ports/131446: [patch] [vuxml] security/sudo: fix CVE-2009-0034
Eygene Ryabinkin
rea-fbsd@codelabs.ru
Fri Feb 6 14:30:06 UTC 2009
>Number: 131446
>Category: ports
>Synopsis: [patch] [vuxml] security/sudo: fix CVE-2009-0034
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Feb 06 14:30:04 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: Eygene Ryabinkin
>Release: FreeBSD 7.1-STABLE amd64
>Organization:
Code Labs
>Environment:
System: FreeBSD 7.1-STABLE amd64
>Description:
It was discovered [1] that in certain system configurations that allow
users to run commands as members of some group, the backport error
in sudo up to 1.9.6p20 permitted these users to run commands as root.
[1] http://www.gratisoft.us/pipermail/sudo-announce/2009-February/000085.html
>How-To-Repeat:
Insert the following rule into sudoers,
-----
user ALL=(%group) ALL
-----
where 'user' is an ordinary user and 'group' is the group of that user.
Then try 'sudo -L root COMMAND'. It will give me root with 1.9.6p17.
>Fix:
The following patch updates the current port to 1.9.6p20, which has
this bug fixed. I have tested the port for the non-LDAP case -- it works for me
and fixes the issue.
--- fix-CVE-2009-0034.diff begins here ---
From fbf8b6659e4ac2988f867b775c2fdac10fbdee7e Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Date: Fri, 6 Feb 2009 17:15:29 +0300
Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
---
security/sudo/Makefile | 4 ++--
security/sudo/distinfo | 6 +++---
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/security/sudo/Makefile b/security/sudo/Makefile
index 3848874..5a68e05 100644
--- a/security/sudo/Makefile
+++ b/security/sudo/Makefile
@@ -6,7 +6,7 @@
#
PORTNAME= sudo
-PORTVERSION= 1.6.9.17
+PORTVERSION= 1.6.9.20
CATEGORIES= security
MASTER_SITES= http://www.sudo.ws/sudo/dist/ \
ftp://obsd.isc.org/pub/sudo/ \
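Review bot: the hunk shows only the PORTVERSION line moving from 1.6.9.17 to 1.6.9.20; please confirm that no PORTREVISION line exists outside these seven context lines (it has to be removed, not carried over, when PORTVERSION changes) and that any patches under files/ still apply cleanly to the p20 tarball.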
@@ -16,7 +16,7 @@ MASTER_SITES= http://www.sudo.ws/sudo/dist/ \
ftp://ftp.wiretapped.net/pub/security/host-security/sudo/ \
${MASTER_SITE_LOCAL}
MASTER_SITE_SUBDIR= tmclaugh/sudo
-DISTNAME= ${PORTNAME}-1.6.9p17
+DISTNAME= ${PORTNAME}-1.6.9p20
MAINTAINER= tmclaugh at FreeBSD.org
COMMENT= Allow others to run commands as root
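Review bot: DISTNAME now resolves to sudo-1.6.9p20, which matches the new distinfo entries, but ${MASTER_SITE_LOCAL} with MASTER_SITE_SUBDIR= tmclaugh/sudo stays in the fetch list, so the maintainer's local mirror needs the p20 tarball uploaded or fetches will depend on the upstream sites alone.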
diff --git a/security/sudo/distinfo b/security/sudo/distinfo
index dfc778c..9103e9d 100644
--- a/security/sudo/distinfo
+++ b/security/sudo/distinfo
@@ -1,3 +1,3 @@
-MD5 (sudo-1.6.9p17.tar.gz) = 60daf18f28e2c1eb7641c4408e244110
-SHA256 (sudo-1.6.9p17.tar.gz) = 1e2cd4ff684c6f542b7e392010021f36b201d074620dad4d7689da60f9c74596
-SIZE (sudo-1.6.9p17.tar.gz) = 593534
+MD5 (sudo-1.6.9p20.tar.gz) = cd1caee0227641968d63d06845dea70a
+SHA256 (sudo-1.6.9p20.tar.gz) = 1197bd5f2087c13a3837e1c4da250f7db2a86f843bf00f2b3568f6410239ac7b
+SIZE (sudo-1.6.9p20.tar.gz) = 596009
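Review bot: the new MD5/SHA256/SIZE values for sudo-1.6.9p20.tar.gz should be cross-checked against the checksums or signature published upstream rather than only regenerated locally with `make makesum`, and since the PR states that only the non-LDAP build was tested, an LDAP-enabled build of p20 remains unverified.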
--
1.6.1
--- fix-CVE-2009-0034.diff ends here ---
The following VuXML entry should be evaluated and added:
--- vuln.xml begins here ---
<vuln vid="13d6d997-f455-11dd-8516-001b77d09812">
<topic>sudo -- certain authorized users could run commands as any user</topic>
<affects>
<package>
<name>sudo</name>
<range><ge>1.6.9.17</ge><lt>1.6.9.20</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Todd Miller reports:</p>
<blockquote
cite="http://www.gratisoft.us/pipermail/sudo-announce/2009-February/000085.html">
<p>A bug was introduced in Sudo's group matching code in
version 1.6.9 when support for matching based on the
supplemental group vector was added. This bug may allow
certain users listed in the sudoers file to run a command as a
different user than their access rule specifies.</p>
</blockquote>
</body>
</description>
<references>
<mlist msgid="200902041802.n14I2llS024155@core.courtesan.com">http://www.gratisoft.us/pipermail/sudo-announce/2009-February/000085.html</mlist>
<cvename>CVE-2009-0034</cvename>
<bid>33517</bid>
</references>
<dates>
<discovery>2009-02-04</discovery>
<entry>TODAY</entry>
</dates>
</vuln>
--- vuln.xml ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
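As an added example (not part of this PR or the ports tree), the following checks an installed package version against the <affects> range of the VuXML entry above, the way a vulnerability-audit tool would evaluate it; the embedded XML is a constructed, trimmed copy of that entry, and the version comparison is a simplified dotted-integer key with no PORTEPOCH or PORTREVISION handling.

```python
import operator
import xml.etree.ElementTree as ET

# Constructed, trimmed copy of the <affects> part of the VuXML entry above;
# description, references and dates are omitted.
VULN_XML = """<vuln vid="13d6d997-f455-11dd-8516-001b77d09812">
  <affects>
    <package>
      <name>sudo</name>
      <range><ge>1.6.9.17</ge><lt>1.6.9.20</lt></range>
    </package>
  </affects>
</vuln>"""

# Bound element names VuXML allows inside <range>, mapped to comparisons.
OPS = {"ge": operator.ge, "gt": operator.gt, "le": operator.le,
       "lt": operator.lt, "eq": operator.eq}

def version_key(version):
    """Simplified ports-style key: dotted integers only. Assumption: inputs
    carry no PORTEPOCH (",1") or PORTREVISION ("_2") suffix."""
    return tuple(int(part) for part in version.split("."))

def pad(a, b):
    """Zero-pad the shorter tuple so 1.6.9 compares equal to 1.6.9.0."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))

def parse_affects(vuln_xml):
    """Return (vid, [(package name, [[(op, bound), ...], ...]), ...])."""
    root = ET.fromstring(vuln_xml)
    packages = []
    for pkg in root.iter("package"):
        ranges = [[(bound.tag, bound.text.strip()) for bound in rng]
                  for rng in pkg.findall("range")]
        for name in pkg.findall("name"):  # one <package> may list several names
            packages.append((name.text.strip(), ranges))
    return root.get("vid"), packages

def is_affected(pkg_name, pkg_version, vuln_xml=VULN_XML):
    """True if pkg_name/pkg_version falls inside any <range> of the entry."""
    _vid, packages = parse_affects(vuln_xml)
    installed = version_key(pkg_version)
    # Every bound within one <range> must hold; any matching <range> suffices.
    return any(
        all(OPS[op](*pad(installed, version_key(bound))) for op, bound in rng)
        for name, ranges in packages if name == pkg_name for rng in ranges)
```

Note that with the entry's lower bound of 1.6.9.17, a sudo 1.6.9.16 package is reported as unaffected even though the quoted advisory says the bug was introduced in 1.6.9, so whoever evaluates the entry should decide whether the <ge> bound is meant to cover the whole 1.6.9 series.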