Your message dated Tue, 20 Apr 2010 03:33:07 +0000
with message-id <e1o44cx-0006b5...@ries.debian.org>
and subject line Bug#578275: fixed in sudo 1.7.2p6-1
has caused the Debian Bug report #578275,
regarding CVE-2010-1163: incomplete fix for the sudoedit privilege escalation
issue CVE-2010-0426
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
578275: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=578275
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: sudo
Version: 1.6.9p17-2
Severity: grave
Tags: security, patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for sudo.
CVE-2010-1163[0]:
| The command matching functionality in sudo 1.6.9p22 through 1.7.2p5 does not
| properly handle when a file in the current working directory has the same name
| as a pseudo-command in the sudoers file and the PATH contains an entry
| for ".", which allows local users to execute arbitrary commands via a Trojan
| horse executable, as demonstrated using sudoedit, a different vulnerability
| than CVE-2010-0426.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1163
http://security-tracker.debian.org/tracker/CVE-2010-1163
The vulnerability only applies when the ignore_dot value is on. Lenny is not
affected since the default value is off, though it can be changed.
The patch: https://bugzilla.redhat.com/attachment.cgi?id=405247&action=diff
thanks, luciano
--- End Message ---
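As an added example (not part of the report or of the sudo project), a small Python audit of the preconditions the report names: a sudo version in the range the CVE text gives (1.6.9p22 through 1.7.2p5), a PATH entry that resolves to the current directory, and the ignore_dot setting in sudoers. The sample PATH and sudoers content are constructed for illustration.

```python
"""Check a host for the CVE-2010-1163 preconditions named in the report: a sudo
version in the affected range, a PATH entry that resolves to the current
directory, and the sudoers ignore_dot setting."""
import re

AFFECTED_MIN = (1, 6, 9, 22)  # 1.6.9p22: first affected release per the CVE text
AFFECTED_MAX = (1, 7, 2, 5)   # 1.7.2p5: last affected; 1.7.2p6 carries the fix

def parse_sudo_version(text):
    """'1.7.2p5' -> (1, 7, 2, 5); a Debian revision such as '-1' is dropped
    and a release with no pNN suffix gets patch level 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?", text.strip().split("-")[0])
    if not m:
        raise ValueError("unrecognised sudo version: %r" % text)
    major, minor, micro, patch = m.groups()
    return (int(major), int(minor), int(micro or 0), int(patch or 0))

def version_affected(text):
    return AFFECTED_MIN <= parse_sudo_version(text) <= AFFECTED_MAX

def cwd_path_entries(path):
    """PATH components naming the current directory: '.' or an empty component."""
    return [p for p in path.split(":") if p in ("", ".")]

def sudoers_ignore_dot(sudoers_text):
    """True if a Defaults line sets ignore_dot, False if negated, None if unset."""
    setting = None
    for line in sudoers_text.splitlines():
        # Strip comments; accept Defaults, Defaults:user, Defaults@host forms.
        m = re.match(r"Defaults(?:[:@>!]\S+)?\s+(.*)", line.split("#", 1)[0].strip())
        for opt in (m.group(1).split(",") if m else []):
            if opt.strip() == "ignore_dot":
                setting = True
            elif opt.strip() == "!ignore_dot":
                setting = False
    return setting

def audit(sudo_version, path, sudoers_text):
    """Return the preconditions that hold on this host; empty means none do."""
    findings = []
    if version_affected(sudo_version):
        findings.append("sudo %s is in the affected range" % sudo_version)
    if cwd_path_entries(path):
        findings.append("PATH contains an entry for the current directory")
    if sudoers_ignore_dot(sudoers_text):
        findings.append("sudoers enables ignore_dot, which the report ties to the issue")
    return findings

# Constructed sample host state, not taken from any real system.
SAMPLE_PATH = "/usr/local/bin:/usr/bin:/bin:."
SAMPLE_SUDOERS = "Defaults\tenv_reset, ignore_dot\nroot ALL=(ALL) ALL\n"
```

Run `audit(version, os.environ["PATH"], open("/etc/sudoers").read())` as root to check a real host; the version string can be taken from `sudo -V`.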
--- Begin Message ---
Source: sudo
Source-Version: 1.7.2p6-1
We believe that the bug you reported is fixed in the latest version of
sudo, which is due to be installed in the Debian FTP archive:
sudo-ldap_1.7.2p6-1_i386.deb
to main/s/sudo/sudo-ldap_1.7.2p6-1_i386.deb
sudo_1.7.2p6-1.debian.tar.gz
to main/s/sudo/sudo_1.7.2p6-1.debian.tar.gz
sudo_1.7.2p6-1.dsc
to main/s/sudo/sudo_1.7.2p6-1.dsc
sudo_1.7.2p6-1_i386.deb
to main/s/sudo/sudo_1.7.2p6-1_i386.deb
sudo_1.7.2p6.orig.tar.gz
to main/s/sudo/sudo_1.7.2p6.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 578...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Bdale Garbee <bd...@gag.com> (supplier of updated sudo package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 19 Apr 2010 10:45:47 -0600
Source: sudo
Binary: sudo sudo-ldap
Architecture: source i386
Version: 1.7.2p6-1
Distribution: unstable
Urgency: low
Maintainer: Bdale Garbee <bd...@gag.com>
Changed-By: Bdale Garbee <bd...@gag.com>
Description:
sudo - Provide limited super user privileges to specific users
sudo-ldap - Provide limited super user privileges to specific users
Closes: 570737 578275
Changes:
sudo (1.7.2p6-1) unstable; urgency=low
.
* new upstream version fixing CVE-2010-1163, closes: #578275, #570737
--- End Message ---