Your message dated Sun, 10 Mar 2013 17:02:21 +0000
with message-id <e1uejdd-0003an...@franck.debian.org>
and subject line Bug#701838: fixed in sudo 1.7.4p4-2.squeeze.4
has caused the Debian Bug report #701838,
regarding sudo: CVE-2013-1775 authentication bypass when clock is reset
to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

-- 
701838: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701838
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: sudo
Severity: grave
Tags: security

Hi,
the following vulnerability was published for sudo.

CVE-2013-1775[0]:
(from the upstream report)

Sudo 1.8.6p7 and 1.7.10p7 are now available which include a fix for the following bug:

Sudo authentication bypass when clock is reset

Summary:

When a user successfully authenticates with sudo, a time stamp file is updated to allow that user to continue running sudo without requiring a password for a preset time period (five minutes by default). The user's time stamp file can be reset using "sudo -k" or removed altogether via "sudo -K".

A user who has sudo access and is able to control the local clock (common in desktop environments) can run a command via sudo without authenticating as long as they have previously authenticated themselves at least once by running "sudo -k" and then setting the clock to the epoch (1970-01-01 01:00:00).

The vulnerability does not permit a user to run commands other than those allowed by the sudoers policy.

Sudo versions affected:

Sudo 1.6.0 through 1.7.10p7 and sudo 1.8.0 through 1.8.6p7.

Details:

By default, sudo displays a lecture when the user's time stamp file is not present. In sudo 1.6, the -k option was changed to reset the time stamp file to the epoch rather than remove it to prevent the lecture from being displayed the next time sudo was run. No special case was added for handling a time stamp file set to the epoch since the clock should never legitimately be set to that value.

However, there are two common ways for the clock to be reset to the epoch. The first way is when the clock is reset due to a fully drained battery on some systems. The other way is by a user logged in to a desktop environment that allows changes to the date and time.

As long as the user has successfully run sudo before, they are able to run "sudo -k" to reset the time stamp file. This action does not require a password and is not logged. If the user is also able to reset the date and time to the epoch (1970-01-01 01:00:00), they will be able to run sudo without having to authenticate.

Impact:

The flaw may allow someone with physical access to a machine that is not password-protected to run sudo commands without knowing the logged in user's password. On systems where sudo is the principal way of running commands as root, such as on Ubuntu and Mac OS X, there is a greater chance that the logged in user has run sudo before and thus that an attack would succeed.

Fix:

The bug is fixed in sudo 1.8.6p7 and 1.7.10p7. These versions will ignore a time stamp file that is set to the epoch.

Workaround:

Using "sudo -K" instead of "sudo -k" will completely remove the time stamp file instead of just resetting it.

Credit:

I'd like to thank Marco Schoepl for finding and reporting this long-standing bug.

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1775
    http://security-tracker.debian.org/tracker/CVE-2013-1775

Please adjust the affected versions in the BTS as needed.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0AAAA
--- End Message ---
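To make the mechanism in the advisory above concrete, here is a small model of sudo's time stamp check, written as an added example for this page (it is not sudo's source and all names in it are hypothetical). It contrasts the pre-fix test with one that ignores an epoch-dated stamp, as the advisory says 1.7.10p7 and 1.8.6p7 do; the rejection of a future-dated stamp is an extra sanity check assumed here, not something the advisory states.

```c
/* Added example (not sudo's own code): a model of the time stamp check
 * behind CVE-2013-1775. All names here are hypothetical. */
#include <stdbool.h>
#include <time.h>

#define TIMEOUT_SECS (5 * 60)  /* sudo's default: five minutes */

/* A user's time stamp file: "sudo -K" deletes it, "sudo -k" keeps it
 * but sets its mtime to the epoch (0). */
struct stamp { bool exists; time_t mtime; };

struct stamp stamp_after_k(void) { struct stamp s = { true, 0 };  return s; }
struct stamp stamp_after_K(void) { struct stamp s = { false, 0 }; return s; }

/* Pre-fix logic: only checks that the stamp is younger than the timeout.
 * An epoch stamp is trusted whenever the clock is at the epoch too. */
bool authed_vulnerable(struct stamp s, time_t now)
{
    if (!s.exists)
        return false;                      /* no stamp: prompt for password */
    return now - s.mtime < TIMEOUT_SECS;
}

/* Post-fix logic: an epoch-dated stamp is never trusted, which is what the
 * advisory says the fixed versions do. The future-dated check is an extra
 * sanity check assumed here (clock stepped backwards), not from the advisory. */
bool authed_fixed(struct stamp s, time_t now)
{
    if (!s.exists || s.mtime == 0)
        return false;                      /* missing or "sudo -k" stamp */
    if (s.mtime > now)
        return false;                      /* stamp from the future */
    return now - s.mtime < TIMEOUT_SECS;
}
```

With the clock at the epoch, `authed_vulnerable` accepts the stamp left by "sudo -k" while `authed_fixed` rejects it; a stamp removed by "sudo -K" (the advisory's workaround) is rejected by both.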
--- Begin Message ---
Source: sudo
Source-Version: 1.7.4p4-2.squeeze.4

We believe that the bug you reported is fixed in the latest version of sudo, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 701...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Gilbert <mgilb...@debian.org> (supplier of updated sudo package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@debian.org)

Format: 1.8
Date: Wed, 06 Mar 2013 18:41:15 +0000
Source: sudo
Binary: sudo sudo-ldap
Architecture: source amd64
Version: 1.7.4p4-2.squeeze.4
Distribution: stable-security
Urgency: high
Maintainer: Bdale Garbee <bd...@gag.com>
Changed-By: Michael Gilbert <mgilb...@debian.org>
Description:
 sudo       - Provide limited super user privileges to specific users
 sudo-ldap  - Provide limited super user privileges to specific users
Closes: 701838 701839
Changes:
 sudo (1.7.4p4-2.squeeze.4) stable-security; urgency=high
 .
   * Fix cve-2013-1775: authentication bypass when the clock is set to the
     UNIX epoch [00:00:00 UTC on 1 January 1970] (closes: #701838).
   * Fix cve-2013-1776: session id hijacking from another authorized tty
     (closes: #701839).
--- End Message ---