Your message dated Thu, 10 Jun 2010 22:47:10 +0000
with message-id <e1omqwk-0002ax...@ries.debian.org>
and subject line Bug#585394: fixed in sudo 1.7.2p7-1
has caused the Debian Bug report #585394,
regarding CVE-2010-1646: Sudo's secure path option can be circumvented
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
585394: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=585394
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: sudo
Severity: grave
Tags: security
Justification: user security hole

Please see http://www.gratisoft.us/sudo/alerts/secure_path.html

Patch for Lenny is attached; for Squeeze it's likely best to
update to 1.7.2p7.

Cheers,
        Moritz
diff -urNa sudo-1.6.9p22/env.c sudo-1.6.9p23/env.c
--- sudo-1.6.9p22/env.c	Wed Apr  7 06:32:26 2010
+++ sudo-1.6.9p17/env.c	Fri May 28 09:54:46 2010
@@ -270,6 +270,7 @@
 {
     char **nep;
     size_t varlen;
+    int found = FALSE;
 
     /* Make sure there is room for the new entry plus a NULL. */
     if (e->env_len + 2 > e->env_size) {
@@ -278,20 +279,34 @@
     }
 
     if (dupcheck) {
-	    varlen = (strchr(str, '=') - str) + 1;
+	varlen = (strchr(str, '=') - str) + 1;
 
-	    for (nep = e->envp; *nep; nep++) {
+	for (nep = e->envp; !found && *nep != NULL; nep++) {
+	    if (strncmp(str, *nep, varlen) == 0) {
+		*nep = str;
+		found = TRUE;
+	    }
+	}
+	/* Prune out duplicate variables. */
+	if (found) {
+	    while (*nep != NULL) {
 		if (strncmp(str, *nep, varlen) == 0) {
-		    *nep = str;
-		    return;
+		    memmove(nep, nep + 1,
+			(e->env_len - (nep - e->envp)) * sizeof(char *));
+		    e->env_len--;
+		} else {
+		    nep++;
 		}
 	    }
-    } else
-	nep = e->envp + e->env_len;
+	}
+    }
 
-    e->env_len++;
-    *nep++ = str;
-    *nep = NULL;
+    if (!found) {
+	nep = e->envp + e->env_len;
+	e->env_len++;
+	*nep++ = str;
+	*nep = NULL;
+    }
 }
 
 /*
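Review bot: the pruning loop's correctness hinges on a subtle point that deserves a comment: the first `for` loop's `nep++` runs once more after `found` is set, so when the `while (*nep != NULL)` loop starts, `nep` already points past the entry that was just replaced with `str`; a reader who misses this could think the replaced entry is compared again and then removed. Suggest a comment such as `/* nep now points past the replaced entry */` before the `while`. The `memmove` count `(e->env_len - (nep - e->envp)) * sizeof(char *)` is right: it moves the remaining entries plus the terminating NULL down by one, and `e->env_len--` keeps the count consistent. Pre-existing but still visible in this hunk: `strchr(str, '=')` is never checked for NULL, so a `str` without an `=` gives a meaningless `varlen` and the comparisons that follow compare garbage lengths; if callers do not already guarantee the `=`, a NULL check before computing `varlen` would close that hole. The change itself addresses the old behaviour, where the `return` after `*nep = str` replaced only the first matching variable and left any later duplicate of the same name in the environment.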

--- End Message ---
--- Begin Message ---
Source: sudo
Source-Version: 1.7.2p7-1

We believe that the bug you reported is fixed in the latest version of
sudo, which is due to be installed in the Debian FTP archive:

sudo-ldap_1.7.2p7-1_i386.deb
  to main/s/sudo/sudo-ldap_1.7.2p7-1_i386.deb
sudo_1.7.2p7-1.debian.tar.gz
  to main/s/sudo/sudo_1.7.2p7-1.debian.tar.gz
sudo_1.7.2p7-1.dsc
  to main/s/sudo/sudo_1.7.2p7-1.dsc
sudo_1.7.2p7-1_i386.deb
  to main/s/sudo/sudo_1.7.2p7-1_i386.deb
sudo_1.7.2p7.orig.tar.gz
  to main/s/sudo/sudo_1.7.2p7.orig.tar.gz

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 585...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bdale Garbee <bd...@gag.com> (supplier of updated sudo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


Format: 1.8
Date: Thu, 10 Jun 2010 15:42:14 -0600
Source: sudo
Binary: sudo sudo-ldap
Architecture: source i386
Version: 1.7.2p7-1
Distribution: unstable
Urgency: high
Maintainer: Bdale Garbee <bd...@gag.com>
Changed-By: Bdale Garbee <bd...@gag.com>
Description: 
 sudo       - Provide limited super user privileges to specific users
 sudo-ldap  - Provide limited super user privileges to specific users
Closes: 522065 581393 585394
Changes: 
 sudo (1.7.2p7-1) unstable; urgency=high
 .
   * new upstream release with security fix for secure path (CVE-2010-1646),
     closes: #585394
   * move timestamps from /var/run/sudo to /var/lib/sudo, so that the state
     about whether to give the lecture is preserved across reboots even when
     RAMRUN is set, closes: #581393
   * add a note to README.Debian about LDAP needing an entry in
     /etc/nsswitch.conf, closes: #522065
   * add a note to README.Debian about how to turn off lectures if using
     RAMRUN in /etc/default/rcS, closes: #581393

--- End Message ---