ports/131446: [patch] [vuxml] security/sudo: fix CVE-2009-0034

Eygene Ryabinkin rea-fbsd at codelabs.ru
Fri Feb 6 14:30:06 UTC 2009


>Number:         131446
>Category:       ports
>Synopsis:       [patch] [vuxml] security/sudo: fix CVE-2009-0034
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Feb 06 14:30:04 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 7.1-STABLE amd64
>Organization:
Code Labs
>Environment:

System: FreeBSD 7.1-STABLE amd64

>Description:

It was discovered [1] that in certain system configurations that allow
users to run commands as the members of some group, the backport error
in sudo up to 1.6.9p20 permitted these users to run commands as root.

[1] http://www.gratisoft.us/pipermail/sudo-announce/2009-February/000085.html

>How-To-Repeat:

Insert the following rule to the sudoers,
-----
user ALL=(%group) ALL
-----
where 'user' is an ordinary user and 'group' is the user's group.
And try 'sudo -L root COMMAND'.  It will give me root with 1.6.9p17.

>Fix:

The following patch updates the current port to 1.6.9p20, which has
this bug fixed.  I have tested the port for the non-LDAP case -- works for me
and fixes the issue.
--- fix-CVE-2009-0034.diff begins here ---
>From fbf8b6659e4ac2988f867b775c2fdac10fbdee7e Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <rea-fbsd at codelabs.ru>
Date: Fri, 6 Feb 2009 17:15:29 +0300

Signed-off-by: Eygene Ryabinkin <rea-fbsd at codelabs.ru>
---
 security/sudo/Makefile |    4 ++--
 security/sudo/distinfo |    6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/security/sudo/Makefile b/security/sudo/Makefile
index 3848874..5a68e05 100644
--- a/security/sudo/Makefile
+++ b/security/sudo/Makefile
@@ -6,7 +6,7 @@
 #
 
 PORTNAME=	sudo
-PORTVERSION=	1.6.9.17
+PORTVERSION=	1.6.9.20
 CATEGORIES=	security
 MASTER_SITES=	http://www.sudo.ws/sudo/dist/ \
 		ftp://obsd.isc.org/pub/sudo/ \
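Review bot: the PORTVERSION bump to 1.6.9.20 is correct on its own, but the hunk's seven lines of context do not show whether the Makefile carries a PORTREVISION line; if one exists outside this hunk it has to be reset to 0 (or removed) in the same change, otherwise the package would be built as 1.6.9.20_N. The commit message above this diff also has no subject or body besides the Signed-off-by line; a one-line summary naming CVE-2009-0034 and the version bump would document why the update is being made.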
@@ -16,7 +16,7 @@ MASTER_SITES=	http://www.sudo.ws/sudo/dist/ \
 		ftp://ftp.wiretapped.net/pub/security/host-security/sudo/ \
 		${MASTER_SITE_LOCAL}
 MASTER_SITE_SUBDIR=	tmclaugh/sudo
-DISTNAME=	${PORTNAME}-1.6.9p17
+DISTNAME=	${PORTNAME}-1.6.9p20
 
 MAINTAINER=	tmclaugh at FreeBSD.org
 COMMENT=	Allow others to run commands as root
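Review bot: DISTNAME now spells the version out a second time as `${PORTNAME}-1.6.9p20`, so every future update has to touch PORTVERSION and DISTNAME in lockstep and a mismatch between the two would only be caught at fetch time. Deriving it instead, e.g. `DISTNAME=	${PORTNAME}-${PORTVERSION:R}p${PORTVERSION:E}`, removes the duplicate: with PORTVERSION=1.6.9.20, the :R modifier yields 1.6.9 and :E yields 20, giving the same sudo-1.6.9p20 distfile name.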
diff --git a/security/sudo/distinfo b/security/sudo/distinfo
index dfc778c..9103e9d 100644
--- a/security/sudo/distinfo
+++ b/security/sudo/distinfo
@@ -1,3 +1,3 @@
-MD5 (sudo-1.6.9p17.tar.gz) = 60daf18f28e2c1eb7641c4408e244110
-SHA256 (sudo-1.6.9p17.tar.gz) = 1e2cd4ff684c6f542b7e392010021f36b201d074620dad4d7689da60f9c74596
-SIZE (sudo-1.6.9p17.tar.gz) = 593534
+MD5 (sudo-1.6.9p20.tar.gz) = cd1caee0227641968d63d06845dea70a
+SHA256 (sudo-1.6.9p20.tar.gz) = 1197bd5f2087c13a3837e1c4da250f7db2a86f843bf00f2b3568f6410239ac7b
+SIZE (sudo-1.6.9p20.tar.gz) = 596009
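Review bot: the three replacement checksum lines should be confirmed against a sudo-1.6.9p20.tar.gz fetched from the primary MASTER_SITE (http://www.sudo.ws/sudo/dist/) and, where upstream publishes one, against the checksum in the release announcement, rather than only being regenerated with `make makesum`, which records whatever file happened to be fetched; a reviewer can re-run `make makesum` on a fresh fetch and check that the SHA256 and SIZE lines come out identical to the `+` lines here. The MD5 line is carried along for compatibility with older tooling; the SHA256 value is what actually authenticates the distfile.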
-- 
1.6.1
--- fix-CVE-2009-0034.diff ends here ---

The following VuXML entry should be evaluated and added:
--- vuln.xml begins here ---
  <vuln vid="13d6d997-f455-11dd-8516-001b77d09812">
    <topic>sudo -- certain authorized users could run commands as any user</topic>
    <affects>
      <package>
        <name>sudo</name>
        <range><ge>1.6.9.17</ge><lt>1.6.9.20</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Todd Miller reports:</p>
        <blockquote
          cite="http://www.gratisoft.us/pipermail/sudo-announce/2009-February/000085.html">
          <p>A bug was introduced in Sudo's group matching code in
          version 1.6.9 when support for matching based on the
          supplemental group vector was added.  This bug may allow
          certain users listed in the sudoers file to run a command as a
          different user than their access rule specifies.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <mlist msgid="200902041802.n14I2llS024155@core.courtesan.com">http://www.gratisoft.us/pipermail/sudo-announce/2009-February/000085.html</mlist>
      <cvename>CVE-2009-0034</cvename>
      <bid>33517</bid>
    </references>
    <dates>
      <discovery>2009-02-04</discovery>
      <entry>TODAY</entry>
    </dates>
  </vuln>
--- vuln.xml ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
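The proposed VuXML entry above expresses the affected versions as a `<range>` with `<ge>` and `<lt>` bounds, and whether an installed package falls inside that range is what the ports audit tooling decides from it. The following is an added example, not part of this PR or of the ports tree: a small, self-contained re-implementation of that range check in Python. It embeds the `<vuln>` entry from the PR (with the `<description>` body left out, since only `<affects>` matters here) and uses a deliberately simplified version comparison that covers dotted numeric versions with an optional `_revision` and `,epoch`, as used for this port, and rejects letter suffixes such as `p20` rather than guessing; the real pkg_version(1) rules are broader.

```python
"""Check package versions against the <affects> ranges of a VuXML entry.

Added example, not part of the PR or the ports tree: a small re-implementation
of the range test that FreeBSD's portaudit / pkg-audit tooling applies when it
decides whether an installed package is covered by a VuXML entry.  The version
comparison is a simplification of the pkg_version(1) rules (dotted numeric
components, optional "_revision" and ",epoch"); it covers the 1.6.9.x versions
used in this PR but rejects letter suffixes such as "p20" rather than guessing.
"""
import re
import xml.etree.ElementTree as ET

# The <vuln> entry proposed in the PR, copied from it with the <description>
# body left out because only <affects> matters for the range check.
VULN_XML = """<vuln vid="13d6d997-f455-11dd-8516-001b77d09812">
  <topic>sudo -- certain authorized users could run commands as any user</topic>
  <affects>
    <package>
      <name>sudo</name>
      <range><ge>1.6.9.17</ge><lt>1.6.9.20</lt></range>
    </package>
  </affects>
</vuln>"""


def parse_version(version):
    """Split e.g. "1.6.9.19_2,1" into (epoch, numeric components, revision)."""
    epoch = 0
    if "," in version:
        version, epoch_str = version.rsplit(",", 1)
        epoch = int(epoch_str)
    revision = 0
    if "_" in version:
        version, rev_str = version.rsplit("_", 1)
        revision = int(rev_str)
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        # Simplification: letter suffixes ("1.6.9p20") are not handled here.
        raise ValueError("unsupported version syntax: %r" % version)
    return epoch, tuple(int(c) for c in version.split(".")), revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as a is older than, equal to or newer than b.

    Epoch wins over everything, then the dotted components (padded with
    zeros so that 1.6.9 == 1.6.9.0), then the port revision.
    """
    epoch_a, comps_a, rev_a = parse_version(a)
    epoch_b, comps_b, rev_b = parse_version(b)
    width = max(len(comps_a), len(comps_b))
    comps_a += (0,) * (width - len(comps_a))
    comps_b += (0,) * (width - len(comps_b))
    key_a, key_b = (epoch_a, comps_a, rev_a), (epoch_b, comps_b, rev_b)
    return (key_a > key_b) - (key_a < key_b)


# VuXML bound elements and the comparison result each one accepts.
BOUNDS = {
    "lt": lambda c: c < 0,
    "le": lambda c: c <= 0,
    "eq": lambda c: c == 0,
    "ge": lambda c: c >= 0,
    "gt": lambda c: c > 0,
}


def affected_ranges(vuln_xml, pkgname):
    """Yield the bound list of every <range> that applies to pkgname."""
    root = ET.fromstring(vuln_xml)
    for package in root.iter("package"):
        names = [n.text.strip() for n in package.findall("name")]
        if pkgname not in names:
            continue
        for rng in package.findall("range"):
            yield [(bound.tag, bound.text.strip()) for bound in rng]


def is_affected(vuln_xml, pkgname, version):
    """True when version satisfies every bound of at least one <range>."""
    for bounds in affected_ranges(vuln_xml, pkgname):
        if all(BOUNDS[tag](compare_versions(version, value))
               for tag, value in bounds):
            return True
    return False


if __name__ == "__main__":
    for v in ("1.6.9.16", "1.6.9.17", "1.6.9.19_1", "1.6.9.20"):
        print("sudo-%s affected: %s" % (v, is_affected(VULN_XML, "sudo", v)))
```

Run as a script it reports that 1.6.9.17 and 1.6.9.19_1 fall inside the entry's range while 1.6.9.16 and the fixed 1.6.9.20 do not; a port revision bump (`_1`) stays inside the range because the range is about the upstream version, whereas an epoch bump (`,1`) sorts above every bound and would need the entry to be adjusted.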
