Date: Wed, 4 Feb 2009 11:25:23 -0800 (PST)
From: Cy Schubert <cy@FreeBSD.org>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/131373: Sudo group vulnerability: CVE 2009-0034
Message-ID: <200902041925.n14JPNfG032707@cwsys.cwsent.com>
Resent-Message-ID: <200902042000.n14K00w0079595@freefall.freebsd.org>
>Number: 131373
>Category: ports
>Synopsis: Sudo group vulnerability: CVE 2009-0034
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Feb 04 20:00:00 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: Cy Schubert
>Release: FreeBSD-2.0
>Organization: FreeBSD
>Environment:
System: FreeBSD cwsys 7.1-STABLE FreeBSD 7.1-STABLE #1: Fri Jan 30 11:59:14 PST 2009 root@cwsys:/export/obj/opt/src/svn-stable7/sys/KOMQUATS i386
>Description:
A bug in sudo 1.6.9 to 1.6.9p19 allows users to run as a different user than specified in an access rule.
>How-To-Repeat:
See CVE 2009-0034
>Fix:
Upgrade to sudo 1.7.0. Patch to port is below:
Index: Makefile =================================================================== RCS file: /home/pcvs/ports/security/sudo/Makefile,v retrieving revision 1.100 diff -u -r1.100 Makefile --- Makefile 21 Aug 2008 06:18:21 -0000 1.100 +++ Makefile 4 Feb 2009 19:21:10 -0000 @@ -6,7 +6,7 @@ # PORTNAME= sudo -PORTVERSION= 1.6.9.17 +PORTVERSION= 1.7.0 CATEGORIES= security MASTER_SITES= http://www.sudo.ws/sudo/dist/ \ ftp://obsd.isc.org/pub/sudo/ \ @@ -16,7 +16,7 @@ ftp://ftp.wiretapped.net/pub/security/host-security/sudo/ \ ${MASTER_SITE_LOCAL} MASTER_SITE_SUBDIR= tmclaugh/sudo -DISTNAME= ${PORTNAME}-1.6.9p17 +DISTNAME= ${PORTNAME}-1.7.0 MAINTAINER= tmclaugh@FreeBSD.org COMMENT= Allow others to run commands as root @@ -62,7 +62,7 @@ CONFIGURE_ARGS+=--enable-shell-sets-home .endif -MAN5= sudoers.5 +MAN5= sudoers.5 sudoers.ldap.5 MAN8= sudo.8 visudo.8 MLINKS= sudo.8 sudoedit.8 
@@ -77,8 +77,6 @@ .if !defined(NOPORTDOCS) ${MKDIR} ${DOCSDIR} - ${INSTALL_DATA} ${WRKSRC}/BUGS ${DOCSDIR} - ${INSTALL_DATA} ${WRKSRC}/CHANGES ${DOCSDIR} ${INSTALL_DATA} ${WRKSRC}/README ${DOCSDIR} ${INSTALL_DATA} ${WRKSRC}/TROUBLESHOOTING ${DOCSDIR} ${INSTALL_DATA} ${WRKSRC}/UPGRADE ${DOCSDIR} Index: distinfo =================================================================== RCS file: /home/pcvs/ports/security/sudo/distinfo,v retrieving revision 1.60 diff -u -r1.60 distinfo --- distinfo 6 Jul 2008 23:20:05 -0000 1.60 +++ distinfo 4 Feb 2009 19:21:10 -0000 @@ -1,3 +1,3 @@ -MD5 (sudo-1.6.9p17.tar.gz) = 60daf18f28e2c1eb7641c4408e244110 -SHA256 (sudo-1.6.9p17.tar.gz) = 1e2cd4ff684c6f542b7e392010021f36b201d074620dad4d7689da60f9c74596 -SIZE (sudo-1.6.9p17.tar.gz) = 593534 +MD5 (sudo-1.7.0.tar.gz) = 5fd96bba35fe29b464f7aa6ad255f0a6 +SHA256 (sudo-1.7.0.tar.gz) = 5f7de94287f39c8b3b8d86aed147967e9286f45740412004233858b637391978 +SIZE (sudo-1.7.0.tar.gz) = 744311 Index: pkg-plist =================================================================== RCS file: /home/pcvs/ports/security/sudo/pkg-plist,v retrieving revision 1.16 diff -u -r1.16 pkg-plist --- pkg-plist 10 Apr 2008 14:00:22 -0000 1.16 +++ pkg-plist 4 Feb 2009 19:21:10 -0000 @@ -6,8 +6,6 @@ etc/sudoers.default libexec/sudo_noexec.so sbin/visudo -%%PORTDOCS%%%%DOCSDIR%%/BUGS -%%PORTDOCS%%%%DOCSDIR%%/CHANGES %%PORTDOCS%%%%DOCSDIR%%/README %%PORTDOCS%%%%DOCSDIR%%/TROUBLESHOOTING %%PORTDOCS%%%%DOCSDIR%%/UPGRADE >Release-Note: >Audit-Trail: >Unformatted:
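Review bot: in the first Makefile hunk (@@ -6,7 +6,7 @@), PORTVERSION moves from 1.6.9.17 to 1.7.0, a jump to a new upstream series rather than a patch-level update, while the PR's only stated motivation is the CVE-2009-0034 fix. The Fix section should say whether 1.7.0 is the earliest upstream release that carries the fix, so that the advisory and VuXML entry can cite the correct fixed version, and if the Makefile carries a PORTREVISION line (not visible in this hunk) it should be removed in the same change.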
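Review bot: in the second Makefile hunk (@@ -16,7 +16,7 @@), DISTNAME becomes ${PORTNAME}-1.7.0, which with PORTVERSION=1.7.0 is just the ports default of ${PORTNAME}-${PORTVERSION}; the override only existed because 1.6.9p17 could not be expressed as a PORTVERSION. Either drop the DISTNAME line or write it as `DISTNAME= ${PORTNAME}-${PORTVERSION}` so the two values cannot drift apart on the next bump.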
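Review bot: in the third Makefile hunk (@@ -62,7 +62,7 @@), sudoers.ldap.5 is appended to MAN5 unconditionally, immediately after the .endif that closes a conditional CONFIGURE_ARGS block. Confirm that the 1.7.0 install target places that manual page regardless of whether the port's LDAP option is enabled; if it is only installed when LDAP support is configured, the addition belongs inside that option's .if block, otherwise non-LDAP builds will declare a MAN5 entry for a file that is never installed.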
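Review bot: in the fourth Makefile hunk (@@ -77,8 +77,6 @@), the ${INSTALL_DATA} lines for BUGS and CHANGES are dropped from the NOPORTDOCS block without any explanation in the PR. State in the Fix section why they go (presumably the 1.7.0 tarball no longer ships them), and check whether 1.7.0 adds any new top-level documents that should be installed alongside README, TROUBLESHOOTING and UPGRADE.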
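Review bot: for the distinfo hunk (@@ -1,3 +1,3 @@), since this update is the remediation for CVE-2009-0034, the new MD5/SHA256/SIZE triple should be cross-checked against the checksums or signature published by upstream at www.sudo.ws rather than taken only from `make makesum` over a locally fetched tarball; MASTER_SITES includes plain-FTP mirrors, so a sum computed from a mirror download authenticates nothing. A line in the PR saying the sums were verified against upstream would let the committer skip repeating that step.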
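Review bot: the pkg-plist hunk (@@ -6,8 +6,6 @@) is consistent with the Makefile: the two %%PORTDOCS%% entries removed (BUGS, CHANGES) match exactly the two ${INSTALL_DATA} lines dropped from the NOPORTDOCS block, and the remaining README, TROUBLESHOOTING and UPGRADE entries still line up. No change needed here.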