudo: does not flush stdin buffer on password timeout
Summary: CVE-2008-3067 sudo: does not flush stdin buffer on password timeout
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2008-3067
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard:
Depends On:
Blocks:
Reported: 2008-07-08 08:58 UTC by Tomas Hoger
Modified: 2021-11-12 19:50 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2010-12-23 21:30:37 UTC
Embargoed:



Description Tomas Hoger 2008-07-08 08:58:44 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-3067 to the following vulnerability:

sudo in SUSE openSUSE 10.3 does not clear the stdin buffer when password entry times out, which might allow local users to obtain a password by reading stdin from the parent process after a sudo child process exits.

References:
http://lists.opensuse.org/opensuse-security-announce/2008-07/msg00001.html

Comment 1 Tomas Hoger 2008-07-08 09:00:46 UTC
According to upstream (Todd C. Miller), the issue was introduced in version
1.6.9 when the TCSAFLUSH was changed to TCSADRAIN.  Issue was fixed upstream in
1.6.9p12.

Comment 2 Tomas Hoger 2008-07-08 09:20:51 UTC
Steps to reproduce:

$ sudo some_cmd

At the password prompt, type your password, but do not press Enter.  Wait for
passwd_timeout (5min by default).  After sudo times out, the entered password
appears on the shell command line.

Confirmed on Fedora 8, which is the only affected version.  Fedora 9 and later
are based on the fixed upstream version.

This issue did not affect the versions of sudo as shipped with Red Hat
Enterprise Linux 2.1, 3, 4, or 5, as they are based on an old, unaffected version.
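
The TCSADRAIN versus TCSAFLUSH difference named in Comment 1, and the leftover keystrokes described in Comment 2, shown as an added example that is not part of this bug report or of sudo's code. It is a Linux-only pseudo-terminal test; `leftover_after_restore` is a hypothetical helper and `hunter2` is constructed input.

```c
/* Added example: Linux pty test of TCSADRAIN vs TCSAFLUSH when a prompt restores the tty. */
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <termios.h>
#include <unistd.h>

#define TYPED "hunter2"   /* constructed sample input, typed without Enter */

/* Returns how many typed-ahead bytes the next reader of the terminal sees
 * after the prompt restores its settings with `action`; -1 on setup error. */
int leftover_after_restore(int action)
{
    char path[32], buf[64];
    int unlock = 0, left = -1;
    unsigned int ptn;
    struct termios orig, t;

    int m = open("/dev/ptmx", O_RDWR | O_NOCTTY);       /* pty master */
    if (m < 0) return -1;
    if (ioctl(m, TIOCSPTLCK, &unlock) < 0 || ioctl(m, TIOCGPTN, &ptn) < 0) { close(m); return -1; }
    snprintf(path, sizeof path, "/dev/pts/%u", ptn);
    int s = open(path, O_RDWR | O_NOCTTY);              /* pty slave = the user's tty */
    if (s >= 0 && tcgetattr(s, &orig) == 0) {
        t = orig;
        t.c_lflag &= ~ECHO;                              /* password prompt: echo off */
        tcsetattr(s, TCSANOW, &t);
        if (write(m, TYPED, sizeof TYPED - 1) == (ssize_t)(sizeof TYPED - 1)) {
            poll(NULL, 0, 100);                          /* 100 ms: let the kernel queue the keys */
            tcsetattr(s, action, &orig);                 /* timeout path: restore the tty */
            t = orig;                                    /* next reader: a line-editing shell */
            t.c_lflag &= ~(ICANON | ECHO);
            t.c_cc[VMIN] = 0; t.c_cc[VTIME] = 0;         /* return at once with what is queued */
            tcsetattr(s, TCSANOW, &t);
            left = (int)read(s, buf, sizeof buf);
        }
    }
    if (s >= 0) close(s);
    close(m);
    return left;
}

int main(void)
{
    printf("TCSADRAIN leaves %d bytes, TCSAFLUSH leaves %d bytes\n",
           leftover_after_restore(TCSADRAIN), leftover_after_restore(TCSAFLUSH));
    return 0;
}
```

Restoring with TCSADRAIN leaves the unread input queued for the next process that reads the terminal, while TCSAFLUSH discards it as part of the same call.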

