ports/74297: security/sudoscript to 2.1.2; fixes security bug

Howard Owen hbo at egbok.com
Tue Nov 23 16:50:21 UTC 2004


>Number:         74297
>Category:       ports
>Synopsis:       security/sudoscript to 2.1.2; fixes security bug
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Tue Nov 23 16:50:20 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator:     Howard Owen
>Release:        FreeBSD 5.3-RELEASE i386
>Organization:
EGBOK Consultants
>Environment:
System: FreeBSD freebie.egbok.com 5.3-RELEASE FreeBSD 5.3-RELEASE #0: Fri Nov 5 04:19:18 UTC 2004 root@harlow.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386

>Description:
Version 2.1.2 of sudoscript closes a hole in which a member of the 
"ssers" group, in use when non-root access is enabled by sudoscript,
can send a HUP signal to any process on the system.

This update changes the signal used by sudoscriptd from HUP to
WINCH. The latter is ignored by most processes whereas the former
is not. If sudoscript is used to enable root access only, then this
bug doesn't bite, since the root-enabled user can do lots more mischief
without signaling arbitrary processes.

>How-To-Repeat:
I could tell you, but then I'd have to shoot myself. 8)
>Fix:
begin 644 portpatch
M9&EF9B`M<G5.('-U9&]S8W)I<'0M;W)I9R]-86ME9FEL92!S=61O<V-R:7!T
M+TUA:V5F:6QE"BTM+2!S=61O<V-R:7!T+6]R:6<O36%K969I;&4)5'5E($9E
M8B`@,R`R,3HP.#HU,B`R,#`T"BLK*R!S=61O<V-R:7!T+TUA:V5F:6QE"4UO
M;B!.;W8@,C(@,C$Z-#<Z,#<@,C`P-`I`0"`M,2PQ,R`K,2PQ,2!`0`H@(R!.
M97<@<&]R=',@8V]L;&5C=&EO;B!M86ME9FEL92!F;W(Z("`@<W5D;W-C<FEP
M=`HM(R!$871E(&-R96%T960Z("`@("`@("`Q-R!*=6YE+"`R,#`S"BLC($1A
M=&4@8W)E871E9#H@("`@("`@(#(R($YO=F5M8F5R+"`R,#`T"B`C(%=H;VTZ
M("`@("`@("`@("`@("`@(&AB;T!E9V)O:RYC;VT*+2,*+2,@)$9R965"4T0Z
M('!O<G1S+W-E8W5R:71Y+W-U9&]S8W)I<'0O36%K969I;&4L=B`Q+C0@,C`P
M-"\P,B\P-"`P-3HP.#HU,B!M87)C=7,@17AP("0**R,@)$9R965"4T0D"B`C
M"B`*(%!/4E1.04U%/0ES=61O<V-R:7!T"BU03U)45D524TE/3CT),BXQ+C$*
M+5!/4E12159)4TE/3CT),PHK4$]25%9%4E-)3TX]"3(N,2XR"B!#051%1T]2
M2453/0ES96-U<FET>0H@34%35$527U-)5$53/0EH='1P.B\O9&]W;FQO860N
M<V]U<F-E9F]R9V4N;F5T+W-U9&]S8W)I<'0O(%P*(`D):'1T<#HO+V5G8F]K
M+F-O;2]S=61O<V-R:7!T+PI`0"`M,C(L-2`K,C`L-"!`0`H@"B!54T5?1TU!
M2T4]"7EE<PH@55-%7U!%4DPU/0EY97,*+0H@+FEN8VQU9&4@/&)S9"YP;W)T
M+FUK/@ID:69F("UR=4X@<W5D;W-C<FEP="UO<FEG+V1I<W1I;F9O('-U9&]S
M8W)I<'0O9&ES=&EN9F\*+2TM('-U9&]S8W)I<'0M;W)I9R]D:7-T:6YF;PE4
M=64@36%R(#,P(#$Y.C$Q.C$T(#(P,#0**RLK('-U9&]S8W)I<'0O9&ES=&EN
M9F\)36]N($YO=B`R,B`R,3HS,#HQ."`R,#`T"D!`("TQ+#(@*S$L,B!`0`HM
M340U("AS=61O<V-R:7!T+3(N,2XQ+G1A<BYG>BD@/2!D93%E8V$Q-38R-F(S
M9&8W-#AB8C9D9C<P8C<Y,S`R-0HM4TE:12`H<W5D;W-C<FEP="TR+C$N,2YT
M87(N9WHI(#T@,S,V,#DV"BM-1#4@*'-U9&]S8W)I<'0M,BXQ+C(N=&%R+F=Z
M*2`](&%C,&8X,3(X965F.6)F,3EF,#8P.3)A,6$V9#9C9CDT"BM325I%("AS
M=61O<V-R:7!T+3(N,2XR+G1A<BYG>BD@/2`S,S@T.#4*9&EF9B`M<G5.('-U
M9&]S8W)I<'0M;W)I9R]P:V<M<&QI<W0@<W5D;W-C<FEP="]P:V<M<&QI<W0*
M+2TM('-U9&]S8W)I<'0M;W)I9R]P:V<M<&QI<W0)1G)I($IA;B`S,"`P,SHQ
M-SHR-B`R,#`T"BLK*R!S=61O<V-R:7!T+W!K9RUP;&ES=`E-;VX@3F]V(#(R
M(#(Q.C,P.C$X(#(P,#0*0$`@+3,L,S(@*S,L,S(@0$`*(&5T8R]R8RYD+W-U
M9&]S8W)I<'1D+G-H"B!L:6(O<W5D;W-C<FEP="]3=61O<V-R:7!T+G!M"B!S
M8FEN+W-U9&]S8W)I<'1D"BUS:&%R92]D;V,O<W5D;W-C<FEP="TR+C$N,2\R
M+C!A<F-H+F=I9@HM<VAA<F4O9&]C+W-U9&]S8W)I<'0M,BXQ+C$O,BXP87)C
M:"YH=&UL"BUS:&%R92]D;V,O<W5D;W-C<FEP="TR+C$N,2\R+C!A<F-H+GAM
M;`HM<VAA<F4O9&]C+W-U9&]S8W)I<'0M,BXQ+C$O0TA!3D=%3$]'"BUS:&%R
M92]D;V,O<W5D;W-C<FEP="TR+C$N,2])3E-404Q,"BUS:&%R92]D;V,O<W5D
M;W-C<FEP="TR+C$N,2]03U)#34],4U5,0BYH=&UL"BUS:&%R92]D;V,O<W5D
M;W-C<FEP="TR+C$N,2]03U)#34],4U5,0BYP9&8*+7-H87)E+V1O8R]S=61O
M<V-R:7!T+3(N,2XQ+U!/4D--3TQ354Q"+GAM;`HM<VAA<F4O9&]C+W-U9&]S
M8W)I<'0M,BXQ+C$O4W5D;W-C<FEP="XS<&TN:'1M;`HM<VAA<F4O9&]C+W-U
M9&]S8W)I<'0M,BXQ+C$O4W5D;W-C<FEP="YP;2US<F,N:'1M;`HM<VAA<F4O
M9&]C+W-U9&]S8W)I<'0M,BXQ+C$O9'1D+V5G8F]K9&]C+F1T9`HM<VAA<F4O
M9&]C+W-U9&]S8W)I<'0M,BXQ+C$O<W5D;W-C<FEP="YP;V0*+7-H87)E+V1O
M8R]S=61O<V-R:7!T+3(N,2XQ+W-U9&]S8W)I<'0N."YH=&UL"BUS:&%R92]D
M;V,O<W5D;W-C<FEP="TR+C$N,2]S=61O<V-R:7!T9"US<F,N:'1M;`HM<VAA
M<F4O9&]C+W-U9&]S8W)I<'0M,BXQ+C$O<W5D;W-C<FEP=&0N."YH=&UL"BUS
M:&%R92]D;V,O<W5D;W-C<FEP="TR+C$N,2]S=61O<VAE;&PM<W)C+FAT;6P*
M+7-H87)E+V1O8R]S=61O<V-R:7!T+3(N,2XQ+W-U9&]S:&5L;"XQ+FAT;6P*
M+7-H87)E+V1O8R]S=61O<V-R:7!T+3(N,2XQ+WAS;"]E9V)O:V1O8RYX<VP*
M+7-H87)E+V1O8R]S=61O<V-R:7!T+3(N,2XQ+WAS;"]E9V)O:V1O8S)F;W`N
M>'-L"BMS:&%R92]D;V,O<W5D;W-C<FEP="TR+C$N,B\R+C!A<F-H+F=I9@HK
M<VAA<F4O9&]C+W-U9&]S8W)I<'0M,BXQ+C(O,BXP87)C:"YH=&UL"BMS:&%R
M92]D;V,O<W5D;W-C<FEP="TR+C$N,B\R+C!A<F-H+GAM;`HK<VAA<F4O9&]C
M+W-U9&]S8W)I<'0M,BXQ+C(O0TA!3D=%3$]'"BMS:&%R92]D;V,O<W5D;W-C
M<FEP="TR+C$N,B])3E-404Q,"BMS:&%R92]D;V,O<W5D;W-C<FEP="TR+C$N
M,B]03U)#34],4U5,0BYH=&UL"BMS:&%R92]D;V,O<W5D;W-C<FEP="TR+C$N
M,B]03U)#34],4U5,0BYP9&8**W-H87)E+V1O8R]S=61O<V-R:7!T+3(N,2XR
M+U!/4D--3TQ354Q"+GAM;`HK<VAA<F4O9&]C+W-U9&]S8W)I<'0M,BXQ+C(O
M4W5D;W-C<FEP="XS<&TN:'1M;`HK<VAA<F4O9&]C+W-U9&]S8W)I<'0M,BXQ
M+C(O4W5D;W-C<FEP="YP;2US<F,N:'1M;`HK<VAA<F4O9&]C+W-U9&]S8W)I
M<'0M,BXQ+C(O9'1D+V5G8F]K9&]C+F1T9`HK<VAA<F4O9&]C+W-U9&]S8W)I
M<'0M,BXQ+C(O<W5D;W-C<FEP="YP;V0**W-H87)E+V1O8R]S=61O<V-R:7!T
M+3(N,2XR+W-U9&]S8W)I<'0N."YH=&UL"BMS:&%R92]D;V,O<W5D;W-C<FEP
M="TR+C$N,B]S=61O<V-R:7!T9"US<F,N:'1M;`HK<VAA<F4O9&]C+W-U9&]S
M8W)I<'0M,BXQ+C(O<W5D;W-C<FEP=&0N."YH=&UL"BMS:&%R92]D;V,O<W5D
M;W-C<FEP="TR+C$N,B]S=61O<VAE;&PM<W)C+FAT;6P**W-H87)E+V1O8R]S
M=61O<V-R:7!T+3(N,2XR+W-U9&]S:&5L;"XQ+FAT;6P**W-H87)E+V1O8R]S
M=61O<V-R:7!T+3(N,2XR+WAS;"]E9V)O:V1O8RYX<VP**W-H87)E+V1O8R]S
M=61O<V-R:7!T+3(N,2XR+WAS;"]E9V)O:V1O8S)F;W`N>'-L"B!`9&ER<FT@
M;&EB+W-U9&]S8W)I<'0*+4!D:7)R;2!S:&%R92]D;V,O<W5D;W-C<FEP="TR
M+C$N,2]X<VP*+4!D:7)R;2!S:&%R92]D;V,O<W5D;W-C<FEP="TR+C$N,2]D
M=&0*+4!D:7)R;2!S:&%R92]D;V,O<W5D;W-C<FEP="TR+C$N,0HK0&1I<G)M
M('-H87)E+V1O8R]S=61O<V-R:7!T+3(N,2XR+WAS;`HK0&1I<G)M('-H87)E
M+V1O8R]S=61O<V-R:7!T+3(N,2XR+V1T9`HK0&1I<G)M('-H87)E+V1O8R]S
0=61O<V-R:7!T+3(N,2XR"@``
`
end

>Release-Note:
>Audit-Trail:
>Unformatted:
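The fix described in this PR rests on one property of default signal dispositions: a process that has installed no handler discards SIGWINCH but is terminated by SIGHUP, so a daemon that waits for WINCH can be poked by unprivileged users at far less risk than one poked with HUP. The script below is an added illustration written for this page; it is not sudoscript's code and assumes a POSIX system (Linux or FreeBSD) with Python 3 and a `sleep` binary. It delivers each signal to a throwaway child that has default dispositions, reports whether the child survived, and then shows that a process which does install a WINCH handler (as sudoscriptd 2.1.2 is described as doing) still receives the signal.

```python
import os
import signal
import subprocess
import time


def _default_dispositions():
    # Runs in the child between fork and exec: put SIGHUP and SIGWINCH back to
    # their defaults even if the parent (e.g. a shell under nohup) ignores them,
    # so the outcome reflects the kernel defaults rather than inherited state.
    signal.signal(signal.SIGHUP, signal.SIG_DFL)
    signal.signal(signal.SIGWINCH, signal.SIG_DFL)


def outcome_for(signal_name, timeout=1.0):
    """Deliver the named signal ("SIGHUP", "SIGWINCH", ...) to a throwaway
    child ("sleep 30") that installs no handlers and report the result:
    "ignored"  - the child is still running after the signal
    "killed"   - the child died from exactly that signal
    "exited N" - the child ended some other way"""
    sig = getattr(signal, signal_name)
    child = subprocess.Popen(["sleep", "30"], preexec_fn=_default_dispositions)
    # Popen returns only after the child has exec'd, so the signal reaches sleep.
    os.kill(child.pid, sig)
    try:
        child.wait(timeout=timeout)
    except subprocess.TimeoutExpired:
        child.kill()          # clean up the survivor
        child.wait()
        return "ignored"
    if child.returncode == -int(sig):   # negative return code = died from that signal
        return "killed"
    return "exited %d" % child.returncode


def daemon_receives_winch():
    """The daemon side: a process that explicitly installs a SIGWINCH handler
    still gets the signal, even though processes without a handler drop it."""
    received = []
    previous = signal.signal(signal.SIGWINCH,
                             lambda signum, frame: received.append(signum))
    try:
        os.kill(os.getpid(), signal.SIGWINCH)
        time.sleep(0.05)      # give the interpreter a chance to run the handler
    finally:
        signal.signal(signal.SIGWINCH, previous)
    return received == [signal.SIGWINCH]


if __name__ == "__main__":
    for name in ("SIGWINCH", "SIGHUP"):
        print("%-8s -> %s" % (name, outcome_for(name)))
    print("handler-installing process received WINCH:", daemon_receives_winch())
```

Run stand-alone, the script reports SIGWINCH as ignored and SIGHUP as killed for the handler-less child, and True for the handler-installing process. The same asymmetry is why a sudo rule that lets a group send a fixed signal is much less damaging when that signal is WINCH than when it is HUP: most daemons reread configuration or restart on HUP, while almost nothing reacts to WINCH.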
