Date: Wed, 24 Feb 2010 16:50:25 +0100 From: Jan Lieskovsky <jlieskov@...hat.com> To: Jamie Strandboge <jamie@...onical.com> CC: oss-security@...ts.openwall.com Subject: Re: CVE assignment notification -- CVE-2010-0427 -- sudo fails to reset group permissions if runas_default set Hi Jamie, there are two sudo issues: a, CVE-2010-0426 sudoedit to allow to run arbitrary code b, CVE-2010-0427 sudo fails to reset cached groups, when runas_default option set Jamie Strandboge wrote: > On Tue, 2010-02-23 at 17:17 +0100, Jan Lieskovsky wrote: > > Thanks for your investigation. > >> b, v1.7.x based versions of sudo are not affected by this >> flaw due the differences in the way sudoers file is parsed. This comment speaks only about CVE-2010-0427 issue. > > This is in conflict with Todd's statement in his writeup: > "Sudo versions affected: > 1.6.9 through 1.7.2p3 inclusive. > ... > Fix: > The bug is fixed in sudo 1.7.2p4 and 1.6.9p21" Above quotes from Todd are referring to CVE-2010-0426 issue (and these are valid). > > > Upstream appears to have patched 1.7.2. Can you explain why it is not > affected? But you mean CVE-2010-0426 here, right? For CVE-2010-0427 wrt to v1.7.x you can check reproducer in: http://www.gratisoft.us/bugzilla/show_bug.cgi?id=349 that it isn't working against v1.7.x. I probably confused you with 'more about sudo "fails to reset group permissions if runas_default set" issue', when not saying this is different / new issue. Sorry for that. Thanks && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ