> The #else portion of the code may be fine, I haven't studied it extensively
I doubt this; it relies on comparing inode numbers and device numbers
returned by lstat() and fstat(). lstat(), just like O_FOLLOW, only
considers the final component of the path. If it's a symlink, it returns
data about the symlink; otherwise it returns data about the file (even
though it's accessed through symlinks).

--
https://bugs.launchpad.net/bugs/1512781

Title:
  CVE-2015-5602 - Unauthorized Privilege Escalation

Status in sudo:
  Unknown
Status in sudo package in Ubuntu:
  Confirmed
Status in sudo source package in Precise:
  Confirmed
Status in sudo source package in Trusty:
  Confirmed
Status in sudo source package in Vivid:
  Confirmed
Status in sudo source package in Wily:
  Confirmed
Status in sudo source package in Xenial:
  Confirmed
Status in sudo package in Debian:
  Confirmed

Bug description:
  https://www.exploit-db.com/exploits/37710/

  As described in the link above, sudo versions lower than or equal to
  1.8.14 have a security issue: a user with root access to a path with
  more than one wildcard can access forbidden files such as /etc/shadow,
  because sudoedit (sudo -e) does not verify the full path of the
  accessed file:

  (quote from link above)
  It seems that sudoedit does not check the full path if a wildcard is
  used twice (e.g. /home/*/*/file.txt), allowing a malicious user to
  replace the file.txt real file with a symbolic link to a different
  location (e.g. /etc/shadow).

  As an example,
  1. Give user `usr' the right to edit some of his files:
     usr ALL=(root) NOPASSWD: sudoedit /home/*/*/test.txt
  2. Under usr, create a ~/temp directory, and then create a symlink
     ~/temp/test.txt to /etc/shadow
  3. Perform sudoedit ~/temp/test.txt - you will be able to access
     /etc/shadow.

  What release is affected: tested on all currently supported Ubuntu
  versions. For me personally, it's 14.04 LTS.

  What version is affected: as mentioned, all versions <=1.8.14. For me
  personally, it's 1.8.9p5.

  What was expected and happened instead: sudoedit should check the full
  real path, but it didn't.
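Added example, not part of the original thread and not sudo's code: the lstat()/fstat() comparison the reply describes, run against a constructed temporary tree in which a directory component is a symlink, next to a per-component openat() walk with O_NOFOLLOW. The function names, the /tmp tree and the result bits are assumptions made for this illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The check discussed above: lstat() the path, open it, fstat() the fd, compare. */
static int open_lstat_fstat(const char *path) {
    struct stat l, f;
    if (lstat(path, &l) != 0 || S_ISLNK(l.st_mode)) return -1;
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    if (fstat(fd, &f) == 0 && l.st_dev == f.st_dev && l.st_ino == f.st_ino) return fd;
    close(fd);
    return -1;
}

/* Hardened walk (an assumption, not sudo's code): descend from a trusted
 * directory fd, refusing a symlink or ".." at every component. */
static int open_nofollow_walk(int rootfd, const char *rel) {
    char buf[PATH_MAX], *save = NULL;
    if (snprintf(buf, sizeof buf, "%s", rel) >= (int)sizeof buf) return -1;
    int dirfd = dup(rootfd);
    for (char *c = strtok_r(buf, "/", &save), *next; dirfd >= 0 && c; c = next) {
        next = strtok_r(NULL, "/", &save);
        int fd = strcmp(c, "..") == 0 ? -1 :
            openat(dirfd, c, O_RDONLY | O_NOFOLLOW | (next ? O_DIRECTORY : 0));
        close(dirfd);
        dirfd = fd;
    }
    return dirfd;
}

/* Constructed tree: <tmp>/real/test.txt and symlink <tmp>/link -> real. */
static int demo(void) {
    char base[] = "/tmp/symchkXXXXXX", p[PATH_MAX];
    if (mkdtemp(base) == NULL) return -1;
    int root = open(base, O_RDONLY | O_DIRECTORY);
    if (mkdirat(root, "real", 0700) != 0 || symlinkat("real", root, "link") != 0) return -1;
    close(openat(root, "real/test.txt", O_CREAT | O_WRONLY, 0600));
    snprintf(p, sizeof p, "%s/link/test.txt", base);
    int a = open_lstat_fstat(p), b = open_nofollow_walk(root, "link/test.txt");
    int c = open_nofollow_walk(root, "real/test.txt");
    return (a >= 0) | ((b >= 0) << 1) | ((c >= 0) << 2);
}
int main(void) { printf("result bits: %d\n", demo()); return 0; }
```

In the result, bit 0 means the lstat()/fstat() check accepted link/test.txt, bit 1 means the walk accepted it, and bit 2 means the walk accepted real/test.txt; the demo leaves its small tree under /tmp.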