Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri, 18 May 2012 14:30:14 +0200
From: Jan Lieskovsky <jlieskov@...hat.com>
To: oss-security@...ts.openwall.com
CC: Solar Designer <solar@...nwall.com>,
        "Todd C. Miller" <Todd.Miller@...rtesan.com>,
        Daniel Kopecek <dkopecek@...hat.com>
Subject: Re: sudo: IP addresses in sudoers with netmask may
 match additional hosts (CVE-2012-2337)


Hi Solar,

On 05/18/2012 01:57 PM, Solar Designer wrote:
> Hi,
>
> (I was hoping someone else would bring this in here once it became public.)

Yes, my fault (Thought not to forget to do so on Wednesday, but
got distracted by something else, and in the end it resulted me not to
send it completely :().

Apologize for that and thank you for sending it.

Will do better job next time.

Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

>
> A sudo advisory was published by upstream and corrected versions were
> released on 2012-05-16:
>
> http://www.sudo.ws/sudo/alerts/netmask.html
>
> "Summary:
> A flaw exists in the IP network matching code in sudo versions 1.6.9p3
> through 1.8.4p4 that may result in the local host being matched even
> though it is not actually part of the network described by the IP
> address and associated netmask listed in the sudoers file or in LDAP.
> As a result, users authorized to run commands on certain IP networks may
> be able to run commands on hosts that belong to other networks not
> explicitly listed in sudoers.
>
> Sudo versions affected:
> Sudo versions 1.6.9p3 through 1.8.4p4 inclusive are affected.  The bug
> only has an effect when the sudoers file (or LDAP sudoers data) using a
> host specification that grants permissions using an IP address with an
> associated netmask, e.g. 10.0.1.0/255.255.255.0 or 10.0.2.0/24."
>
> This is CVE-2012-2337.
>
> Red Hat Bugzilla entries:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=820677
> https://bugzilla.redhat.com/show_bug.cgi?id=822175
>
> Ubuntu advisory:
>
> http://www.ubuntu.com/usn/usn-1442-1/
>
> Debian tracking:
>
> http://security-tracker.debian.org/tracker/CVE-2012-2337
>
> Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.