Your message dated Fri, 01 Mar 2013 05:32:53 +0000
with message-id <e1ubiat-0007fq...@franck.debian.org>
and subject line Bug#701838: fixed in sudo 1.8.5p2-1+nmu1
has caused the Debian Bug report #701838,
regarding sudo: CVE-2013-1775 authentication bypass when clock is reset
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
701838: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701838
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: sudo
Severity: grave
Tags: security

Hi,
the following vulnerability was published for sudo.

CVE-2013-1775[0]:
(from the upstream report)

Sudo 1.8.6p7 and 1.7.10p7 are now available which include a fix
for the following bug:

Sudo authentication bypass when clock is reset

Summary:
    When a user successfully authenticates with sudo, a time stamp
    file is updated to allow that user to continue running sudo
    without requiring a password for a preset time period (five
    minutes by default).  The user's time stamp file can be reset
    using "sudo -k" or removed altogether via "sudo -K".

    A user who has sudo access and is able to control the local
    clock (common in desktop environments) can run a command via
    sudo without authenticating as long as they have previously
    authenticated themselves at least once by running "sudo -k" and
    then setting the clock to the epoch (1970-01-01 01:00:00).

    The vulnerability does not permit a user to run commands other
    than those allowed by the sudoers policy.

Sudo versions affected:
    Sudo 1.6.0 through 1.7.10p7 and sudo 1.8.0 through 1.8.6p7.

Details:
    By default, sudo displays a lecture when the user's time stamp
    file is not present.  In sudo 1.6, the -k option was changed
    to reset the time stamp file to the epoch rather than remove
    it to prevent the lecture from being displayed the next time
    sudo was run.  No special case was added for handling a time
    stamp file set to the epoch since the clock should never
    legitimately be set to that value.

    However, there are two common ways for the clock to be reset
    to the epoch.  The first way is when the clock is reset due to
    a fully drained battery on some systems.  The other way is by
    a user logged in to a desktop environment that allows changes
    to the date and time.

    As long as the user has successfully run sudo before, they are
    able to run "sudo -k" to reset the time stamp file.  This action
    does not require a password and is not logged.  If the user is
    also able to reset the date and time to the epoch (1970-01-01
    01:00:00), they will be able to run sudo without having to
    authenticate.

Impact:
    The flaw may allow someone with physical access to a machine
    that is not password-protected to run sudo commands without
    knowing the logged in user's password.  On systems where sudo
    is the principal way of running commands as root, such as on
    Ubuntu and Mac OS X, there is a greater chance that the logged
    in user has run sudo before and thus that an attack would
    succeed.

Fix:
    The bug is fixed in sudo 1.8.6p7 and 1.7.10p7.  These versions
    will ignore a time stamp file that is set to the epoch.

Workaround:
    Using "sudo -K" instead of "sudo -k" will completely remove the
    time stamp file instead of just resetting it.

Credit:
    I'd like to thank Marco Schoepl for finding and reporting this
    long-standing bug.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1775
    http://security-tracker.debian.org/tracker/CVE-2013-1775
Please adjust the affected versions in the BTS as needed.

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0AAAA

Attachment: pgpMVtipusY2f.pgp
Description: PGP signature


--- End Message ---
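The advisory above describes the decision in two states: before the fix, a time stamp file whose mtime is the epoch counts as "fresh" whenever the system clock is also near the epoch; after the fix, an epoch time stamp is ignored as if the file did not exist. The following C program is an added example written for this page, not sudo's own source and not part of either message: it models the time stamp check with scalar inputs (file present, file mtime, current clock) so the two behaviours can be compared on constructed scenarios. The `reset_timestamp` helper, the `TIMESTAMP_TIMEOUT` constant and the extra future-time stamp rejection in the fixed variant are assumptions of this example; only the epoch special case is what the advisory attributes to sudo 1.8.6p7 / 1.7.10p7.

```c
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

/* sudo's default credential-cache lifetime: five minutes (from the advisory). */
#define TIMESTAMP_TIMEOUT ((time_t)5 * 60)

enum ts_result {
    TS_AUTH_REQUIRED,   /* no usable time stamp: prompt for a password */
    TS_CACHED_OK,       /* time stamp fresh: password prompt skipped */
    TS_REJECT_FUTURE    /* time stamp ahead of the clock: treated as invalid */
};

/* Model of the user's time stamp file: whether it exists and its mtime.
 * Per the advisory, "sudo -k" in sudo 1.6 .. 1.8.6p6 sets the mtime to the
 * epoch (0) rather than deleting the file, while "sudo -K" deletes it.
 * (Helper constructed for this example.) */
struct ts_file {
    bool   present;
    time_t mtime;
};

struct ts_file reset_timestamp(bool remove_entirely)
{
    struct ts_file ts;
    ts.present = !remove_entirely;   /* -K: file removed; -k: file kept */
    ts.mtime   = 0;                  /* -k: mtime reset to the epoch */
    return ts;
}

/* Pre-fix decision (the vulnerable logic): any existing time stamp younger
 * than the timeout is accepted, with no special case for an epoch mtime.
 * If the clock is itself at or just after the epoch, an epoch time stamp
 * looks fresh and the password prompt is skipped. */
enum ts_result check_timestamp_vulnerable(bool present, time_t mtime, time_t now)
{
    if (!present)
        return TS_AUTH_REQUIRED;
    if (now >= mtime && now - mtime < TIMESTAMP_TIMEOUT)
        return TS_CACHED_OK;
    return TS_AUTH_REQUIRED;
}

/* Post-fix decision as the advisory states it: an epoch time stamp is
 * ignored exactly as if the file were absent.  Rejecting a time stamp that
 * lies in the future is an additional defensive check assumed here; the
 * advisory does not describe it. */
enum ts_result check_timestamp_fixed(bool present, time_t mtime, time_t now)
{
    if (!present || mtime == 0)
        return TS_AUTH_REQUIRED;
    if (mtime > now)
        return TS_REJECT_FUTURE;
    if (now - mtime < TIMESTAMP_TIMEOUT)
        return TS_CACHED_OK;
    return TS_AUTH_REQUIRED;
}

static const char *result_name(enum ts_result r)
{
    switch (r) {
    case TS_CACHED_OK:     return "cached (no password)";
    case TS_REJECT_FUTURE: return "rejected (future stamp)";
    default:               return "password required";
    }
}

int main(void)
{
    /* Constructed scenarios; "now" is seconds since the epoch. */
    const time_t clock_2013  = 1362096000;            /* 2013-03-01 00:00:00 UTC */
    const time_t clock_epoch = 30;                    /* clock wound back to 1970-01-01, 30 s later */
    struct ts_file after_k = reset_timestamp(false);  /* after "sudo -k" */
    struct ts_file after_K = reset_timestamp(true);   /* after "sudo -K" */

    struct { const char *label; struct ts_file ts; time_t now; } cases[] = {
        { "fresh auth, normal clock",        { true, clock_2013 - 60 }, clock_2013 },
        { "sudo -k, normal clock",           after_k,                   clock_2013 },
        { "sudo -k, clock reset to epoch",   after_k,                   clock_epoch },
        { "sudo -K, clock reset to epoch",   after_K,                   clock_epoch },
    };

    printf("%-34s %-22s %s\n", "scenario", "pre-fix", "post-fix");
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        enum ts_result v = check_timestamp_vulnerable(cases[i].ts.present, cases[i].ts.mtime, cases[i].now);
        enum ts_result f = check_timestamp_fixed(cases[i].ts.present, cases[i].ts.mtime, cases[i].now);
        printf("%-34s %-22s %s\n", cases[i].label, result_name(v), result_name(f));
    }
    return 0;
}
```

The third row is the bug: the pre-fix check grants the cached credential while the post-fix check prompts. The fourth row shows why the advisory's workaround (`sudo -K`) is effective on its own: with no file present, neither variant has anything to accept, regardless of the clock.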
--- Begin Message ---
Source: sudo
Source-Version: 1.8.5p2-1+nmu1

We believe that the bug you reported is fixed in the latest version of
sudo, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 701...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Gilbert <mgilb...@debian.org> (supplier of updated sudo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 01 Mar 2013 03:26:37 +0000
Source: sudo
Binary: sudo sudo-ldap
Architecture: source amd64
Version: 1.8.5p2-1+nmu1
Distribution: unstable
Urgency: high
Maintainer: Bdale Garbee <bd...@gag.com>
Changed-By: Michael Gilbert <mgilb...@debian.org>
Description: 
 sudo       - Provide limited super user privileges to specific users
 sudo-ldap  - Provide limited super user privileges to specific users
Closes: 701838 701839
Changes: 
 sudo (1.8.5p2-1+nmu1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix cve-2013-1775: authentication bypass when the clock is set to the UNIX
     epoch [00:00:00 UTC on 1 January 1970] (closes: #701838).
   * Fix cve-2013-1776: session id hijacking from another authorized tty
     (closes: #701839).
Checksums-Sha1:
 05a116304df73e20148759ebfecee6f9dfe96725 2589 sudo_1.8.5p2-1+nmu1.dsc
 2052bd6151dc62d71715762e6a192df404a9235f 26822 sudo_1.8.5p2-1+nmu1.debian.tar.gz
 b47bb046d0fa4ce2c1743c1e45e9d42a6c5251c4 842220 sudo_1.8.5p2-1+nmu1_amd64.deb
 cd0baf39ba2dc417d3dd4bc97e95e4732d176607 863082 sudo-ldap_1.8.5p2-1+nmu1_amd64.deb
Checksums-Sha256:
 aefcde86fe6b74b5ce1affd52b057dc68c969ced29f1292ac3a937763d2380d8 2589 sudo_1.8.5p2-1+nmu1.dsc
 15b44cd8f4542352b20629d8fe786d14d47e3b35fd86a05648658ec390423835 26822 sudo_1.8.5p2-1+nmu1.debian.tar.gz
 557c3147b18d5f09bdb60a83ad6ce30a5243d903fbad714beca233cb856cb8b2 842220 sudo_1.8.5p2-1+nmu1_amd64.deb
 545bd3a0d15ceaa9d9c71edd61f196dee0262ea762750e61ea28df32fac40259 863082 sudo-ldap_1.8.5p2-1+nmu1_amd64.deb
Files:
 0d259053017092470a1d804503ee3a42 2589 admin optional sudo_1.8.5p2-1+nmu1.dsc
 149d2138846fc7121cfcd3ff4df7fea9 26822 admin optional sudo_1.8.5p2-1+nmu1.debian.tar.gz
 3df5acae3e544aba6916085f6a169181 842220 admin optional sudo_1.8.5p2-1+nmu1_amd64.deb
 f3d220876a4edde1a03ab41d609bfda4 863082 admin optional sudo-ldap_1.8.5p2-1+nmu1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
=pgRW
-----END PGP SIGNATURE-----

--- End Message ---