From owner-freebsd-ports-bugs@FreeBSD.ORG Wed Jan 12 21:20:08 2011
Return-Path:
Delivered-To: freebsd-ports-bugs@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id BE922106566C; Wed, 12 Jan 2011 21:20:08 +0000 (UTC) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 7E45E8FC15; Wed, 12 Jan 2011 21:20:08 +0000 (UTC)
Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.4/8.14.4) with ESMTP id p0CLK8JW025973; Wed, 12 Jan 2011 21:20:08 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.14.4/8.14.4/Submit) id p0CLK8ds025972; Wed, 12 Jan 2011 21:20:08 GMT (envelope-from gnats)
Resent-Date: Wed, 12 Jan 2011 21:20:08 GMT
Resent-Message-Id: <201101122120.p0CLK8ds025972@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@freebsd.org (GNATS Filer)
Resent-To: freebsd-ports-bugs@FreeBSD.org
Resent-Cc: remko@freebsd.org
Resent-Reply-To: FreeBSD-gnats-submit@freebsd.org, Eygene Ryabinkin
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 0CA63106564A for ; Wed, 12 Jan 2011 21:15:44 +0000 (UTC) (envelope-from rea@codelabs.ru)
Received: from 0.mx.codelabs.ru (0.mx.codelabs.ru [144.206.177.45]) by mx1.freebsd.org (Postfix) with ESMTP id 8F7568FC08 for ; Wed, 12 Jan 2011 21:15:43 +0000 (UTC)
Received: from void.codelabs.ru (void.codelabs.ru [144.206.177.25]) by 0.mx.codelabs.ru with esmtps (TLSv1:CAMELLIA256-SHA:256) id 1Pd82g-000GZA-Id for FreeBSD-gnats-submit@freebsd.org; Thu, 13 Jan 2011 00:15:42 +0300
Message-Id: <20110112211542.48337DA81F@void.codelabs.ru>
Date: Thu, 13 Jan 2011 00:15:42 +0300 (MSK)
From: Eygene Ryabinkin
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.113
X-GNATS-Notify: remko@freebsd.org
Cc:
Subject: ports/153939: [patch] security/sudo: fix CVE-2011-0010
X-BeenThere: freebsd-ports-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Eygene Ryabinkin
List-Id: Ports bug reports
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 12 Jan 2011 21:20:08 -0000

>Number: 153939
>Category: ports
>Synopsis: [patch] security/sudo: fix CVE-2011-0010
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Jan 12 21:20:08 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator: Eygene Ryabinkin
>Release: FreeBSD 9.0-CURRENT amd64
>Organization: Code Labs
>Environment:
System: FreeBSD 9.0-CURRENT amd64
>Description:
CVE-2011-0010 was just issued, but the real description of the problem is available at Debian's bug tracker [1]. In short, if sudoers has an explicit group list in the Runas specification, 'sudo -g ' for the allowed and will not ask for the password.
>How-To-Repeat:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=609641
[2] http://www.sudo.ws/repos/sudo/rev/fe8a94f96542

Here's the transcript of my test session with the old and updated port:
{{{
[prior to patching]
$ sudo -k && sudo -g kmem id
uid=1001(rea) gid=1001(rea) egid=2(kmem) groups=2(kmem),

[after patching]
$ sudo -k && sudo -g kmem id
Password:
uid=1001(rea) gid=1001(rea) egid=2(kmem) groups=2(kmem),

[vanilla id output]
$ id
uid=1001(rea) gid=1001(rea) groups=1001(rea),
}}}
In sudoers I have '(ALL:ALL)' as the Runas specification.
>Fix:
The following patch fixes the problem:

--- fix-CVE-2011-0010.diff begins here ---
>From 860a164877887ac1f36a136870f6795ce8f1dc0d Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin Date: Wed, 12 Jan 2011 23:24:11 +0300 Prior to this patch sudo allowed users to change groups without asking for password. Look-at: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=609641 Look-at: http://www.sudo.ws/repos/sudo/raw-rev/fe8a94f96542 Signed-off-by: Eygene Ryabinkin --- security/sudo/Makefile | 2 +- security/sudo/files/patch-cve-2011-0010 | 28 ++++++++++++++++++++++++++++ 2 files changed, 29 insertions(+), 1 deletions(-) create mode 100644 security/sudo/files/patch-cve-2011-0010 diff --git a/security/sudo/Makefile b/security/sudo/Makefile index 198a8a6..79757af 100644 --- a/security/sudo/Makefile +++ b/security/sudo/Makefile @@ -7,7 +7,7 @@ PORTNAME= sudo PORTVERSION= 1.7.4.4 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= security MASTER_SITES= http://www.sudo.ws/sudo/dist/ \ http://www.signal42.com/mirrors/sudo_ftp/ \ diff --git a/security/sudo/files/patch-cve-2011-0010 b/security/sudo/files/patch-cve-2011-0010 new file mode 100644 index 0000000..06696e2 --- /dev/null +++ b/security/sudo/files/patch-cve-2011-0010 
@@ -0,0 +1,28 @@ + +# HG changeset patch +# User Todd C. Miller +# Date 1294760019 18000 +# Node ID fe8a94f96542335c02d09fba81077c1dcc6381b5 +# Parent 8f9303326db73a2e00cd53c2515db8188386cfc0 +If the user is running sudo as himself but as a different group we +need to prompt for a password. + +diff -r 8f9303326db7 -r fe8a94f96542 check.c +--- check.c Mon Jan 10 10:28:59 2011 -0500 ++++ check.c Tue Jan 11 10:33:39 2011 -0500 +@@ -120,7 +120,13 @@ + if (ISSET(mode, MODE_INVALIDATE)) { + SET(validated, FLAG_CHECK_USER); + } else { +- if (user_uid == 0 || user_uid == runas_pw->pw_uid || user_is_exempt()) ++ /* ++ * Don't prompt for the root passwd or if the user is exempt. ++ * If the user is not changing uid/gid, no need for a password. ++ */ ++ if (user_uid == 0 || (user_uid == runas_pw->pw_uid && ++ (!runas_gr || user_in_group(sudo_user.pw, runas_gr->gr_name))) || ++ user_is_exempt()) + return; + } + + -- 1.7.3.4 --- fix-CVE-2011-0010.diff ends here --- It works on my test machines and Tinderbox builds are also fine: - http://gpf.codelabs.ru/tb-logs/mine-7/sudo-1.7.4.4_2.log - http://gpf.codelabs.ru/tb-logs/mine-8/sudo-1.7.4.4_2.log - http://gpf.codelabs.ru/tb-logs/mine-9/sudo-1.7.4.4_2.log The following VuXML entry should be evaluated and added: --- vuln.xml begins here --- sudo -- local privilege escalation sudo 1.7.4.4_2

When the sudoers database has entries with a list of groups in the Runas_Spec block, users whom these entries permit to run commands may execute them with the credentials of these groups, but without any password prompts, using the command "sudo -g <GROUP> <CMD>".

CVE-2011-0010
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=609641
http://www.sudo.ws/repos/sudo/rev/fe8a94f96542
2011-01-11
TODAY
--- vuln.xml ends here ---

I had sent it for review to Remko Lodder, but your (and anyone's) comments are welcome.
>Release-Note:
>Audit-Trail:
>Unformatted:
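Review bot: in the security/sudo/Makefile hunk, the PORTREVISION bump from 1 to 2 has to stay in step with the "sudo 1.7.4.4_2" boundary in the proposed VuXML entry and with the Tinderbox package names, otherwise pkg audit will not flag the unpatched 1.7.4.4_1 build; please commit the Makefile change and the VuXML entry together so the two version strings cannot drift apart.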
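Review bot: in the files/patch-cve-2011-0010 hunk, the embedded upstream diff uses the bare path "check.c" in its "--- check.c" / "+++ check.c" headers, so it only applies if check.c sits at the top of WRKSRC under the port's default patch strip level; worth confirming against the 1.7.4.4 tarball layout before committing. The leading lone "+" (an empty first line) and the "# HG changeset patch" header are harmless since patch(1) skips text before the first hunk, but the file would be tidier without the blank line. On the logic itself: the new condition keeps the root and user_is_exempt() short-cuts and only narrows the same-uid case to "no group requested, or the user is already a member of runas_gr per user_in_group()", which is exactly the CVE-2011-0010 behaviour described above; a user who is already in the target group still gets no prompt, which is the intended outcome.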
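The check.c decision before and after the patch above, modelled in C as an added example (not sudo's code): the passwd/group tables, the getpw/getgr lookups and the simplified user_in_group() are constructed assumptions mirroring the transcript (rea is uid/gid 1001 and not in kmem), and user_is_exempt() is left out of both variants.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
/* Constructed stand-ins for passwd(5) and group(5) records (not sudo's types). */
struct pw_rec { unsigned uid; const char *name; unsigned gid; };
struct gr_rec { const char *name; unsigned gid; const char *members[3]; };
/* Sample accounts: rea is uid/gid 1001 and not a kmem member; op is. */
static const struct pw_rec users[] = {
    { 0, "root", 0 }, { 1001, "rea", 1001 }, { 1002, "op", 1002 },
};
static const struct gr_rec groups[] = {
    { "rea", 1001, { NULL } },
    { "kmem", 2, { "op", NULL } },   /* gid 2, only op listed as member */
};
/* Lookups; callers in this example only pass names present in the tables. */
static const struct pw_rec *getpw(const char *name) {
    for (size_t i = 0; i < sizeof users / sizeof users[0]; i++)
        if (strcmp(users[i].name, name) == 0) return &users[i];
    return NULL;
}
static const struct gr_rec *getgr(const char *name) {
    for (size_t i = 0; i < sizeof groups / sizeof groups[0]; i++)
        if (strcmp(groups[i].name, name) == 0) return &groups[i];
    return NULL;
}
/* Simplified user_in_group(): primary gid match or listed supplementary member. */
static bool user_in_group(const struct pw_rec *pw, const struct gr_rec *gr) {
    if (pw->gid == gr->gid) return true;
    for (const char *const *m = gr->members; *m != NULL; m++)
        if (strcmp(*m, pw->name) == 0) return true;
    return false;
}
/* Pre-fix rule: same uid as the runas user skips the prompt; -g is never consulted. */
bool needs_password_old(const char *user, const char *runas_user, const char *runas_group) {
    const struct pw_rec *pw = getpw(user), *runas_pw = getpw(runas_user);
    (void)runas_group;   /* the old check ignored the requested group entirely */
    return !(pw->uid == 0 || pw->uid == runas_pw->uid);
}
/* Post-fix rule (changeset fe8a94f96542): same uid only skips the prompt when no
 * group change is requested or the user is already a member of that group. */
bool needs_password_new(const char *user, const char *runas_user, const char *runas_group) {
    const struct pw_rec *pw = getpw(user), *runas_pw = getpw(runas_user);
    const struct gr_rec *runas_gr = runas_group ? getgr(runas_group) : NULL;
    bool same_identity = pw->uid == runas_pw->uid &&
        (runas_gr == NULL || user_in_group(pw, runas_gr));
    return !(pw->uid == 0 || same_identity);
}
```

The transcript case is needs_password_{old,new}("rea", "rea", "kmem"): the old rule returns false (no prompt, the bug), the new rule returns true.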