Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 24 Feb 2010 16:50:25 +0100
From: Jan Lieskovsky <jlieskov@...hat.com>
To: Jamie Strandboge <jamie@...onical.com>
CC: oss-security@...ts.openwall.com
Subject: Re: CVE assignment notification -- CVE-2010-0427 --
 sudo fails to reset group permissions if runas_default set

Hi Jamie,

   there are two sudo issues:
   a, CVE-2010-0426 sudoedit to allow to run arbitrary code
   b, CVE-2010-0427 sudo fails to reset cached groups, when
                     runas_default option set

Jamie Strandboge wrote:
> On Tue, 2010-02-23 at 17:17 +0100, Jan Lieskovsky wrote:
> 
> Thanks for your investigation.
> 
>>    b, v1.7.x based versions of sudo are not affected by this
>>       flaw due the differences in the way sudoers file is parsed.

   This comment speaks only about CVE-2010-0427 issue.
> 
> This is in conflict with Todd's statement in his writeup:
> "Sudo versions affected:
> 1.6.9 through 1.7.2p3 inclusive.
> ...
> Fix:
> The bug is fixed in sudo 1.7.2p4 and 1.6.9p21"

   Above quotes from Todd are referring to CVE-2010-0426 issue (and these
   are valid).
> 
> 
> Upstream appears to have patched 1.7.2. Can you explain why it is not
> affected?

   But you mean CVE-2010-0426 here, right? For CVE-2010-0427 wrt to v1.7.x
   you can check reproducer in:

     http://www.gratisoft.us/bugzilla/show_bug.cgi?id=349

   that it isn't working against v1.7.x.

   I probably confused you with 'more about sudo "fails to reset group
   permissions if runas_default set" issue', when not saying this is
   different / new issue.

   Sorry for that.

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ