svn commit: r563000 - branches/2021Q1/security/sudo

Cy Schubert cy at FreeBSD.org
Tue Jan 26 20:40:58 UTC 2021 

Author: cy
Date: Tue Jan 26 20:40:57 2021
New Revision: 563000
URL: https://svnweb.freebsd.org/changeset/ports/563000

Log:
  MFH: r562997
  
  security/sudo - update 1.9.5p1 to 1.9.5p2
  
  	(text/plain)
  Sudo version 1.9.5p2 is now available which fixes CVE-2021-3156
  (aka Baron Samedit), a severe security vulnerability in sudo versions
  1.8.2 through 1.9.5p1.  For more details, see:
      https://www.sudo.ws/alerts/unescape_overflow.html
      https://www.openwall.com/lists/oss-security/2021/01/26/3
  
  Source:
      https://www.sudo.ws/dist/sudo-1.9.5p2.tar.gz
      ftp://ftp.sudo.ws/pub/sudo/sudo-1.9.5p2.tar.gz
      SHA256 539e2ef43c8a55026697fb0474ab6a925a11206b5aa58710cb42a0e1c81f0978
      MD5 e6bc4c18c06346e6b3431637a2b5f3d5
  
  Patch:
      https://www.sudo.ws/dist/sudo-1.9.5p2.patch.gz
      ftp://ftp.sudo.ws/pub/sudo/sudo-1.9.5p2.patch.gz
      SHA256 0dd80809c4061670a0b393445b2807be452caf5d5988f279e736040cef1c14dc
      MD5 2816f5fa537c61fb913046ef20b88e3b
  
  Binary packages:
      https://www.sudo.ws/download.html#binary
      https://github.com/sudo-project/sudo/releases/tag/SUDO_1_9_5p2
  
  For a list of download mirror sites, see:
      https://www.sudo.ws/download_mirrors.html
  
  Sudo web site:
      https://www.sudo.ws/
  
  Sudo web site mirrors:
      https://www.sudo.ws/mirrors.html
  
  Major changes between sudo 1.9.5p2 and 1.9.5p1
  
   * Fixed sudo's setprogname(3) emulation on systems that don't
     provide it.
  
   * Fixed a problem with the sudoers log server client where a partial
     write to the server could result the sudo process consuming large
     amounts of CPU time due to a cycle in the buffer queue. Bug #954.
  
   * Added a missing dependency on libsudo_util in libsudo_eventlog.
     Fixes a link error when building sudo statically.
  
   * The user's KRB5CCNAME environment variable is now preserved when
     performing PAM authentication.  This fixes GSSAPI authentication
     when the user has a non-default ccache.
  
   * When invoked as sudoedit, the same set of command line options
     are now accepted as for "sudo -e".  The -H and -P options are
     now rejected for sudoedit and "sudo -e" which matches the sudo
     1.7 behavior.  This is part of the fix for CVE-2021-3156.
  
   * Fixed a potential buffer overflow when unescaping backslashes
     in the command's arguments.  Normally, sudo escapes special
     characters when running a command via a shell (sudo -s or sudo
     -i).  However, it was also possible to run sudoedit with the -s
     or -i flags in which case no escaping had actually been done,
     making a buffer overflow possible.  This fixes CVE-2021-3156.
  
  Major changes between sudo 1.9.5p1 and 1.9.5
  
   * Fixed a regression introduced in sudo 1.9.5 where the editor run
     by sudoedit was set-user-ID root unless SELinux RBAC was in use.
     The editor is now run with the user's real and effective user-IDs.
  
  Major changes between sudo 1.9.5 and 1.9.4p2
  
   * Fixed a crash introduced in 1.9.4 when running "sudo -i" as an
     unknown user.  This is related to but distinct from Bug #948.
  
   * If the "lecture_file" setting is enabled in sudoers, it must now
     refer to a regular file or a symbolic link to a regular file.
  
   * Fixed a potential use-after-free bug in sudo_logsrvd when the
     server shuts down if there are existing connections from clients
     that are only logging events and not session I/O data.
  
   * Fixed a buffer size mismatch when serializing the list of IP
     addresses for configured network interfaces.  This bug is not
     actually exploitable since the allocated buffer is large enough
     to hold the list of addresses.
  
   * If sudo is executed with a name other than "sudo" or "sudoedit",
     it will now fall back to "sudo" as the program name.  This affects
     warning, help and usage messages as well as the matching of Debug
     lines in the /etc/sudo.conf file.  Previously, it was possible
     for the invoking user to manipulate the program name by setting
     argv[0] to an arbitrary value when executing sudo.
  
   * Sudo now checks for failure when setting the close-on-exec flag
     on open file descriptors.  This should never fail but, if it
     were to, there is the possibility of a file descriptor leak to
     a child process (such as the command sudo runs).
  
   * Fixed CVE-2021-23239, a potential information leak in sudoedit
     that could be used to test for the existence of directories not
     normally accessible to the user in certain circumstances.  When
     creating a new file, sudoedit checks to make sure the parent
     directory of the new file exists before running the editor.
     However, a race condition exists if the invoking user can replace
     (or create) the parent directory.  If a symbolic link is created
     in place of the parent directory, sudoedit will run the editor
     as long as the target of the link exists.  If the target of the
     link does not exist, an error message will be displayed.  The
     race condition can be used to test for the existence of an
     arbitrary directory.  However, it _cannot_ be used to write to
     an arbitrary location.
  
   * Fixed CVE-2021-23240, a flaw in the temporary file handling of
     sudoedit's SELinux RBAC support.  On systems where SELinux is
     enabled, a user with sudoedit permissions may be able to set the
     owner of an arbitrary file to the user-ID of the target user.
     On Linux kernels that support "protected symlinks", setting
     /proc/sys/fs/protected_symlinks to 1 will prevent the bug from
     being exploited.  For more information see
     https://www.sudo.ws/alerts/sudoedit_selinux.html.
  
   * Added writability checks for sudoedit when SELinux RBAC is in use.
     This makes sudoedit behavior consistent regardless of whether
     or not SELinux RBAC is in use.  Previously, the "sudoedit_checkdir"
     setting had no effect for RBAC entries.
  
   * A new sudoers option "selinux" can be used to disable sudo's
     SELinux RBAC support.
  
   * Quieted warnings from PVS Studio, clang analyzer, and cppcheck.
     Added suppression annotations for PVS Studio false positives.
  
  PR:		253034
  Submitted by:	cy
  Reported by:	cy
  Reviewed by:	emaste
  Approved by:	emaste
  Approved by:	ports-secteam (delphij)
  Security:	CVE-2021-3156, CVE-2021-3156
  Differential Revision:	https://reviews.freebsd.org/D28363

Modified:
  branches/2021Q1/security/sudo/Makefile
  branches/2021Q1/security/sudo/distinfo
Directory Properties:
  branches/2021Q1/   (props changed)

Modified: branches/2021Q1/security/sudo/Makefile
==============================================================================
--- branches/2021Q1/security/sudo/Makefile	Tue Jan 26 20:32:15 2021	(r562999)
+++ branches/2021Q1/security/sudo/Makefile	Tue Jan 26 20:40:57 2021	(r563000)
@@ -2,7 +2,7 @@
 # $FreeBSD$
 
 PORTNAME=	sudo
-PORTVERSION=	1.9.5p1
+PORTVERSION=	1.9.5p2
 CATEGORIES=	security
 MASTER_SITES=	SUDO
 

Modified: branches/2021Q1/security/sudo/distinfo
==============================================================================
--- branches/2021Q1/security/sudo/distinfo	Tue Jan 26 20:32:15 2021	(r562999)
+++ branches/2021Q1/security/sudo/distinfo	Tue Jan 26 20:40:57 2021	(r563000)
@@ -1,3 +1,3 @@
-TIMESTAMP = 1610454752
-SHA256 (sudo-1.9.5p1.tar.gz) = 4dddf37c22653defada299e5681e0daef54bb6f5fc950f63997bb8eb966b7882
-SIZE (sudo-1.9.5p1.tar.gz) = 4008926
+TIMESTAMP = 1611687962
+SHA256 (sudo-1.9.5p2.tar.gz) = 539e2ef43c8a55026697fb0474ab6a925a11206b5aa58710cb42a0e1c81f0978
+SIZE (sudo-1.9.5p2.tar.gz) = 4012277

More information about the svn-ports-branches mailing list