Bug 580441 (CVE-2010-1163) - CVE-2010-1163 sudo: incomplete fix for the sudoedit privilege escalation issue CVE-2010-0426
Summary: CVE-2010-1163 sudo: incomplete fix for the sudoedit privilege escalation issu...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2010-1163
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 580525 580526 580527
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-04-08 09:44 UTC by Tomas Hoger
Modified: 2019-09-29 12:36 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-12-22 15:56:48 UTC


Attachments (Terms of Use)
Upstream patch (542 bytes, patch)
2010-04-08 09:46 UTC, Tomas Hoger
no flags Details | Diff


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2010:0361 normal SHIPPED_LIVE Moderate: sudo security update 2010-04-20 15:43:24 UTC

Description Tomas Hoger 2010-04-08 09:44:44 UTC
It was discovered that the original upstream fix for the sudo's sudoedit privilege escalation flaw known as CVE-2010-0426 (see bug #567337) did not fully resolve the issue.  In configurations where sudo's ignore_dot option was set to off (default is on), the user allowed to sudoedit some file with the privileges of some user could run arbitrary command with the privileges of that user.

Acknowledgements:

Red Hat would like to thank Todd C. Miller, the upstream sudo maintainer, for responsibly reporting this issue. Upstream acknowledges Valerio Costamagna as the original reporter.

Comment 1 Tomas Hoger 2010-04-08 09:46:28 UTC
Created attachment 405247 [details]
Upstream patch

Comment 3 Tomas Hoger 2010-04-08 10:50:43 UTC
As with the original flaw, sudo versions in Red Hat Enterprise Linux 3 and 4 were not affected by this flaw, as they do not support sudoedit special command.

This issue did *not* affect sudo 1.6.9p17 packages released in RHSA-2010:0122 fixing CVE-2010-0426.  In that sudo version, ignore_dot option value can not be changed from the sudoers configuration file and the compile-time default value is always used ('on' in RHEL sudo packages, configure run with --with-ignore-dot), as is documented in the sudoers manpage:

  ignore_dot
    [ ... ]
    This flag is on by default.  Currently, while it is possible to set
    ignore_dot in sudoers, its value is not used.  This option should be
    considered read-only (it will be fixed in a future version of sudo).

However, RHBA-2010:0212, released as part of Red Hat Enterprise Linux 5.5, rebased sudo packages to upstream version 1.7.2p1, which allows changing ignore_dot option value using the sudoers configuration file.  Hence, only users that already upgraded to RHEL-5.5 sudo packages and changed ignore_dot default value in the sudoers file can be affected by this flaw.

Comment 5 Tomas Hoger 2010-04-12 16:19:16 UTC
(In reply to comment #1)
> Created an attachment (id=405247) [details]
> Upstream patch    

Committed upstream as: http://sudo.ws/repos/sudo/rev/07de8e40cb4c

Comment 6 Tomas Hoger 2010-04-13 14:42:01 UTC
Public now via:
  http://sudo.ws/sudo/alerts/sudoedit_escalate2.html

Fixed upstream in versions 1.7.2p6 and 1.6.9p22.

Comment 7 Fedora Update System 2010-04-14 14:47:46 UTC
sudo-1.7.2p6-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/sudo-1.7.2p6-1.fc11

Comment 8 Fedora Update System 2010-04-14 14:48:12 UTC
sudo-1.7.2p6-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/sudo-1.7.2p6-1.fc12

Comment 9 Fedora Update System 2010-04-14 14:48:23 UTC
sudo-1.7.2p6-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/sudo-1.7.2p6-1.fc13

Comment 10 Vincent Danen 2010-04-16 04:58:46 UTC
This has been assigned CVE-2010-1163.

Comment 11 errata-xmlrpc 2010-04-20 15:43:26 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0361 https://rhn.redhat.com/errata/RHSA-2010-0361.html

Comment 12 Fedora Update System 2010-04-23 06:04:33 UTC
sudo-1.7.2p6-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2010-05-03 16:05:24 UTC
sudo-1.7.2p6-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2010-05-03 16:11:11 UTC
sudo-1.7.2p6-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.