Date:      Fri,  6 Feb 2009 17:25:49 +0300 (MSK)
From:      Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   ports/131446: [patch] [vuxml] security/sudo: fix CVE-2009-0034
Message-ID:  <20090206142549.8B8911711D@amnesiac.at.no.dns>
Resent-Message-ID: <200902061430.n16EU4VV085205@freefall.freebsd.org>


>Number:         131446
>Category:       ports
>Synopsis:       [patch] [vuxml] security/sudo: fix CVE-2009-0034
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Feb 06 14:30:04 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 7.1-STABLE amd64
>Organization:
Code Labs
>Environment:

System: FreeBSD 7.1-STABLE amd64

>Description:

It was discovered, [1], that in certain system configurations that allow
users to run commands as the members of some group, the backport error
in sudo up to 1.6.9p20 permitted these users to run commands as root.

[1] http://www.gratisoft.us/pipermail/sudo-announce/2009-February/000085.html

>How-To-Repeat:

Insert the following rule to the sudoers,
-----
user ALL=(%group) ALL
-----
where 'user' is an ordinary user and 'group' is a group that user belongs to.
Then try 'sudo -L root COMMAND'.  It will give me root with 1.6.9p17.

>Fix:

The following patch updates the current port to 1.6.9p20, which has
this bug fixed.  I have tested the port for the non-LDAP case -- works for me
and fixes the issue.
--- fix-CVE-2009-0034.diff begins here ---
>From fbf8b6659e4ac2988f867b775c2fdac10fbdee7e Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Date: Fri, 6 Feb 2009 17:15:29 +0300

Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
---
 security/sudo/Makefile |    4 ++--
 security/sudo/distinfo |    6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/security/sudo/Makefile b/security/sudo/Makefile
index 3848874..5a68e05 100644
--- a/security/sudo/Makefile
+++ b/security/sudo/Makefile
@@ -6,7 +6,7 @@
 #
 
 PORTNAME=	sudo
-PORTVERSION=	1.6.9.17
+PORTVERSION=	1.6.9.20
 CATEGORIES=	security
 MASTER_SITES=	http://www.sudo.ws/sudo/dist/ \
 		ftp://obsd.isc.org/pub/sudo/ \
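Review bot: PORTVERSION moves from 1.6.9.17 to 1.6.9.20 and no PORTREVISION line is visible in this hunk; if the Makefile sets PORTREVISION elsewhere, it must be removed or reset to 0 in the same commit, since a version bump that keeps a stale revision yields a misleading package name.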
@@ -16,7 +16,7 @@ MASTER_SITES=	http://www.sudo.ws/sudo/dist/ \
 		ftp://ftp.wiretapped.net/pub/security/host-security/sudo/ \
 		${MASTER_SITE_LOCAL}
 MASTER_SITE_SUBDIR=	tmclaugh/sudo
-DISTNAME=	${PORTNAME}-1.6.9p17
+DISTNAME=	${PORTNAME}-1.6.9p20
 
 MAINTAINER=	tmclaugh@FreeBSD.org
 COMMENT=	Allow others to run commands as root
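Review bot: DISTNAME now names the 1.6.9p20 tarball, but MASTER_SITE_SUBDIR still points at tmclaugh/sudo under ${MASTER_SITE_LOCAL}; the maintainer (tmclaugh@FreeBSD.org, per the MAINTAINER line) should upload sudo-1.6.9p20.tar.gz to that local mirror, otherwise the fallback site will not serve the new distfile when the upstream mirrors are unreachable.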
diff --git a/security/sudo/distinfo b/security/sudo/distinfo
index dfc778c..9103e9d 100644
--- a/security/sudo/distinfo
+++ b/security/sudo/distinfo
@@ -1,3 +1,3 @@
-MD5 (sudo-1.6.9p17.tar.gz) = 60daf18f28e2c1eb7641c4408e244110
-SHA256 (sudo-1.6.9p17.tar.gz) = 1e2cd4ff684c6f542b7e392010021f36b201d074620dad4d7689da60f9c74596
-SIZE (sudo-1.6.9p17.tar.gz) = 593534
+MD5 (sudo-1.6.9p20.tar.gz) = cd1caee0227641968d63d06845dea70a
+SHA256 (sudo-1.6.9p20.tar.gz) = 1197bd5f2087c13a3837e1c4da250f7db2a86f843bf00f2b3568f6410239ac7b
+SIZE (sudo-1.6.9p20.tar.gz) = 596009
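Review bot: The MD5, SHA256 and SIZE lines change together, which is consistent, but the committer should regenerate them with `make makesum` from a tarball fetched from www.sudo.ws (and check it against the upstream signature where one is published) rather than take the values on trust from the patch; distinfo is the port's only integrity check on the distfile.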
-- 
1.6.1
--- fix-CVE-2009-0034.diff ends here ---

The following VuXML entry should be evaluated and added:
--- vuln.xml begins here ---
  <vuln vid="13d6d997-f455-11dd-8516-001b77d09812">
    <topic>sudo -- certain authorized users could run commands as any user</topic>
    <affects>
      <package>
        <name>sudo</name>
        <range><ge>1.6.9.17</ge><lt>1.6.9.20</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Todd Miller reports:</p>
        <blockquote
          cite="http://www.gratisoft.us/pipermail/sudo-announce/2009-February/000085.html">
          <p>A bug was introduced in Sudo's group matching code in
          version 1.6.9 when support for matching based on the
          supplemental group vector was added.  This bug may allow
          certain users listed in the sudoers file to run a command as a
          different user than their access rule specifies.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <mlist msgid="200902041802.n14I2llS024155@core.courtesan.com">http://www.gratisoft.us/pipermail/sudo-announce/2009-February/000085.html</mlist>
      <cvename>CVE-2009-0034</cvename>
      <bid>33517</bid>
    </references>
    <dates>
      <discovery>2009-02-04</discovery>
      <entry>TODAY</entry>
    </dates>
  </vuln>
--- vuln.xml ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
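The affected range stated in the VuXML entry above (sudo 1.6.9p17 up to, but not including, 1.6.9p20) can be checked on a host without reading the PR by hand. The following POSIX shell script is an added example, not part of this PR nor code from the sudo or FreeBSD ports projects; its function names are this example's own and the embedded `sudo -V` output is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the PR): classify a sudo version against the
# CVE-2009-0034 range given in the VuXML entry above: 1.6.9p17 <= v < 1.6.9p20.
# Function names are this example's own; the sample output below is constructed.

# Constructed sample of the first lines printed by `sudo -V`.
SAMPLE_V_OUTPUT='Sudo version 1.6.9p17

Sudoers path: /usr/local/etc/sudoers'

# sudo_version_from_V "<sudo -V output>" -> upstream version token, e.g. 1.6.9p17
sudo_version_from_V() {
    printf '%s\n' "$1" | sed -n 's/^Sudo version \([^ ]*\).*/\1/p' | head -n 1
}

# normalize_version VERSION -> upstream spelling.
# The FreeBSD port writes 1.6.9p17 as PORTVERSION 1.6.9.17 (see the Makefile
# hunk), so pkg_info reports "sudo-1.6.9.17"; map that back to 1.6.9p17.
normalize_version() {
    case "$1" in
        1.6.9.*) echo "1.6.9p${1#1.6.9.}" ;;
        *)       echo "$1" ;;
    esac
}

# sudo_affected VERSION -> "affected" if 1.6.9p17 <= VERSION < 1.6.9p20, else "ok".
# Versions outside the 1.6.9 series come back "ok" because this entry says
# nothing about them, not because they are known to be clean.
sudo_affected() {
    ver=$(normalize_version "$1")
    base=${ver%%p*}          # 1.6.9p17 -> 1.6.9
    patch=${ver#"$base"}     # -> p17 (empty for a plain 1.6.9)
    patch=${patch#p}         # -> 17
    [ -n "$patch" ] || patch=0
    case "$base" in
        1.6.9)
            if [ "$patch" -ge 17 ] && [ "$patch" -lt 20 ]; then
                echo affected
            else
                echo ok
            fi ;;
        *) echo ok ;;
    esac
}

# check_host: run against the sudo actually installed, if any.
check_host() {
    if command -v sudo >/dev/null 2>&1; then
        v=$(sudo_version_from_V "$(sudo -V 2>/dev/null)")
        echo "installed sudo $v: $(sudo_affected "$v")"
    else
        echo "sudo not installed"
    fi
}

# Demonstrate on the constructed sample.
sample_v=$(sudo_version_from_V "$SAMPLE_V_OUTPUT")
echo "sample sudo $sample_v: $(sudo_affected "$sample_v")"
```

Call `check_host` to test the installed binary; the parsing relies only on the "Sudo version X" first line that `sudo -V` prints to any user, so no privilege is needed for the check.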



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20090206142549.8B8911711D>